openshield-org · aav-wh · May 30, 2026 · Jun 1, 2026
diff --git a/compliance/frameworks/cis_azure_benchmark.json b/compliance/frameworks/cis_azure_benchmark.json
@@ -107,11 +107,11 @@
       "control_id": "8.3",
       "control_name": "Ensure that 'OS patching' is enabled for virtual machines",
       "description": "The virtual machine does not have automatic OS patching enabled. CIS 8.3 requires that OS patches are applied in a timely manner. Unpatched VMs are vulnerable to known exploits targeting unpatched OS vulnerabilities."
-    },  
+    },
     "AZ-KV-001": {
       "control_id": "8.5",
       "control_name": "Ensure the Key Vault is Recoverable",
-      "description": "Azure Key Vault soft delete should be enabled on all Key Vaults. The soft delete feature allows recovery of deleted vaults and vault objects (keys, secrets, certificates) for a configurable retention period (7\u201390 days), protecting against accidental or malicious deletion."
+      "description": "Azure Key Vault soft delete should be enabled on all Key Vaults. The soft delete feature allows recovery of deleted vaults and vault objects (keys, secrets, certificates) for a configurable retention period (7–90 days), protecting against accidental or malicious deletion."
     },
     "AZ-STOR-003": {
       "control_id": "3.7",
@@ -151,7 +151,7 @@
     "AZ-DB-004": {
       "control_id": "4.1.2",
       "control_name": "Ensure that 'Allow access to Azure services' for SQL Servers is disabled",
-      "description": "Enabling 'Allow access to Azure services' on a SQL Server firewall creates a rule that permits any Azure-hosted resource \u2014 including services from other tenants \u2014 to connect to the server. This significantly increases the attack surface. Access should be restricted to specific trusted IP ranges or private endpoints."
+      "description": "Enabling 'Allow access to Azure services' on a SQL Server firewall creates a rule that permits any Azure-hosted resource — including services from other tenants — to connect to the server. This significantly increases the attack surface. Access should be restricted to specific trusted IP ranges or private endpoints."
     },
     "AZ-IDN-004": {
       "control_id": "1.14",
@@ -174,4 +174,4 @@
       "description": "VNet peering connections with allowGatewayTransit or useRemoteGateways enabled allow traffic to route between network segments through shared gateways. This can break network segmentation and enable lateral movement between zones that should remain isolated. Peering connections should be reviewed and gateway transit disabled unless explicitly required and documented."
     }
   }
-}
+}
diff --git a/compliance/frameworks/iso27001.json b/compliance/frameworks/iso27001.json
@@ -98,16 +98,16 @@
       "control_name": "Policy on the use of cryptographic controls",
       "description": "Virtual machine OS and data disks are using platform-managed encryption only (EncryptionAtRestWithPlatformKey). A.10.1.1 requires that a policy on the use of cryptographic controls is developed and implemented."
     },
+    "AZ-CMP-003": {
+      "control_id": "A.12.2.1",
+      "control_name": "Controls against malware",
+      "description": "The virtual machine does not have a recognised endpoint protection extension installed. A.12.2.1 requires that detection, prevention and recovery controls are implemented to protect against malware."
+    },
     "AZ-CMP-004": {
       "control_id": "A.12.6.1",
       "control_name": "Management of technical vulnerabilities",
       "description": "The virtual machine does not have automatic OS patching enabled. A.12.6.1 requires that information about technical vulnerabilities is obtained and the organisation's exposure evaluated. Without automatic patching, known OS vulnerabilities remain unmitigated."
     },
-    "AZ-CMP-003": {
-      "control_id": "A.12.2.1",
-      "control_name": "Controls against malware",
-      "description": "The virtual machine does not have a recognised endpoint protection extension installed. A.12.2.1 requires that detection, prevention and recovery controls are implemented to protect against malware. Without endpoint protection, malware executing on the VM will not be detected or prevented."
-    },
     "AZ-KV-001": {
       "control_id": "A.17.2.1",
       "control_name": "Availability of information processing facilities",
@@ -166,12 +166,12 @@
     "AZ-NET-013": {
       "control_id": "A.13.1.1",
       "control_name": "Network controls",
-      "description": "A virtual network without an Azure Firewall relies on NSGs alone and has no centralized perimeter inspection or logging. A.13.1.1 requires that networks be managed and controlled to protect information in systems and applications. Deploying an Azure Firewall provides stateful inspection, filtering, and logging at the network boundary."
+      "description": "Virtual Networks without an Azure Firewall deployed rely solely on Network Security Groups for perimeter defence. NSGs provide no deep packet inspection, threat intelligence filtering, or centralised traffic logging. Networks should be managed and controlled using a dedicated firewall to inspect and control all inbound and outbound traffic."
     },
     "AZ-NET-014": {
       "control_id": "A.13.1.1",
       "control_name": "Network controls",
-      "description": "VNet peering connections with gateway transit enabled allow traffic to flow between network segments through shared gateways, potentially bypassing network controls. Networks should be managed and controlled to protect information in systems and applications. Gateway transit on peering connections should be disabled unless explicitly required."
+      "description": "VNet peering connections with allowGatewayTransit or useRemoteGateways enabled allow traffic to flow between network segments through shared gateways, potentially bypassing network controls between zones that should remain isolated. Networks should be managed and controlled with explicit restrictions on gateway transit across peering connections."
     }
   }
-}
+}
diff --git a/compliance/frameworks/nist_csf.json b/compliance/frameworks/nist_csf.json
@@ -174,4 +174,4 @@
       "description": "VNet peering with gateway transit enabled allows traffic to cross network boundaries through shared gateways, undermining network segmentation. PR.AC-5 requires that network integrity is protected. Disabling gateway transit on peering connections enforces boundary integrity between network zones."
     }
   }
-}
+}
diff --git a/compliance/frameworks/soc2.json b/compliance/frameworks/soc2.json
@@ -113,6 +113,11 @@
       "control_name": "Protects Data in Transit and At Rest",
       "description": "Virtual machine OS and data disks are using platform-managed encryption only (EncryptionAtRestWithPlatformKey). CC6.7 requires that data is protected using encryption. Platform-managed keys lack customer control and audit capabilities needed for compliance."
     },
+    "AZ-CMP-003": {
+      "control_id": "CC6.8",
+      "control_name": "Prevents or Detects Unauthorized or Malicious Software",
+      "description": "The virtual machine does not have a recognised endpoint protection extension installed. CC6.8 requires that controls are implemented to prevent or detect and act upon the introduction of unauthorized or malicious software. Without endpoint protection, malicious code executing on the VM will not be detected or blocked."
+    },
     "AZ-CMP-004": {
       "control_id": "CC7.1",
       "control_name": "System Vulnerabilities are Identified and Managed",
@@ -151,7 +156,7 @@
     "AZ-DB-004": {
       "control_id": "CC6.6",
       "control_name": "Restricts Access from Outside the Network Boundary",
-      "description": "Enabling 'Allow access to Azure services' on a SQL Server firewall creates a rule that permits any Azure-hosted resource \u2014 including services from other tenants \u2014 to connect to the database. CC6.6 requires that access from outside the network boundary is restricted to authorised sources. Disabling this setting and replacing it with explicit firewall rules or private endpoints enforces the network boundary and ensures only known and trusted systems can reach the SQL Server."
+      "description": "Enabling 'Allow access to Azure services' on a SQL Server firewall creates a rule that permits any Azure-hosted resource — including services from other tenants — to connect to the database. CC6.6 requires that access from outside the network boundary is restricted to authorised sources. Disabling this setting and replacing it with explicit firewall rules or private endpoints enforces the network boundary and ensures only known and trusted systems can reach the SQL Server."
     },
     "AZ-IDN-004": {
       "control_id": "CC6.3",
@@ -169,4 +174,4 @@
       "description": "VNet peering with allowGatewayTransit or useRemoteGateways enabled allows traffic to cross network boundaries through shared gateways, weakening the logical separation between network zones. CC6.6 requires that logical access from outside the network boundary is restricted and controlled. Gateway transit on peering connections should be disabled to enforce boundary separation."
     }
   }
-}
+}
diff --git a/playbooks/cli/fix_az_net_013.sh b/playbooks/cli/fix_az_net_013.sh
@@ -1,82 +1,33 @@
 #!/bin/bash
-# Playbook: fix_az_net_013.sh
-# Rule: AZ-NET-013 - Azure Firewall not enabled on Virtual Network
-
 set -euo pipefail
 
-if [[ $# -lt 2 ]]; then
-  echo "Usage: $0 <resource-group> <vnet-name> [location] [firewall-name]"
-  echo ""
-  echo "Deploys an Azure Firewall into the target virtual network so traffic"
-  echo "can be inspected, filtered, and logged at the network perimeter."
-  echo "Note: Azure Firewall is a billed resource - review pricing first."
+RESOURCE_GROUP=$1
+VNET_NAME=$2
+
+if [ -z "$RESOURCE_GROUP" ] || [ -z "$VNET_NAME" ]; then
+  echo "Usage: $0 <resource-group> <vnet-name>"
   exit 1
 fi
 
-RESOURCE_GROUP="$1"
-VNET_NAME="$2"
-LOCATION="${3:-}"
-FIREWALL_NAME="${4:-${VNET_NAME}-fw}"
-PUBLIC_IP_NAME="${FIREWALL_NAME}-pip"
-
-# Azure Firewall requires a dedicated subnet named exactly "AzureFirewallSubnet"
-# with a minimum prefix of /26.
-FIREWALL_SUBNET_NAME="AzureFirewallSubnet"
-FIREWALL_SUBNET_PREFIX="${FIREWALL_SUBNET_PREFIX:-10.0.255.0/26}"
+echo "Deploying Azure Firewall for VNet: $VNET_NAME in resource group: $RESOURCE_GROUP..."
 
-# Derive the VNet location if one was not supplied.
-if [[ -z "$LOCATION" ]]; then
-  echo "Resolving location for VNet '$VNET_NAME'..."
-  LOCATION=$(az network vnet show \
-    --resource-group "$RESOURCE_GROUP" \
-    --name "$VNET_NAME" \
-    --query "location" --output tsv)
-fi
-
-echo "Ensuring '$FIREWALL_SUBNET_NAME' exists in VNet '$VNET_NAME'..."
-if ! az network vnet subnet show \
-      --resource-group "$RESOURCE_GROUP" \
-      --vnet-name "$VNET_NAME" \
-      --name "$FIREWALL_SUBNET_NAME" >/dev/null 2>&1; then
-  echo "  Creating subnet '$FIREWALL_SUBNET_NAME' ($FIREWALL_SUBNET_PREFIX)..."
-  echo "  (Adjust FIREWALL_SUBNET_PREFIX to a free /26 range in your VNet.)"
-  az network vnet subnet create \
-    --resource-group "$RESOURCE_GROUP" \
-    --vnet-name "$VNET_NAME" \
-    --name "$FIREWALL_SUBNET_NAME" \
-    --address-prefixes "$FIREWALL_SUBNET_PREFIX" \
-    --output none
-fi
+az network vnet subnet create \
+  --resource-group "$RESOURCE_GROUP" \
+  --vnet-name "$VNET_NAME" \
+  --name AzureFirewallSubnet \
+  --address-prefixes 10.0.1.0/26
 
-echo "Creating Standard Static public IP '$PUBLIC_IP_NAME'..."
 az network public-ip create \
   --resource-group "$RESOURCE_GROUP" \
-  --name "$PUBLIC_IP_NAME" \
-  --location "$LOCATION" \
+  --name "${VNET_NAME}-fw-pip" \
   --sku Standard \
-  --allocation-method Static \
-  --output none
+  --allocation-method Static
 
-echo "Creating Azure Firewall '$FIREWALL_NAME'..."
 az network firewall create \
   --resource-group "$RESOURCE_GROUP" \
-  --name "$FIREWALL_NAME" \
-  --location "$LOCATION" \
-  --output none
-
-echo "Associating firewall with VNet '$VNET_NAME' and public IP..."
-az network firewall ip-config create \
-  --resource-group "$RESOURCE_GROUP" \
-  --firewall-name "$FIREWALL_NAME" \
-  --name "${FIREWALL_NAME}-ipconfig" \
-  --vnet-name "$VNET_NAME" \
-  --public-ip-address "$PUBLIC_IP_NAME" \
-  --output none
+  --name "${VNET_NAME}-firewall" \
+  --sku-name AZFW_VNet \
+  --sku-tier Standard
 
-echo "Done. Azure Firewall '$FIREWALL_NAME' deployed in VNet '$VNET_NAME'."
-echo "Next steps:"
-echo "  - Add firewall rules (network/application/NAT) to permit required traffic."
-echo "  - Create a route table sending subnet traffic (0.0.0.0/0) to the firewall"
-echo "    private IP, then associate it with the workload subnets."
-echo "Verify with:"
-echo "  az network firewall show --resource-group $RESOURCE_GROUP --name $FIREWALL_NAME --output table"
+echo "Azure Firewall deployed for VNet: $VNET_NAME"
+echo "Note: Configure network and application rules to control traffic before routing through the firewall."
-Original file line number
+Diff line change
@@ Expand Up / @@ -174,4 +174,4 @@ @@
           "description": "VNet peering with gateway transit enabled allows traffic to cross network boundaries through shared gateways, undermining network segmentation. PR.AC-5 requires that network integrity is protected. Disabling gateway transit on peering connections enforces boundary integrity between network zones."
         }
       }
-    }
+    }