I am using VSTS and a private build agent and I want to make sure that I am not opening my organization to attack. The build and deployment pipeline allow Powershell scripts to execute on premise. To protect against hackers I have done the following
Limited the access of the service account that runs the VSTS Build agent
Limited who can invoke a Build or deployment
Avoided executing scripts as part of the build that are in git
We have linked our internal Active directory to VSTS, which means we have a single sign on from within our organization.
My question is what else can I do to secure my Build and release pipelines? Are there tools or scripts that can be used to monitor the build scripts and there use?
You can set permissions with two aspects to make your build/release and the private agent secure:
Set permissions for build/release definitions
Click … button for build/release definitions -> Security -> set detail permissions for groups or users -> Save changes.
Set permissions for agent
You can also set different roles for groups and users for Agent queues and Agent pools.
More details, you can refer the document Set build and release permissions.
Related
We have an Azure Function and an Azure DevOps Pipeline, the pipeline builds and published the code of the function's repo automatically. We want to escape discrepancies caused by, potentially, people manually publishing a version of the code, from within their Visual Studio, that is not in source control.
How can we ensure that?
Is there a way to disable manual publishing and only allow the Azure DevOps Pipeline to publish code to the function?
I am referring to a person using the "Publish" option in Visual Studio. Is there a way to forbid the Azure function from accepting such a publish?
To stop manual changes to the build, yaml files and pipeline would be to restric access to the build section of the pipeline for all the users.
This way no one will be able to change the pipeline but the admin user will still have access to the pipeline.
To set the permission we have to go to manage security which is under the pipeline tag.
Then we can select the permission for the users.
Here each tag represents a permission. Since we want to stop manual deployment we would set Edit build pipeline and Edit quality pipeline to deny.
These permissions can be set for individuals as well as security group.
Reference:
permissions in devops.
is there any way, I can make below tasks mandatory so that a user cannot disable it under Build Pipeline(CI) in Azure DevOps
If you are the owner of the organization, you can manage it through the settings.
Navigate to Your Project -> Pipeline -> Manage Security and probably you need to restrict the user from editing the pipeline
There are various policies available which you can play around.
You can develop a Pipeline decorator extension and then install it to your organization. Pipeline decorators let you add steps to the beginning and end of every pipeline job.
To view more details, you can see "Use a decorator to inject steps into a pipeline".
Normally, only the Organization Owner or Project Collection Administrators can add or delete the extensions on the organization. So, other users are not able to remove the decorators from the pipelines.
I'm using Azure DevOps pipelines and for 'builds' I can define 'Hosted Ubuntu' agent (in my pipelines.yml file). But for 'releases' there's no way to edit yaml just the UI. The agent pool drop down list shows 'Default (no agents)'. I assume my problem is probably related to project permissions but haven't figured out what controls the visibility. On another account I see all the hosted agent options available.
For the possible security permissions issue
Check that you are part of the group(s) assigned as User to the security of the app pool in question.
If this security operates like other Allow, Deny, NotSet permissions, then your occupation in a group that has less than User permission will revoke that permission, but I haven't seen any documentation about this.
For the use of YAML in release pipelines
Yaml usage in the formal release pipeline hub is not supported. If you want to use yaml for your CD release, you're going to need to enable the new multi-stage pipelines experience.
This allows you to create stages in your .yml file that relate to deployment functions in addition to the classic build functions.
I believe this removes your release tracking from the release hub and integrates it directly into the build hub.
This is still a new concept for Azure DevOps, as is the documentation and writing about it. I found this article to be helpful.
Because this new feature seems to be centered around AKS (or other Kubernetes services) and Docker, I'm not sure if this will help you by allowing you to specify the host in yaml, but you mentioned "release" and "yaml" in the same sentence, so I thought I would address that.
I'm in the process of setting out Azure Devops for our organisation and although I have got things working to an extent, I still dont understand a couple of concepts that I think I should.
I have set up a Deployment Pool (Organization settings > Deployment Pools) and used the script to install and configure the Agents on my Dev, Test and Prod servers, and have been successfully able to deploy code to them
I have been able to build my projects using the Azure Hosted option for now, but I would really like to use the locally hosted option, but when looking at the Agent Pools(Organization settings > Agent Pools) I can only see my Production server and it wont let me use that build with. I clicked the button to "Download Agent" but it downloads the agent I already set up in the Deployment Pool stage using the same powershell command .config.cmd command
So as far as I can tell, there is no difference between an agent in an "Agent pool" vs a "Deployment pool", but I'm obviously missing something here as I cannot see the agent in the Agent pool.
Can anyone help me to understand what I might have missed, and why there are two totally different ways of downloading the same agent?
Many thanks!
Deployment pool are for deployment groups are a special agent configuration that are used specifically in release pipelines. They give some additional options for your release pipelines beyond the regular agents.
Deployment groups:
Specify the security context and runtime targets for the agents. As you create a deployment group, you add users and give them appropriate permissions to administer, manage, view, and use the group.
Let you view live logs for each server as a deployment takes place, and download logs for all servers to track your deployments down to individual machines.
Enable you to use machine tags to limit deployment to specific sets of target servers
It leverages the same pipeline agent but you are just specifying different configuration for the initialization. If you navigate to the Agent Pool page, there is a download link there with the configuration for setting up an agent that you can leverage in a build pipeline or in a release pipeline when you use an Agent Phase instead of a Deployment Group phase.
Is it possible to disable user-level credential deployment in a particular App Service Plan?
In a development environment deploying directly to the AppService is fine, however a production environment should require more gates e.g. via a release pipeline.
User-level credentials are shared across an entire azure account, is it possible to disable them for production?
The portal indicates the ability to disable ftp, but it doesn't suggest this covers deployments in general.
Is it possible to disable app-level credentials as well? I'm wary of it's audit-ability not being tied to an individual user.
EDIT:
The release pipeline is currently using the MSDeploy extension within an ARM template. For this app we're currently not using deployment slots, but that's a good point we would use them for other applications.
Unfortunately, no at this moment. As long as the user is a contributor to the site, he/she will be able to browse to the relevant SCM site (meaning making changes/deployment). Similarly, for app-level cred. Could you clarify what type of cred is being used to do release pipeline? Does it mean deploy to slot and swap is the only mean of deployment?