standard
turbot/azure_cis

Pipeline: 9.11 Ensure that 'Remote debugging' is set to 'Off'

Description

Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.

Disabling remote debugging on Azure App Service is primarily about enhancing security.

Remote debugging opens a communication channel that can be exploited by attackers. By disabling it, you reduce the number of potential entry points for unauthorized access.

If remote debugging is enabled without proper access controls, it can allow unauthorized users to connect to your application, potentially leading to data breaches or malicious code execution.

During a remote debugging session, sensitive information might be exposed. Disabling remote debugging helps ensure that such data remains secure. This minimizes the use of remote access tools to reduce risk.

Remediation

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Setting section, Click on Configuration.
  5. Under the General settings tab, set the Remote debugging option to Off.

From Azure CLI

To set remote debugging status to off, run the following command

az webapp config set --resource-group <resource_group_name> --name <app_name> --remote-debugging-enabled false

From PowerShell

To set remote debugging status to off, run the following command

Set-AzWebApp -ResourceGroupName <resource_group_name> -Name <app_name> -RemoteDebuggingEnabled $false

Default Value

By default, remote debugging is set to off.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_9_12

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
pipeline = azure_cis.pipeline.cis_v300_9_12
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info
approvers
list(notifier)
YesList of notifiers to be used for obtaining action/approval decisions.notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/9 App Service