[CIS Azure] AppService rules

[jeniawhite]

We would like to implement the following rules:

• 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

[orestisfl]

9.4 verification ambiguous ❓

Resource fail-94 should fail according to the rule's instructions for the azure portal but succeed according to the instructions for the cli:

UI:

Instructions:

1. Login to Azure Portal using https://portal.azure.com
2. Go to App Services
3. Click on each App
4. Under the Settings section, Click on Configuration, then General settings
5. Ensure that the option Client certificate mode located under Incoming client
   certificates is set to Require
   Result:
   

CLI

output:

$ az webapp show --resource-group fail-94_group --name fail-94 --query clientCertEnabled
true

Possible solution

1. The graph sets property "clientCertMode": "Required", we can check that. This is more consistent with the description and rationale of the rule:

Client certificates allow for the app to request a certificate for incoming requests. Only
clients that have a valid certificate will be able to reach the app.

2. We can leave it as is, since the cli instructions (also for remediation) agree with out finding.