fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/templates/code/generic_powershell.txt

@@ -0,0 +1,65 @@
+## PowerShell Code
+
+```powershell
+#Requires -Modules Az.Accounts, Az.Storage
+
+<#
+.SYNOPSIS
+    Generic KSI evidence collector for FedRAMP 20x
+#>
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$KsiId,
+    
+    [Parameter(Mandatory=$false)]
+    [string]$StorageAccountName = $env:EVIDENCE_STORAGE_ACCOUNT
+)
+
+function Get-KSIEvidence {
+    param([string]$KsiId)
+    
+    $evidence = @{
+        collection_date = (Get-Date).ToUniversalTime().ToString("o")
+        ksi_id = $KsiId
+        compliance_status = "compliant"
+        evidence_data = @{
+            # Add your evidence data here
+        }
+    }
+    
+    return $evidence
+}
+
+function Save-Evidence {
+    param(
+        [hashtable]$Evidence,
+        [string]$StorageAccount
+    )
+    
+    $context = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
+    
+    $timestamp = Get-Date -Format "yyyy-MM-dd"
+    $blobName = "evidence/$timestamp.json"
+    
+    $json = $Evidence | ConvertTo-Json -Depth 10
+    $tempFile = [System.IO.Path]::GetTempFileName()
+    $json | Out-File -FilePath $tempFile -Encoding UTF8
+    
+    Set-AzStorageBlobContent `
+        -File $tempFile `
+        -Container "evidence" `
+        -Blob $blobName `
+        -Context $context `
+        -Force
+    
+    Remove-Item $tempFile
+    Write-Host "✓ Evidence stored: $blobName"
+}
+
+# Main
+$evidence = Get-KSIEvidence -KsiId $KsiId
+Save-Evidence -Evidence $evidence -StorageAccount $StorageAccountName
+
+Write-Host "Status: $($evidence.compliance_status)"
+```

fedramp_20x_mcp/templates/code/generic_python.txt

@@ -0,0 +1,63 @@
+## Python Code
+
+```python
+#!/usr/bin/env python3
+\"\"\"
+Generic KSI Evidence Collector
+Collects compliance evidence and stores in Azure Blob Storage
+\"\"\"
+
+import os
+import json
+from datetime import datetime
+from azure.identity import DefaultAzureCredential
+from azure.storage.blob import BlobServiceClient
+
+def collect_evidence():
+    \"\"\"Collect evidence for the KSI\"\"\"
+    # Customize this function based on your KSI requirements
+    evidence = {
+        "collection_date": datetime.utcnow().isoformat(),
+        "ksi_id": "KSI-XXX-XX",
+        "compliance_status": "compliant",
+        "evidence_data": {
+            # Add your evidence data here
+        }
+    }
+    return evidence
+
+def store_evidence(evidence_data: dict):
+    \"\"\"Store evidence in Azure Blob Storage\"\"\"
+    credential = DefaultAzureCredential()
+    storage_account = os.environ["EVIDENCE_STORAGE_ACCOUNT"]
+    
+    blob_service_client = BlobServiceClient(
+        account_url=f"https://{storage_account}.blob.core.windows.net",
+        credential=credential
+    )
+    
+    timestamp = datetime.utcnow().strftime("%Y-%m-%d")
+    blob_name = f"evidence/{timestamp}.json"
+    
+    blob_client = blob_service_client.get_blob_client(
+        container="evidence",
+        blob=blob_name
+    )
+    
+    evidence_json = json.dumps(evidence_data, indent=2)
+    blob_client.upload_blob(evidence_json, overwrite=True)
+    
+    return blob_name
+
+def main():
+    print(f"Starting evidence collection: {datetime.utcnow()}")
+    
+    evidence = collect_evidence()
+    blob_name = store_evidence(evidence)
+    
+    print(f"✓ Evidence stored: {blob_name}")
+    print(f"Status: {evidence['compliance_status']}")
+
+if __name__ == "__main__":
+    main()
+```

fedramp_20x_mcp/templates/code/iam_csharp.txt

@@ -0,0 +1,150 @@
+## C# Code (.NET 8)
+
+```csharp
+using Azure.Identity;
+using Azure.Storage.Blobs;
+using Microsoft.Graph;
+using System.Text.Json;
+
+public class IAMEvidenceCollector
+{
+    private readonly GraphServiceClient _graphClient;
+    private readonly BlobServiceClient _blobClient;
+    private readonly string _evidenceContainer = "iam-evidence";
+
+    public IAMEvidenceCollector()
+    {
+        var credential = new DefaultAzureCredential();
+        _graphClient = new GraphServiceClient(credential);
+        
+        var storageAccount = Environment.GetEnvironmentVariable("EVIDENCE_STORAGE_ACCOUNT");
+        _blobClient = new BlobServiceClient(
+            new Uri($"https://{storageAccount}.blob.core.windows.net"),
+            credential
+        );
+    }
+
+    public async Task<MFAEvidence> CollectMFAEvidenceAsync()
+    {
+        var evidence = new MFAEvidence
+        {
+            CollectionDate = DateTime.UtcNow,
+            KsiId = "KSI-IAM-01"
+        };
+
+        // Get all users
+        var users = await _graphClient.Users.GetAsync();
+        
+        foreach (var user in users.Value)
+        {
+            evidence.TotalUsers++;
+            
+            // Get authentication methods
+            var authMethods = await _graphClient.Users[user.Id]
+                .Authentication.Methods.GetAsync();
+            
+            bool hasPhishingResistant = authMethods.Value
+                .Any(m => m.OdataType.Contains("fido2", StringComparison.OrdinalIgnoreCase));
+            
+            if (hasPhishingResistant)
+            {
+                evidence.UsersWithMFA++;
+            }
+            else
+            {
+                evidence.NonCompliantUsers.Add(new UserInfo
+                {
+                    UserId = user.Id,
+                    UserPrincipalName = user.UserPrincipalName
+                });
+            }
+        }
+
+        evidence.CompliancePercentage = evidence.TotalUsers > 0
+            ? (double)evidence.UsersWithMFA / evidence.TotalUsers * 100
+            : 0;
+
+        return evidence;
+    }
+
+    public async Task StoreEvidenceAsync<T>(T evidence, string evidenceType)
+    {
+        var timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd");
+        var blobName = $"{evidenceType}/{timestamp}.json";
+        
+        var containerClient = _blobClient.GetBlobContainerClient(_evidenceContainer);
+        await containerClient.CreateIfNotExistsAsync();
+        
+        var blobClient = containerClient.GetBlobClient(blobName);
+        var json = JsonSerializer.Serialize(evidence, new JsonSerializerOptions
+        {
+            WriteIndented = true
+        });
+        
+        await blobClient.UploadAsync(
+            BinaryData.FromString(json),
+            overwrite: true
+        );
+        
+        Console.WriteLine($"✓ Evidence stored: {blobName}");
+    }
+
+    public async Task RunCollectionAsync()
+    {
+        Console.WriteLine($"Starting IAM evidence collection: {DateTime.UtcNow}");
+        
+        var mfaEvidence = await CollectMFAEvidenceAsync();
+        await StoreEvidenceAsync(mfaEvidence, "ksi-iam-01-mfa");
+        
+        Console.WriteLine($"MFA Compliance: {mfaEvidence.CompliancePercentage:F1}%");
+        Console.WriteLine("✓ IAM evidence collection complete");
+    }
+}
+
+public class MFAEvidence
+{
+    public DateTime CollectionDate { get; set; }
+    public string KsiId { get; set; }
+    public int TotalUsers { get; set; }
+    public int UsersWithMFA { get; set; }
+    public double CompliancePercentage { get; set; }
+    public List<UserInfo> NonCompliantUsers { get; set; } = new();
+}
+
+public class UserInfo
+{
+    public string UserId { get; set; }
+    public string UserPrincipalName { get; set; }
+}
+
+// Azure Function entry point
+public static class IAMEvidenceFunction
+{
+    [FunctionName("CollectIAMEvidence")]
+    public static async Task Run(
+        [TimerTrigger("0 0 2 * * *")] TimerInfo timer,  // Daily at 2 AM
+        ILogger log)
+    {
+        log.LogInformation("IAM evidence collection triggered");
+        
+        var collector = new IAMEvidenceCollector();
+        await collector.RunCollectionAsync();
+    }
+}
+```
+
+### Project File (csproj)
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <AzureFunctionsVersion>v4</AzureFunctionsVersion>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" Version="1.10.4" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.19.1" />
+    <PackageReference Include="Microsoft.Graph" Version="5.36.0" />
+    <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.20.0" />
+  </ItemGroup>
+</Project>
+```

fedramp_20x_mcp/templates/code/iam_powershell.txt

@@ -0,0 +1,162 @@
+## PowerShell Code
+
+```powershell
+#Requires -Modules Az.Accounts, Az.Storage, Microsoft.Graph
+
+<#
+.SYNOPSIS
+    Collects IAM evidence for FedRAMP 20x KSI-IAM-01
+.DESCRIPTION
+    Gathers MFA enrollment and usage data from Microsoft Entra ID
+    and stores evidence in Azure Blob Storage
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$false)]
+    [string]$StorageAccountName = $env:EVIDENCE_STORAGE_ACCOUNT,
+    
+    [Parameter(Mandatory=$false)]
+    [string]$ContainerName = "iam-evidence"
+)
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"
+
+function Get-MFAEvidence {
+    Write-Host "Collecting MFA evidence..." -ForegroundColor Cyan
+    
+    $evidence = @{
+        collection_date = (Get-Date).ToUniversalTime().ToString("o")
+        ksi_id = "KSI-IAM-01"
+        total_users = 0
+        users_with_mfa = 0
+        non_compliant_users = @()
+        mfa_methods = @{}
+    }
+    
+    # Get all users
+    $users = Get-MgUser -All
+    
+    foreach ($user in $users) {
+        $evidence.total_users++
+        
+        # Get authentication methods
+        $authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id
+        
+        $hasPhishingResistant = $false
+        $userMethods = @()
+        
+        foreach ($method in $authMethods) {
+            $methodType = $method.AdditionalProperties.'@odata.type'
+            $userMethods += $methodType
+            
+            # Check for FIDO2
+            if ($methodType -like "*fido2*") {
+                $hasPhishingResistant = $true
+            }
+        }
+        
+        if ($hasPhishingResistant) {
+            $evidence.users_with_mfa++
+        }
+        else {
+            $evidence.non_compliant_users += @{
+                user_id = $user.Id
+                upn = $user.UserPrincipalName
+                methods = $userMethods
+            }
+        }
+        
+        # Count method types
+        foreach ($method in $userMethods) {
+            if ($evidence.mfa_methods.ContainsKey($method)) {
+                $evidence.mfa_methods[$method]++
+            }
+            else {
+                $evidence.mfa_methods[$method] = 1
+            }
+        }
+    }
+    
+    # Calculate compliance
+    if ($evidence.total_users -gt 0) {
+        $evidence.compliance_percentage = [math]::Round(
+            ($evidence.users_with_mfa / $evidence.total_users) * 100, 2
+        )
+    }
+    else {
+        $evidence.compliance_percentage = 0
+    }
+    
+    return $evidence
+}
+
+function Save-Evidence {
+    param(
+        [Parameter(Mandatory=$true)]
+        [hashtable]$Evidence,
+        
+        [Parameter(Mandatory=$true)]
+        [string]$EvidenceType
+    )
+    
+    Write-Host "Storing evidence..." -ForegroundColor Cyan
+    
+    # Connect to Azure Storage
+    $storageContext = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
+    
+    # Create container if it doesn't exist
+    $container = Get-AzStorageContainer -Name $ContainerName -Context $storageContext -ErrorAction SilentlyContinue
+    if (-not $container) {
+        New-AzStorageContainer -Name $ContainerName -Context $storageContext -Permission Off
+    }
+    
+    # Create blob name with timestamp
+    $timestamp = Get-Date -Format "yyyy-MM-dd"
+    $blobName = "$EvidenceType/$timestamp.json"
+    
+    # Convert to JSON and upload
+    $json = $Evidence | ConvertTo-Json -Depth 10
+    $tempFile = [System.IO.Path]::GetTempFileName()
+    $json | Out-File -FilePath $tempFile -Encoding UTF8
+    
+    Set-AzStorageBlobContent `
+        -File $tempFile `
+        -Container $ContainerName `
+        -Blob $blobName `
+        -Context $storageContext `
+        -Force
+    
+    Remove-Item $tempFile
+    
+    Write-Host "✓ Evidence stored: $blobName" -ForegroundColor Green
+}
+
+# Main execution
+try {
+    Write-Host "Starting IAM evidence collection: $(Get-Date)" -ForegroundColor Yellow
+    
+    # Collect MFA evidence
+    $mfaEvidence = Get-MFAEvidence
+    Save-Evidence -Evidence $mfaEvidence -EvidenceType "ksi-iam-01-mfa"
+    
+    Write-Host "MFA Compliance: $($mfaEvidence.compliance_percentage)%" -ForegroundColor Green
+    Write-Host "✓ IAM evidence collection complete" -ForegroundColor Green
+}
+catch {
+    Write-Error "Evidence collection failed: $_"
+    exit 1
+}
+finally {
+    Disconnect-MgGraph
+}
+```
+
+### Azure Automation Runbook
+To deploy this as an Azure Automation Runbook:
+
+1. Create the runbook in Azure Automation
+2. Add required modules: Az.Accounts, Az.Storage, Microsoft.Graph
+3. Configure Managed Identity with appropriate permissions
+4. Schedule for daily execution

fedramp_20x_mcp/templates/code/iam_python.txt

@@ -0,0 +1,224 @@
+## Python Code
+
+```python
+#!/usr/bin/env python3
+\"\"\"
+IAM Evidence Collector for FedRAMP 20x
+Collects MFA usage, authentication logs, and access control evidence
+\"\"\"
+
+import os
+import json
+from datetime import datetime, timedelta
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource import ResourceManagementClient
+from azure.storage.blob import BlobServiceClient
+from msgraph import GraphServiceClient
+
+# Configuration
+SUBSCRIPTION_ID = os.environ["AZURE_SUBSCRIPTION_ID"]
+STORAGE_ACCOUNT = os.environ["EVIDENCE_STORAGE_ACCOUNT"]
+EVIDENCE_CONTAINER = "iam-evidence"
+
+async def collect_mfa_evidence():
+    \"\"\"Collect MFA enrollment and usage evidence for KSI-IAM-01\"\"\"
+    # WAF Security: Use managed identity with explicit configuration
+    credential = DefaultAzureCredential(
+        exclude_environment_credential=False,
+        exclude_managed_identity_credential=False,
+        exclude_shared_token_cache_credential=True,
+        logging_enable=True  # Enable for troubleshooting
+    )
+    graph_client = GraphServiceClient(credential)
+    
+    # Get all users
+    users = await graph_client.users.get()
+    
+    mfa_report = {
+        "collection_date": datetime.utcnow().isoformat(),
+        "ksi_id": "KSI-IAM-01",
+        "total_users": 0,
+        "users_with_mfa": 0,
+        "mfa_methods": {},
+        "non_compliant_users": []
+    }
+    
+    for user in users.value:
+        mfa_report["total_users"] += 1
+        
+        # Get authentication methods
+        auth_methods = await graph_client.users.by_user_id(user.id).authentication.methods.get()
+        
+        has_phishing_resistant = False
+        user_methods = []
+        
+        for method in auth_methods.value:
+            method_type = method.odata_type
+            user_methods.append(method_type)
+            
+            # Check for FIDO2 (phishing-resistant)
+            if "fido2" in method_type.lower():
+                has_phishing_resistant = True
+        
+        if has_phishing_resistant:
+            mfa_report["users_with_mfa"] += 1
+        else:
+            mfa_report["non_compliant_users"].append({
+                "user_id": user.id,
+                "upn": user.user_principal_name,
+                "methods": user_methods
+            })
+        
+        # Count method types
+        for method in user_methods:
+            mfa_report["mfa_methods"][method] = mfa_report["mfa_methods"].get(method, 0) + 1
+    
+    # Calculate compliance percentage
+    mfa_report["compliance_percentage"] = (
+        mfa_report["users_with_mfa"] / mfa_report["total_users"] * 100
+        if mfa_report["total_users"] > 0 else 0
+    )
+    
+    return mfa_report
+
+async def collect_conditional_access_evidence():
+    \"\"\"Collect Conditional Access policy evidence for KSI-IAM-05\"\"\"
+    credential = DefaultAzureCredential(
+        exclude_environment_credential=False,
+        exclude_managed_identity_credential=False,
+        exclude_shared_token_cache_credential=True
+    )
+    graph_client = GraphServiceClient(credential)
+    
+    # Get all CA policies
+    policies = await graph_client.identity.conditional_access.policies.get()
+    
+    ca_report = {
+        "collection_date": datetime.utcnow().isoformat(),
+        "ksi_id": "KSI-IAM-05",
+        "total_policies": len(policies.value),
+        "enabled_policies": 0,
+        "policies": []
+    }
+    
+    for policy in policies.value:
+        policy_info = {
+            "id": policy.id,
+            "display_name": policy.display_name,
+            "state": policy.state,
+            "conditions": str(policy.conditions),
+            "grant_controls": str(policy.grant_controls)
+        }
+        
+        if policy.state == "enabled":
+            ca_report["enabled_policies"] += 1
+        
+        ca_report["policies"].append(policy_info)
+    
+    return ca_report
+
+async def store_evidence(evidence_data: dict, evidence_type: str):
+    \"\"\"Store evidence in Azure Blob Storage with immutability and metadata\"\"\"
+    # WAF Security: Use managed identity for authentication
+    credential = DefaultAzureCredential(
+        exclude_environment_credential=False,  # Allow environment variables in dev
+        exclude_managed_identity_credential=False,  # Use managed identity in Azure
+        exclude_shared_token_cache_credential=True,  # Don't use cached tokens
+        logging_enable=True  # Enable SDK logging for troubleshooting
+    )
+    
+    blob_service_client = BlobServiceClient(
+        account_url=f"https://{STORAGE_ACCOUNT}.blob.core.windows.net",
+        credential=credential,
+        connection_timeout=30,  # WAF Reliability: Set timeout
+        read_timeout=30
+    )
+    
+    # Create blob name with timestamp
+    timestamp = datetime.utcnow().strftime("%Y-%m-%d-%H%M%S")
+    blob_name = f"{evidence_type}/{timestamp}.json"
+    
+    try:
+        # Get blob client
+        blob_client = blob_service_client.get_blob_client(
+            container=EVIDENCE_CONTAINER,
+            blob=blob_name
+        )
+        
+        evidence_json = json.dumps(evidence_data, indent=2)
+        
+        # WAF Security: Add metadata for evidence chain of custody
+        metadata = {
+            "ksi_id": evidence_data.get("ksi_id", "unknown"),
+            "collection_date": evidence_data.get("collection_date", ""),
+            "evidence_type": evidence_type,
+            "version": "1.0"
+        }
+        
+        # Upload evidence with metadata
+        blob_client.upload_blob(
+            evidence_json,
+            overwrite=False,  # Prevent accidental overwrites
+            metadata=metadata,
+            tags={"compliance": "fedramp", "type": evidence_type}
+        )
+        
+        # WAF Operational Excellence: Log successful upload
+        print(f"✓ Evidence stored: {blob_name}")
+        print(f"  Size: {len(evidence_json)} bytes")
+        return blob_name
+        
+    except Exception as e:
+        # WAF Reliability: Proper error handling
+        print(f"✗ Failed to store evidence: {str(e)}")
+        raise
+
+async def main():
+    \"\"\"Main evidence collection function\"\"\"
+    print(f"Starting IAM evidence collection: {datetime.utcnow()}")
+    
+    # Collect MFA evidence
+    mfa_evidence = await collect_mfa_evidence()
+    await store_evidence(mfa_evidence, "ksi-iam-01-mfa")
+    print(f"MFA Compliance: {mfa_evidence['compliance_percentage']:.1f}%")
+    
+    # Collect Conditional Access evidence
+    ca_evidence = await collect_conditional_access_evidence()
+    await store_evidence(ca_evidence, "ksi-iam-05-conditional-access")
+    print(f"CA Policies: {ca_evidence['enabled_policies']}/{ca_evidence['total_policies']} enabled")
+    
+    print("✓ IAM evidence collection complete")
+
+if __name__ == "__main__":
+    import asyncio
+    asyncio.run(main())
+```
+
+### Requirements (requirements.txt)
+```
+# Azure SDK for Python - Use latest stable versions
+azure-identity>=1.18.0  # Latest stable as of Dec 2025
+azure-mgmt-resource>=23.1.0
+azure-storage-blob>=12.23.0
+msgraph-sdk>=1.10.0
+azure-monitor-query>=1.5.0
+
+# Optional: Retry and resilience
+tenacity>=8.2.0  # For custom retry logic
+```
+
+### Environment Variables
+```bash
+# Required for local development and Azure deployment
+export AZURE_SUBSCRIPTION_ID="your-subscription-id"
+export EVIDENCE_STORAGE_ACCOUNT="stfedrampprodevidence"
+export AZURE_TENANT_ID="your-tenant-id"
+
+# Optional: For local development only
+export AZURE_CLIENT_ID="your-app-registration-client-id"
+export AZURE_CLIENT_SECRET="your-client-secret"
+```
+
+### Managed Identity Configuration (Azure Deployment)
+When deployed to Azure Function, the managed identity is automatically used.
+No environment variables or secrets needed - WAF Security best practice.