fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/templates/code/mla_python.txt

@@ -0,0 +1,124 @@
+## Python Code
+
+```python
+#!/usr/bin/env python3
+\"\"\"
+Monitoring, Logging & Analysis Evidence Collector
+Collects log coverage, retention, and SIEM evidence
+\"\"\"
+
+import os
+import json
+from datetime import datetime, timedelta
+from azure.identity import DefaultAzureCredential
+from azure.monitor.query import LogsQueryClient
+from azure.storage.blob import BlobServiceClient
+
+WORKSPACE_ID = os.environ["LOG_ANALYTICS_WORKSPACE_ID"]
+STORAGE_ACCOUNT = os.environ["EVIDENCE_STORAGE_ACCOUNT"]
+
+def collect_log_coverage_evidence():
+    \"\"\"Collect evidence of log sources for KSI-MLA-02\"\"\"
+    credential = DefaultAzureCredential(
+        exclude_environment_credential=False,
+        exclude_managed_identity_credential=False,
+        exclude_shared_token_cache_credential=True
+    )
+    logs_client = LogsQueryClient(credential)
+    
+    # Query to find all distinct log sources
+    query = \"\"\"
+    union *
+    | where TimeGenerated > ago(7d)
+    | distinct Type
+    | summarize LogTypes = make_set(Type)
+    \"\"\"
+    
+    response = logs_client.query_workspace(
+        workspace_id=WORKSPACE_ID,
+        query=query,
+        timespan=timedelta(days=7)
+    )
+    
+    log_types = []
+    for table in response.tables:
+        for row in table.rows:
+            log_types = row[0]
+    
+    evidence = {
+        "collection_date": datetime.utcnow().isoformat(),
+        "ksi_id": "KSI-MLA-02",
+        "workspace_id": WORKSPACE_ID,
+        "log_sources_count": len(log_types),
+        "log_sources": log_types,
+        "required_sources": [
+            "AzureActivity",
+            "SigninLogs",
+            "AuditLogs",
+            "SecurityEvent",
+            "Syslog",
+            "ContainerLog"
+        ]
+    }
+    
+    # Check coverage
+    required = set(evidence["required_sources"])
+    actual = set(log_types)
+    evidence["missing_sources"] = list(required - actual)
+    evidence["coverage_percentage"] = len(actual & required) / len(required) * 100
+    
+    return evidence
+
+def collect_retention_evidence():
+    \"\"\"Collect log retention configuration evidence\"\"\"
+    credential = DefaultAzureCredential()
+    
+    # Query workspace retention settings
+    from azure.mgmt.loganalytics import LogAnalyticsManagementClient
+    
+    client = LogAnalyticsManagementClient(credential, os.environ["AZURE_SUBSCRIPTION_ID"])
+    workspaces = client.workspaces.list()
+    
+    retention_report = {
+        "collection_date": datetime.utcnow().isoformat(),
+        "ksi_id": "KSI-MLA-02",
+        "workspaces": []
+    }
+    
+    for workspace in workspaces:
+        retention_report["workspaces"].append({
+            "name": workspace.name,
+            "retention_days": workspace.retention_in_days,
+            "compliant": workspace.retention_in_days >= 365  # FedRAMP minimum
+        })
+    
+    return retention_report
+
+async def main():
+    print("Starting MLA evidence collection")
+    
+    # Collect evidence
+    coverage = collect_log_coverage_evidence()
+    print(f"Log Coverage: {coverage['coverage_percentage']:.1f}%")
+    
+    retention = collect_retention_evidence()
+    print(f"Workspaces checked: {len(retention['workspaces'])}")
+    
+    # Store evidence
+    credential = DefaultAzureCredential()
+    blob_client = BlobServiceClient(
+        account_url=f"https://{STORAGE_ACCOUNT}.blob.core.windows.net",
+        credential=credential
+    )
+    
+    timestamp = datetime.utcnow().strftime("%Y-%m-%d")
+    for evidence_type, evidence_data in [("coverage", coverage), ("retention", retention)]:
+        blob_name = f"ksi-mla-02/{evidence_type}-{timestamp}.json"
+        blob = blob_client.get_blob_client(container="mla-evidence", blob=blob_name)
+        blob.upload_blob(json.dumps(evidence_data, indent=2), overwrite=True)
+        print(f"✓ Stored: {blob_name}")
+
+if __name__ == "__main__":
+    import asyncio
+    asyncio.run(main())
+```

fedramp_20x_mcp/templates/terraform/afr.txt

@@ -0,0 +1,29 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Authorization Framework Evidence Collection
+resource "azurerm_storage_account" "afr_evidence" {
+  name                     = "stfedrampafrevidence"
+  resource_group_name      = azurerm_resource_group.evidence.name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  min_tls_version          = "TLS1_2"
+}
+
+resource "azurerm_container_registry" "vuln_scanning" {
+  name                = "acrfedrampvuln"
+  resource_group_name = azurerm_resource_group.evidence.name
+  location            = var.location
+  sku                 = "Premium"
+  admin_enabled       = false
+}
+
+output "storage_account_name" {
+  value = azurerm_storage_account.afr_evidence.name
+}
+
+output "container_registry_name" {
+  value = azurerm_container_registry.vuln_scanning.name
+}
+```

fedramp_20x_mcp/templates/terraform/cna.txt

@@ -0,0 +1,50 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Cloud Native Architecture Evidence
+resource "azurerm_log_analytics_workspace" "aks" {
+  name                = "log-fedramp-aks"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 730
+}
+
+resource "azurerm_kubernetes_cluster" "main" {
+  name                = "aks-fedramp-prod"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  dns_prefix          = "fedramp"
+  
+  identity {
+    type = "SystemAssigned"
+  }
+
+  network_profile {
+    network_plugin    = "azure"
+    network_policy    = "calico"
+    service_cidr      = "10.0.0.0/16"
+    dns_service_ip    = "10.0.0.10"
+  }
+
+  oms_agent {
+    log_analytics_workspace_id = azurerm_log_analytics_workspace.aks.id
+  }
+
+  azure_policy_enabled = true
+
+  default_node_pool {
+    name       = "default"
+    node_count = 3
+    vm_size    = "Standard_DS2_v2"
+  }
+}
+
+output "aks_cluster_name" {
+  value = azurerm_kubernetes_cluster.main.name
+}
+
+output "workspace_id" {
+  value = azurerm_log_analytics_workspace.aks.id
+}
+```

fedramp_20x_mcp/templates/terraform/generic.txt

@@ -0,0 +1,40 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Generic KSI Evidence Collection Infrastructure
+variable "ksi_id" {
+  description = "KSI identifier"
+  type        = string
+}
+
+resource "azurerm_log_analytics_workspace" "generic" {
+  name                = "log-${lower(var.ksi_id)}"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 730
+}
+
+resource "azurerm_storage_account" "evidence" {
+  name                     = "st${lower(replace(var.ksi_id, "-", ""))}evidence"
+  resource_group_name      = azurerm_resource_group.evidence.name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  min_tls_version          = "TLS1_2"
+}
+
+resource "azurerm_storage_container" "evidence" {
+  name                  = "evidence"
+  storage_account_name  = azurerm_storage_account.evidence.name
+  container_access_type = "private"
+}
+
+output "storage_account_name" {
+  value = azurerm_storage_account.evidence.name
+}
+
+output "workspace_id" {
+  value = azurerm_log_analytics_workspace.generic.workspace_id
+}
+```

fedramp_20x_mcp/templates/terraform/iam.txt

@@ -0,0 +1,219 @@
+# main.tf - IAM Evidence Collection Infrastructure
+# Follows Azure CAF naming conventions and WAF best practices
+
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+    resource_group {
+      prevent_deletion_if_contains_resources = true
+    }
+  }
+}
+
+variable "environment_name" {
+  description = "Environment name (prod, dev, test)"
+  default     = "prod"
+}
+
+variable "workload_name" {
+  description = "Workload name"
+  default     = "fedramp"
+}
+
+variable "location" {
+  description = "Azure region"
+  default     = "eastus"
+}
+
+# CAF recommended tags for governance
+locals {
+  tags = {
+    Environment  = var.environment_name
+    Workload     = var.workload_name
+    CostCenter   = "Security"
+    ManagedBy    = "Terraform"
+    Compliance   = "FedRAMP"
+  }
+}
+
+# Log Analytics Workspace (CAF naming)
+resource "azurerm_log_analytics_workspace" "iam" {
+  name                = "log-${var.workload_name}-${var.environment_name}-iam"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 730  # 2 years for FedRAMP
+  tags                = local.tags
+
+  # Prevent accidental deletion
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# Storage Account for evidence (CAF naming)
+resource "azurerm_storage_account" "iam_evidence" {
+  name                     = "st${var.workload_name}${var.environment_name}iam"
+  resource_group_name      = azurerm_resource_group.evidence.name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"  # Geo-redundant for WAF Reliability
+  min_tls_version          = "TLS1_2"
+  https_traffic_only       = true
+  
+  # WAF Security best practices
+  allow_nested_items_to_be_public = false
+  public_network_access_enabled   = false  # Consider private endpoint
+  
+  identity {
+    type = "SystemAssigned"
+  }
+
+  blob_properties {
+    delete_retention_policy {
+      days = 30  # Soft delete for 30 days
+    }
+    container_delete_retention_policy {
+      days = 30
+    }
+  }
+
+  network_rules {
+    default_action = "Deny"
+    bypass         = ["AzureServices"]
+  }
+
+  tags = local.tags
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# Blob container
+resource "azurerm_storage_container" "iam_evidence" {
+  name                  = "iam-evidence"
+  storage_account_name  = azurerm_storage_account.iam_evidence.name
+  container_access_type = "private"
+}
+
+# Application Insights (CAF naming)
+resource "azurerm_application_insights" "iam" {
+  name                = "appi-${var.workload_name}-${var.environment_name}-iam"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  workspace_id        = azurerm_log_analytics_workspace.iam.id
+  application_type    = "web"
+  tags                = local.tags
+}
+
+# Function App Service Plan (CAF naming)
+resource "azurerm_service_plan" "iam" {
+  name                = "asp-${var.workload_name}-${var.environment_name}-iam"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  os_type             = "Linux"
+  sku_name            = "Y1"  # Consumption plan
+  tags                = local.tags
+}
+
+# Function App (CAF naming)
+resource "azurerm_linux_function_app" "iam" {
+  name                       = "func-${var.workload_name}-${var.environment_name}-iam"
+  location                   = var.location
+  resource_group_name        = azurerm_resource_group.evidence.name
+  service_plan_id            = azurerm_service_plan.iam.id
+  storage_account_name       = azurerm_storage_account.iam_evidence.name
+  https_only                 = true  # WAF Security: Force HTTPS
+  
+  identity {
+    type = "SystemAssigned"  # WAF Security: Use managed identity
+  }
+
+  site_config {
+    application_insights_connection_string = azurerm_application_insights.iam.connection_string
+    ftps_state                             = "Disabled"  # WAF Security
+    minimum_tls_version                    = "1.2"
+    
+    application_stack {
+      dotnet_version              = "8.0"
+      use_dotnet_isolated_runtime = true
+    }
+  }
+
+  app_settings = {
+    "FUNCTIONS_WORKER_RUNTIME"       = "dotnet-isolated"
+    "LOG_ANALYTICS_WORKSPACE_ID"     = azurerm_log_analytics_workspace.iam.workspace_id
+    "EVIDENCE_STORAGE_ACCOUNT"       = azurerm_storage_account.iam_evidence.name
+    "AZURE_STORAGE_IDENTITY_CLIENT_ID" = "SystemAssigned"  # Use managed identity
+  }
+
+  tags = local.tags
+}
+
+# RBAC: Grant Function App Storage Blob Data Contributor role
+resource "azurerm_role_assignment" "function_storage" {
+  scope                = azurerm_storage_account.iam_evidence.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_linux_function_app.iam.identity[0].principal_id
+}
+
+# Metric alert for function failures (WAF Reliability)
+resource "azurerm_monitor_metric_alert" "function_failures" {
+  name                = "alert-${var.workload_name}-${var.environment_name}-iam-failures"
+  resource_group_name = azurerm_resource_group.evidence.name
+  scopes              = [azurerm_linux_function_app.iam.id]
+  description         = "Alert when IAM evidence collection fails"
+  severity            = 2
+  frequency           = "PT5M"
+  window_size         = "PT15M"
+
+  criteria {
+    metric_namespace = "Microsoft.Web/sites"
+    metric_name      = "FunctionExecutionCount"
+    aggregation      = "Total"
+    operator         = "GreaterThan"
+    threshold        = 5
+
+    dimension {
+      name     = "Status"
+      operator = "Include"
+      values   = ["Failed"]
+    }
+  }
+
+  tags = local.tags
+}
+
+# Outputs
+output "log_analytics_workspace_id" {
+  value       = azurerm_log_analytics_workspace.iam.workspace_id
+  description = "Log Analytics workspace ID"
+}
+
+output "evidence_storage_name" {
+  value       = azurerm_storage_account.iam_evidence.name
+  description = "Evidence storage account name"
+}
+
+output "function_app_name" {
+  value       = azurerm_linux_function_app.iam.name
+  description = "Function app name"
+}
+
+output "function_app_principal_id" {
+  value       = azurerm_linux_function_app.iam.identity[0].principal_id
+  description = "Function app managed identity principal ID"
+}

fedramp_20x_mcp/templates/terraform/mla.txt

@@ -0,0 +1,29 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Monitoring, Logging & Analysis Infrastructure
+resource "azurerm_log_analytics_workspace" "sentinel" {
+  name                = "log-${var.environment_name}-sentinel"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 730
+}
+
+resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sentinel" {
+  workspace_id = azurerm_log_analytics_workspace.sentinel.id
+}
+
+resource "azurerm_storage_account" "mla_evidence" {
+  name                     = "st${var.environment_name}mlaevidence"
+  resource_group_name      = azurerm_resource_group.evidence.name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  min_tls_version          = "TLS1_2"
+}
+
+output "workspace_id" {
+  value = azurerm_log_analytics_workspace.sentinel.workspace_id
+}
+```

fedramp_20x_mcp/templates/terraform/rpl.txt

@@ -0,0 +1,32 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Backup & Recovery Evidence Collection
+resource "azurerm_recovery_services_vault" "backup" {
+  name                = "rsv-fedramp-backup"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_backup_policy_vm" "daily" {
+  name                = "DailyBackupPolicy"
+  resource_group_name = azurerm_resource_group.evidence.name
+  recovery_vault_name = azurerm_recovery_services_vault.backup.name
+
+  instant_restore_retention_days = 5
+
+  backup {
+    frequency = "Daily"
+    time      = "02:00"
+  }
+
+  retention_daily {
+    count = 30
+  }
+}
+
+output "recovery_vault_name" {
+  value = azurerm_recovery_services_vault.backup.name
+}
+```

fedramp_20x_mcp/templates/terraform/svc.txt

@@ -0,0 +1,46 @@
+## Terraform Configuration
+
+```hcl
+# main.tf - Service Management Evidence Collection
+resource "azurerm_log_analytics_workspace" "keyvault" {
+  name                = "log-fedramp-keyvault"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.evidence.name
+  sku                 = "PerGB2018"
+  retention_in_days   = 730
+}
+
+resource "azurerm_key_vault" "secrets" {
+  name                       = "kv-fedramp-secrets"
+  location                   = var.location
+  resource_group_name        = azurerm_resource_group.evidence.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "standard"
+  enable_rbac_authorization  = true
+  soft_delete_retention_days = 90
+  purge_protection_enabled   = true
+}
+
+resource "azurerm_monitor_diagnostic_setting" "keyvault" {
+  name                       = "kv-diagnostics"
+  target_resource_id         = azurerm_key_vault.secrets.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.keyvault.id
+
+  enabled_log {
+    category = "AuditEvent"
+    
+    retention_policy {
+      enabled = true
+      days    = 730
+    }
+  }
+}
+
+output "key_vault_name" {
+  value = azurerm_key_vault.secrets.name
+}
+
+output "workspace_id" {
+  value = azurerm_log_analytics_workspace.keyvault.id
+}
+```