Framework/Configurations/SVT/Services/VirtualMachine.json
{
"FeatureName": "VirtualMachine", "Reference": "aka.ms/azsdkosstcp/vm", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_VirtualMachine_Deploy_Latest_OS_Version", "Description": "Virtual Machine should have the latest OS version installed", "Id": "VirtualMachine110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOSVersion", "Recommendation": "Run command 'Update-AzureRmVM -ResourceGroupName {resourceGroupName} -VM (Get-AzureRmVM -ResourceGroupName {resourceGroupName} -Name {vmName})'. Run 'Get-Help Update-AzureRmVM -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Deploy", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Config_OS_Auto_Update_Windows", "Description": "OS automatic updates must be enabled on Windows Virtual Machine", "Id": "VirtualMachine120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOSAutoUpdateStatus", "Recommendation": "Run command 'Set-AzureRmVMOperatingSystem' with the EnableAutoUpdate flag. Run 'Get-Help Set-AzureRmVMOperatingSystem -full' for more help or Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmoperatingsystem", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware_Windows", "Description": "Antimalware must be enabled with real time protection on Windows Virtual Machine", "Id": "VirtualMachine130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAntimalwareStatus", "Recommendation": "Go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. 
Refer: https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows", "SOX" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Config_Enable_NSG", "Description": "NSG must be configured for Virtual Machine", "Id": "VirtualMachine140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGConfig", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_NetSec_Justify_PublicIPs", "Description": "Public IPs on a Virtual Machine should be carefully reviewed", "Id": "VirtualMachine150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIP", "Recommendation": "Go to Azure Portal --> VM Properties --> Network Interfaces --> <Select NIC> --> IP Configurations --> <Select IP Configs with Public IP> --> Click “Disabled” --> Save. 
Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#a-namecreate-ip-configaadd-a-secondary-ip-configuration-to-a-nic ", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Windows", "Linux" ], "Enabled": true, "DataObjectProperties": [ "PublicIpAllocationMethod", "IpConfiguration", "Id", "DnsSettings" ] }, { "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption_Windows", "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine", "Id": "VirtualMachine160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDiskEncryption", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json", "Tags": [ "SDL", "TCP", "Automated", "DP", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_ASC_Healthy", "Description": "Virtual Machine must be in a healthy state in Azure Security Center", "Id": "VirtualMachine170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCStatus", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_Vulnerabilities", "Description": "Virtual Machine must be in a healthy state in Azure Security Center", "Id": "VirtualMachine171", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCVulnerabilities", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_SI_Missing_OS_Patches", "Description": "Virtual Machine must have all the required OS patches installed.", "Id": "VirtualMachine172", "ControlSeverity": "High", "Automated": "Yes", "MethodName": 
"CheckASCVMMissingPatchingStatus", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "SOX" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_Enable_Diagnostics", "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine", "Id": "VirtualMachine180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMDiagnostics", "Recommendation": "Go to Azure Portal --> VM Properties --> Diagnostics settings --> Enable guest-level-monitoring. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Management_Ports", "Description": "Do not leave management ports open on Virtual Machines", "Id": "VirtualMachine190", "ControlSeverity": "Critical", "Automated": "Yes", "MethodName": "CheckOpenPorts", "Recommendation": "Go to Azure Portal --> VM Properties --> Network Interfaces --> Network security group --> Inbound security rules --> Select RDP/WINRM Security Rule --> Click 'Deny' under Action --> Click Save.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Windows", "Linux", "Owner" ], "Enabled": true } ] } |