module/ConfigurationProvider/ControlConfigurations/Services/VirtualMachineScaleSet.json
{
"FeatureName": "VirtualMachineScaleSet", "Reference": "aka.ms/azsktcp/virtualmachinescaleset", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_VirtualMachineScaleSet_Deploy_Monitoring_Agent", "Description": "Log analytics agent should be installed on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSMonitoringAgent", "Rationale": "Installing the Log Analytics extension for Windows and Linux allows Azure Monitor to collect data from your Azure VM Scale Sets which can be used for detailed analysis and correlation of events.", "Recommendation": "Run following commands: 1- `$allVersions= (Get-AzVMExtensionImage -Location 'eastus' -PublisherName 'Microsoft.EnterpriseCloud.Monitoring' -Type 'MicrosoftMonitoringAgent or OmsAgentForLinux').Version 2- `$versionString = `$allVersions[(`$allVersions.count)-1].Split('.')[0] + '.' + `$allVersions[(`$allVersions.count)-1].Split('.')[1] 3- `$VMSS = Get-AzVmss -ResourceGroupName <VMSS RG Name> -VMScaleSetName <VMSS Name> 4- Add-AzVmssExtension -VirtualMachineScaleSet `$VMSS -Name 'MicrosoftMonitoringAgent' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -Type 'MicrosoftMonitoringAgent or OmsAgentForLinux' -TypeHandlerVersion `$versionString -Setting '{'workspaceId': '<your workspace ID here>'}' -ProtectedSetting '{'workspaceKey': '<your workspace key here>'}' 5- Update-AzVmss -ResourceGroupName <VMSS RG Name> -Name <VMSS Name> -VirtualMachineScaleSet `$VMSS ", "Tags": [ "SDL", "TCP", "Automated", "Deploy", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Log analytics agent should be installed on Virtual Machine Scale Set", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "ControlSettings": { 
"LinuxExtensionType": "OmsAgentForLinux", "LinuxExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring", "WindowsExtensionType": "MicrosoftMonitoringAgent", "WindowsExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring" }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Enable_Antimalware", "Description": "Antimalware must be enabled with real time protection on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet120", "DisplayName": "Antimalware must be enabled with real time protection on Virtual Machine Scale Set", "Category": "Deploy antimalware extension", "ControlRequirements": "Anti-malware must be up to date and running", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSAntimalwareExtension", "Rationale": "Enabling antimalware protection minimizes the risks from existing and new attacks from various types of malware. Microsoft Antimalware provide real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection etc.", "Recommendation": "To install antimalware, Go to Azure Portal --> VMSS --> Settings --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. 
To turn on antimalware using PowerShell, refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set", "Tags": [ "SI", "ERvNet", "ExcludeServiceFabric", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "VMInstance" ] }, "Enabled": true, "ControlSettings": { "ExtensionType": "IaaSAntimalware", "Publisher": "Microsoft.Azure.Security", "ExclusionTags": [ { "Description": "VM is part of AKS cluster.", "TagName": "orchestrator", "TagValue": "kubernetes" }, { "Description": "VM is part of Service Fabric.", "TagName": "resourcetype", "TagValue": "service fabric" } ] }, "CustomTags": [ "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_Audit_Enable_Diagnostics", "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSDiagnostics", "Rationale": "Diagnostics logs are needed for creating an activity trail while investigating an incident or a compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/cli/azure/vmss/diagnostics?view=azure-cli-latest", "Tags": [ "SDL", "TCP", "Automated", "Audit", "ERvNet", "ExcludeServiceFabric", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine Scale Set", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "ControlSettings": { "LinuxExtensionType": "LinuxDiagnostic", "LinuxExtensionPublisher": 
"Microsoft.OSTCExtensions", "WindowsExtensionType": "IaaSDiagnostics", "WindowsExtensionPublisher": "Microsoft.Azure.Diagnostics" }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_DP_Enable_Disk_Encryption", "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet150", "DisplayName": "Disk encryption should be applied on virtual machine scale sets", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSDiskEncryption", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VM Scale Set, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.", "Recommendation": "Refer: https://docs.microsoft.com/en-in/azure/virtual-machine-scale-sets/disk-encryption-powershell", "Tags": [ "SDL", "TCP", "Automated", "DP", "ERvNet", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "AzureDiskEncryptionExtension": { "ExtensionDefaultName": "AzureDiskEncryption", "LinuxExtensionDefaultName": "AzureDiskEncryptionForLinux" } }, "CustomTags": [ "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Latest_Model_Applied", "Description": "All VMs in VM Scale Set must be up-to-date with the latest scale set model", "Id": "VirtualMachineScaleSet160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSInstancesStatus", "Rationale": "All the security configurations applied on a VM Scale Set will be effective only if all the individual VM instances in the Scale Set are up-to-date with the latest overall Scale Set model", 
"Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet", "ExcludeServiceFabric", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "All VMs in VM Scale Set must be up-to-date with the latest scale set model", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [ "Linux", "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Enforce_Automatic_Upgrade_Policy", "Description": "Enforce Automatic Upgrade policy in VMSS", "Id": "VirtualMachineScaleSet320", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSUpgradePolicy", "Rationale": "All the security configurations applied on VM Scale Set will be effective only if all the individual VM instances in Scale Set are up-to-date with the latest overall Scale Set model. Automatic upgrade policy mode ensures individual VM instances are up-to-date with the latest overall Scale Set model.", "Recommendation": "To set upgrade policy for VMSS, please refer: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-policy", "Tags": [ "Automated", "SI", "VirtualMachineScaleSet", "Baseline" ], "ControlSettings": { "AllowedUpgradePolicyModes": [ "Automatic" ], "ApplicableOrchestrationModes": [ "Uniform" ], "ExcludeBasedOnExtension": { "Linux": { "AllMandatory": false, "Extensions": [ { "Type": "Compute.AKS.Linux.Billing", "Publisher": "Microsoft.AKS", "ExclusionMessage": "VMSS is part of AKS cluster." 
} ] }, "Windows": { "AllMandatory": false, "Extensions": [ { "Type": "Compute.AKS.Windows.Billing", "Publisher": "Microsoft.AKS", "ExclusionMessage": "VMSS is part of AKS cluster." } ] } } }, "Enabled": true, "DisplayName": "Enforce Automatic Upgrade policy in VMSS", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [ "VMSSOrchestrationMode" ] }, "CustomTags": [ "Daily", "TBv11", "TenantBaseline", "MSD", "CAIPreview", "EDPreview", "SMTPreview", "SN:VMSS_UpgradePolicy" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_NetSec_Justify_PublicIPs", "Description": "Public IPs on a Virtual Machine Scale Set instances should be carefully reviewed", "Id": "VirtualMachineScaleSet180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSPublicIP", "Rationale": "Public IPs provide direct access over the internet exposing the VMSS instance to attacks over the public network. 
Hence each public IP on a VMSS instance must be reviewed carefully.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Public IPs on a Virtual Machine Scale Set instances should be carefully reviewed", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "VMPublicIP" ] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_Config_Enable_NSG", "Description": "NSG must be configured for Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSNSGConfig", "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM Scale Set by reducing the attack surface.", "Recommendation": "To apply NSG at scale set, refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#nsg--asgs-per-scale-set or to apply NSG at subnet level, refer: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic#associate-network-security-group-to-subnet", "Tags": [ "SDL", "TCP", "Automated", "Config", "ExcludeServiceFabric", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "NSG must be configured for Virtual Machine Scale Set", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "VMPublicIP" ] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_NetSec_Dont_Open_Management_Ports", "Description": "Do not leave management 
ports open on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet200", "DisplayName": "Management ports must not be open on Virtual Machine Scale Sets", "Category": "Management interfaces and ports must not be open", "ControlRequirements": "Restrict network traffic flows", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSOpenPorts", "Rationale": "Open remote management ports expose a VMSS instance/compute node to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain admin access to the machine.", "Recommendation": "Go to Azure Portal --> VM Scale Set --> Settings --> Networking --> Inbound security rules --> Select the security rule that allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Delete' under Action --> Click Save.", "Tags": [ "NetSec", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "ControlSettings": { "RestrictedPortsForWindows": "445,3389,5985", "RestrictedPortsForLinux": "445,3389,22" }, "CustomTags": [ "Windows", "Linux", "ExcludeERVnetConnectedInstance" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Enable_Auto_OS_Upgrade", "Description": "Enable automatic OS image upgrade on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet210", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSAutoOSUpgrade", "Rationale": "Being on the latest OS version significantly reduces risks from security design issues and security bugs that may be present in previous versions.", "Recommendation": "To configure automatic OS image upgrade on VM Scale Set, please refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Enable automatic OS image upgrade on Virtual Machine Scale Set", "Category": 
"Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Missing_OS_Patches", "Description": "Virtual Machine Scale Set must have all the required OS patches installed.", "Id": "VirtualMachineScaleSet220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "System updates on virtual machine scale sets must be installed", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "bd20bd91-aaf1-7f14-b6e4-866de2f43146", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "bd20bd91-aaf1-7f14-b6e4-866de2f43146" ] }, "PolicyDefinitionId": "", "Rationale": "Un-patched VMSSs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates . 
It takes 24 hours to reflect the latest status at MDC.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SI", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "CustomTags": [ "Windows", "SOX", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Remediate_Security_Vulnerabilities", "Description": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated.", "Id": "VirtualMachineScaleSet230", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "Vulnerabilities in security configuration on your virtual machine scale sets must be remediated.", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "8941d121-f740-35f6-952c-6561d2b38d36", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "8941d121-f740-35f6-952c-6561d2b38d36" ] }, "PolicyDefinitionId": "", "Recommendation": "Go to security center --> Compute & apps --> VM scale sets --> Click on VMSS name --> Click on VMSS Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities", "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. 
A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Tags": [ "SDL", "Automated", "Audit", "SI", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "CustomTags": [ "Windows", "SOX", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_DP_Avoid_Plaintext_Secrets", "Description": "Virtual Machine Scale Sets must not have secrets/credentials present in plain text", "Id": "VirtualMachineScaleSet240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "AvoidPlaintextSecretsAsync", "DisplayName": "Virtual Machine Scale Sets must not have secrets/credentials present in plain text", "Category": "Credentials Access", "ControlRequirements": "Eliminating plain text credentials", "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. 
Use KeyVault to store secrets/credentials.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline", "Daily" ], "CustomTags": [ "Preview", "TenantBaseline", "EDPreview", "SMTPreview", "MSD", "TBv7", "CAIPreview", "SN:VirtualMachineScaleSet_AvoidSecrets", "CAIWave1", "Secrets" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Remediate_Security_Configurations_Vulnerabilities_MCSB", "Description": "[MCSB] Virtual machine scale sets should be configured securely", "Id": "VirtualMachineScaleSet250", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Virtual machine scale sets should be configured securely", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Known vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "To remediate vulnerabilities in VM scale set security configurations: 1. Review the list of failed rules. 2. Fix each rule according to the instructions provided.", "Tags": [ "SDL", "Automated", "Baseline", "SI" ], "AssessmentProperties": { "AssessmentNames": [ "8941d121-f740-35f6-952c-6561d2b38d36" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_AuthN_Enable_Microsoft_Entra_ID_Auth_Linux", "Description": "Entra ID (formerly AAD) extension must be deployed to the Linux VMSS.", "Id": "VirtualMachineScaleSet260", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "Reader", "MethodName": "CheckAADExtensionTrial", "DisplayName": "Entra ID (formerly AAD) extension must be deployed to the Linux VMSS.", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Installing the Entra ID (formerly AAD) extension on a VMSS allows you to log in to VMSS instances using Azure AD, making it possible for users to log in without a password, which improves authentication security.", "Recommendation": "To install Entra ID (formerly AAD) Extension in VMSS, Go to Azure Portal --> VMSS --> Settings --> Extensions+Applications --> Click Add --> Select AADSSHForLinuxVM --> Click Next --> Click Review+Create.", "Enabled": true, "ControlSettings": { "Linux": { "ExtensionType": "AADSSHLoginForLinux", "ExtensionPublisher": "Microsoft.Azure.ActiveDirectory", "ProvisioningState": "Succeeded" }, "ExcludeBasedOnExtension": { "Linux": { "AllMandatory": false, "Extensions": [ { "Type": "Compute.AKS.Linux.Billing", "Publisher": "Microsoft.AKS", "ExclusionMessage": "VMSS is part of AKS cluster." 
} ] } } }, "Tags": [ "Automated", "AuthN", "Baseline", "VirtualMachineScaleSet" ], "CustomTags": [ "Daily", "Preview", "TenantBaseline", "MSD", "TBv9", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:LINUX_VMSS_EntraIDAuth" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Install_EndPointProtection_MCSB", "Description": "[MCSB] Endpoint protection solution should be installed on virtual machine scale sets.", "Id": "VirtualMachineScaleSet290", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Endpoint protection solution should be installed on virtual machine scale sets.", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Install an endpoint protection solution on your virtual machine scale sets to protect them from threats and vulnerabilities.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/answers/questions/714430/install-endpoint-protection-solution-on-virtual-ma", "Tags": [ "Automated", "Baseline", "SI", "VirtualMachineScaleSet" ], "AssessmentProperties": { "AssessmentNames": [ "21300918-b2e3-0346-785f-c77ff57d243b" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Install_Guest_Attestation_Extension_MCSB", "Description": "[MCSB] Guest Attestation extension should be installed on virtual machines scale sets", "Id": "VirtualMachineScaleSet300", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Guest Attestation extension should be installed on virtual machines scale sets", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Install the Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.", "Recommendation": "To install the Guest Attestation extension on supported Linux virtual machine scale sets: 1. In the Azure portal, open Cloud Shell. 2. Run the following Azure CLI command: 'az vmss extension set --name GuestAttestation --publisher Microsoft.Azure.Security.LinuxAttestation --vmss-name MyVMSS --resource-group MyResourceGroup'", "Tags": [ "Automated", "Baseline", "SI", "VirtualMachineScaleSet" ], "AssessmentProperties": { "AssessmentNames": [ "a9a53f4f-26b6-3d68-33f3-2ec1f2452b5d", "02e8ca50-0e7e-cc34-0b91-215af2904248" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Install_LogAnalytics_Agent_MCSB", "Description": "[MCSB] Log Analytics agent must be installed on virtual machine scale sets.", "Id": "VirtualMachineScaleSet280", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Log Analytics agent must be installed on virtual machine scale sets.", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows", "Tags": [ "Automated", "Baseline", "SI", "VirtualMachineScaleSet" ], "AssessmentProperties": { "AssessmentNames": [ "45cfe080-ceb1-a91e-9743-71551ed24e94" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
}, { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "NotApplicable", "AssessmentStatusCausePatterns": "(.)*KubernetesNonRelevantRecommendation(.)*" } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Install_System_Updates_MCSB", "Description": "[MCSB] System updates on virtual machine scale sets should be installed", "Id": "VirtualMachineScaleSet310", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] System updates on virtual machine scale sets should be installed", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Machines with missing updates are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems.", "Recommendation": "To update virtual machine scale set with powershell commands please refer: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#update-the-os-image-for-your-scale-set", "Tags": [ "Automated", "Baseline", "SI", "VirtualMachineScaleSet" ], "AssessmentProperties": { "AssessmentNames": [ "bd20bd91-aaf1-7f14-b6e4-866de2f43146" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
}, { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "NotApplicable", "AssessmentStatusCausePatterns": "KubernetesNonRelevantRecommendation(.)*" } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_AuthN_Enable_AAD_Auth_Windows", "Description": "AAD extension must be deployed to the Windows VMSS", "Id": "VirtualMachineScaleSet330", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "Reader", "MethodName": "CheckAADExtensionForWindows", "DisplayName": "AAD extension must be deployed to the Windows VMSS", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Installing the AAD extension on a VMSS allows you to log in to VMSS instances using Azure AD, making it possible for users to log in without a password, which improves authentication security.", "Recommendation": "To install AAD Extension in VMSS, Go to Azure Portal --> VMSS --> Settings --> Extensions+Applications --> Click Add --> Select 'Azure AD based Windows Login' --> Click Next --> Click Review+Create.", "Enabled": true, "ControlSettings": { "Windows": { "ExtensionType": "AADLoginForWindows", "ExtensionPublisher": "Microsoft.Azure.ActiveDirectory", "ProvisioningState": "Succeeded" }, "ExcludeBasedOnExtension": { "Windows": { "AllMandatory": false, "Extensions": [ { "Type": "Compute.AKS.Windows.Billing", "Publisher": "Microsoft.AKS", "ExclusionMessage": "VMSS is part of AKS cluster." 
} ] } } }, "Tags": [ "Automated", "AuthN", "Baseline", "VirtualMachineScaleSet" ], "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_Audit_Enable_DataCollectionRule", "Description": "Enable security logging in Azure Virtual Machine Scale Sets", "Id": "VirtualMachineScaleSet340", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSDataCollectionRules", "DisplayName": "Enable security logging in Azure Virtual Machine Scale Sets", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing logs must be enabled as they provide details for investigation in case of a security breach for threats", "Recommendation": "You can change the data collection rules from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-data-collection and while configuring or updating the data collection rule, default Performance counters and event logs should be configured.", "Tags": [ "Baseline", "Audit", "Diagnostics", "ERvNet", "VirtualMachineScaleSet", "ExcludeKubernetes" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DataCollectionRules" ] }, "Enabled": true, "ControlSettings": { "ApplicableOrchestrationModes": [ "Uniform" ], "ExcludeADBVMSS": true, "ExcludeBasedOnExtension": { "Windows": { "AllMandatory": false, "Extensions": [ { "Type": "Compute.AKS.Windows.Billing", "Publisher": "Microsoft.AKS", "ExclusionMessage": "VMSS is part of AKS cluster." 
} ] } }, "RequiredOsType": [ "Windows" ], "Windows": { "ExtensionType": "AzureMonitorWindowsAgent", "ExtensionPublisher": "Microsoft.Azure.Monitor", "ProvisioningState": "Succeeded", "RequiredDiagnosticLogs": [ "Audit Failure", "Audit Success" ], "RequiredAuditLogsValue": "13510798882111488", "AuditLogsConfig": [ { "Name": "Audit Failure", "Value": "4503599627370496" }, { "Name": "Audit Success", "Value": "9007199254740992" } ] } }, "CustomTags": [ "Daily", "TenantBaseline", "TBv14", "SN:VirtualMachineScaleSet_Logging" ] } ] }