module/ConfigurationProvider/ControlConfigurations/Services/VirtualMachineScaleSet.json
|
{
"FeatureName": "VirtualMachineScaleSet", "Reference": "aka.ms/azsktcp/virtualmachinescaleset", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_VirtualMachineScaleSet_Deploy_Monitoring_Agent", "Description": "Log analytics agent should be installed on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSMonitoringAgent", "Rationale": "Installing the Log Analytics extension for Windows and Linux allows Azure Monitor to collect data from your Azure VM Scale Sets which can be used for detailed analysis and correlation of events.", "Recommendation": "Run following commands: 1- `$allVersions= (Get-AzVMExtensionImage -Location 'eastus' -PublisherName 'Microsoft.EnterpriseCloud.Monitoring' -Type 'MicrosoftMonitoringAgent or OmsAgentForLinux').Version 2- `$versionString = `$allVersions[(`$allVersions.count)-1].Split('.')[0] + '.' + `$allVersions[(`$allVersions.count)-1].Split('.')[1] 3- `$VMSS = Get-AzVmss -ResourceGroupName <VMSS RG Name> -VMScaleSetName <VMSS Name> 4- Add-AzVmssExtension -VirtualMachineScaleSet `$VMSS -Name 'MicrosoftMonitoringAgent' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -Type 'MicrosoftMonitoringAgent or OmsAgentForLinux' -TypeHandlerVersion `$versionString -Setting '{'workspaceId': '<your workspace ID here>'}' -ProtectedSetting '{'workspaceKey': '<your workspace key here>'}' 5- Update-AzVmss -ResourceGroupName <VMSS RG Name> -Name <VMSS Name> -VirtualMachineScaleSet `$VMSS ", "Tags": [ "SDL", "TCP", "Automated", "Deploy", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Log analytics agent should be installed on Virtual Machine Scale Set", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "ControlSettings": { "LinuxExtensionType": "OmsAgentForLinux", "LinuxExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring", "WindowsExtensionType": "MicrosoftMonitoringAgent", "WindowsExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring" }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Enable_Antimalware", "Description": "Antimalware must be enabled with real time protection on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet120", "DisplayName": "Antimalware must be enabled with real time protection on Virtual Machine Scale Set", "Category": "Deploy antimalware extension", "ControlRequirements": "Anti-malware must be up to date and running", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSAntimalwareExtension", "Rationale": "Enabling antimalware protection minimizes the risks from existing and new attacks from various types of malware. Microsoft Antimalware provide real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection etc.", "Recommendation": "To install antimalware, Go to Azure Portal --> VMSS --> Settings --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. To turn on antimalware using powershell,refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set", "Tags": [ "SI", "ERvNet", "ExcludeServiceFabric", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "VMInstance" ] }, "Enabled": true, "ControlSettings": { "ExtensionType": "IaaSAntimalware", "Publisher": "Microsoft.Azure.Security", "ExclusionTags": [ { "Description": "VM is part of AKS cluster.", "TagName": "orchestrator", "TagValue": "kubernetes" }, { "Description": "VM is part of Service Fabric.", "TagName": "resourcetype", "TagValue": "service fabric" } ] }, "CustomTags": [ "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_Audit_Enable_Diagnostics", "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSDiagnostics", "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/cli/azure/vmss/diagnostics?view=azure-cli-latest", "Tags": [ "SDL", "TCP", "Automated", "Audit", "ERvNet", "ExcludeServiceFabric", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine Scale Set", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "ControlSettings": { "LinuxExtensionType": "LinuxDiagnostic", "LinuxExtensionPublisher": "Microsoft.OSTCExtensions", "WindowsExtensionType": "IaaSDiagnostics", "WindowsExtensionPublisher": "Microsoft.Azure.Diagnostics" }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_DP_Enable_Disk_Encryption", "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet150", "DisplayName": "Disk encryption should be applied on virtual machine scale sets", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSDiskEncryption", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VM Scale Set, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.", "Recommendation": "Refer: https://docs.microsoft.com/en-in/azure/virtual-machine-scale-sets/disk-encryption-powershell", "Tags": [ "SDL", "TCP", "Automated", "DP", "ERvNet", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "AzureDiskEncryptionExtension": { "ExtensionDefaultName": "AzureDiskEncryption", "LinuxExtensionDefaultName": "AzureDiskEncryptionForLinux" } }, "CustomTags": [ "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Latest_Model_Applied", "Description": "All VMs in VM Scale Set must be up-to-date with the latest scale set model", "Id": "VirtualMachineScaleSet160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSInstancesStatus", "Rationale": "All the security configurations applied on VM Scale Set will be effective only if all the individual VM instances in Scale Set is up-to-date with the latest overall Scale Set model", "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model.", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet", "ExcludeServiceFabric", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "All VMs in VM Scale Set must be up-to-date with the latest scale set model", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [ "Linux", "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "VirtualMachineScaleSet170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Virtual Machine Scale Set. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "VirtualMachineScaleSet" ], "Enabled": false, "CustomTags": [ "Linux", "Windows" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_NetSec_Justify_PublicIPs", "Description": "Public IPs on a Virtual Machine Scale Set instances should be carefully reviewed", "Id": "VirtualMachineScaleSet180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSPublicIP", "Rationale": "Public IPs provide direct access over the internet exposing the VMSS instance to attacks over the public network. Hence each public IP on a VMSS instance must be reviewed carefully.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Public IPs on a Virtual Machine Scale Set instances should be carefully reviewed", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "VMPublicIP" ] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_Config_Enable_NSG", "Description": "NSG must be configured for Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSNSGConfig", "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM Scale Set by reducing the attack surface.", "Recommendation": "To apply NSG at scale set, refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#nsg--asgs-per-scale-set or to apply NSG at subnet level, refer: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic#associate-network-security-group-to-subnet", "Tags": [ "SDL", "TCP", "Automated", "Config", "ExcludeServiceFabric", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "NSG must be configured for Virtual Machine Scale Set", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "VMPublicIP" ] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_NetSec_Dont_Open_Management_Ports", "Description": "Do not leave management ports open on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet200", "DisplayName": "Management ports must not be open on Virtual Machine Scale Sets", "Category": "Management interfaces and ports must not be open", "ControlRequirements": "Restrict network traffic flows", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVMSSOpenPorts", "Rationale": "Open remote management ports expose a VMSS instance/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.", "Recommendation": "Go to Azure Portal --> VM Scale Set --> Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Delete' under Action --> Click Save.", "Tags": [ "NetSec", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "ControlSettings": { "RestrictedPortsForWindows": "445,3389,5985", "RestrictedPortsForLinux": "445,3389,22" }, "CustomTags": [ "Windows", "Linux", "ExcludeERVnetConnectedInstance" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Enable_Auto_OS_Upgrade", "Description": "Enable automatic OS image upgrade on Virtual Machine Scale Set", "Id": "VirtualMachineScaleSet210", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMSSAutoOSUpgrade", "Rationale": "Being on the latest OS version significantly reduces risks from security design issues and security bugs that may be present in previous versions.", "Recommendation": "To configure auto OS image upgarde on VM Scale Set, please refer: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade", "Tags": [ "SDL", "TCP", "Automated", "SI", "ERvNet", "ExcludeKubernetes", "VirtualMachineScaleSet", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Enable automatic OS image upgrade on Virtual Machine Scale Set", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Missing_OS_Patches", "Description": "Virtual Machine Scale Set must have all the required OS patches installed.", "Id": "VirtualMachineScaleSet220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "System updates on virtual machine scale sets must be installed", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "bd20bd91-aaf1-7f14-b6e4-866de2f43146", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "bd20bd91-aaf1-7f14-b6e4-866de2f43146" ] }, "PolicyDefinitionId": "", "Rationale": "Un-patched VMSSs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates . It takes 24 hours to reflect the latest status at MDC.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SI", "ERvNet", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "CustomTags": [ "Windows", "SOX", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_SI_Remediate_Security_Vulnerabilities", "Description": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated.", "Id": "VirtualMachineScaleSet230", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "Vulnerabilities in security configuration on your virtual machine scale sets must be remediated.", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "8941d121-f740-35f6-952c-6561d2b38d36", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "8941d121-f740-35f6-952c-6561d2b38d36" ] }, "PolicyDefinitionId": "", "Recommendation": "Go to security center --> Compute & apps --> VM scale sets --> Click on VMSS name --> Click on VMSS Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities", "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Tags": [ "SDL", "Automated", "Audit", "SI", "VirtualMachineScaleSet", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "CustomTags": [ "Windows", "SOX", "Linux" ] }, { "ControlID": "Azure_VirtualMachineScaleSet_DP_Avoid_Plaintext_Secrets_Trial", "Description": "VirtualMachineScaleSet must not have secrets/credentials present in plain text", "Id": "VirtualMachineScaleSet240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "AvoidPlaintextSecrets", "DisplayName": "VirtualMachineScaleSet must not have secrets/credentials present in plain text", "Category": "Credentials Access", "ControlRequirements": "Eliminating plain text credentials", "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline", "Daily", "Trial" ], "Enabled": true } ] } |