Monitor OS Vulnerabilities setting is not enabled
More Info:
Enable OS Vulnerabilities recommendations for virtual machines.Risk Level
LowAddress
Security, Operational MaturityCompliance Standards
SOC2, ISO27001, HIPAATriage and Remediation
Remediation
Using Console
Using Console
To remediate the “Monitor OS Vulnerabilities setting is not enabled” misconfiguration in Azure using the Azure console, you can follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Navigate to the Azure Security Center from the left-hand menu.
- Click on the “Security policy” tab.
- Select the subscription you want to remediate.
- Click on the “Edit” button next to the security policy.
- Scroll down to the “Endpoint protection” section.
- Under “Operating system vulnerabilities”, make sure the “Monitor” setting is enabled.
- If it is not enabled, click on the “On” button to enable it.
- Click on the “Save” button to save the changes.
- Wait for the changes to take effect.
Using CLI
Using CLI
To remediate the “Monitor OS Vulnerabilities setting is not enabled” misconfiguration in AZURE using AZURE CLI, follow the below steps:
-
Open the AZURE CLI and login to your AZURE account using the command
az login. -
Once you are successfully logged in, run the command
az account set --subscription <subscription_id>to set your subscription ID. -
Next, run the command
az policy definition create --name 'Monitor-OS-Vulnerabilities' --mode All --rules 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/monitor-vm-os-vulnerabilities/azurepolicy.rules.json' --params 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/monitor-vm-os-vulnerabilities/azurepolicy.parameters.json' --display-name 'Monitor OS Vulnerabilities' --description 'This policy enables monitoring of OS vulnerabilities on virtual machines'to create a new policy definition. -
After the policy definition is created, assign it to the scope where you want to enable the “Monitor OS Vulnerabilities” setting. For example, to assign it to a resource group, run the command
az policy assignment create --name 'Monitor-OS-Vulnerabilities-Assignment' --scope /subscriptions/<subscription_id>/resourceGroups/<resource_group_name> --policy 'Monitor-OS-Vulnerabilities'. -
Finally, verify that the policy assignment is successfully applied by running the command
az policy assignment show --name 'Monitor-OS-Vulnerabilities-Assignment' --query 'properties.status.message'. The output should show “Policy assignment is compliant” which means the “Monitor OS Vulnerabilities” setting is enabled.
Using Python
Using Python
To remediate the “Monitor OS Vulnerabilities setting is not enabled” misconfiguration in Azure using Python, you can use the Azure SDK for Python. Here are the step-by-step instructions:Note: Replace
- Install the Azure SDK for Python using pip:
- Import the necessary modules:
- Authenticate to Azure using a service principal:
- Instantiate the
MonitorManagementClientusing the authenticated credentials:
- Get the existing diagnostic settings for the resource you want to remediate:
- Check if the “Security” diagnostic setting is already enabled:
- If the “Security” diagnostic setting is not enabled, enable it:
<your-client-id>, <your-client-secret>, <your-tenant-id>, <your-subscription-id>, <your-resource-group>, <your-vm-name>, <your-event-hub-name>, and <your-event-hub-auth-rule-id> with your own values.These steps will enable the “Monitor OS Vulnerabilities” setting for the specified virtual machine in Azure.