Product Name: CIS Hardened Images® (Azure)

Product Version: all (Linux)

Date:

Problem

As configured with the default Hardening options and applied Recommendations, CIS Hardened Linux Images on Azure do not successfully integrate with Azure Monitor Log Analytics or Azure Automation Update Management.

Solution

Follow the steps below to enable these features on CIS Hardened Images in Azure.


Configuring Azure Monitoring / Log Analytics Agent

1. On the selected Hardened Image, ensure the attached Network Security Group allows outbound access on TCP port 443.

2. Install and configure Azure CLI on the instance; refer to the link below for all supported platforms:
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

3. Gather your Workspace key and Workspace ID from your Log Analytics Workspace:

  • Navigate to Log Analytics Workspaces

  • Click on your workspace

  • On the left panel, select “Advanced Settings” (or “Agents Management” in newer revisions)

4. Run the following command on your Hardened Image instance, substituting the values as outlined below:

    az vm extension set \
      --resource-group myResourceGroup \
      --vm-name myVM \
      --name OmsAgentForLinux \
      --publisher Microsoft.EnterpriseCloud.Monitoring \
      --version 1.10.1 \
      --protected-settings '{"workspaceKey":"myWorkspaceKey"}' \
      --settings '{"workspaceId":"myWorkspaceId"}'

  • Replace myResourceGroup with your Resource Group name

  • Replace myVM with your instance name

  • Replace myWorkspaceKey and myWorkspaceId with the values copied from your Log Analytics Workspace

5. Return to your Log Analytics Workspace and click Activity log on the side panel to verify that the extension has been added successfully, and monitor any notifications that follow.


Configuring Azure Update Manager


Make the changes to the Recommendations described below before the instance is added to Azure Automation Accounts and Azure Update Manager.

If the instance already exists, remove it and re-add it after the changes have been made.

In alignment with the corresponding CIS Benchmarks, the following parameters are set on a CIS Hardened Image in /etc/profile.d/tmout.sh:
TMOUT=900, readonly TMOUT, export TMOUT

However, Update Manager requires a shell for the omsagent user in order to apply updates, gather heartbeat/status information, and send the assessment information back to Azure.

To remedy this:

  • Remove the TMOUT=900, readonly TMOUT, export TMOUT parameters from /etc/profile.d/tmout.sh

  • Add the instances to Azure Update Manager after this change has been made

To confirm that the instance is forwarding logs as intended, check the agent log at:
/var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
You should see output similar to the example below (the key line being the "Sending available updates" message):

    2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Filtering xml size=158
    2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821
    2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : installedPackages x 0, availableUpdates x 0
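The following script is an added example (not part of the original page or of CIS's tooling) that checks the two conditions this section relies on: that /etc/profile.d/tmout.sh no longer sets a read-only TMOUT, and that omsagent.log contains the "Sending available updates" message. The tmout.sh and log contents it operates on are constructed copies of the page's samples so it runs offline; on a real instance point the functions at the live files.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the CIS TMOUT setting and
# the omsagent update-status log described in the Update Manager section.

# Return 0 if the profile script still sets, locks or exports TMOUT.
tmout_still_enforced() {
  [ -f "$1" ] || return 1
  grep -Eq '^[[:space:]]*(TMOUT=|readonly[[:space:]]+TMOUT|export[[:space:]]+TMOUT)' "$1"
}

# Return 0 if the omsagent log contains the "Sending available updates" message.
updates_reported() {
  grep -q 'LinuxUpdates : Sending available updates information data' "$1"
}

# Print the availableUpdates count from the most recent status line, or "none".
available_updates_count() {
  n=$(sed -n 's/.*availableUpdates x \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${n:-none}"
}

# Constructed sample inputs (mirror the page's tmout.sh values and log lines).
WORK=$(mktemp -d)
SAMPLE_TMOUT="$WORK/tmout.sh"
SAMPLE_LOG="$WORK/omsagent.log"
printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > "$SAMPLE_TMOUT"
cat > "$SAMPLE_LOG" <<'EOF'
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Filtering xml size=158
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : installedPackages x 0, availableUpdates x 0
EOF

# Print one line per check; $1 is the tmout.sh path, $2 the omsagent.log path.
report() {
  if tmout_still_enforced "$1"; then
    echo "WARN: $1 still enforces TMOUT; omsagent sessions for Update Manager will time out"
  else
    echo "OK:   $1 does not enforce TMOUT"
  fi
  if updates_reported "$2"; then
    echo "OK:   agent sent available updates (count: $(available_updates_count "$2"))"
  else
    echo "WARN: no 'Sending available updates' message in $2"
  fi
}

report "$SAMPLE_TMOUT" "$SAMPLE_LOG"
# With the constructed inputs: TMOUT WARN line, then updates OK line with count 0.
```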


Keywords: Azure, Hardened Image, Linux, Update Manager, Log Analytics


Copyright © 2022

Center for Internet Security®


Linked ticket: SUPPORT-22766

Created by: Allan Cornwell

Reviewed by: Andrew Dannenberger, Nick Romanzo, Parami Swenson, Perfect Tangban (Unlicensed), Amanda McGown, Chuck Cerny

Approved by: Support

Remove by: