Using CIS Hardened Linux Images with Azure Log Analytics & Update Manager


Product Name: CIS Hardened Images® (Azure)

Product Version: all (Linux)

Date: Nov 9, 2022



Problem

As configured with the default Hardening options and applied Recommendations, CIS Hardened Linux Images on Azure do not successfully integrate with Azure Monitor Log Analytics or Azure Automation Update Management.

Solution

Follow the steps below to enable these features on CIS Hardened Images in Azure.

Configuring Azure Monitoring / Log Analytics Agent

1. On the selected Hardened Image, ensure the attached Network Security Group allows outbound access on TCP port 443.

2. Install and configure the Azure CLI on the instance; refer to the link below for all supported platforms:
   https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

3. Gather your Workspace Key and Workspace ID from your Log Analytics Workspace.

  • Navigate to Log Analytics Workspaces

  • Click on your workspace

  • On the left panel, select “Advanced Settings”
    (or “Agents Management” in newer revisions)

4. Run the following command on your Hardened Image instance, substituting the values as outlined below:

az vm extension set --resource-group myResourceGroup --vm-name myVM --name OmsAgentForLinux --publisher Microsoft.EnterpriseCloud.Monitoring --version 1.10.1 --protected-settings '{"workspaceKey":"myWorkspaceKey"}' --settings '{"workspaceId":"myWorkspaceId"}'

  • Change myResourceGroup to your Resource Group name

  • Change myVM to your instance name

  • Change myWorkspaceKey and myWorkspaceId to the values copied from your Log Analytics Workspace

5. Return to your Log Analytics Workspace and click Activity log on the side panel to verify that the extension has been added successfully; monitor any notifications that follow.
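As an added example (not part of the CIS article and not Azure's own tooling), the following POSIX shell wrapper around the command in step 4 checks that the Workspace ID is a GUID and that the Workspace Key is base64 text before calling the Azure CLI, and reads the key from an environment variable rather than the command line so it is not written to shell history. The function and variable names (is_workspace_id, is_workspace_key, install_oms_agent, WORKSPACE_KEY, DRY_RUN) are this example's own; the az flags and values are those shown in step 4.

```shell
#!/bin/sh
# Added example (not CIS's or Microsoft's code): validates the inputs to the
# article's "az vm extension set" command and keeps the workspace key out of
# the command line. Names here are this example's own, not Azure CLI's.

# Log Analytics workspace IDs are GUIDs (8-4-4-4-12 hex groups).
is_workspace_id() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Workspace keys are base64: base64 alphabet, up to two "=" of padding,
# and a total length that is a multiple of 4.
is_workspace_key() {
    key=$1
    [ $(( ${#key} % 4 )) -eq 0 ] || return 1
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Arguments: resource group, VM name, workspace ID.
# The key is taken from $WORKSPACE_KEY. With DRY_RUN=1 the command is printed
# (key redacted) instead of executed.
install_oms_agent() {
    rg=$1; vm=$2; ws_id=$3
    is_workspace_id "$ws_id" || { echo "invalid workspace ID: $ws_id" >&2; return 1; }
    is_workspace_key "${WORKSPACE_KEY:-}" || { echo "WORKSPACE_KEY unset or not base64" >&2; return 1; }
    settings="{\"workspaceId\":\"$ws_id\"}"
    protected="{\"workspaceKey\":\"$WORKSPACE_KEY\"}"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # The key itself is deliberately never echoed.
        printf 'az vm extension set --resource-group %s --vm-name %s --name OmsAgentForLinux --publisher Microsoft.EnterpriseCloud.Monitoring --version 1.10.1 --settings %s --protected-settings <redacted>\n' "$rg" "$vm" "$settings"
        return 0
    fi
    az vm extension set --resource-group "$rg" --vm-name "$vm" \
        --name OmsAgentForLinux --publisher Microsoft.EnterpriseCloud.Monitoring \
        --version 1.10.1 --settings "$settings" --protected-settings "$protected"
}

# Usage (constructed values):
#   export WORKSPACE_KEY='<key from the workspace Agents Management page>'
#   DRY_RUN=1 install_oms_agent myResourceGroup myVM 12345678-abcd-ef01-2345-6789abcdef01
```

Run it once with DRY_RUN=1 to confirm the generated command, then without it to apply the extension; step 5 still applies for verifying the result in the Activity log.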


Configuring Azure Update Manager

Make the changes to the Recommendations described below before the instance is added to Azure Automation Accounts and Azure Update Manager.

If the instance already exists, remove it and re-add it after the changes have been made.

In alignment with the corresponding CIS Benchmarks, the following parameters are set on a CIS Hardened Image in /etc/profile.d/tmout.sh:
TMOUT=900, readonly TMOUT, export TMOUT

However, Update Manager requires a shell session running as the omsagent user to apply updates, gather heartbeat/status information, and send the assessment information back to Azure; the 900-second idle timeout set by TMOUT ends that session.

To remedy this:

  • Remove the TMOUT=900, readonly TMOUT, export TMOUT parameters from /etc/profile.d/tmout.sh

  • Add the instances to Azure Update Manager after this change has been made

You can track the logs at:
/var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
to ensure the instance is successfully forwarding the logs as intended. You should see output similar to the example below (the main focus being the Sending available updates message):

2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Filtering xml size=158
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : installedPackages x 0, availableUpdates x 0
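An added example, not the article's own or Microsoft's code, covering both the TMOUT change and the log check above: strip_tmout removes the three TMOUT lines from a profile.d script (assumed here to hold one setting per line, as the CIS Benchmark recommendation is usually written) and keeps a .bak copy, tmout_lines reports how many TMOUT references remain, and log_shows_update_send looks for the Sending available updates line in an omsagent.log. Both take the file path as an argument so they can be tried on a copy before touching /etc/profile.d/tmout.sh. The function names, the RUN_DEMO switch and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not CIS's or Microsoft's code): apply and verify the
# Update Manager change the article describes. Paths are passed in so the
# functions can be exercised on copies; the real files are
# /etc/profile.d/tmout.sh and /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log.

# Remove the TMOUT=900 / readonly TMOUT / export TMOUT lines, keeping FILE.bak.
# Assumes one setting per line. Idempotent: a second run changes nothing.
strip_tmout() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    # grep -v exits 1 when every line was removed; that is still success here.
    grep -Ev '^[[:space:]]*(TMOUT=|readonly[[:space:]]+TMOUT|export[[:space:]]+TMOUT)' "$f.bak" > "$f" || true
}

# Print the number of lines still mentioning TMOUT (0 after a successful strip).
tmout_lines() {
    grep -Ec 'TMOUT' "$1" || true
}

# Succeed (exit 0) if the omsagent log records an updates report being sent.
log_shows_update_send() {
    grep -q 'LinuxUpdates : Sending available updates' "$1"
}

# Demonstration on constructed copies in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > "$d/tmout.sh"   # constructed
    strip_tmout "$d/tmout.sh"
    echo "TMOUT lines left after strip: $(tmout_lines "$d/tmout.sh")"
    # constructed log line in the format shown in the article
    printf '%s\n' '2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821' > "$d/omsagent.log"
    if log_shows_update_send "$d/omsagent.log"; then
        echo "omsagent is sending update assessments"
    else
        echo "no update assessment sent yet; re-check after Update Manager enrolment"
    fi
    rm -rf "$d"
}

[ "${RUN_DEMO:-0}" = 1 ] && demo
```

Run with RUN_DEMO=1 to see the demonstration; against a live instance, call strip_tmout on /etc/profile.d/tmout.sh as root, then enrol the instance in Update Manager and poll log_shows_update_send on the omsagent.log path until it succeeds.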


Keywords: Azure, Hardened Image, Linux, Update Manager, Log Analytics


Copyright © 2022

Center for Internet Security®