Using CIS Hardened Linux Images with Azure Log Analytics & Update Manager
Product Name: CIS Hardened Images® (Azure)
Product Version: all (Linux)
Date: Nov 9, 2022
Problem
As configured with the default Hardening options and applied Recommendations, CIS Hardened Linux Images on Azure do not successfully integrate with Azure Monitor Log Analytics or Azure Automation Update Management.
Solution
Follow the steps below to enable these features on CIS Hardened Images in Azure.
Configuring Azure Monitoring / Log Analytics Agent
1. On the selected Hardened Image, ensure the attached Network Security Group allows access on
2. Install and configure the Azure CLI on the instance; refer to the link below for all supported platforms:
3. Gather your Workspace key and Workspace ID from your Log Analytics Workspace.
4. Run the following command on your Hardened Image instance, substituting your own resource group, VM name, workspace key and workspace ID for the placeholder values (the line continuations let the command be pasted as one shell command):
   az vm extension set \
     --resource-group myResourceGroup \
     --vm-name myVM \
     --name OmsAgentForLinux \
     --publisher Microsoft.EnterpriseCloud.Monitoring \
     --version 1.10.1 \
     --protected-settings '{"workspaceKey":"myWorkspaceKey"}' \
     --settings '{"workspaceId":"myWorkspaceId"}'
5. Return to your Log Analytics Workspace and click Activity log on the side panel to verify that the extension has been added successfully, and monitor any notifications that follow.
Configuring Azure Update Manager
Apply the changes to the Recommendations described below before the instance is added to an Azure Automation Account and Azure Update Manager.
If the instance has already been added, remove it and re-add it after the changes have been made.
In alignment with the corresponding CIS Benchmarks, a CIS Hardened Image sets the following parameters in /etc/profile.d/tmout.sh: TMOUT=900, readonly TMOUT, export TMOUT.
However, Update Manager requires a shell for the omsagent user to apply updates, gather heartbeat/status information, and send the assessment information back to Azure, and TMOUT makes that shell exit after 900 seconds without input.
To remedy this:
1. Remove the TMOUT=900, readonly TMOUT and export TMOUT parameters from /etc/profile.d/tmout.sh.
2. Add the instances to Azure Update Manager after this change has been made.
You can track the logs at /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log to ensure the instance is forwarding the logs as intended. You should see output similar to the example below (the key line being the "Sending available updates" message):
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Filtering xml size=158
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : Sending available updates information data. Hash=55f821
2021-11-22 16:12:57 +0000 [info]: LinuxUpdates : installedPackages x 0, availableUpdates x 0
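The following script is an added example, not part of the CIS article and not CIS or Microsoft tooling: it carries out the TMOUT removal described above on /etc/profile.d/tmout.sh (keeping a backup and leaving every other line in the file intact) and then checks the omsagent log for the "Sending available updates" message. It assumes a POSIX shell with a sed that accepts -E (GNU or BSD); the file paths default to the ones the article gives, and WORKSPACE_ID is a placeholder you must set to your own Log Analytics workspace ID. Run it with --apply as root on the instance; without arguments it only defines the functions so they can be exercised against copies of the files.

```shell
#!/bin/sh
# Added example (not from the CIS KB article): remove the TMOUT settings from
# /etc/profile.d/tmout.sh as the article describes, then confirm from the
# omsagent log that the instance is reporting available updates to Azure.
# Paths are parameters so the functions can be tried on copies of the files.

TMOUT_SH="${TMOUT_SH:-/etc/profile.d/tmout.sh}"
# Placeholder: set to your Log Analytics workspace ID (the article elides it).
WORKSPACE_ID="${WORKSPACE_ID:-<workspace id>}"
OMS_LOG="${OMS_LOG:-/var/opt/microsoft/omsagent/$WORKSPACE_ID/log/omsagent.log}"

# Matches the three lines the article says to remove
# (TMOUT=900, readonly TMOUT, export TMOUT); leading whitespace is tolerated.
TMOUT_RE='^[[:space:]]*(TMOUT=|readonly[[:space:]]+TMOUT|export[[:space:]]+TMOUT)'

# Returns 0 if the given file still sets TMOUT, 1 if it does not or is missing.
tmout_is_set() {
  [ -f "$1" ] && grep -qE "$TMOUT_RE" "$1"
}

# Strips the TMOUT lines from the given file in place, leaving a timestamped
# backup beside it and keeping all other lines (comments, umask, ...) as they were.
strip_tmout() {
  f="$1"
  [ -f "$f" ] || { echo "strip_tmout: no such file: $f" >&2; return 1; }
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
  tmp="$f.tmp.$$"
  sed -E "/$TMOUT_RE/d" "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Write back with cat rather than mv so the file keeps its owner and mode.
  cat "$tmp" > "$f" && rm -f "$tmp"
}

# Returns 0 if the omsagent log contains the "Sending available updates"
# message the article says to look for, 1 if it does not or the log is missing.
updates_reported() {
  [ -f "$1" ] && grep -q 'LinuxUpdates : Sending available updates information data' "$1"
}

# With --apply the script performs the change and reports; with no arguments it
# only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
  if tmout_is_set "$TMOUT_SH"; then
    strip_tmout "$TMOUT_SH" && echo "TMOUT settings removed from $TMOUT_SH (backup kept alongside)"
  else
    echo "No TMOUT settings found in $TMOUT_SH; nothing to do"
  fi
  if updates_reported "$OMS_LOG"; then
    echo "omsagent is sending available-updates data (see $OMS_LOG)"
  else
    echo "No 'Sending available updates' message yet in $OMS_LOG; re-check after the instance is added to Update Manager" >&2
  fi
fi
```

The backup file is kept so the Benchmark setting can be restored if the instance is later removed from Update Manager, and the write-back uses cat rather than mv so that the ownership and mode of the hardened file are preserved.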
Keywords: Azure, Hardened Image, Linux, Update Manager, Log Analytics