Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.
PoC代码[已公开]
id: azure-vmss-health-monitoring-missing
info:
name: Azure VMSS Health Monitoring Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.
impact: |
Without enabling the Application Health extension, the VM instances may not be eligible for important OS upgrades or repairs, potentially leading to higher vulnerability and system instability.
remediation: |
Enable the Application Health extension in your Azure VMSS instances to ensure continuous health monitoring and eligibility for necessary upgrades and repairs.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let VMSSData of iterate(template.vmssList)) {
VMSSData = JSON.parse(VMSSData);
set("name", VMSSData.name);
set("resourceGroup", VMSSData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: vmssList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query 'virtualMachineProfile.extensionProfile.extensions[*].name'
matchers-condition: and
matchers:
- type: word
words:
- '['
- type: word
words:
- 'ApplicationHealthLinux'
- 'healthRepairExtension'
negative: true
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " does not have health monitoring enabled"'
# digest: 4a0a0047304502210099fdefb7bb4678883edf03d7f72c77263ed6d9fa53a688e4293f730b3ea4052802203160466184b179839207d6f030efc907a867bc433026e04e590641ad40eb72d4:922c64590222798bb761d5b6d8e72950