Azure VMSS Automatic Instance Repairs Not Enabled
ID: azure-vmss-auto-repairs-disabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
Description
Section titled “Description”Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
YAML Source
Section titled “YAML Source”id: azure-vmss-auto-repairs-disabledinfo: name: Azure VMSS Automatic Instance Repairs Not Enabled author: princechaddha severity: medium description: | Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it. impact: | Not having Automatic Instance Repairs enabled can lead to prolonged downtime and potential service disruption as unhealthy instances may not be promptly replaced. remediation: | Enable the Automatic Instance Repairs feature for Azure VMSS to ensure high availability and resilience of your applications. reference: - https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: | code(1); for (let ScaleSetData of iterate(template.scaleSetList)) { ScaleSetData = JSON.parse(ScaleSetData); set("name", ScaleSetData.name); set("resourceGroup", ScaleSetData.resourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors: - type: json name: scaleSetList internal: true json: - '.[]'
- engine: - sh - bash source: | az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'
matchers-condition: and matchers: - type: word words: - '"AutomaticRepairsPolicyEnabled": null'
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " does not have automatic instance repairs enabled"'# digest: 4a0a0047304502200bb2271ef7c206d28dbb7dc16cfb6f7d7a4045a7c8f06bf25fa5d1fd7e324ae6022100cefef05d5f9721948ba2957f0c9c0a8967b485cbf731acac5a9fdb3e7d04e877:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/virtualmachines/azure-vmss-auto-repairs-disabled.yaml"