Azure VMSS Health Monitoring Not Enabled
ID: azure-vmss-health-monitoring-missing
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
Description
Section titled “Description”Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.
YAML Source
Section titled “YAML Source”id: azure-vmss-health-monitoring-missinginfo: name: Azure VMSS Health Monitoring Not Enabled author: princechaddha severity: medium description: | Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations. impact: | Without enabling the Application Health extension, the VM instances may not be eligible for important OS upgrades or repairs, potentially leading to higher vulnerability and system instability. remediation: | Enable the Application Health extension in your Azure VMSS instances to ensure continuous health monitoring and eligibility for necessary upgrades and repairs. reference: - https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: | code(1); for (let VMSSData of iterate(template.vmssList)) { VMSSData = JSON.parse(VMSSData); set("name", VMSSData.name); set("resourceGroup", VMSSData.resourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors: - type: json name: vmssList internal: true json: - '.[]'
- engine: - sh - bash source: | az vmss show --name "$name" --resource-group "$resourceGroup" --query 'virtualMachineProfile.extensionProfile.extensions[*].name'
matchers-condition: and matchers: - type: word words: - '['
- type: word words: - 'ApplicationHealthLinux' - 'healthRepairExtension' negative: true
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " does not have health monitoring enabled"'# digest: 4a0a0047304502210099fdefb7bb4678883edf03d7f72c77263ed6d9fa53a688e4293f730b3ea4052802203160466184b179839207d6f030efc907a867bc433026e04e590641ad40eb72d4:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/virtualmachines/azure-vmss-health-monitoring-missing.yaml"