last sync: 2023-Jun-09 17:46:13 UTC

Azure Policy definition

Running container images should have vulnerability findings resolved

Name: Running container images should have vulnerability findings resolved
Id: 0fc39691-5a3f-4e3e-94ee-2e6447309ad9
Version: 1.0.2
Category: Security Center
Description: Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect (Default): AuditIfNotExists
Effect (Allowed): AuditIfNotExists, Disabled
RBAC Role(s): none
Rule

Aliases, THEN-ExistenceCondition (1):
  Alias: Microsoft.Security/assessments/status.code
  Namespace: Microsoft.Security
  ResourceType: assessments
  DefaultPath: properties.status.code
  Modifiable: false

ResourceTypes, IF (1):
  Microsoft.ContainerService/managedClusters
Compliance

The following 11 compliance controls are associated with this Policy definition 'Running container images should have vulnerability findings resolved' (0fc39691-5a3f-4e3e-94ee-2e6447309ad9).

Columns: Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#
Azure_Security_Benchmark_v3.0 | DS-6 | Azure_Security_Benchmark_v3.0_DS-6
  Category/Title: Microsoft cloud security benchmark DS-6, DevOps Security: Enforce security of workload throughout DevOps lifecycle
  Owner: Shared
  Requirements:
  **Security Principle:** Ensure the workload is secured throughout the entire lifecycle in the development, testing, and deployment stages. Use Azure Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shifted left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process:
  - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface.
  - Ensure VMs, container images and other artifacts are secure from malicious manipulation.
  - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow.
  - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities at run-time.
  **Azure Guidance:** Guidance for Azure VMs:
  - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images.
  - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Use custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration to deploy and enforce this configuration baseline.
  Guidance for Azure container services:
  - Use Azure Container Registry (ACR) to create your private container registry, where granular access can be restricted through Azure RBAC so that only authorized services and accounts can access the containers in the private registry.
  - Use Defender for Azure Container Registry for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate container image scanning into your CI/CD workflows.
  For Azure serverless services, adopt similar controls to ensure security controls are shifted left to the stage prior to deployment.
  **Implementation and additional context:**
  Shared Image Gallery overview: https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries
  How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
  Security considerations for Azure Container: https://docs.microsoft.com/azure/container-instances/container-instances-image-security
  Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction
  Description: n/a
  Policy#: 4
Azure_Security_Benchmark_v3.0 | PV-6 | Azure_Security_Benchmark_v3.0_PV-6
  Category/Title: Microsoft cloud security benchmark PV-6, Posture and Vulnerability Management: Rapidly and automatically remediate vulnerabilities
  Owner: Shared
  Requirements:
  **Security Principle:** Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
  **Azure Guidance:** Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool, and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime.
  **Implementation and additional context:**
  How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview
  Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm
  Description: n/a
  Policy#: 12
RBI_CSF_Banks_v2016 | 2.3 | RBI_CSF_Banks_v2016_2.3
  Category: Preventing Execution Of Unauthorised Software
  Title: Security Update Management-2.3
  Owner: n/a
  Requirements: Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-In and other similar agencies, and expeditiously apply the security patches as per the patch management policy of the bank. If a patch or series of patches is released by the OEM/manufacturer/vendor for protection against well-known/well-publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process.
  Policy#: 9

RBI_CSF_Banks_v2016 | 6.1 | RBI_CSF_Banks_v2016_6.1
  Category: Application Security Life Cycle (ASLC)
  Title: Application Security Life Cycle (ASLC)-6.1
  Owner: n/a
  Requirements: Incorporate/ensure information security across all stages of the application life cycle.
  Policy#: 3

RBI_CSF_Banks_v2016 | 6.3 | RBI_CSF_Banks_v2016_6.3
  Category: Application Security Life Cycle (ASLC)
  Title: Application Security Life Cycle (ASLC)-6.3
  Owner: n/a
  Requirements: Secure coding practices may also be implemented for internally/collaboratively developed applications.
  Policy#: 3

RBI_CSF_Banks_v2016 | 6.6 | RBI_CSF_Banks_v2016_6.6
  Category: Application Security Life Cycle (ASLC)
  Title: Application Security Life Cycle (ASLC)-6.6
  Owner: n/a
  Requirements: The software/application development approach should be based on threat modelling, incorporate secure coding principles and security testing based on global standards, and ensure secure rollout.
  Policy#: 3

RBI_CSF_Banks_v2016 | 6.7 | RBI_CSF_Banks_v2016_6.7
  Category: Application Security Life Cycle (ASLC)
  Title: Application Security Life Cycle (ASLC)-6.7
  Owner: n/a
  Requirements: Ensure that software/application development practices address vulnerabilities proactively, based on best-practice baselines such as the Open Web Application Security Project (OWASP), and adopt the principle of defence-in-depth to provide a layered security mechanism.
  Policy#: 6

RBI_CSF_Banks_v2016 | 7.1 | RBI_CSF_Banks_v2016_7.1
  Category: Patch/Vulnerability & Change Management
  Title: Patch/Vulnerability & Change Management-7.1
  Owner: n/a
  Requirements: Follow a documented risk-based strategy for inventorying IT components that need to be patched, identifying patches and applying patches, so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.
  Policy#: 12

RBI_CSF_Banks_v2016 | 7.2 | RBI_CSF_Banks_v2016_7.2
  Category: Patch/Vulnerability & Change Management
  Title: Patch/Vulnerability & Change Management-7.2
  Owner: n/a
  Requirements: Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running on end-user devices directly connected to the internet, and in respect of server operating systems/databases/applications/middleware, etc.
  Policy#: 12

RBI_CSF_Banks_v2016 | 7.6 | RBI_CSF_Banks_v2016_7.6
  Category: Patch/Vulnerability & Change Management
  Title: Patch/Vulnerability & Change Management-7.6
  Owner: n/a
  Requirements: As a threat mitigation strategy, identify the root cause of the incident and apply the necessary patches to plug the vulnerabilities.
  Policy#: 21
RBI_ITF_NBFC_v2017 | 3.3 | RBI_ITF_NBFC_v2017_3.3
  Category/Title: RBI IT Framework 3.3, Information and Cyber Security: Vulnerability Management-3.3
  Owner: n/a
  Requirements: A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with them. NBFCs may devise a strategy for managing and eliminating vulnerabilities, and such a strategy may be clearly communicated in the Cyber Security policy.
  Policy#: 14
History

Date/Time (UTC ymd) | Change type | Change detail
2023-05-16 17:42:35 | change | Patch (1.0.1 > 1.0.2) *changes on text case sensitivity are not tracked
2022-01-07 18:14:35 | change | Patch (1.0.0 > 1.0.1) *changes on text case sensitivity are not tracked
2021-12-06 22:17:57 | add | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9
Initiatives (usage)

Initiative DisplayName | Initiative Id | Initiative Category | State | Type
[Preview]: Reserve Bank of India - IT Framework for Banks | d0d5578d-cc08-2b22-31e3-f525374f235a | Regulatory Compliance | Preview | BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC | 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c | Regulatory Compliance | Preview | BuiltIn
Microsoft cloud security benchmark | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center | GA | BuiltIn