Snyk Cloud Rules Database

When this setting is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack.

How to fix?

Set policyDefinitionId to /providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 and enforcementMode to Default.

Example configuration:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2019-09-01",
            "name": "allowed",
            "properties": {
                "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
                "description": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
                "enforcementMode": "Default"
            }
        }
    ]
}

Set policy_definition_id to /providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15, and set enforce to true or remove the attribute.

Example configuration:

resource "azurerm_subscription_policy_assignment" "allowed" { 
  name = "monitor-os-vulnerabilities" 
  subscription_id = data.azurerm_subscription.current.id 
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15" 
  description = "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations" 
  display_name = "Vulnerabilities in security configuration on your machines should be remediated" 
  enforce = true
}

Security Center default policy setting 'Monitor OS Vulnerabilities' is not enabled Affecting Security Center service in Azure

Severity

Is your environment affected by this misconfiguration?

Description

How to fix?

Terraform

References