last sync: 2024-Nov-25 18:54:24 UTC

Machines should have secret findings resolved

Azure BuiltIn Policy definition

Source Azure Portal
Display name Machines should have secret findings resolved
Id 3ac7c827-eea2-4bde-acc7-9568cd320efa
Version 1.0.2
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.2
Built-in Versioning [Preview]
Category Security Center
Microsoft Learn
Description Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code True False
Rule resource types IF (2)
Microsoft.ClassicCompute/virtualMachines
Microsoft.Compute/virtualMachines
Compliance
The following 3 compliance controls are associated with this Policy definition 'Machines should have secret findings resolved' (3ac7c827-eea2-4bde-acc7-9568cd320efa)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-8 Azure_Security_Benchmark_v3.0_IM-8 Microsoft cloud security benchmark IM-8 Identity Management Restrict the exposure of credential and secrets Shared **Security Principle:** Ensure that application developers securely handle credentials and secrets: - Avoid embedding the credentials and secrets into the code and configuration files - Use key vault or a secure key store service to store the credentials and secrets - Scan for credentials in source code. Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process **Azure Guidance:** Ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files. - Implement Azure DevOps Credential Scanner to identify credentials within the code. - For GitHub, use the native secret scanning feature to identify credentials or other form of secrets within the code. Clients such as Azure Functions, Azure Apps services, and VMs can use managed identities to access Azure Key Vault securely. See Data Protection controls related to the use of Azure Key Vault for secrets management. **Implementation and additional context:** How to setup Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html GitHub secret scanning: https://docs.github.com/github/administering-a-repository/about-secret-scanning n/a link 3
Azure_Security_Benchmark_v3.0 PV-5 Azure_Security_Benchmark_v3.0_PV-5 Microsoft cloud security benchmark PV-5 Posture and Vulnerability Management Perform vulnerability assessments Shared **Security Principle:** Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. **Azure Guidance:** Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Note: Azure Defender services (including Defender for server, container registry, App Service, SQL, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. Note: Ensure your setup email notifications in Microsoft Defender for Cloud. **Implementation and additional context:** How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results n/a link 4
New_Zealand_ISM 06.2.6.C.01 New_Zealand_ISM_06.2.6.C.01 New_Zealand_ISM_06.2.6.C.01 06. Information security monitoring 06.2.6.C.01 Resolving vulnerabilities n/a Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment. 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-08-03 17:56:09 change Patch (1.0.1 > 1.0.2)
2023-07-03 17:55:16 change Patch (1.0.0 > 1.0.1)
2023-06-26 17:52:13 add 3ac7c827-eea2-4bde-acc7-9568cd320efa
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC