Summarizing Security Status of Ubuntu Machines on Azure with Runbooks

Key          Value
Summary      Summarizing Security Status of Ubuntu Machines on Azure with Runbooks
Categories   cloud, Azure
Difficulty   2
Author       @jota-ce

Overview

Ensuring that all machines in an Azure subscription are up-to-date with the latest security updates is crucial for maintaining a secure infrastructure. The pro security-status command can help identify machines that are missing security updates.

pro security-status is a built-in command that comes with Ubuntu. It provides information on the security status of the packages installed on a machine, including any available Expanded Security Maintenance (ESM) related content. It generates a summary of the installed packages based on their origin, which includes main/restricted/universe/multiverse (packages from the Ubuntu archive), esm-infra/esm-apps (packages from the ESM archive), third-party (packages installed from non-Ubuntu sources), and unknown (packages that don’t have an installation source, such as local deb packages or packages for which the source was removed).

Manually running the command on multiple machines quickly becomes tedious. You can simplify the task with an Azure Automation runbook, which automates the process for you. In addition to executing the command, the runbook produces a summary that identifies machines requiring an update, so you can quickly assess their security status. Administrators must then take appropriate actions, such as updating or upgrading the machines, based on the summary provided.

What you’ll learn

By following this tutorial, you will learn how to use Azure Automation to automate tasks across multiple machines in your Azure subscription. You will also learn how to use the pro security-status command to check and report on package vulnerabilities on Ubuntu machines.

What you’ll need

To complete this tutorial, you will need:

  • An active Azure subscription
  • At least one Ubuntu machine running in your Azure subscription
  • Basic knowledge of PowerShell and Azure Automation

Creating an Azure Runbook to Check for Outdated Packages on VMs

Authentication

  • Navigate to the Azure portal and sign in with your desired account.

Create Azure Automation Account

  • In the Azure portal, type “Automation” in the search pane and go to the Azure Automation section of the portal.
  • Click on the “Create” button.
  • Fill in the details for your automation account, such as name, resource group, location, etc.
  • Click the “Review + create” button.
  • Make sure that “System assigned identity” is marked as “Yes” (if not, go back and enable it on the “Advanced” tab), then click “Create” if everything looks good.

Add the Automation Account to a Subscription

  • In the Azure portal, navigate to “Subscriptions” and select your desired subscription.
  • Copy and save your subscription ID.
  • Navigate to “IAM” and click “Add role assignment”.
  • Select the “Virtual Machine Contributor” role and assign it to the managed identity of the freshly created Automation account.

Create and Publish the Runbook

  • Go back to the Automation account > Runbooks > Create a runbook.
  • Choose a name for your runbook.
  • Choose PowerShell as the runbook type and select runtime version 7.1 (preview).
  • Open the runbook source code (https://pastebin.com/raw/mzTK4W5x) and paste it into the editor.
  • Click Save and then Publish.

What is the Runbook doing?

This Azure Runbook checks for outdated packages on Ubuntu VMs within a specified Azure subscription. It takes one mandatory parameter, $SubscriptionId, which identifies the subscription to check. The runbook connects to Azure using the Automation account's managed identity and loops through all VMs in that subscription. For each VM that is Linux-based and currently running, it invokes an AzVMRunCommand job that executes the pro security-status command mentioned above. Finally, it outputs statistics on how many machines were checked and how many were found to be compliant or non-compliant.
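The runbook logic described above, written out as an added example. This is my own code, not the pastebin runbook linked in this tutorial, and it makes a few assumptions: the Automation account has the Az.Accounts and Az.Compute modules, its system-assigned identity holds Virtual Machine Contributor on the subscription, and the target VMs have the Ubuntu Pro client (`pro`) and python3 installed. The JSON field names read on the VM side (summary.num_installed_packages and packages[].status with values such as "upgrade_available" and "pending_attach") are my reading of `pro security-status --format json`; check them against the output of that command on your own client version before relying on the counts.

```powershell
<#
  Added example runbook, not the pastebin code linked in the tutorial.
  Assumptions: Az.Accounts and Az.Compute are available, the Automation
  account's system-assigned identity has Virtual Machine Contributor on the
  subscription, and each VM has the `pro` client and python3. The JSON keys
  used below (summary.num_installed_packages, packages[].status) are assumed
  from `pro security-status --format json`; verify on your client version.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $SubscriptionId
)

# Managed-identity sign-in: no credentials are stored in the runbook.
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Script executed on each VM. It condenses the JSON on the VM so the returned
# text stays well under Run Command's output size limit. Run Command executes
# this as root, so it deliberately does nothing but read.
$checkScript = @'
#!/bin/sh
if ! command -v pro >/dev/null 2>&1; then
    echo '{"error": "pro client not installed"}'; exit 0
fi
pro security-status --format json | python3 -c '
import json, sys
d = json.load(sys.stdin)
pkgs = d.get("packages", [])          # assumed key, see header comment
count = lambda s: sum(1 for p in pkgs if p.get("status") == s)
print(json.dumps({
    "installed": d.get("summary", {}).get("num_installed_packages"),
    "upgrade_available": count("upgrade_available"),  # installable now
    "pending_attach": count("pending_attach"),        # needs a Pro entitlement
}))'
'@
$scriptPath = Join-Path ([System.IO.Path]::GetTempPath()) 'pro-security-status.sh'
Set-Content -Path $scriptPath -Value $checkScript

function Get-RunCommandStdout {
    param([string] $Message)
    # Linux RunShellScript returns "Enable succeeded:\n[stdout]\n...\n[stderr]\n...".
    if ($Message -match '(?s)\[stdout\]\s*(.*?)\s*\[stderr\]') { return $Matches[1] }
    return $Message
}

$compliant = @(); $nonCompliant = @(); $skipped = @()

# -Status populates PowerState, so stopped or deallocated VMs are skipped.
$vms = @(Get-AzVM -Status | Where-Object {
    $_.StorageProfile.OsDisk.OsType -eq 'Linux' -and $_.PowerState -eq 'VM running'
})

foreach ($vm in $vms) {
    try {
        $result = Invoke-AzVMRunCommand -ResourceGroupName $vm.ResourceGroupName `
            -VMName $vm.Name -CommandId 'RunShellScript' -ScriptPath $scriptPath
        $status = Get-RunCommandStdout ($result.Value[0].Message) | ConvertFrom-Json
    }
    catch {
        Write-Warning "$($vm.Name): run command failed: $($_.Exception.Message)"
        $skipped += $vm.Name
        continue
    }
    if ($status.error) {
        Write-Warning "$($vm.Name): $($status.error)"
        $skipped += $vm.Name
        continue
    }
    if ($status.upgrade_available -eq 0 -and $status.pending_attach -eq 0) {
        $compliant += $vm.Name
        continue
    }
    $nonCompliant += $vm.Name
    Write-Output ("{0}: {1} installable update(s), {2} ESM update(s) needing a Pro entitlement, {3} packages installed" -f `
        $vm.Name, $status.upgrade_available, $status.pending_attach, $status.installed)
}

Write-Output "Machines checked: $($vms.Count)"
Write-Output "Compliant ($($compliant.Count)): $($compliant -join ', ')"
Write-Output "Non-compliant ($($nonCompliant.Count)): $($nonCompliant -join ', ')"
Write-Output "Skipped ($($skipped.Count)): $($skipped -join ', ')"
```

Two points worth keeping in mind when adapting this. Run Command executes the script as root on every VM it reaches, so the Virtual Machine Contributor assignment effectively gives the Automation account's identity root on every VM in scope; if only some resource groups need checking, assign the role at that scope rather than the whole subscription. The VM-side script is also what keeps the job output useful: the full JSON package list from a machine with a couple of thousand packages would be truncated by Run Command's output limit, so it is reduced to counts before being returned, and the runbook's output contains only VM names and counts.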

Execute the Runbook

  • Click “Start” to execute the runbook.
  • Enter your subscription ID (saved earlier) and click OK.
  • Check the job “Output” tab for results.

Conclusion

By leveraging an Azure Automation runbook, you can streamline the process of evaluating the security posture of all your machines, saving valuable time and effort. To tackle the issues identified in the summary, administrators should consider taking a range of measures, such as upgrading or patching the machines, and potentially acquiring a PRO entitlement. Moreover, the same runbook approach can be utilized to automate the application of updates, further enhancing the efficiency of your security management process.