Control: 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
Description
It is recommended to enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and their SQL databases.
The VA setting Periodic recurring scans schedules a weekly vulnerability scan of the server and its databases. Regular scanning provides risk visibility against the current set of known vulnerability signatures and configuration best practices, rather than a single point-in-time snapshot.
Enabling Azure Defender for SQL turns Periodic recurring scans on by default, but it does not configure the storage account that receives the scan results; until a storage account is selected the VA configuration is incomplete and scans cannot be stored or reviewed.
Remediation
From Console
- Log in to the Azure console and navigate to SQL Servers.
- For each server instance, go to the Security section in the left pane.
- Click on Security Center.
- Make sure Enable Azure Defender for SQL is On.
- Select Configure next to "Azure Defender for SQL: Enabled at the server-level".
- In the section VULNERABILITY ASSESSMENT SETTINGS, select a subscription and storage account.
- Set Periodic recurring scans to ON.
- Click Save.
From PowerShell
Enable Azure Defender for SQL on the server if it is not already enabled:

```powershell
Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName "<resource group name>" -ServerName "<server name>" -EmailAdmins $True
```

Enable the ADS-VA service with Periodic recurring scans (the storage account must be in the same subscription and location as the server):

```powershell
Update-AzSqlServerVulnerabilityAssessmentSetting `
  -ResourceGroupName "<resource group name>" `
  -ServerName "<server name>" `
  -StorageAccountName "<storage account name from the same subscription and location>" `
  -ScanResultsContainerName "vulnerability-assessment" `
  -RecurringScansInterval Weekly `
  -EmailSubscriptionAdmins $true `
  -NotificationEmail @("mail1@mail.com", "mail2@mail.com")
```
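The two cmdlets above fix one server at a time. The script below is an added example (not part of the original page or of the azure_compliance mod) that audits every SQL server in the current Az context against this control and, with -Remediate, applies the same Update-AzSqlServerVulnerabilityAssessmentSetting call to the non-compliant ones. It assumes the Az.Accounts and Az.Sql modules are installed, Connect-AzAccount has already been run with rights to read and update the servers, and that the storage account name and notification addresses passed in are placeholders you replace. It deliberately checks the storage account as well as the interval, since Defender for SQL sets the interval to Weekly by default but leaves the storage account empty.

```powershell
# Added example: audit (and optionally remediate) VA periodic recurring scans on all
# SQL servers in the current subscription. Not from the original page or the
# azure_compliance mod. Assumes Az.Accounts/Az.Sql are installed and Connect-AzAccount
# has been run. -StorageAccountName and -NotificationEmail are placeholders.
param(
    [string]   $StorageAccountName,
    [string[]] $NotificationEmail = @("secops@example.com"),   # placeholder address
    [switch]   $Remediate
)

if ($Remediate -and [string]::IsNullOrEmpty($StorageAccountName)) {
    throw "-Remediate requires -StorageAccountName (same subscription and region as the server)"
}

# Evaluates one server. Property names (StorageAccountName, RecurringScansInterval) are
# those of the object returned by Get-AzSqlServerVulnerabilityAssessmentSetting.
function Test-VaPeriodicScan {
    param([Parameter(Mandatory)] $Server)

    $note = ""
    try {
        $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                -ResourceGroupName $Server.ResourceGroupName `
                -ServerName $Server.ServerName -ErrorAction Stop
        # Both conditions are needed for the control: a results storage account AND a
        # weekly interval. Defender for SQL sets Weekly by default but not the storage.
        $hasStorage = -not [string]::IsNullOrEmpty($va.StorageAccountName)
        $isWeekly   = "$($va.RecurringScansInterval)" -eq "Weekly"
        $storage    = $va.StorageAccountName
        $interval   = "$($va.RecurringScansInterval)"
    } catch {
        # No readable VA setting is treated as non-compliant, with the reason recorded.
        $hasStorage = $false; $isWeekly = $false
        $storage = ""; $interval = ""
        $note = $_.Exception.Message
    }

    [pscustomobject]@{
        Server            = $Server.ServerName
        ResourceGroup     = $Server.ResourceGroupName
        StorageAccount    = $storage
        RecurringInterval = $interval
        Compliant         = ($hasStorage -and $isWeekly)
        Note              = $note
    }
}

$results = foreach ($s in Get-AzSqlServer) { Test-VaPeriodicScan -Server $s }
$results | Format-Table -AutoSize

foreach ($r in ($results | Where-Object { -not $_.Compliant })) {
    if (-not $Remediate) {
        Write-Warning "$($r.Server) ($($r.ResourceGroup)): periodic VA scans not fully configured; rerun with -Remediate to fix"
        continue
    }
    # Same call as the page's remediation step, applied to each failing server.
    Update-AzSqlServerVulnerabilityAssessmentSetting `
        -ResourceGroupName $r.ResourceGroup `
        -ServerName $r.Server `
        -StorageAccountName $StorageAccountName `
        -ScanResultsContainerName "vulnerability-assessment" `
        -RecurringScansInterval Weekly `
        -EmailSubscriptionAdmins $true `
        -NotificationEmail $NotificationEmail
    Write-Host "Remediated $($r.Server) in $($r.ResourceGroup)"
}
```

Run it without -Remediate first to get the table of servers and their current setting; the Note column shows why a server could not be evaluated (for example a missing permission) so that an access error is not silently reported as a configuration failure. The remediation only touches servers that fail the check, so re-running it is safe.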
Usage
Run the control in your terminal:
```
powerpipe control run azure_compliance.control.cis_v130_4_2_3
```
Snapshot and share results via Turbot Pipes:
```
powerpipe login
powerpipe control run azure_compliance.control.cis_v130_4_2_3 --share
```
SQL
This control uses a named query:
sql_server_va_setting_periodic_scan_enabled