v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied

Description

It is recommended the latest OS patches for all virtual machines are applied. The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.

Windows and Linux virtual machines should be kept updated to:

  • Fix a security vulnerability
  • Improve an OS or application’s general stability
  • Address a specific bug or flaw

Remediation

From Console

Perform the following action to check latest OS patches are applied on VM:

  1. Go to Security Center - Recommendations.
  2. Ensure that there are no recommendations available for Apply system updates.

Follow Microsoft Azure documentation to apply security patches from the security center - Security-benchmarks

Note

  • By default, patches are not automatically deployed.
  • You can deploy your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_7_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_7_5 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 7.5
cis_level = 1
cis_section_id = 7
cis_type = manual
cis_version = v1.3.0
plugin = azure
service = Azure/Compute