Control: 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Description
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
Remediation
From Azure Console
- Go to
SQL servers
. - For each server instance.
- Click on
Security Center
. - In Section
Vulnerability Assessment Settings
, setStorage Account
if not already. - Toggle 'Periodic recurring scans' to ON.
- Click
Save
.
From Powershell
If not already, Enable Advanced Data Security
for a SQL Server:
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
To enable ADS-VA service with 'Periodic recurring scans'
Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName "<resource group name>"` -ServerName "<Server Name>"` -StorageAccountName "<Storage Name from same subscription and same Location" ` -ScanResultsContainerName "vulnerability-assessment" ` -RecurringScansInterval Weekly ` -EmailSubscriptionAdmins $true ` -NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
Default Value
Enabling Microsoft Defender for SQL
enables 'Periodic recurring scans' by default but does not configure the Storage account.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_4_2_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_4_2_3 --share
SQL
This control uses a named query:
sql_server_va_setting_periodic_scan_enabled