Control: 4.5 Ensure that the latest OS Patches for all Virtual Machines are applied
Description
Ensure that the latest OS patches for all virtual machines are applied.
Remediation
From Console
- Log on to Security Center Console.
- Select Vulnerabilities.
- Apply all patches for vulnerabilities.
Default Value:
By default, patches are not automatically deployed.
Usage
Run the control in your terminal:

    powerpipe control run alicloud_compliance.control.cis_v200_4_5

Snapshot and share results via Turbot Pipes:

    powerpipe login
    powerpipe control run alicloud_compliance.control.cis_v200_4_5 --share

SQL
This control uses a named query:

    with instances_with_unfixed_vulns as (
      select distinct
        instance_id,
        instance_name,
        region,
        account_id,
        count(*) as unfixed_vulnerability_count
      from
        alicloud_security_center_vulnerability
      where
        status = 0 -- 0 = unfixed
        and instance_id is not null
        and instance_id != ''
      group by
        instance_id,
        instance_name,
        region,
        account_id
    )
    select
      arn as resource,
      case
        when i.status != 'Running' then 'skip'
        when iv.unfixed_vulnerability_count > 0 then 'alarm'
        else 'ok'
      end as status,
      case
        when i.status != 'Running' then i.title || ' is not in running state.'
        when iv.unfixed_vulnerability_count > 0 then i.title || ' has ' || iv.unfixed_vulnerability_count || ' unfixed vulnerabilities.'
        else i.title || ' has all OS patches applied - no unfixed vulnerabilities found.'
      end as reason,
      i.account_id as account_id,
      i.region as region
    from
      alicloud_ecs_instance i
      left join instances_with_unfixed_vulns iv
        on i.instance_id = iv.instance_id
        and i.region = iv.region
        and i.account_id = iv.account_id
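
The status logic of the query above, replayed against constructed rows in an in-memory SQLite database; this is an added example, not part of the Powerpipe mod. It shows how the `left join` treats an instance that has no rows in the vulnerability table. The instance IDs, region, account ID, the vulnerability status value `1` and the use of the instance ID as `arn` are assumptions made for illustration.

```python
import sqlite3

# Status logic of the control's query (the "reason" column is left out).
CONTROL_SQL = """
with instances_with_unfixed_vulns as (
  select distinct instance_id, instance_name, region, account_id,
    count(*) as unfixed_vulnerability_count
  from alicloud_security_center_vulnerability
  where status = 0 and instance_id is not null and instance_id != ''
  group by instance_id, instance_name, region, account_id
)
select arn as resource,
  case
    when i.status != 'Running' then 'skip'
    when iv.unfixed_vulnerability_count > 0 then 'alarm'
    else 'ok'
  end as status
from alicloud_ecs_instance i
  left join instances_with_unfixed_vulns iv
    on i.instance_id = iv.instance_id and i.region = iv.region
    and i.account_id = iv.account_id
"""

# Constructed sample data: (instance_id, power state) and (instance_id, vuln status).
# Vuln status 0 = unfixed (from the query); 1 is a stand-in for "anything else".
INSTANCES = [("i-aaa", "Running"), ("i-bbb", "Running"),
             ("i-ccc", "Stopped"), ("i-ddd", "Running")]
VULNS = [("i-aaa", 0), ("i-aaa", 0), ("i-aaa", 1),  # two unfixed findings
         ("i-bbb", 1),                               # nothing unfixed
         ("i-ccc", 0)]                               # unfixed, but VM is stopped
# i-ddd has no rows at all in the vulnerability table.
REGION, ACCOUNT = "cn-hangzhou", "1111111111111111"  # placeholder values


def evaluate():
    """Load the sample rows into SQLite and return {resource: status}."""
    db = sqlite3.connect(":memory:")
    db.execute("create table alicloud_ecs_instance "
               "(arn, instance_id, status, region, account_id)")
    db.execute("create table alicloud_security_center_vulnerability "
               "(instance_id, instance_name, region, account_id, status)")
    db.executemany("insert into alicloud_ecs_instance values (?,?,?,?,?)",
                   [(iid, iid, state, REGION, ACCOUNT) for iid, state in INSTANCES])
    db.executemany(
        "insert into alicloud_security_center_vulnerability values (?,?,?,?,?)",
        [(iid, iid, REGION, ACCOUNT, st) for iid, st in VULNS])
    return dict(db.execute(CONTROL_SQL).fetchall())


if __name__ == "__main__":
    for resource, status in sorted(evaluate().items()):
        print(resource, status)
```

`i-bbb` and `i-ddd` both evaluate to `ok`, but only `i-bbb` has vulnerability data behind that result; for `i-ddd` the join yields NULL, which falls through to the `else` branch.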