Benchmark: Vulnerability Monitoring and Scanning (RA-5)
Description
Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select Vulnerability Monitoring and Scanning (RA-5).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_ra_5 --share
Controls
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerabilities in security configuration on your machines should be remediated
- A vulnerability assessment solution should be enabled on your virtual machines
- SQL servers on machines should have vulnerability findings resolved
- Container registry images should have vulnerability findings resolved
- Vulnerability assessment should be enabled on SQL Managed Instance
- Azure Defender for App Service should be enabled
- Microsoft Defender for Containers should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Microsoft Defender for Storage (Classic) should be enabled
- SQL databases should have vulnerability findings resolved
- Vulnerability assessment should be enabled on your SQL servers
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Vulnerability assessment should be enabled on your Synapse workspaces