
Apply Latest OS Patches


Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-005

Ensure that the latest OS patches (critical security and system updates) are being applied to all your Microsoft Azure virtual machines (Windows and Linux) in order to improve the operating system (OS) general stability, address a specific bug or flaw, or fix a security vulnerability.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on the service configured on your virtual machines (VMs). The Security Center service also checks for the latest updates within Linux systems. If one of your virtual machines is missing a system update, Azure Security Center will recommend updating the VM's operating system. Cloud Conformity strongly recommends applying the latest system updates/OS patches as soon as these become available, in order to improve your VM's security, functionality, and performance.


Audit

To determine if your Azure VMs have the latest system updates installed, perform the following actions:

Note: Checking your Microsoft Azure virtual machines to find out if they have the latest system updates installed using Azure Command Line Interface (CLI) is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, under RESOURCE SECURITY HYGIENE, choose Recommendations to view the recommendations made available by the Azure Security Center for the cloud resources available in the current subscription. A recommendation represents an action for you to take in order to secure your Azure resources. Each Security Center recommendation consists of 1) a short description of what is being recommended, 2) the steps required to implement the recommendation, 3) the affected resource(s) that require the recommended actions and 4) the secure score impact if the recommendation is implemented.

04 On the Recommendations page, search for the Missing system updates recommendation entry. If there is no Missing system updates recommendation, the Security Center did not find any virtual machines that require the latest OS patches to be installed. If Missing system updates is listed as a recommendation, one or more Microsoft Azure virtual machines (Windows and/or Linux), provisioned within the current subscription, are missing the latest system updates (i.e. OS patches).

05 Repeat steps no. 2 – 4 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To apply the latest OS patches (critical security and system updates) to all your Microsoft Azure virtual machines following Azure Security Center recommendations, perform the following actions:

Note: Applying the latest OS patches for your Azure virtual machines (VMs) using the Azure Command Line Interface (CLI) is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, under RESOURCE SECURITY HYGIENE, choose Recommendations to access the Azure Security Center recommendations made for the cloud resources available within the current subscription.

04 On the Recommendations page, click on the Missing system updates recommendation to open the list with the system (OS) updates that are missing from your Azure virtual machines (VMs).

05 On the Apply system updates dashboard, click on the missing system (OS) update that you want to install in order to remediate the security issue.

06 On the selected missing system security update, click on the Search button to open the search log with the Azure virtual machines that are missing the selected OS patch.

07 Select the Microsoft Azure virtual machine (VM) that you want to reconfigure in order to apply the required system update.

08 Connect to the selected Azure VM and install the missing security update based on the recommendations provided by the Azure Security Center.

09 Repeat steps no. 7 and 8 to install the missing system security updates for the rest of the Azure virtual machines available on the list.

10 Repeat steps no. 5 – 9 to apply the rest of the missing system (OS) updates found by Security Center for the Azure VMs provisioned in the current subscription.

11 If required, repeat steps no. 2 – 10 for other subscriptions available within your Microsoft Azure account.
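For step 08 on a Linux VM, it helps to confirm from inside the guest which pending upgrades come from a security suite before installing anything. The script below is an added example, not part of the original Conformity guidance: it assumes a Debian- or Ubuntu-based VM with apt-get, the sample simulation output is constructed, and RUN_LIVE is a hypothetical switch introduced here.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` output (not taken from a real VM).
SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  curl openssl tzdata
Inst openssl [3.0.2-0ubuntu1.14] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst curl [7.81.0-1ubuntu1.15] (7.81.0-1ubuntu1.16 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [2023c-0ubuntu0.22.04.2] (2024a-0ubuntu0.22.04 Ubuntu:22.04/jammy-updates [all])
Conf openssl (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# Read simulation output on stdin and print "package old-version new-version"
# for every pending upgrade whose candidate comes from a security suite.
security_updates() {
    awk '$1 == "Inst" {
        src = $0
        sub(/^[^(]*\(/, "", src)            # keep only the "(candidate ...)" part
        if (tolower(src) !~ /security/) next
        if ($3 ~ /^\[/) {                   # upgrade: [installed] (candidate ...
            old = $3; gsub(/\[|\]/, "", old)
            new = $4
        } else {                            # new install: no installed version
            old = "-"
            new = $3
        }
        sub(/^\(/, "", new)
        print $2, old, new
    }'
}

# Number of pending security updates found in the simulation output on stdin.
count_security_updates() {
    security_updates | wc -l | tr -d ' '
}

# RUN_LIVE=1 on the VM queries apt-get in simulate mode (-s installs nothing);
# otherwise the constructed sample above is parsed.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v apt-get >/dev/null 2>&1; then
    apt-get -s upgrade | security_updates
else
    printf '%s\n' "$SAMPLE_SIMULATION" | security_updates
fi
```

An empty result after patching and refreshing the package lists indicates that no security-suite upgrades remain pending on that VM.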


Publication date Sep 20, 2019