
Install Approved Extensions Only

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-004

Ensure that your Microsoft Azure virtual machines (VMs) have only organization-approved extensions installed in order to follow your organization's security and compliance requirements. Azure virtual machine extensions are small cloud applications that provide post-deployment configuration and automation tasks for virtual machines. These extensions run with administrative privileges and could potentially access any configuration file or piece of data on a virtual machine. Prior to enabling this conformity rule, a list with the organization-approved software extensions must be defined within the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To adhere to security best practices and meet regulatory compliance, each organization needs to maintain an inventory of authorized software by carefully evaluating Azure virtual machine (VM) extensions and ensuring that only those approved for use are actually installed. Because extensions run with administrative privileges on the VM, an unapproved extension is effectively unvetted privileged code.


Audit

To determine if your Azure VMs have only approved extensions installed, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Install Approved Extensions Only conformity rule settings and note each virtual machine extension approved by your organization.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to show only the virtual machines (VMs) available in the selected subscription.

06 Click on the name of the virtual machine that you want to examine.

07 In the navigation panel, under Settings, select Extensions to access the list of extensions installed on the selected Azure VM.

08 On the Extensions page, compare the list of extensions installed on the selected VM with the organization-approved extensions list identified at step no. 1. If one or more extensions installed on the VM are not found within the organization-approved extensions list, the selected Microsoft Azure virtual machine has software extensions that are not approved for use.

09 Repeat steps no. 6 – 8 for each Azure virtual machine available in the selected subscription.

10 Repeat steps no. 4 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Install Approved Extensions Only conformity rule settings and note each virtual machine extension approved by your organization.

02 Run the vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine (VM) provisioned in the current Azure subscription (the trailing backslashes continue the command onto the next line):

az vm list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

03 The command output should return the requested virtual machine (VM) identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-internal-app-server    cloud-shell-storage-westeurope
cc-warehouse-app-server   cloud-shell-storage-westeurope

04 Run the vm extension list command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and its associated resource group as identifier parameters to list the names of the software extensions currently installed on the selected Azure VM:

az vm extension list \
	--vm-name cc-internal-app-server \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].name'

05 The command output should return the names of the extensions installed on the specified VM server:

[
  "AzureNetworkWatcherExtension",
  "CustomScriptExtension",
  "IaaSAntimalware"
]

Compare the extensions list returned by the vm extension list command output with the organization-approved extensions list identified at step no. 1. If one or more VM extensions returned at the previous step are not found in the organization-approved extensions list defined in the conformity rule settings, the selected Microsoft Azure virtual machine (VM) contains software extensions that are not approved for use.

06 Repeat step no. 4 and 5 for each Azure virtual machine provisioned within the current subscription.

07 Repeat steps no. 2 – 6 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To uninstall any unapproved software extensions running on your Microsoft Azure virtual machines, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show only the virtual machines (VMs) available in the selected subscription.

05 Click on the name of the virtual machine that you want to reconfigure.

06 In the navigation panel, under Settings, select Extensions to access the list of the extensions currently installed on the selected Azure VM.

07 On the Extensions overview page, click on the name of the unapproved extension that you want to remove from your virtual machine (see Audit section part I to identify the right software extension).

08 On the selected VM extension page, choose Uninstall, then click Yes inside the Uninstall extension confirmation box to remove the extension from your virtual machine. The removal process should take just a few minutes.

09 Repeat step no. 7 and 8 for each unapproved software extension that you want to remove.

10 Repeat steps no. 5 – 9 for every Azure virtual machine available in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the vm extension delete command (Windows/macOS/Linux) using the name of the unapproved software extension that you want to uninstall as the identifier parameter (see Audit section part II to identify the right extension) to remove the extension from the specified Azure virtual machine. For example, the following command removes a VM extension named "CustomScriptExtension" from a virtual machine identified by the name "cc-internal-app-server" (the command produces no output):

az vm extension delete \
	--vm-name cc-internal-app-server \
	--resource-group cloud-shell-storage-westeurope \
	--name "CustomScriptExtension"

02 Repeat step no. 1 for each unapproved VM software extension that you want to uninstall.

03 Repeat step no. 1 and 2 for every Azure virtual machine available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.
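The Azure CLI audit (steps 2 to 6) and remediation (step 1) above can be scripted for a whole subscription. The following Python script is an added example, not Conformity's own code: it wraps the same az commands, diffs each VM's extension names against an approved list, and builds the matching vm extension delete command for every finding. The approved list and the sample VM/extension data are constructed for illustration; the live functions require a logged-in az CLI.

```python
import json
import subprocess

# Constructed approved list; in practice it comes from the rule settings (Audit step 1).
APPROVED_EXTENSIONS = {"AzureNetworkWatcherExtension", "IaaSAntimalware"}

# Constructed samples mirroring the page's `az vm list` and `az vm extension list` output.
SAMPLE_VMS = [
    {"name": "cc-internal-app-server", "resourceGroup": "cloud-shell-storage-westeurope"},
    {"name": "cc-warehouse-app-server", "resourceGroup": "cloud-shell-storage-westeurope"},
]
SAMPLE_EXTENSIONS = {
    "cc-internal-app-server": ["AzureNetworkWatcherExtension", "CustomScriptExtension", "IaaSAntimalware"],
    "cc-warehouse-app-server": ["IaaSAntimalware"],
}

def az_json(args):
    """Run an az command against the current subscription and parse its JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def list_vms():
    """Audit step 2: name and resource group of every VM in the current subscription."""
    return az_json(["vm", "list", "--query", "[*].{name:name, resourceGroup:resourceGroup}"])

def list_extension_names(vm):
    """Audit step 4: names of the extensions installed on one VM."""
    return az_json(["vm", "extension", "list", "--vm-name", vm["name"],
                    "--resource-group", vm["resourceGroup"], "--query", "[*].name"])

def find_unapproved(vms, extensions_by_vm, approved):
    """Audit step 5: map each non-compliant VM to its sorted unapproved extension names."""
    findings = {}
    for vm in vms:
        unapproved = sorted(set(extensions_by_vm.get(vm["name"], [])) - set(approved))
        if unapproved:
            findings[vm["name"]] = unapproved
    return findings

def delete_command(vm, extension_name):
    """Remediation step 1: the az argv that uninstalls one unapproved extension."""
    return ["az", "vm", "extension", "delete", "--vm-name", vm["name"],
            "--resource-group", vm["resourceGroup"], "--name", extension_name]

if __name__ == "__main__":  # live run against the current subscription
    vms = list_vms()
    installed = {vm["name"]: list_extension_names(vm) for vm in vms}
    for vm in vms:
        for ext in find_unapproved(vms, installed, APPROVED_EXTENSIONS).get(vm["name"], []):
            print(vm["name"], "has unapproved extension", ext, "->", " ".join(delete_command(vm, ext)))
```

Run it once per subscription after `az account set --subscription <id>`; it only prints the delete commands, so review them before executing any.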


Publication date Sep 13, 2019