Problems adding the Linux Defender extension in Azure

y1aodyip, posted 2023-05-29 in Linux

Note: cross-posted on the HashiCorp forum: https://discuss.hashicorp.com/t/problems-in-adding-linux-defender-extension-in-azure/53949
I am trying to add the MS Defender extension to a Linux VM (rockylinux 8.x) in Azure. Here is my terraform code:

resource "azurerm_virtual_machine_extension" "linux_defender" {
  name                        = "linux_defender"
  virtual_machine_id          = azurerm_virtual_machine.linuxvm[0].id 
  auto_upgrade_minor_version  = "true"
  publisher                   = "Microsoft.Azure.AzureDefenderForServers"
  type                        = "MDE.Linux"
  type_handler_version        = "1.0"
}

When I apply it, I get the following error:

Error: Code="VMExtensionHandlerNonTransientError" Message="The handler for VM extension type 'Microsoft.Azure.AzureDefenderForServers.MDE.Linux' has reported terminal failure for VM extension 'linux_defender' with error message: '[ExtensionOperationError] Non-zero exit code: 53, /var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7/PythonRunner.sh src/MdeExtensionHandler.py enable\n[stdout]\nPython 3.6.8\n\n\n[stderr]\n2023-05-18 16:20:02,212, INFO - Start executing handler action: enable\n2023-05-18 16:20:02,213, ERROR - Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)\n'.\r\n    \r\n'Enable handler for the extension failed. More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot'"
│ 
│   with module.virtual_machines["d-rhub-vm0"].azurerm_virtual_machine_extension.linux_defender[0],

Has anyone successfully added the Defender extension to a Red Hat-flavoured Linux server in Azure? I am not sure whether Defender comes preloaded in the Linux images from the Azure Marketplace?
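The handler error above is one long escaped string, and the line that matters (the handler's last ERROR entry) sits inside the embedded `[stderr]` block. The following parser is an added example, not part of the original post or of any Azure tooling; it unescapes the message and pulls out the error code, extension type, exit code and the handler's ERROR lines. The sample string is constructed from the error text quoted in the question.

```python
import re

# Constructed sample: the handler failure as Terraform prints it, with the
# literal backslash-n sequences the Azure API returns inside the message.
SAMPLE_ERROR = (
    'Code="VMExtensionHandlerNonTransientError" Message="The handler for VM '
    "extension type 'Microsoft.Azure.AzureDefenderForServers.MDE.Linux' has "
    "reported terminal failure for VM extension 'linux_defender' with error "
    "message: '[ExtensionOperationError] Non-zero exit code: 53, "
    "/var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7/"
    "PythonRunner.sh src/MdeExtensionHandler.py enable\\n[stdout]\\nPython 3.6.8"
    "\\n\\n\\n[stderr]\\n2023-05-18 16:20:02,212, INFO - Start executing handler "
    "action: enable\\n2023-05-18 16:20:02,213, ERROR - Failed to retrieve "
    "configuration. Expecting value: line 1 column 1 (char 0)\\n'.\\r\\n"
)


def parse_extension_error(message: str) -> dict:
    """Split an Azure VM extension handler error into its actionable parts."""
    # The API escapes newlines inside the message; restore them first.
    text = message.replace("\\r", "").replace("\\n", "\n")
    code = re.search(r'Code="([^"]+)"', text)
    ext_type = re.search(r"extension type '([^']+)'", text)
    exit_code = re.search(r"Non-zero exit code: (\d+)", text)
    # Handler output is appended as "[stdout]\n...\n[stderr]\n..." blocks,
    # terminated by the closing quote of the error message.
    stdout_m = re.search(r"\[stdout\]\n(.*?)\n\[stderr\]\n", text, re.S)
    stderr_m = re.search(r"\[stderr\]\n(.*?)\n'", text, re.S)
    stderr_lines = stderr_m.group(1).splitlines() if stderr_m else []
    # The handler logs "<timestamp>, LEVEL - message"; keep only ERROR entries.
    errors = [line for line in stderr_lines if ", ERROR - " in line]
    code_name = code.group(1) if code else ""
    return {
        "code": code_name or None,
        "extension_type": ext_type.group(1) if ext_type else None,
        "exit_code": int(exit_code.group(1)) if exit_code else None,
        "stdout": stdout_m.group(1).strip() if stdout_m else "",
        "stderr_errors": errors,
        # A "NonTransient" code means re-running the same apply will not help;
        # the configuration handed to the handler has to change.
        "retry_unlikely_to_help": "NonTransient" in code_name,
    }


if __name__ == "__main__":
    for key, value in parse_extension_error(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

The extracted ERROR line ("Expecting value: line 1 column 1 (char 0)") is a JSON parse failure on empty input, i.e. the handler received no configuration to enable from; that is the symptom to take to the handler logs rather than the Terraform resource itself.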

rfbsl7qr, answer #1

Check the following code:

Enabling Azure Defender (source: Microsoft Defender Terraform samples on GitHub):
Code

resource "azurerm_subscription_policy_assignment" "assgn_asb" {
  name                 = "azuresecuritybenchmark"
  display_name         = "Azure Security Benchmark"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  subscription_id      = data.azurerm_subscription.current.id
}

  ....
resource "azurerm_security_center_subscription_pricing" "mdc_servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_setting" "setting_mcas" {
  setting_name = "MCAS"
  enabled      = false
}


resource "azurerm_security_center_setting" "setting_mde" {
  setting_name = "WDATP"
  enabled      = true
}

Below is an example of enabling the Log Analytics agent or the Azure Monitor agent.

resource "azurerm_security_center_auto_provisioning" "auto-provisioning" {
  auto_provision = "On"
}

Create a Log Analytics workspace to store these logs.

resource "azurerm_security_center_workspace" "myloga_workspace" {
  scope        = data.azurerm_subscription.current.id
  workspace_id = azurerm_log_analytics_workspace.myloga_workspace.id
}

resource "azurerm_subscription_policy_assignment" "auto-provisioning" {
  name                 = "mdc-va-autoprovisioning"
  display_name         = "Machines to receive a vulnerability assessment provider"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
  subscription_id      = data.azurerm_subscription.current.id
  identity {
    type = "SystemAssigned"
  }
  location = "West US2"
  parameters =..

}

resource "azurerm_role_assignment" "auto-provrole" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
  # identity of the "auto-provisioning" policy assignment defined above
  principal_id       = azurerm_subscription_policy_assignment.auto-provisioning.identity[0].principal_id
}

resource "azurerm_security_center_automation" "la-exports" {
  name                = "ExportToWorkspace"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  action {
    type              = "loganalytics"
    resource_id       = azurerm_log_analytics_workspace.myloga_workspace.id
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "Medium"
        property_type  = "String"
      }
    }
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoreControls"
  }

  scopes = [ data.azurerm_subscription.current.id ]
}

**Note:** when auto-provisioning is enabled, the Defender for Endpoint for Linux installation aborts on machines that already have a running service.

Along with the possible resolutions: VMExtensionProvisioningError | Microsoft Learn

Reference: Enable integration | Microsoft Learn
