Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(arm): add CKV_AZURE_177 to ensure that Windows VM enables automatic updates #6484

Merged
merged 5 commits into from
Jul 14, 2024
Merged

feat(arm): add CKV_AZURE_177 to ensure that Windows VM enables automatic updates #6484

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
334e7e3
added a new arm policy for resource: WinVMAutomaticUpdates
tehila86127 Jun 24, 2024
d12a8d2
update arm policy for resource: WinVMAutomaticUpdates
tehila86127 Jul 1, 2024
b9c12bc
Merge branch 'main' into WinVMAutomaticUpdates
AdamDev Jul 3, 2024
88ea63c
update arm policy for resource: WinVMAutomaticUpdates
tehila86127 Jul 7, 2024
5b25225
Merge remote-tracking branch 'origin/WinVMAutomaticUpdates' into WinV…
tehila86127 Jul 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions checkov/arm/checks/resource/WinVMAutomaticUpdates.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck


class WinVMAutomaticUpdates(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure Windows VM enables automatic updates"
id = "CKV_AZURE_177"
supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets")
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED,)

def get_inspected_key(self) -> str:
if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
return "properties/virtualMachineProfile/osProfile/windowsConfiguration/enableAutomaticUpdates"
return "properties/osProfile/windowsConfiguration/enableAutomaticUpdates"


check = WinVMAutomaticUpdates()
165 changes: 165 additions & 0 deletions tests/arm/checks/resource/example_WinVMAutomaticUpdates/fail.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmSku": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "Size of VMs in the VM Scale Set."
}
},
"vmssName": {
"type": "string",
"metadata": {
"description": "Unique name for the scale set. Must be 3-61 characters in length and unique across the VNet."
},
"maxLength": 61
},
"instanceCount": {
"type": "int",
"metadata": {
"description": "Number of VM instances (100 or less)."
},
"defaultValue": 2
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Admin username on all VMs."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Admin password on all VMs."
}
},
"existingVnetName": {
"type": "string",
"metadata": {
"description": "Name of the existing virtual network to deploy the scale set into."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location parameter"
}
},
"existingSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the existing subnet to deploy the scale set into."
}
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"name": "fail",
"location": "[parameters('location')]",
"apiVersion": "2020-12-01",
"sku": {
"name": "[parameters('vmSku')]",
"capacity": "[parameters('instanceCount')]"
},
"properties": {
"overprovision": false,
"upgradePolicy": {
"mode": "Manual"
},
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"createOption": "FromImage",
"caching": "ReadWrite"
},
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2016-Datacenter",
"version": "latest"
}
},
"osProfile": {
"computerNamePrefix": "[parameters('vmssName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"windowsConfiguration": {
"enableAutomaticUpdates": false,
"provisionVmAgent": true
}
},
"networkProfile": {
"networkInterfaceConfigurations": [
{
"name": "nic",
"properties": {
"primary": true,
"ipConfigurations": [
{
"name": "ipconfig",
"properties": {
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('existingSubnetName'))]"
}
}
}
]
}
}
]
}
}
}
},
{
"name": "fail",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-12-01",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces/', variables('networkInterfaceName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"osDisk": {
"createOption": "fromImage",
"managedDisk": {
"storageAccountType": "[variables('osDiskType')]"
}
},
"imageReference": {
"publisher": "MicrosoftVisualStudio",
"offer": "visualstudio2019latest",
"sku": "vs-2019-comm-latest-ws2019",
"version": "latest"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
}
]
},
"osProfile": {
"computerName": "[parameters('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"windowsConfiguration": {
"enableAutomaticUpdates": false,
"provisionVmAgent": true
}
}
}
}
]
}
Loading
Loading