How to demonstrate the new containers features in Azure Security Center

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

At Ignite, the Azure Security Center team announced many new features and capabilities in the CSPM and CWPP segments. The entire list can be found in this blog post.

One of the many areas in which the product team invested significant resources and innovation is the containers workload, specifically AKS (Azure Kubernetes Service).

The new capabilities in this public preview release include:

  1. Discovery & Visibility - Continuous discovery of managed AKS instances within Security Center's registered subscriptions.
  2. Secure Score recommendations - Actionable items to help customers comply with security best practices in AKS as part of the customer's Secure Score, such as "Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster".
  3. Threat Detection - Host and cluster-based analytics, such as "A privileged container detected".
  4. Scan container images in Azure Container Registry (ACR) for vulnerabilities.

You can learn more about these capabilities by reading the following articles:

In this blog post we focus on how to simulate alerts that are part of AKS threat detection and the image scanning (ACR) recommendation.

Simulate an AKS alert in Azure Security Center

To simulate an AKS alert on a cluster that is protected by Azure Security Center, follow these steps:

  1. Validate that your AKS threat protection pricing tier is enabled. If it is not, enable it.

pricing1.JPG

 

  2. From the Azure CLI, log in and select the AKS subscription by running the commands below:

az login
az account set --subscription "MyAzureSubName"

  3. Install the AKS tools (kubectl) through the Azure CLI and add their folder to the PATH of the current PowerShell session:

az aks install-cli
$env:Path += ';C:\Users\User\.azure-kubectl'

  4. Run the alert simulation command below:

kubectl get pods --namespace=asc-alerttest-662jfi039n

You may see an output similar to the one below:

ps2.JPG

 

Wait approximately 40 minutes, then open the Azure Security Center alerts blade:

alert3.JPG

Once the alert appears, click on it to see its full details, as shown below:

alert4.JPG
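The following PowerShell script is an added example, not code from the original post: it runs the four simulation steps above end to end and fails early when the pricing tier or a CLI command is not in the expected state. The resource group and cluster names are placeholders, and the pricing name "KubernetesService" is assumed to be the one the ASC pricing API uses for AKS threat protection; the az aks get-credentials step is not in the post but is needed so that kubectl talks to the protected cluster.

```powershell
# Added example (not from the original post): automates steps 1-4 of the AKS alert
# simulation. Resource group and cluster names are placeholders (assumptions);
# az must be installed, and kubectl becomes available after step 3.
param(
    [string]$Subscription  = "MyAzureSubName",
    [string]$ResourceGroup = "my-aks-rg",       # placeholder
    [string]$ClusterName   = "my-aks-cluster"   # placeholder
)

function Invoke-Checked([string]$Step, [scriptblock]$Cmd) {
    # Run a native command and stop on a non-zero exit code.
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# Step 2: sign in and select the subscription that owns the cluster.
Invoke-Checked "az login"       { az login | Out-Null }
Invoke-Checked "az account set" { az account set --subscription $Subscription }

# Step 1: confirm the AKS threat protection tier. "KubernetesService" is assumed to be
# the pricing name used by the ASC pricing API at the time of the post.
$tier = az security pricing show --name KubernetesService --query pricingTier -o tsv
if ($tier -ne "Standard") {
    throw "AKS threat protection tier is '$tier'; enable the Standard tier in ASC first."
}

# Step 3: install kubectl and add its folder to PATH for this session only.
Invoke-Checked "az aks install-cli" { az aks install-cli }
$env:Path += ";$env:USERPROFILE\.azure-kubectl"

# Not in the post but required: point kubectl at the protected cluster.
Invoke-Checked "az aks get-credentials" {
    az aks get-credentials --resource-group $ResourceGroup --name $ClusterName --overwrite-existing
}

# Step 4: the simulation request. The namespace does not exist, so kubectl reports
# "No resources found"; the request itself is what ASC detects.
kubectl get pods --namespace=asc-alerttest-662jfi039n

Write-Host "Simulation request sent. Allow about 40 minutes, then check the ASC alerts blade"
Write-Host "or run: az security alert list -o table"
```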

 

Simulate a scan of a vulnerable container image pushed to an Azure Container Registry (ACR) and view its recommendation in Azure Security Center

One of the exciting features introduced at Ignite is the ability to scan container images and surface the vulnerability findings as a recommendation in Azure Security Center.

Key notes about this feature:

  • The underlying scanning engine we use is Qualys.
  • Scanning happens only when an image is pushed to the registry.

To simulate this, the first step is to install Docker Desktop.

Follow the steps below to do that:

  1. Navigate to https://www.docker.com/products/docker-desktop
  2. Download and install Docker Desktop
  3. As part of the installation you will need to enable Hyper-V on your local computer
  4. Open PowerShell
  5. Verify your Docker version by executing in PowerShell:

docker version

Once you finish the installation, validate that you have the container registry pricing tier enabled in ASC, as shown below:

pricing5.JPG

Next, create the container registry in the Azure portal or via the CLI.

Follow the steps below to do that and continue the validation:

  1. Select Container registries and press New.

portal6.JPG

 

  2. Enter a unique name, select or create a resource group, and press Create.

Once the ACR has been created successfully, copy the Login server URL.

acr7.JPG

  3. Open PowerShell and run the command below (where the name is the ACR name you created):

az acr login --name ASCYanivSH

  4. Download the vulnerable image from Docker Hub (https://hub.docker.com/r/vulnerables/web-dvwa/) by running the command below:

docker pull vulnerables/web-dvwa

A sample of the output is shown below: 

pull9.JPG

 

  5. Check that the image is in your local repository by running the command below:

docker image list

A sample of the output is shown below: 

list10.JPG

 

  6. Tag the image with the ACR login server URL copied in step 2. Execute the following command:

docker tag vulnerables/web-dvwa:latest ascyanivsh.azurecr.io/vulnerables/web-dvwa:v5

A sample of the output is shown below: 

tag11.JPG

 

  7. Run docker image list again and note the new image with the new tag, as shown in the sample below:

tag12.JPG

  8. Run docker push to upload the new image to the Azure registry and trigger the ASC image scan (it can take some time), using the command below:

docker push ascyanivsh.azurecr.io/vulnerables/web-dvwa:v5

A sample of the output is shown below: 

push13.JPG

 

Once done, check your ACR and validate that there is a new repository containing the new image.

reg13.JPG

Open ASC and look for the container registry images recommendation, "Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)".

rec13.jpg

 

Drill down into the recommendation and review the image and the set of vulnerabilities that Azure Security Center discovered.

rec14.jpg
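The following PowerShell script is an added example, not code from the original post: it automates steps 3 to 8 of the ACR walkthrough above, reads the login server from ACR instead of retyping it, and verifies that the tag landed in the registry before you go looking for the recommendation. It assumes the registry name from the post (ASCYanivSH), that az and docker are on PATH, and that "ContainerRegistry" is the pricing name the ASC pricing API uses for the container registry tier.

```powershell
# Added example (not from the original post): automates steps 3-8 of the ACR walkthrough
# and verifies the pushed tag. $AcrName defaults to the registry name used in the post;
# az and docker must be reachable from this PowerShell session.
param(
    [string]$AcrName = "ASCYanivSH",
    [string]$Image   = "vulnerables/web-dvwa",
    [string]$Tag     = "v5"
)

function Invoke-Checked([string]$Step, [scriptblock]$Cmd) {
    # Run a native command and stop on a non-zero exit code.
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# Confirm the container registry tier. "ContainerRegistry" is assumed to be the
# pricing name used by the ASC pricing API at the time of the post.
$tier = az security pricing show --name ContainerRegistry --query pricingTier -o tsv
if ($tier -ne "Standard") { throw "Container registry tier is '$tier'; enable Standard first." }

# Read the login server from ACR (always lower case) rather than copying it by hand.
$loginServer = az acr show --name $AcrName --query loginServer -o tsv
$target = "$loginServer/${Image}:${Tag}"

# Steps 3, 4, 6 and 8: authenticate, pull the vulnerable image, tag it and push it.
Invoke-Checked "az acr login" { az acr login --name $AcrName }
Invoke-Checked "docker pull"  { docker pull "${Image}:latest" }
Invoke-Checked "docker tag"   { docker tag "${Image}:latest" $target }
Invoke-Checked "docker push"  { docker push $target }

# Scanning runs only on push, so confirm the push actually created the tag in ACR.
$tags = az acr repository show-tags --name $AcrName --repository $Image -o tsv
if ($tags -notcontains $Tag) { throw "Tag '$Tag' not found in $loginServer/$Image" }

Write-Host "Pushed $target. Allow time for the Qualys scan, then open the ASC recommendation"
Write-Host "'Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)'."
```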

 

In this blog post, we provided details on how to simulate alerts that are part of AKS threat detection and the image scanning (ACR) recommendation.

For more information on how Azure Security Center provides co visit our documentation below:

Azure Security Center Documentation

 
