cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
How to demonstrate the new containers features in Azure Security Center
By
Yaniv Shasha
Published Nov 15 2019 10:35 AM 28.3K Views
Yaniv Shasha
Microsoft
‎Nov 15 2019 10:35 AM

How to demonstrate the new containers features in Azure Security Center

‎Nov 15 2019 10:35 AM

At Ignite Azure Security Center team announced many new features and capabilities in the CSPM and the CWPP segments. The entire list can be found in this blog post.

One out of many areas that the product team invested a lot of resources and innovation is the containers workload and specifically AKS (Azure Kubernetes Service).

 

The new capabilities in this public preview release include:

  1. Discovery & Visibility - Continuous discovery of managed AKS instances within Security Center’s registered subscriptions. 
  2. Secure Score recommendations - Actionable items to help customers comply to security best practices in AKS as part of the customer’s Secure Score, such as "Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster". 
  3. Threat Detection - Host and cluster-based analytics, such as “A privileged container detected”. 
  4. Scan container images in Azure Container Registry (ACR) for vulnerabilities.

You can learn more about these capabilities reading the following articles: 

 

On this blog post we will focus on how to simulate alerts that are part of the AKS threat Detection and the image scanning (ACR) recommendation. 

 

Simulate AKS alert on Azure security center 

To simulate AKS alert on a cluster that is protected under Azure Security center follow the following steps: 

  1. Validate that your AKS threat protection pricing tier is enabled. If it is not, make sure to enabled it. 

pricing1.JPG

 

2. From Azure CLI logic to the AKS subscription by running the above commands: 

 

 

 

az login 

az account set --subscription "MyAzureSubName"

 

 

 

 

3. Download AKS tools for Azure CLI and add a local path:  

 

 

 

az aks install-cli 

$env:path += 'C:\Users\User\.azure-kubectl'

 

 

 

 

4. Run the alert simulation command below: 

 

 

 

kubectl get pods -–namespace=asc-alerttest-662jfi039n

 

 

 

 

You may see an output similar to the one below:

ps2.JPG

 

Wait approximately 40 minutes and open Azure security center alert blade: 

alert3.JPG

 

Once you see it, click on it until you see the full details, as shown below: 

alert4.JPG

 

Simulate a scanning for a vulnerable container image to an Azure Container Registry (ACR) and present its recommendation in Azure security Center.

One of the exciting features that introduced in Ignite was the ability to scan container image and share the vulnerability recommendation on Azure security center. 

 

Key notes about this feature are: 

  • The underline scanning engine that we using is Qualys  
  • The scan action is only happening on push image activity. 

To simulate this, the first step is to install Docker desktop desktop.

Follow the steps below to do that: 

  1. Navigate to https://www.docker.com/products/docker-desktop 
  2. Download and install Docker for Desktop 
  3. As part of the installation you will need to enable Hyper-V on your local computer 
  4. Open PowerShell 
  5. Verify your docker version by executing in PowerShell: 

 

 

 

docker version

 

 

 

 

Once you finish the installation, validate if you have the container registry pricing tier enabled on ASC, as shown below: 

pricing5.JPG

Next, you should create the Container Registry in Azure portal or via CLI.

Follow the steps below to do that and continue the validation:

 

1. Select container registries and press new.

portal6.JPG

 

2. Enter a unique name, select, or create a new resource group and press create. 

Once the ACR was created successfully, copy the Login server URL.

acr7.JPG

 

Open PowerShell and run (where the name is the ACR name that you created) the command below: 

 

 

 

az acr login --name ASCYanivSH

 

 

 

 

4. Download vulnerable image from docker hub https://hub.docker.com/r/vulnerables/web-dvwa/,

By brunning the command below:

 

 

 

docker pull vulnerables/web-dvwa

 

 

 

 

A sample of the output is shown below: 

pull9.JPG

 

5. Check the image on your local repository by running the command below: 

 

 

 

Docker image list

 

 

 

 

A sample of the output is shown below: 

list10.JPG

 

6. In this step we need to tag our image with the ACR Login URL that we copied in steps Execute the following command: 

 

 

 

Docker tag  vulnerables/web-dvwa:latest  ascyanivsh.azurecr.io/vulnerables/web-dvwa:v5

 

 

 

 

A sample of the output is shown below: 

tag11.JPG

 

7. Run again the docker image list, and notify the new image with the new tag, as shown in the sample below: 

tag12.JPG

 

8. Run docker push to upload the new image to the azure repository and generate the ASC image scan (it can take some time), using the command below: 

 

 

 

Docker push  ascyanivsh.azurecr.io/vulnerables/web-dvwa:v5

 

 

 

 

A sample of the output is shown below: 

push13.JPG

 

Once done check on your ACR repository and validate that you have a new repository with new image.

reg13.JPG

 

Open ASC and look for Container registry images” recommendation. 

Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) recommendation. 

rec13.jpg

 

Drill down to the recommendation and review image and the set of vulnerabilities that Azure Security Center discovered. 

rec14.jpg

 

In this blogpost, we provided details on the options to simulate

alerts that are part of the AKS threat Detection and the image scanning (ACR) recommendation. 

For more information on how Azure Security Center provides co visit our documentation below:

Azure Security Center Documentation

 

5 Comments
James van den Berg
MVP
‎Nov 17 2019 01:17 AM
‎Nov 17 2019 01:17 AM

Great Blogpost on Containers and Security. :cool:

I have shared it on Social Media 

khoyle
Copper Contributor
‎Nov 18 2019 08:32 AM
‎Nov 18 2019 08:32 AM

Is there a way to drill down to the specific vulnerable container? In my ACR test, I pushed a basic hardened container, and the DVWA container. The vulnerability alert came up in Security Centre, but I wasn't able to tell which container was throwing the vulnerability.

0 Likes
Like
larryms
Microsoft
‎Nov 19 2019 10:44 AM
‎Nov 19 2019 10:44 AM

Thanks for the info.  I think the security scanning steps can be simplified to remove the need for local docker desktop via the native acr import capability.  https://docs.microsoft.com/en-us/azure/container-registry/container-registry-import-images

I think you could simplify steps 4-8 to:

az acr import --name ascyanivsh --source docker.io/vulnerables/web-dvwa:latest  --image ascyanivsh.azurecr.io/vulnerables/web-dvwa:v5

 

0 Likes
Like
Yaniv Shasha
Microsoft
‎Nov 20 2019 12:52 AM
‎Nov 20 2019 12:52 AM

@khoyle thanks for your input. please see the fllow that will show you the impacted image

1.JPG

0 Likes
Like
piotrgwiazda
Copper Contributor
‎Jul 10 2020 12:48 AM
‎Jul 10 2020 12:48 AM

@larryms I have a container registry which contains only imported images with acr import. None of the images got scanned. It seems that since they were not "pushed" the scanning didn't go off. 

 

Also:

Is there a way to check and confirm that the image was scanned and no vulnerabilities were found? Using some automation - I want to make it part of the release pipeline.

 

 

0 Likes
Like
Co-Authors
Version history
Last update:
‎Nov 30 2021 07:57 AM
Updated by: