Problems in adding the Linux Defender extension in Azure

Question   Votes: 0   Answers: 2

Note: cross-posted on the HashiCorp forum: https://discuss.hashicorp.com/t/problems-in-adding-linux-defender-extension-in-azure/53949

I am trying to add the MS Defender extension to a Linux VM (rockylinux 8.x) in Azure. Here is my Terraform code:

# MDE.Linux extension attached to the first Linux VM; no settings or
# protected_settings are passed to the handler.
resource "azurerm_virtual_machine_extension" "linux_defender" {
  name                       = "linux_defender"
  virtual_machine_id         = azurerm_virtual_machine.linuxvm[0].id
  auto_upgrade_minor_version = true
  publisher                  = "Microsoft.Azure.AzureDefenderForServers"
  type                       = "MDE.Linux"
  type_handler_version       = "1.0"
}

When I apply it, I get the following error:

 Error: Code="VMExtensionHandlerNonTransientError" Message="The handler for VM extension type 'Microsoft.Azure.AzureDefenderForServers.MDE.Linux' has reported terminal failure for VM extension 'linux_defender' with error message: '[ExtensionOperationError] Non-zero exit code: 53, /var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7/PythonRunner.sh src/MdeExtensionHandler.py enable\n[stdout]\nPython 3.6.8\n\n\n[stderr]\n2023-05-18 16:20:02,212, INFO - Start executing handler action: enable\n2023-05-18 16:20:02,213, ERROR - Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)\n'.\r\n    \r\n'Enable handler for the extension failed. More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot'"
│ 
│   with module.virtual_machines["d-rhub-vm0"].azurerm_virtual_machine_extension.linux_defender[0],

Has anyone successfully added the Defender for Servers extension to a Red Hat-flavored Linux VM in Azure? I'm not sure whether Defender is preloaded into Linux from the Azure Marketplace image?

azure terraform
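The line that matters in the error above is the handler's own record, "Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)". The second half is the exact text Python's json module produces when asked to parse an empty document, so the handler (a Python script, as the PythonRunner.sh path shows) started the enable action and found no usable JSON where it expected its configuration, which is consistent with the extension block above declaring no settings at all. The following Python is an added example, not code from the question or from Microsoft's extension handler: it parses a failure message of this shape (the sample is constructed from the quoted error), reproduces the json error text to confirm the match, and maps the ERROR record to that root cause. The regular expressions, field names and the "settings-empty-or-not-json" label are this example's own assumptions about the log format, not anything the handler documents.

```python
import json
import re

# Constructed sample: the handler error quoted in the question, with the
# escaped "\n" sequences of the Terraform output turned back into newlines.
SAMPLE_HANDLER_ERROR = """Non-zero exit code: 53, /var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7/PythonRunner.sh src/MdeExtensionHandler.py enable
[stdout]
Python 3.6.8


[stderr]
2023-05-18 16:20:02,212, INFO - Start executing handler action: enable
2023-05-18 16:20:02,213, ERROR - Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)
"""

# Assumed shapes of the three pieces of information we pull out of the text.
EXIT_CODE_RE = re.compile(r"Non-zero exit code: (\d+),")
ACTION_RE = re.compile(r"MdeExtensionHandler\.py (\w+)")
LOG_LINE_RE = re.compile(r"^(\S+ \S+), (\w+) - (.*)$")   # "<date> <time>, LEVEL - message"


def parse_handler_failure(text: str) -> dict:
    """Split an MDE.Linux handler failure into exit code, action and ERROR records."""
    result = {"exit_code": None, "action": None, "errors": []}
    m = EXIT_CODE_RE.search(text)
    if m:
        result["exit_code"] = int(m.group(1))
    m = ACTION_RE.search(text)
    if m:
        result["action"] = m.group(1)
    # Only the [stderr] section carries the handler's own log records.
    stderr = text.split("[stderr]", 1)[1] if "[stderr]" in text else ""
    for line in stderr.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if m and m.group(2) == "ERROR":
            result["errors"].append(m.group(3))
    return result


def json_decode_message(payload: str):
    """Return the json module's error text for payload, or None if it parses."""
    try:
        json.loads(payload)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def diagnose(parsed: dict) -> str:
    """Map the handler's ERROR records to a likely root cause (assumed labels)."""
    # What json.loads("") says: "Expecting value: line 1 column 1 (char 0)".
    empty_doc = json_decode_message("")
    for err in parsed["errors"]:
        if err.startswith("Failed to retrieve configuration") and empty_doc in err:
            return "settings-empty-or-not-json"
    return "unknown"


if __name__ == "__main__":
    parsed = parse_handler_failure(SAMPLE_HANDLER_ERROR)
    print(parsed["exit_code"], parsed["action"], diagnose(parsed))
```

Read this way, exit code 53 from the enable action is the handler rejecting an empty configuration rather than a problem with the Rocky image itself. The answers below take the route that avoids hand-authoring that configuration: turn on Defender for Servers and its auto-provisioning in Microsoft Defender for Cloud, and let the platform deploy the MDE.Linux extension with the settings it needs.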
2 Answers

0 votes

Check the following code:

Enabling Azure Defender: source code from Microsoft Defender terraform - GitHub

Code

# Assign the Azure Security Benchmark initiative to the subscription.
resource "azurerm_subscription_policy_assignment" "assgn_asb" {
  name                 = "azuresecuritybenchmark"
  display_name         = "Azure Security Benchmark"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  subscription_id      = data.azurerm_subscription.current.id
}

  ....
# Defender for Servers (Standard tier) for virtual machines.
resource "azurerm_security_center_subscription_pricing" "mdc_servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_setting" "setting_mcas" {
  setting_name = "MCAS"
  enabled      = false
}

# WDATP is the Defender for Endpoint (MDE) integration setting.
resource "azurerm_security_center_setting" "setting_mde" {
  setting_name = "WDATP"
  enabled      = true
}

Enable the Log Analytics agent or Azure Monitor agent here.

resource "azurerm_security_center_auto_provisioning" "auto-provisioning" {
  auto_provision = "On"
}

Create a Log Analytics workspace to store these logs.

resource "azurerm_security_center_workspace" "myloga_workspace" {
  scope        = data.azurerm_subscription.current.id
  workspace_id = azurerm_log_analytics_workspace.myloga_workspace.id
}

# Policy assignment that auto-provisions the vulnerability assessment provider;
# the name matches the role assignment that references it below.
resource "azurerm_subscription_policy_assignment" "va-auto-provisioning" {
  name                 = "mdc-va-autoprovisioning"
  display_name         = "Machines to receive a vulnerability assessment provider"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
  subscription_id      = data.azurerm_subscription.current.id
  identity {
    type = "SystemAssigned"
  }
  location = "West US2"
  parameters =..

}

# The assignment's managed identity needs this role to remediate non-compliant VMs.
resource "azurerm_role_assignment" "auto-provrole" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
  principal_id       = azurerm_subscription_policy_assignment.va-auto-provisioning.identity[0].principal_id
}

# Continuous export of alerts (High and Medium) and secure score data to the workspace.
resource "azurerm_security_center_automation" "la-exports" {
  name                = "ExportToWorkspace"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  action {
    type        = "loganalytics"
    resource_id = azurerm_log_analytics_workspace.myloga_workspace.id
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "Medium"
        property_type  = "String"
      }
    }
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoreControls"
  }

  scopes = [data.azurerm_subscription.current.id]
}

Note: after auto-deployment is enabled, the Defender for Endpoint for Linux installation will abort on machines that have pre-existing running services.

Also check the possible solutions in VMExtensionProvisioningError | Microsoft Learn.

Reference: Enable integration | Microsoft Learn


0 votes

This extension should only be installed for MDC Defender for Servers customers. The instructions kavyaS provided above turn it on and explain how to turn on the auto-provisioning setting for the MDE extension. Note that 2 other settings should also be turned on (Linux, and the unified agent for Windows Server 2012R2 and 2016).
