Note: cross-posted on the HashiCorp forum: https://discuss.hashicorp.com/t/problems-in-adding-linux-defender-extension-in-azure/53949
I am trying to add the MS Defender extension to a Linux VM (rockylinux 8.x) in Azure. Here is my Terraform code:
resource "azurerm_virtual_machine_extension" "linux_defender" {
  name                       = "linux_defender"
  virtual_machine_id         = azurerm_virtual_machine.linuxvm[0].id
  auto_upgrade_minor_version = true  # boolean attribute; the quoted "true" is coerced but not idiomatic
  publisher                  = "Microsoft.Azure.AzureDefenderForServers"
  type                       = "MDE.Linux"
  type_handler_version       = "1.0"
}
When I apply it, I get the following error:
Error: Code="VMExtensionHandlerNonTransientError" Message="The handler for VM extension type 'Microsoft.Azure.AzureDefenderForServers.MDE.Linux' has reported terminal failure for VM extension 'linux_defender' with error message: '[ExtensionOperationError] Non-zero exit code: 53, /var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7/PythonRunner.sh src/MdeExtensionHandler.py enable\n[stdout]\nPython 3.6.8\n\n\n[stderr]\n2023-05-18 16:20:02,212, INFO - Start executing handler action: enable\n2023-05-18 16:20:02,213, ERROR - Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)\n'.\r\n \r\n'Enable handler for the extension failed. More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot'"
│
│ with module.virtual_machines["d-rhub-vm0"].azurerm_virtual_machine_extension.linux_defender[0],
Has anyone successfully added the Defender for Servers extension to a Red Hat-flavoured Linux VM in Azure? I am not sure whether Defender comes preloaded in the Linux images from the Azure Marketplace?
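The stderr line in the error, "Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)", is the message Python's json module produces when it is asked to parse an empty document, so the handler (PythonRunner.sh runs a Python script) found no configuration to read. The following diagnostic is an added example, not code from the question or from Microsoft; it assumes the standard Azure Linux extension layout, in which the handler's settings live under <extension dir>/config/<sequence>.settings as a JSON document of the form {"runtimeSettings":[{"handlerSettings":{"publicSettings":{...},"protectedSettings":"..."}}]}. It classifies each settings file as empty, malformed, unexpectedly shaped or ok, and reproduces the json.loads message so it can be matched against the handler's log line.

```python
"""Diagnostic for an Azure Linux VM extension handler that fails with
"Failed to retrieve configuration. Expecting value: line 1 column 1 (char 0)".

Assumption (standard Azure Linux extension layout, not shown in the post):
the handler reads <extension dir>/config/<sequence>.settings on 'enable'.
"""
import json
import tempfile
from pathlib import Path


def json_error_for_empty_input() -> str:
    """What json.loads says about an empty document; compare it with the
    handler's stderr line on the VM."""
    try:
        json.loads("")
    except json.JSONDecodeError as exc:
        return str(exc)
    return ""


def classify_settings_text(text: str) -> dict:
    """Parse one .settings document the way a Python handler would and report
    its state: empty, malformed, unexpected-shape or ok."""
    if text.strip() == "":
        # Exactly the case that yields "Expecting value: line 1 column 1 (char 0)".
        return {"state": "empty", "public_settings_keys": []}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"state": "malformed", "error": str(exc), "public_settings_keys": []}
    try:
        handler = doc["runtimeSettings"][0]["handlerSettings"]
    except (KeyError, IndexError, TypeError):
        return {"state": "unexpected-shape", "public_settings_keys": []}
    public = handler.get("publicSettings") or {}
    return {
        "state": "ok",
        "public_settings_keys": sorted(public),
        # Protected settings are encrypted for the VM's certificate; only note presence.
        "has_protected_settings": bool(handler.get("protectedSettings")),
    }


def inspect_extension_dir(ext_dir: str) -> dict:
    """Classify every config/*.settings file under one handler directory, e.g.
    /var/lib/waagent/Microsoft.Azure.AzureDefenderForServers.MDE.Linux-1.0.3.7
    (the directory named in the error message above)."""
    config_dir = Path(ext_dir, "config")
    return {
        p.name: classify_settings_text(p.read_text(encoding="utf-8"))
        for p in sorted(config_dir.glob("*.settings"))
    }


def demo() -> dict:
    """Constructed sample: a handler directory with an empty 0.settings (the
    failing case) and a well-formed 1.settings, inspected offline."""
    base = Path(tempfile.mkdtemp(prefix="mde-ext-demo-"))
    cfg = base / "config"
    cfg.mkdir()
    (cfg / "0.settings").write_text("", encoding="utf-8")
    (cfg / "1.settings").write_text(json.dumps({
        "runtimeSettings": [{"handlerSettings": {
            "publicSettings": {"exampleKey": "constructed value"},
            "protectedSettings": "constructed-opaque-blob",
        }}]
    }), encoding="utf-8")
    return inspect_extension_dir(str(base))


if __name__ == "__main__":
    import sys
    # Usage on the VM (the waagent tree is root-only):
    #   sudo python3 check_mde_settings.py /var/lib/waagent/<publisher.type>-<version>
    # Without an argument the constructed sample directory is inspected instead.
    report = inspect_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("json.loads('') ->", json_error_for_empty_input())
    for name, info in report.items():
        print(name, info)
```

An "empty" result for the latest sequence number means the extension was enabled without any settings, which is consistent with the error shown; the script does not tell you what settings the MDE.Linux handler expects, it only confirms that none reached it.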
Check the following code:
Enable Azure Defender: source code from: Microsoft Defender terraform - GitHub
Code:
resource "azurerm_subscription_policy_assignment" "assgn_asb" {
  name                 = "azuresecuritybenchmark"
  display_name         = "Azure Security Benchmark"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  subscription_id      = data.azurerm_subscription.current.id
}

....

resource "azurerm_security_center_subscription_pricing" "mdc_servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_setting" "setting_mcas" {
  setting_name = "MCAS"
  enabled      = false
}

resource "azurerm_security_center_setting" "setting_mde" {
  setting_name = "WDATP"
  enabled      = true
}
Here the Log Analytics agent or Azure Monitor agent is enabled.
resource "azurerm_security_center_auto_provisioning" "auto-provisioning" {
  auto_provision = "On"
}
Create a Log Analytics workspace to store these logs.
resource "azurerm_security_center_workspace" "myloga_workspace" {
  scope        = data.azurerm_subscription.current.id
  workspace_id = azurerm_log_analytics_workspace.myloga_workspace.id
}

resource "azurerm_subscription_policy_assignment" "auto-provisioning" {
  name                 = "mdc-va-autoprovisioning"
  display_name         = "Machines to receive a vulnerability assessment provider"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
  subscription_id      = data.azurerm_subscription.current.id
  identity {
    type = "SystemAssigned"
  }
  location   = "West US2"
  parameters = ..
}

resource "azurerm_role_assignment" "auto-provrole" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
  # must reference the policy assignment's resource name declared above
  principal_id       = azurerm_subscription_policy_assignment.auto-provisioning.identity[0].principal_id
}

resource "azurerm_security_center_automation" "la-exports" {
  name                = "ExportToWorkspace"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  action {
    type        = "loganalytics"
    resource_id = azurerm_log_analytics_workspace.myloga_workspace.id
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "Medium"
        property_type  = "String"
      }
    }
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoreControls"
  }

  scopes = [data.azurerm_subscription.current.id]
}
Note: once auto-deployment is enabled, the Defender for Endpoint for Linux installation will abort on machines with pre-existing running services.
Also check the possible solution: VMExtensionProvisioningError | Microsoft Learn
Reference: Enable integration | Microsoft Learn
This extension should only be installed for MDC Defender for Servers customers. The instructions provided by kavyaS above turn it on and explain how to turn on the auto-provisioning setting for the MDE extension. Note that two other settings should also be turned on (Linux, and the unified agent for Windows Server 2012 R2 and 2016).