
Connect Azure Arc enabled servers to Azure Security Center

This article provides guidance on how to onboard an Azure Arc enabled server to Azure Security Center. This helps you start collecting security-related configurations and event logs so you can recommend actions and improve your overall Azure security posture.

In the following procedures, you enable and configure the Azure Security Center Standard tier on your Azure subscription. This provides advanced threat protection (ATP) and detection capabilities. The process includes:

  • Set up a Log Analytics workspace where logs and events are aggregated for analysis.
  • Assign Security Center's default security policies.
  • Review Azure Security Center's recommendations.
  • Apply recommended configurations on Azure Arc enabled servers using Quick Fix remediations.

Important

The procedures in this article assume you've already deployed VMs or servers running on-premises or on other clouds, and that you have connected them to Azure Arc. If you haven't, the following information can help you automate this.

Prerequisites

  1. Clone the Azure Arc Jumpstart repository.

    git clone https://github.com/microsoft/azure_arc
    
  2. As mentioned, this guide starts at the point where you have already deployed and connected VMs or bare-metal servers to Azure Arc. For this scenario, we use a Google Cloud Platform (GCP) instance that has already been connected to Azure Arc and is visible as a resource in Azure, as shown in the following screenshots:

    Screenshot of an Azure Arc enabled server in the Azure portal.

    Screenshot of the details of an Azure Arc enabled server in the Azure portal.

  3. Install or update Azure CLI. Azure CLI should be version 2.7 or later. Use az --version to check your currently installed version.

  4. Create an Azure service principal.

    To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the Contributor role is required. To create it, sign in to your Azure account and run the following commands. You can also run them in Azure Cloud Shell.

    az login
    az ad sp create-for-rbac -n "<Unique SP Name>" --role contributor
    

    For example:

    az ad sp create-for-rbac -n "http://AzureArcServers" --role contributor
    

    Output should look like this:

    {
      "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "displayName": "AzureArcServers",
      "name": "http://AzureArcServers",
      "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

Note

We highly recommend that you scope the service principal to a specific Azure subscription and resource group.
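
A script that follows this recommendation, added here as an example and not part of the Jumpstart repository: it creates the service principal with Contributor limited to one resource group (rather than the subscription-wide assignment the unscoped command above defaults to) and then lists its role assignments so the scope can be checked. SUB_ID, RG_NAME and SP_NAME are placeholder variables you supply.

```shell
#!/usr/bin/env sh
# Added example, not the Jumpstart repo's own script. Creates the Azure Arc
# onboarding service principal scoped to a single resource group and prints
# its role assignments for review. SUB_ID, RG_NAME and SP_NAME are placeholders.

# Check that a value looks like an Azure subscription ID (a GUID).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the resource-group scope the service principal is limited to.
arc_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Create the SP with Contributor on that scope only. The JSON output
# (appId, password, tenant) is what the Arc agent onboarding needs, so it
# is left on stdout for the operator to store securely.
create_scoped_sp() {
  sub="$1"; rg="$2"; name="$3"
  is_guid "$sub" || { echo "not a subscription ID: $sub" >&2; return 1; }
  az ad sp create-for-rbac -n "$name" --role contributor \
    --scopes "$(arc_scope "$sub" "$rg")"
}

# List every role assignment held by the SP (assignee may be the service
# principal name). The only scope shown should be the one from arc_scope.
verify_sp_scope() {
  az role assignment list --assignee "$1" --all \
    --query '[].{role:roleDefinitionName,scope:scope}' -o table
}

if [ "${1:-}" = "--run" ]; then
  create_scoped_sp "$SUB_ID" "$RG_NAME" "$SP_NAME"
  verify_sp_scope "$SP_NAME"
fi
```

Run it as `SUB_ID=... RG_NAME=... SP_NAME=... sh scoped_sp.sh --run` after `az login`; without `--run` it only defines the functions.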

Onboard Azure Security Center

  1. Data collected by Azure Security Center is stored in a Log Analytics workspace. You can either use the default one created by Azure Security Center or a custom one created by you. If you want to create a dedicated workspace, you can automate the deployment by editing the Azure Resource Manager template (ARM template) parameters file, providing a name and location for your workspace:

    Screenshot of the ARM template.

  2. To deploy the ARM template, navigate to the deployment folder and run the following command:

    az deployment group create --resource-group <Name of the Azure resource group> \
    --template-file <The `log_analytics-template.json` template file location> \
    --parameters <The `log_analytics-template.parameters.json` template file location>
    
  3. If you are using a user-defined workspace, instruct Security Center to use it instead of the default one with the following command:

    az security workspace-setting create --name default \
    --target-workspace '/subscriptions/<Your subscription ID>/resourceGroups/<Name of the Azure resource group>/providers/Microsoft.OperationalInsights/workspaces/<Name of the Log Analytics Workspace>'
    
  4. Select the Azure Security Center tier. The Free tier is enabled on all your Azure subscriptions by default and provides continuous security assessment and actionable security recommendations. In this guide, you use the Standard tier for Azure Virtual Machines, which extends these capabilities by providing unified security management and threat protection across your hybrid cloud workloads. To enable the Standard tier of Azure Security Center for VMs, run the following command:

    az security pricing create -n VirtualMachines --tier 'standard'
    
  5. Assign the default Security Center policy initiative. Azure Security Center makes its security recommendations based on policies. There is a specific initiative that groups Security Center policies, with the definition ID 1f3afdf9-d0c9-4c3d-847f-89da613e70a8. The following command assigns the Azure Security Center initiative to your subscription.

    az policy assignment create --name 'Azure Security Center Default <Your subscription ID>' \
    --scope '/subscriptions/<Your subscription ID>' \
    --policy-set-definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
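
The onboarding steps above collected into one script, added here as an example rather than the guide's own code: the workspace is created with az monitor log-analytics workspace create instead of the guide's ARM template (an assumed substitution), and the Standard tier is read back after it is set so the script fails loudly if the change did not apply. SUB_ID, RG_NAME, WS_NAME and LOCATION are placeholders you supply.

```shell
#!/usr/bin/env sh
# Added example, not the Jumpstart repo's own script. Runs steps 1-5 of the
# onboarding section for one subscription. Workspace creation uses the CLI
# instead of the guide's ARM template (assumed substitution). SUB_ID, RG_NAME,
# WS_NAME and LOCATION are placeholders supplied by the operator.

# Full resource ID of the Log Analytics workspace, the value expected by
# az security workspace-setting create --target-workspace (step 3).
workspace_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' "$1" "$2" "$3"
}

# Name of the policy assignment, matching the convention in step 5.
assignment_name() {
  printf 'Azure Security Center Default %s' "$1"
}

# Built-in Security Center initiative quoted in step 5.
ASC_INITIATIVE='1f3afdf9-d0c9-4c3d-847f-89da613e70a8'

onboard() {
  sub="$1"; rg="$2"; ws="$3"; loc="$4"
  az account set --subscription "$sub"
  # Step 1: create the dedicated workspace.
  az monitor log-analytics workspace create -g "$rg" -n "$ws" -l "$loc" -o none
  # Step 3: point Security Center at it instead of the default workspace.
  az security workspace-setting create --name default \
    --target-workspace "$(workspace_id "$sub" "$rg" "$ws")" -o none
  # Step 4: enable the Standard tier for VMs, then read the tier back.
  az security pricing create -n VirtualMachines --tier standard -o none
  tier=$(az security pricing show -n VirtualMachines --query pricingTier -o tsv)
  [ "$tier" = "Standard" ] || { echo "tier is '$tier', not Standard" >&2; return 1; }
  # Step 5: assign the default initiative at subscription scope.
  az policy assignment create --name "$(assignment_name "$sub")" \
    --scope "/subscriptions/$sub" --policy-set-definition "$ASC_INITIATIVE" -o none
}

if [ "${1:-}" = "--run" ]; then
  onboard "$SUB_ID" "$RG_NAME" "$WS_NAME" "$LOCATION"
fi
```

Run it as `SUB_ID=... RG_NAME=... WS_NAME=... LOCATION=... sh onboard_asc.sh --run` after `az login`; without `--run` it only defines the functions.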
    

Azure Arc and Azure Security Center integration

After you successfully onboard Azure Security Center, you'll get recommendations to help you protect your resources, including your Azure Arc enabled servers. Azure Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities.

In the Compute & Apps section under VM & Servers, Azure Security Center provides an overview of all the discovered security recommendations for your VMs and computers, including Azure VMs, Azure classic VMs, servers, and Azure Arc machines.

Screenshot of Azure Security Center's Compute & Apps section.

On Azure Arc enabled servers, Azure Security Center recommends installing the Log Analytics agent. Each recommendation also includes:

  • A short description of the recommendation.
  • A secure score impact, in this case with a status of High.
  • The remediation steps to carry out in order to implement the recommendation.

For specific recommendations, like the one in the following screenshot, you also get a Quick Fix that enables you to quickly remediate a recommendation on multiple resources.

Screenshot of Azure Security Center recommendations for Azure Arc enabled servers.

Screenshot of the Azure Security Center recommendation to install Log Analytics.

The following remediation Quick Fix uses an ARM template to deploy the Microsoft Monitoring Agent extension on the Azure Arc machine.

Screenshot of the Azure Security Center Quick Fix ARM template.

You can trigger the remediation with the ARM template from the Azure Security Center dashboard by selecting the Log Analytics workspace used for Azure Security Center and then choosing Remediate 1 resource.

Screenshot of how to trigger the remediation step in Azure Security Center.

After you apply the recommendation on the Azure Arc enabled server, the resource is marked as healthy.

Screenshot of a healthy Azure Arc enabled server.

Clean up your environment

Complete the following steps to clean up your environment.

  1. Remove the virtual machines from each environment by following the teardown instructions in each guide.

  2. Remove the Log Analytics workspace by executing the following command in Azure CLI. Provide the workspace name you used when creating the Log Analytics workspace.

    az monitor log-analytics workspace delete --resource-group <Name of the Azure resource group> --workspace-name <Log Analytics Workspace Name> --yes