
Tutorial: Use Azure Security Center to monitor Linux virtual machines

Azure Security Center can help you gain visibility into the security practices of your Azure resources. Security Center offers integrated security monitoring and can detect threats that otherwise might go unnoticed. In this tutorial, you learn about Azure Security Center and how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Security Center overview

Security Center identifies potential virtual machine (VM) configuration issues and targeted security threats. These might include VMs that are missing network security groups, unencrypted disks, and brute-force Remote Desktop Protocol (RDP) attacks. The information is shown on the Security Center dashboard in easy-to-read graphs.

To access the Security Center dashboard, in the Azure portal, on the menu, select Security Center. On the dashboard, you can see the security health of your Azure environment, find a count of current recommendations, and view the current state of threat alerts. You can expand each high-level chart to see more detail.

(Screenshot: Security Center dashboard)

Security Center goes beyond data discovery to provide recommendations for the issues it detects. For example, if a VM was deployed without an attached network security group, Security Center displays a recommendation with remediation steps you can take. You can apply the remediation without leaving the context of Security Center.

(Screenshot: Recommendations)

Set up data collection

Before you can get visibility into VM security configurations, you need to set up Security Center data collection. This involves turning on data collection, which automatically installs the Microsoft Monitoring Agent on every VM in your subscription. Note that auto provisioning is subscription-wide: it reaches all VMs in the subscription, not only the ones used in this tutorial, so review that before enabling it in a shared subscription.

  1. On the Security Center dashboard, click Security policy, and then select your subscription.
  2. For Data collection, under Auto Provisioning, select On.
  3. For Default workspace configuration, leave it as Use workspace(s) created by Security Center (default).
  4. Under Security Events, keep the default option of Common.
  5. Click Save at the top of the page.

The Security Center data collection agent is then installed on all VMs, and data collection begins.

Set up a security policy

Security policies define the items for which Security Center collects data and makes recommendations. You can apply different security policies to different sets of Azure resources. By default, Azure resources are evaluated against all policy items, but you can turn off individual policy items for all Azure resources or for a single resource group. For in-depth information about Security Center security policies, see Set security policies in Azure Security Center.

To set up a security policy for an entire subscription:

  1. On the Security Center dashboard, select Security policy, and then select your subscription.
  2. On the Security policy blade, select Security policy.
  3. On the Security policy - Security policy blade, turn on or turn off the policy items that you want to apply to the subscription.
  4. When you're finished selecting your settings, select Save at the top of the blade.

(Screenshot: Security policy settings)

View VM configuration health

After you've turned on data collection and set a security policy, Security Center begins to provide alerts and recommendations. As VMs are deployed, the data collection agent is installed, and Security Center is then populated with data for the new VMs. For in-depth information about VM configuration health, see Protect your VMs in Security Center.

As data is collected, the resource health for each VM and its related Azure resources is aggregated and shown in an easy-to-read chart.

To view resource health:

  1. On the Security Center dashboard, under Prevention, select Compute.
  2. On the Compute blade, select VMs and computers. This view provides a summary of the configuration status for all your VMs.

(Screenshot: Compute health)

To see all recommendations for a VM, select the VM.

Remediate configuration issues

After Security Center begins to populate with configuration data, it makes recommendations based on the security policy you set up. For instance, if a VM was set up without an associated network security group, a recommendation is made to create one.

To see a list of all recommendations:

  1. On the Security Center dashboard, select Recommendations.
  2. Select a specific recommendation. A list of all resources to which the recommendation applies appears.
  3. To apply a recommendation, select the resource.
  4. Follow the instructions for the remediation steps.

In many cases, Security Center provides actionable steps you can take to address a recommendation without leaving Security Center. In the following example, Security Center detects a network security group that has an unrestricted inbound rule. On the recommendation page, you can select the Edit inbound rules button, and the UI needed to modify the rule appears.

(Screenshot: Recommendation details)

As recommendations are remediated, they are marked as resolved.
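The condition behind that "unrestricted inbound rule" recommendation can be checked offline against an NSG's rule list. The following Python script is an added example for this tutorial, not code from the page or from Azure. It uses the securityRules property names of an Azure NSG resource (direction, access, priority, protocol, sourceAddressPrefix, destinationPortRange), and the sample NSG is constructed: the weak rule that the recommendation flags is shown beside a corrected one that limits SSH to an operator network. The effective_access helper additionally walks the rules in priority order, including Azure's default inbound rules, so you can see whether a flagged Allow rule is actually reachable from the Internet or is shadowed by a higher-precedence Deny.

```python
"""Evaluate an NSG's inbound rules the way the recommendation does (is there an
Allow rule open to any source?) and the way the platform does (what does a given
source actually get on a given port, walking rules by priority).

Added example. Rule dictionaries use the securityRules property names of an Azure
NSG resource; the sample rules and addresses below are constructed."""
import ipaddress

# Source prefixes that mean "anything on the Internet can reach this rule".
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Azure's default inbound rules, so that evaluation falls through to DenyAllInBound.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _source_prefixes(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _port_ranges(rule):
    """Yield (low, high) for "*", "22", "8000-8100", or the destinationPortRanges list."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for spec in specs:
        if spec == "*":
            yield 0, 65535
        elif "-" in spec:
            low, high = spec.split("-", 1)
            yield int(low), int(high)
        else:
            yield int(spec), int(spec)


def source_matches(rule, source_ip):
    """Does an Internet source address fall under the rule's source prefixes?
    Service tags other than Internet/* (VirtualNetwork, AzureLoadBalancer) never
    match an Internet address here."""
    addr = ipaddress.ip_address(source_ip)
    for prefix in _source_prefixes(rule):
        if prefix in ANY_SOURCE:
            return True
        try:
            if addr in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # a service tag, not a CIDR
    return False


def effective_access(rules, source_ip, port, protocol="Tcp"):
    """Return (rule name, access) of the first matching inbound rule in priority
    order (lowest number wins), including the platform defaults."""
    inbound = [r for r in list(rules) + DEFAULT_INBOUND_RULES if r.get("direction") == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if (r.get("protocol", "*") in ("*", protocol)
                and source_matches(r, source_ip)
                and any(low <= port <= high for low, high in _port_ranges(r))):
            return r["name"], r["access"]
    return "DenyAllInBound", "Deny"  # DenyAllInBound always matches; kept for clarity


def unrestricted_inbound_rules(rules):
    """Names of Allow rules reachable from any source: the per-rule condition behind
    the 'unrestricted inbound rule' recommendation. Shadowing by a lower-numbered
    Deny rule is not considered here; use effective_access for that."""
    return [r["name"] for r in rules
            if r.get("direction") == "Inbound" and r.get("access") == "Allow"
            and any(p in ANY_SOURCE for p in _source_prefixes(r))]


# Constructed sample: the weak rule the recommendation flags, and a corrected rule
# that limits SSH to an operator range (203.0.113.0/24 is documentation address space).
WEAK_RULES = [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]
FIXED_RULES = [
    {"name": "allow-ssh-from-ops", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, "flagged:", unrestricted_inbound_rules(rules))
        print(label, "SSH from 198.51.100.9:", effective_access(rules, "198.51.100.9", 22))
        print(label, "SSH from 203.0.113.40:", effective_access(rules, "203.0.113.40", 22))
```

unrestricted_inbound_rules reports the per-rule condition, which is what the recommendation shows; effective_access is what a packet actually experiences on that one NSG. If a subnet-level NSG is also attached, it is evaluated separately and must allow the traffic as well, so check both before concluding that a port is, or is not, exposed.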

View detected threats

In addition to resource configuration recommendations, Security Center displays threat detection alerts. The security alerts feature aggregates data collected from each VM, Azure networking logs, and connected partner solutions to detect security threats against Azure resources. For in-depth information about Security Center threat detection capabilities, see Azure Security Center detection capabilities.

The security alerts feature requires the Security Center pricing tier to be raised from Free to Standard. A free trial is available when you move to this higher pricing tier.

To change the pricing tier:

  1. On the Security Center dashboard, click Security policy, and then select your subscription.
  2. Select Pricing tier.
  3. Select Standard, and then click Save at the top of the blade.

After you've changed the pricing tier, the security alerts graph begins to populate as security threats are detected.

(Screenshot: Security alerts)

Select an alert to view its details. For example, you can see a description of the threat, the detection time, all attempts that make up the threat, and the recommended remediation. In the following example, an RDP brute-force attack was detected, with 294 failed RDP attempts, and a recommended resolution is provided.

(Screenshot: RDP brute-force attack alert)
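To see what such an alert aggregates, the following Python script is an added example; it is not part of the tutorial and does not reproduce Security Center's own detection logic, which this page does not describe. It applies the same idea to the Linux analog of the RDP alert: failed sshd logins in /var/log/auth.log, counted per source address in a sliding time window and reported with the fields the alert shows (description, detection time, attempt count, remediation hint). The log excerpt is constructed, and the 20-failure / 5-minute threshold is an illustrative choice for this example, not a published Security Center value.

```python
"""Count failed sshd logins per source address inside a sliding window and report
brute-force findings with the fields the Security Center alert shows.

Added example: the auth.log excerpt is constructed, and the threshold and window
are illustrative values, not Security Center's detection parameters."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Debian/Ubuntu sshd lines in /var/log/auth.log, e.g.
#   Mar 14 09:15:02 linuxvm sshd[1301]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-password line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=20, window=timedelta(minutes=5), year=2024):
    """Return one finding per source IP that reaches `threshold` failures within
    any `window`. `attempts` is the source's total failures in the log, like the
    294 in the alert; `detected_at` is when the threshold was first crossed."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    findings = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue                      # successful logins, cron, etc.
        ts, user, ip = parsed
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in findings:
            findings[ip] = {
                "description": f"SSH brute-force attempt from {ip}",
                "source_ip": ip,
                "detected_at": ts,
                "remediation": "Restrict the SSH source range in the NSG and use key-based authentication.",
            }
    for ip, f in findings.items():       # totals are only known once the log is read
        f["attempts"] = totals[ip]
        f["usernames_tried"] = sorted(users[ip])
    return list(findings.values())


def sample_auth_log():
    """Constructed excerpt: one noisy source trying several accounts, one operator
    who mistyped a password twice, and unrelated lines the parser must ignore."""
    base = datetime(2024, 3, 14, 9, 15, 0)
    lines = [
        "Mar 14 09:14:58 linuxvm sshd[1201]: Accepted publickey for azureuser from 198.51.100.7 port 51000 ssh2",
        "Mar 14 09:15:01 linuxvm CRON[1210]: pam_unix(cron:session): session opened for user root",
    ]
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        user = ("root", "admin", "oracle")[i % 3]
        who = user if user == "root" else f"invalid user {user}"
        lines.append(f"{t:%b %d %H:%M:%S} linuxvm sshd[{1300 + i}]: Failed password for {who} "
                     f"from 203.0.113.5 port {40000 + i} ssh2")
    for i in range(2):
        t = base + timedelta(minutes=1, seconds=30 * i)
        lines.append(f"{t:%b %d %H:%M:%S} linuxvm sshd[{1400 + i}]: Failed password for azureuser "
                     f"from 198.51.100.7 port {51010 + i} ssh2")
    return lines


if __name__ == "__main__":
    for finding in detect_bruteforce(sample_auth_log()):
        print(finding)
```

The sliding window matters: a source that spreads failures thinly over hours never crosses the threshold here, which is the trade-off any count-based detector makes between noise from a mistyped password and a slow, patient guess. The remediation string mirrors what the alert page recommends in spirit (narrow the network path and remove password authentication); the first of those is the same NSG change the configuration recommendation earlier in this tutorial asks for.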

Next steps

In this tutorial, you set up Azure Security Center and then reviewed VMs in Security Center. You learned how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Advance to the next tutorial to learn more about creating a CI/CD pipeline with Jenkins, GitHub, and Docker.