
Tutorial: Use Azure Security Center to monitor Linux virtual machines

Azure Security Center can help you gain visibility into your Azure resource security practices. Security Center offers integrated security monitoring. It can detect threats that otherwise might go unnoticed. In this tutorial, you learn about Azure Security Center, and how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Security Center overview

Security Center identifies potential virtual machine (VM) configuration issues and targeted security threats. These might include VMs that are missing network security groups, unencrypted disks, and brute-force Remote Desktop Protocol (RDP) attacks. The information is shown on the Security Center dashboard in easy-to-read graphs.

To access the Security Center dashboard, in the Azure portal, on the menu, select Security Center. On the dashboard, you can see the security health of your Azure environment, find a count of current recommendations, and view the current state of threat alerts. You can expand each high-level chart to see more detail.

Screenshot: Security Center dashboard

Security Center goes beyond data discovery to provide recommendations for issues that it detects. For example, if a VM was deployed without an attached network security group, Security Center displays a recommendation, with remediation steps you can take. You get automated remediation without leaving the context of Security Center.

Screenshot: Recommendations

Set up data collection

Before you can get visibility into VM security configurations, you need to set up Security Center data collection. This involves turning on data collection and creating an Azure storage account to hold the collected data.

  1. On the Security Center dashboard, select Security policy, and then select your subscription.
  2. For Data collection, select On.
  3. To create a storage account, select Choose a storage account. Then, select OK.
  4. On the Security policy blade, select Save.

The Security Center data collection agent is then installed on all VMs, and data collection begins.

Set up a security policy

Security policies define the items for which Security Center collects data and makes recommendations. You can apply different security policies to different sets of Azure resources. Although by default Azure resources are evaluated against all policy items, you can turn off individual policy items for all Azure resources or for a resource group. For in-depth information about Security Center security policies, see Set security policies in Azure Security Center.

To set up a security policy for all Azure resources:

  1. On the Security Center dashboard, select Security policy, and then select your subscription.
  2. Select Prevention policy.
  3. Turn on or turn off the policy items that you want to apply to all Azure resources.
  4. When you're finished selecting your settings, select OK.
  5. On the Security policy blade, select Save.

To set up a policy for a specific resource group:

  1. On the Security Center dashboard, select Security policy, and then select a resource group.
  2. Select Prevention policy.
  3. Turn on or turn off the policy items that you want to apply to the resource group.
  4. Under INHERITANCE, select Unique.
  5. When you're finished selecting your settings, select OK.
  6. On the Security policy blade, select Save.

You can also turn off data collection for a specific resource group on this page.

In the following example, a unique policy has been created for a resource group named myResoureGroup. In this policy, the disk encryption and web application firewall recommendations are turned off.

Screenshot: Unique policy

View VM configuration health

After you've turned on data collection and set a security policy, Security Center begins to provide alerts and recommendations. As VMs are deployed, the data collection agent is installed. Security Center is then populated with data for the new VMs. For in-depth information about VM configuration health, see Protect your VMs in Security Center.

As data is collected, the resource health for each VM and related Azure resource is aggregated. The information is shown in an easy-to-read chart.

To view resource health:

  1. On the Security Center dashboard, under Resource security health, select Compute.
  2. On the Compute blade, select Virtual machines. This view provides a summary of the configuration status for all your VMs.

Screenshot: Compute health

To see all recommendations for a VM, select the VM. Recommendations and remediation are covered in more detail in the next section of this tutorial.

Remediate configuration issues

After Security Center begins to populate with configuration data, recommendations are made based on the security policy you set up. For instance, if a VM was set up without an associated network security group, a recommendation is made to create one.

To see a list of all recommendations:

  1. On the Security Center dashboard, select Recommendations.
  2. Select a specific recommendation. A list of all resources to which the recommendation applies appears.
  3. To apply a recommendation, select a specific resource.
  4. Follow the instructions for the remediation steps.

In many cases, Security Center provides actionable steps you can take to address a recommendation without leaving Security Center. In the following example, Security Center detects a network security group that has an unrestricted inbound rule. On the recommendation page, you can select the Edit inbound rules button. The UI needed to modify the rule appears.

Screenshot: Recommendation

As recommendations are remediated, they are marked as resolved.
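The check behind the unrestricted inbound rule recommendation can be reproduced locally. The following Python is an added example, not Azure or Security Center code: it evaluates a constructed set of NSG rules, flags inbound Allow rules that are open to any source, and skips those that an earlier Deny rule on the same port and protocol already shadows. The set of "anywhere" prefixes, the NsgRule shape and the sample rules are assumptions made for this example.

```python
from dataclasses import dataclass
# Source prefixes Azure treats as "anywhere" (this set is the example's assumption).
ANY_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # source address prefix
    dest_port: str     # "22", "1000-2000" or "*"

def port_range(spec: str) -> tuple:
    """Translate a port spec ("22", "1000-2000", "*") into an inclusive (low, high) tuple."""
    low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
    return (int(low), int(high or low))

def covers(deny: NsgRule, allow: NsgRule) -> bool:
    """True if `deny` is evaluated before `allow` and blocks every packet it would admit."""
    d_lo, d_hi = port_range(deny.dest_port)
    a_lo, a_hi = port_range(allow.dest_port)
    return (deny.priority < allow.priority
            and deny.access.lower() == "deny"
            and deny.direction == allow.direction
            and deny.source.lower() in ANY_SOURCES
            and deny.protocol in ("*", allow.protocol)
            and d_lo <= a_lo and a_hi <= d_hi)

def unrestricted_inbound(rules: list) -> list:
    """Names of allow-from-anywhere inbound rules that no earlier deny rule shadows."""
    findings = []
    for rule in rules:
        if (rule.direction != "Inbound" or rule.access.lower() != "allow"
                or rule.source.lower() not in ANY_SOURCES):
            continue
        if any(covers(other, rule) for other in rules):
            continue
        findings.append(rule.name)
    return findings

# Constructed sample NSG (not real): allow-rdp-any is what Security Center would flag.
SAMPLE_RULES = [
    NsgRule("allow-ssh-office", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    NsgRule("deny-db-all", 200, "Inbound", "Deny", "Tcp", "*", "3306"),
    NsgRule("allow-db-any", 300, "Inbound", "Allow", "Tcp", "*", "3306"),
    NsgRule("allow-rdp-any", 400, "Inbound", "Allow", "Tcp", "Internet", "3389"),
]
```

Running `unrestricted_inbound(SAMPLE_RULES)` reports only allow-rdp-any: allow-db-any is open to any source too, but deny-db-all is evaluated first and blocks the same port.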

View detected threats

In addition to resource configuration recommendations, Security Center displays threat detection alerts. The security alerts feature aggregates data collected from each VM, Azure networking logs, and connected partner solutions to detect security threats against Azure resources. For in-depth information about Security Center threat detection capabilities, see Azure Security Center detection capabilities.

The security alerts feature requires the Security Center pricing tier to be raised from Free to Standard. A 30-day free trial is available when you move to this higher pricing tier.

To change the pricing tier:

  1. On the Security Center dashboard, select Security policy, and then select your subscription.
  2. Select Pricing tier.
  3. Select the new tier, and then select Select.
  4. On the Security policy blade, select Save.

After you've changed the pricing tier, the security alerts graph begins to populate as security threats are detected.

Screenshot: Security alerts

Select an alert to view its details. For example, you can see a description of the threat, the detection time, all threat attempts, and the recommended remediation. In the following example, an RDP brute-force attack was detected, with 294 failed RDP attempts. A recommended resolution is provided.

Screenshot: RDP attack
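The alert above reports failed attempts counted per source together with a description, detection time and recommended fix. As an added example (not Azure documentation or Security Center code), the following Python reproduces that aggregation for the SSH log of a Linux VM, over constructed auth log lines; the threshold of 3 failures, the log format and the remediation text are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sshd lines from a Linux VM's auth log (sample data, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 vm1 sshd[2210]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:15:03 vm1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:15:04 vm1 sshd[2212]: Failed password for root from 198.51.100.7 port 51034 ssh2
Mar  3 10:15:06 vm1 sshd[2213]: Accepted publickey for azureuser from 203.0.113.5 port 40222 ssh2
Mar  3 10:15:09 vm1 sshd[2214]: Failed password for ubuntu from 192.0.2.9 port 33001 ssh2
"""

# Captures the syslog timestamp, the attempted user name and the source address of a failure.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def failed_logins_by_source(log_text: str) -> dict:
    """Group failed logins by source address: {ip: [(timestamp, user), ...]}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if match:
            groups[match.group(3)].append((match.group(1), match.group(2)))
    return dict(groups)

def brute_force_alerts(log_text: str, threshold: int = 3) -> list:
    """Emit one alert per source that reaches the threshold, carrying the same fields
    the Security Center alert card shows: description, detection time, attempt count
    and recommended remediation (threshold and wording are this example's assumptions)."""
    alerts = []
    for ip, attempts in failed_logins_by_source(log_text).items():
        if len(attempts) < threshold:
            continue
        alerts.append({
            "description": f"SSH brute-force attempt from {ip}",
            "detection_time": attempts[-1][0],
            "failed_attempts": len(attempts),
            "targeted_users": sorted({user for _, user in attempts}),
            "remediation": "Restrict inbound SSH in the network security group to known sources",
        })
    return alerts
```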

Next steps

In this tutorial, you set up Azure Security Center, and then reviewed VMs in Security Center. You learned how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Advance to the next tutorial to learn more about creating a CI/CD pipeline with Jenkins, GitHub, and Docker.