Tutorial: Use Azure Security Center to monitor Linux virtual machines

Azure Security Center can help you gain visibility into your Azure resource security practices. Security Center offers integrated security monitoring. It can detect threats that otherwise might go unnoticed. In this tutorial, you learn about Azure Security Center, and how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Security Center overview

Security Center identifies potential virtual machine (VM) configuration issues and targeted security threats. These might include VMs that are missing network security groups, unencrypted disks, and brute-force Remote Desktop Protocol (RDP) attacks. The information is shown on the Security Center dashboard in easy-to-read graphs.

To access the Security Center dashboard, in the Azure portal, on the menu, select Security Center. On the dashboard, you can see the security health of your Azure environment, find a count of current recommendations, and view the current state of threat alerts. You can expand each high-level chart to see more detail.

[Figure: Security Center dashboard]

Security Center goes beyond data discovery to provide recommendations for issues that it detects. For example, if a VM was deployed without an attached network security group, Security Center displays a recommendation, with remediation steps you can take. You get automated remediation without leaving the context of Security Center.

[Figure: Recommendations]

Set up data collection

Before you can get visibility into VM security configurations, you need to set up Security Center data collection. This involves turning on data collection, which automatically installs the Microsoft Monitoring Agent on all the VMs in your subscription.

  1. On the Security Center dashboard, click Security policy, and then select your subscription.
  2. For Data collection, in Auto Provisioning, select On.
  3. For Default workspace configuration, leave it as Use workspace(s) created by Security Center (default).
  4. Under Security Events, keep the default option of Common.
  5. Click Save at the top of the page.

The Security Center data collection agent is then installed on all VMs, and data collection begins.

Set up a security policy

Security policies are used to define the items for which Security Center collects data and makes recommendations. You can apply different security policies to different sets of Azure resources. Although by default Azure resources are evaluated against all policy items, you can turn off individual policy items for all Azure resources or for a resource group. For in-depth information about Security Center security policies, see Set security policies in Azure Security Center.

To set up a security policy for an entire subscription:

  1. On the Security Center dashboard, select Security policy, and then select your subscription.
  2. On the Security policy blade, select Security policy.
  3. On the Security policy - Security policy blade, turn on or turn off the policy items that you want to apply to the subscription.
  4. When you're finished selecting your settings, select Save at the top of the blade.

[Figure: Unique policy]

View VM configuration health

After you've turned on data collection and set a security policy, Security Center begins to provide alerts and recommendations. As VMs are deployed, the data collection agent is installed. Security Center is then populated with data for the new VMs. For in-depth information about VM configuration health, see Protect your VMs in Security Center.

As data is collected, the resource health for each VM and related Azure resource is aggregated. The information is shown in an easy-to-read chart.

To view resource health:

  1. On the Security Center dashboard, under Prevention, select Compute.
  2. On the Compute blade, select VMs and computers. This view provides a summary of the configuration status for all your VMs.

[Figure: Compute health]

To see all recommendations for a VM, select the VM.

Remediate configuration issues

After Security Center begins to populate with configuration data, recommendations are made based on the security policy you set up. For instance, if a VM was set up without an associated network security group, a recommendation is made to create one.

To see a list of all recommendations:

  1. On the Security Center dashboard, select Recommendations.
  2. Select a specific recommendation. A list of all resources to which the recommendation applies appears.
  3. To apply a recommendation, select the resource.
  4. Follow the instructions for the remediation steps.

In many cases, Security Center provides actionable steps you can take to address a recommendation without leaving Security Center. In the following example, Security Center detects a network security group that has an unrestricted inbound rule. On the recommendation page, you can select the Edit inbound rules button. The UI that is needed to modify the rule appears.

[Figure: Recommendations]

As recommendations are remediated, they are marked as resolved.
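To make the "unrestricted inbound rule" recommendation concrete, the following added example (not code from the original tutorial or from Security Center) evaluates a network security group's inbound rules in priority order, the way the platform does, and reports which ports are reachable from any source. The rule objects are constructed to mirror the shape of an ARM networkSecurityGroups resource; the weak NSG and the remediated NSG (with a constructed management CIDR, 203.0.113.0/24) are sample data, not taken from the page.

```python
# Evaluate NSG inbound rules the way the platform does and flag ports the
# Internet can reach. Rule objects mirror the ARM securityRules shape.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # "anyone" as a source prefix

def _port_matches(port_range, port):
    """True if '*', '3389' or '1000-2000' covers the port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _matches_from_internet(rule, port, proto):
    """True if this inbound rule applies to traffic from any source."""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["protocol"] not in ("*", proto):
        return False
    if p.get("sourceAddressPrefix") not in ANY_SOURCE:
        return False
    return _port_matches(p.get("destinationPortRange", "*"), port)

def effective_inbound_access(nsg, port, proto="Tcp"):
    """First match in priority order (lowest number first) decides; no match
    falls through to the platform's default DenyAllInBound rule."""
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        if _matches_from_internet(rule, port, proto):
            return rule["properties"]["access"], rule["name"]
    return "Deny", "DenyAllInBound"

def internet_exposed_ports(nsg, ports=(22, 3389)):
    """Map each port reachable from any source to the rule that opens it."""
    exposed = {}
    for port in ports:
        access, name = effective_inbound_access(nsg, port)
        if access == "Allow":
            exposed[port] = name
    return exposed

def _rule(name, priority, access, source, port_range):
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access,
        "protocol": "Tcp", "sourceAddressPrefix": source,
        "destinationAddressPrefix": "*", "destinationPortRange": port_range}}

# Constructed NSG before remediation: RDP open to everyone, plus a catch-all
# Allow that the single Deny rule only partly shadows.
WEAK_NSG = {"properties": {"securityRules": [
    _rule("allow-rdp", 100, "Allow", "*", "3389"),
    _rule("deny-ssh", 110, "Deny", "*", "22"),
    _rule("allow-any", 200, "Allow", "Internet", "*")]}}
# After remediation: RDP only from a constructed management CIDR, no catch-all.
FIXED_NSG = {"properties": {"securityRules": [
    _rule("allow-rdp-mgmt", 100, "Allow", "203.0.113.0/24", "3389")]}}
```

Running `internet_exposed_ports(WEAK_NSG, (22, 3389, 8080))` shows that the Deny at priority 110 protects only SSH while 3389 and 8080 stay open; the remediated NSG exposes nothing.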

View detected threats

In addition to resource configuration recommendations, Security Center displays threat detection alerts. The security alerts feature aggregates data collected from each VM, Azure networking logs, and connected partner solutions to detect security threats against Azure resources. For in-depth information about Security Center threat detection capabilities, see Azure Security Center detection capabilities.

The security alerts feature requires the Security Center pricing tier to be increased from Free to Standard. A free trial is available when you move to this higher pricing tier.

To change the pricing tier:

  1. On the Security Center dashboard, click Security policy, and then select your subscription.
  2. Select Pricing tier.
  3. Select Standard, and then click Save at the top of the blade.

After you've changed the pricing tier, the security alerts graph begins to populate as security threats are detected.

[Figure: Security alerts]

Select an alert to view information. For example, you can see a description of the threat, the detection time, all threat attempts, and the recommended remediation. In the following example, an RDP brute-force attack was detected, with 294 failed RDP attempts. A recommended resolution is provided.

[Figure: RDP attack]

Next steps

In this tutorial, you set up Azure Security Center, and then reviewed VMs in Security Center. You learned how to:

  • Set up data collection
  • Set up security policies
  • View and fix configuration health issues
  • Review detected threats

Advance to the next tutorial to learn more about creating a CI/CD pipeline with Jenkins, GitHub, and Docker.