More Info:
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases
Risk Level: Medium
Address: Security
Compliance Standards: CISAZURE, CBP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure That Vulnerability Assessment Is Enabled On SQL Server By Setting Storage Account” in Azure using Azure console, follow the below steps:
- Log in to the Azure portal (https://portal.azure.com/) using your credentials.
- Navigate to the SQL server that you want to remediate.
- Click on the “Security + Compliance” option from the left-hand side menu.
- Under the “Security + Compliance” menu, click on the “Vulnerability assessment” option.
- In the “Vulnerability assessment” page, click on the “Storage settings” tab.
- Click on the “Configure storage settings” button.
- In the “Configure storage settings” page, select the “Use existing storage account” option.
- Select the storage account that you want to use for vulnerability assessment.
- Click on the “Save” button to save the changes.
Using CLI
To remediate this misconfiguration in Azure using the Azure CLI, follow these steps:
- Open the Azure CLI terminal and log in to your Azure account using the command:
  az login
- Once you are logged in, set the subscription in which the SQL Server is running using the command:
  az account set --subscription <subscription_id>
- Now, create a new storage account or use an existing one to store the vulnerability assessment scan results. You can create a new storage account using the command:
  az storage account create --name <storage_account_name> --resource-group <resource_group_name> --location <location> --sku Standard_LRS
  where <storage_account_name> is the name of the storage account, <resource_group_name> is the name of the resource group in which the storage account will be created, and <location> is the location where the storage account will be created.
- Once the storage account is created, enable vulnerability assessment on the SQL Server using the command:
  az sql server va create --resource-group <resource_group_name> --server <sql_server_name> --storage-account <storage_account_name> --storage-key <storage_account_key> --scan-results-container-name <container_name>
  where <resource_group_name> is the name of the resource group in which the SQL Server is running, <sql_server_name> is the name of the SQL Server, <storage_account_name> is the name of the storage account created in step 3, <storage_account_key> is the access key of the storage account, and <container_name> is the name of the container in which the vulnerability assessment scan results will be stored.
- Once vulnerability assessment is enabled, you can run a scan on the SQL Server using the command:
  az sql server va scan create --resource-group <resource_group_name> --server <sql_server_name> --scan-id <scan_id>
  where <resource_group_name> is the name of the resource group in which the SQL Server is running, <sql_server_name> is the name of the SQL Server, and <scan_id> is the ID of the vulnerability assessment scan.
Using Python
To remediate the misconfiguration “Ensure that Vulnerability Assessment is enabled on SQL Server by setting storage account” in Azure using Python, follow these steps:
- Import the necessary libraries:
- Set up the Azure credentials:
- Create a Storage Account:
- Enable Vulnerability Assessment on SQL Server:
- Verify that Vulnerability Assessment is enabled:
Note: Replace the placeholders <subscription_id>, <resource_group_name>, <server_name>, <database_name>, <storage_account_name>, <storage_account_key>, <location> and <container_path> with the appropriate values for your environment.
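As an added example (not the page's own code), the following Python builds the setting that the "Enable Vulnerability Assessment" step writes and implements the "Verify" step as an offline compliance check. It assumes the JSON shape of the Microsoft.Sql/servers/vulnerabilityAssessments ARM resource (storageContainerPath, recurringScans) and works on a constructed inventory of three servers rather than calling Azure, so <storage_account_key> stays a placeholder.

```python
# Build and assess Azure SQL Server Vulnerability Assessment (VA) settings, offline,
# on the JSON shape of the Microsoft.Sql/servers/vulnerabilityAssessments resource.
from typing import Dict, List, Optional


def build_va_setting(storage_account: str, container: str, access_key: str,
                     emails: Optional[List[str]] = None) -> Dict:
    """Request body for PUT .../servers/<name>/vulnerabilityAssessments/default."""
    return {
        "properties": {
            "storageContainerPath": f"https://{storage_account}.blob.core.windows.net/{container}",
            "storageAccountAccessKey": access_key,  # key the scanner uses to write results
            "recurringScans": {
                "isEnabled": True,
                "emailSubscriptionAdmins": True,
                "emails": emails or [],
            },
        }
    }


def assess_va_setting(va: Optional[Dict]) -> List[str]:
    """Return findings for one server's VA resource; an empty list means compliant."""
    if not va:  # GET returns 404 when VA was never configured on the server
        return ["no vulnerability assessment resource on server"]
    findings = []
    props = va.get("properties") or {}
    path = props.get("storageContainerPath") or ""
    if not path:
        findings.append("storageContainerPath not set (scan results cannot be stored)")
    elif not path.startswith("https://"):
        findings.append("storageContainerPath must be an https:// blob container URL")
    scans = props.get("recurringScans") or {}
    if not scans.get("isEnabled"):
        findings.append("recurringScans.isEnabled is false (no periodic scans)")
    if not scans.get("emailSubscriptionAdmins") and not scans.get("emails"):
        findings.append("no scan report recipients configured")
    return findings


def noncompliant_servers(servers: Dict[str, Optional[Dict]]) -> Dict[str, List[str]]:
    """Map each non-compliant server name to its findings."""
    report = {name: assess_va_setting(va) for name, va in servers.items()}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory: never configured, misconfigured, and compliant.
SAMPLE_SERVERS = {
    "sql-prod-01": None,
    "sql-prod-02": {"properties": {"storageContainerPath": "",
                                   "recurringScans": {"isEnabled": False}}},
    "sql-prod-03": build_va_setting("vastorage123", "va-scans", "<storage_account_key>"),
}
```

Feed real data by fetching each server's vulnerabilityAssessments/default resource (for example with `az rest`) and passing the parsed JSON, or None on a 404, into noncompliant_servers.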