Unable to enable Security Health Analytics under GCP Security Command Centre - security

I have enabled Security Health Analytics under the Security Command Center Standard at Org level; however, I am still prompted to enable it on the Vulnerabilities page.
I have tried multiple times to enable/disable Security Health Analytics, but I still encounter the same prompt.
Has anyone else faced a similar issue? How did you manage to resolve the problem?

This is normally caused by a lack of permissions. Make sure that you have the following permissions:
roles/securitycenter.admin, or
roles/resourcemanager.organizationAdmin
Additionally, the service account used by CSCC must have the role:
roles/securitycenter.serviceAgent
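The role check from the answer above can be run against an exported policy. This is an added example, not part of the original answer: it assumes the policy JSON comes from `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, and every principal in the sample is constructed.

```python
import json

# Roles named in the answer above.
ADMIN_ROLES = {"roles/securitycenter.admin",
               "roles/resourcemanager.organizationAdmin"}
AGENT_ROLE = "roles/securitycenter.serviceAgent"

def check_policy(policy, principal):
    """Return a list of problems found in an organization IAM policy.

    Only direct bindings are inspected: access that reaches the principal
    through a group cannot be resolved from the policy alone.
    """
    direct, conditional, agents = set(), set(), []
    for binding in policy.get("bindings", []):
        role, members = binding.get("role"), binding.get("members", [])
        if role in ADMIN_ROLES and principal in members:
            # A binding with a condition may not apply to every request.
            (conditional if "condition" in binding else direct).add(role)
        if role == AGENT_ROLE:
            # Deleted accounts are listed as "deleted:serviceAccount:...".
            agents += [m for m in members if m.startswith("serviceAccount:")]
    problems = []
    if not direct and conditional:
        problems.append(f"{principal} holds {sorted(conditional)} only conditionally")
    elif not direct:
        problems.append(f"{principal} has none of {sorted(ADMIN_ROLES)}")
    if not agents:
        problems.append(f"no live service account holds {AGENT_ROLE}")
    return problems

# Constructed sample policy (all principals are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/securitycenter.admin",
   "members": ["user:alice@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:bob@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/securitycenter.serviceAgent",
   "members": ["deleted:serviceAccount:scc-agent@example.iam.gserviceaccount.com?uid=1"]}
]}
""")

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com",
                "user:carol@example.com"):
        print(who, check_policy(SAMPLE_POLICY, who))
```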

GCP Support confirmed it was a misconfiguration on their backend, and they fixed it for me.

App Service on azure is down. Multiple errors which don't make sense to me

Out of the blue my App service (asp.net core app) is down and nothing helps (e.g. restarting). Not my field of knowledge I have to say. Few noticeable things:
First it threw 502.
Cannot even access kudu (advanced tools) on https://.scm.azurewebsites.net/ (also 502)
In Diagnose and solve problems and Web App Restarted I have found this:
In Diagnose and solve problems and Web App Down I have found:
2021-10-04T21:19:50.239475918Z Failed to get size of file [/home/site/wwwroot/BlazorApp.Server.deps.json]
2021-10-04T21:19:50.239515518Z Error initializing the dependency resolver: An error occurred while parsing: /home/site/wwwroot/BlazorApp.Server.deps.json
And also this console output:
2021-10-04T20:42:04.875817259Z Running oryx create-script -appPath /home/site/wwwroot -output /opt/startup/startup.sh -defaultAppFilePath /defaulthome/hostingstart/hostingstart.dll -bindPort 8080 -userStartupCommand 'dotnet BlazorApp.Server.dll'
2021-10-04T20:42:04.934145638Z Cound not find build manifest file at '/home/site/wwwroot/oryx-manifest.toml'
2021-10-04T20:42:04.941038071Z Could not find operation ID in manifest. Generating an operation id...
2021-10-04T20:42:04.941048571Z Build Operation ID: 1728b184-ac6f-47b3-a5fa-2ca5f55543ac
2021-10-04T20:42:12.944327812Z
2021-10-04T20:42:12.944356612Z Agent extension
2021-10-04T20:42:19.058804845Z Before if loop >> DotNet Runtime Writing output script to '/opt/startup/startup.sh'
2021-10-04T20:42:25.687081462Z Running user provided startup command...
2021-10-04T20:43:02.238418373Z Failed to get size of file [/home/site/wwwroot/BlazorApp.Server.deps.json]
2021-10-04T20:43:02.238447773Z Error initializing the dependency resolver: An error occurred while parsing: /home/site/wwwroot/BlazorApp.Server.deps.json
Well, thank you for any help you provide!
Edit:
It is located in North Europe. Pay-as-you-go is my subscription. Graph about container crashes is added to the question.
Edit2:
The issue resolved itself after a few hours. Is it possible that it was related to that Facebook outage?
To benefit the community, posting our discussion from the comments section.
"The issue resolved itself after a few hours."
Firstly, apologies for the inconvenience with this issue. Glad to know the issue was resolved. Thanks for the update.
Review the Azure Service Health for any reported issues on your subscription.
Also, review Azure Resource Health and Azure Status.
Azure Service Health provides personalized alerts and guidance when Azure service issues affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue resolves. It can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
Azure Resource Health helps you diagnose and get support for service problems that affect your Azure resources. It reports on the current and past health of your resources.
Azure status page is a global view of the health of all Azure services in all regions. Reports on service problems that affect a broad set of Azure customers.
You may post your question on Microsoft Q&A forum to receive swift help on such issues from our Microsoft SMEs/MVPs and the Microsoft Q&A community or file a support ticket for any urgent help.
Thanks for your patience.

Unable to save Policy in Azure APIM

I have been able to work in Azure APIM with no problems until yesterday. Another member on my team can edit and save with no problems; but my save to an Inbound Processing rule always fails with:
Could not save policy for "Access API 1.2" API. Please try again later.
Thoughts?
Of Note:
Our company's security access team verifies that I am a contributor to APIM
I log in through the company's two-factor authentication system into Azure.
Same results on Edge/Chrome.
I can update individual endpoint api policies.
Our company opened a Microsoft Support ticket on this and their response was
You are running into a known issue with APIM integration with ARM. The
dev team is working on a fix for this issue now and we are told it
will get deployed by this evening.
The following day it was working for me
The APIM dev team fixed the issue late yesterday and you should now
see the ability to update policies for the API scope too.
Note to anyone running into this situation in the future: the secondary advice given revolved around the browser, which was
Make sure you're not pulling down cached files. Try loading an
in-private session or press CTRL+F5 to refresh the page and pull down
new files.

Azure: Microsoft.Compute resource provider stuck 'Registering' for about a day

I've tried un-registering and re-registering and it just keeps getting stuck. No logs I can see so I'm not really sure what to do...
Has anyone experienced this before?
It appears that there was some issue, which is now mitigated. Check your Service Health/Resource Health page.
The ‘Service Health’ - Service issues view shows any ongoing problems in Azure services that are impacting your resources. You can understand when the issue began, and what services and regions are impacted. You can also read the most recent update to understand what Azure is doing to resolve the issue.
Resource health helps you diagnose and get support when an Azure issue impacts your resources. It informs you about the current and past health of your resources and helps you mitigate issues. Resource health provides technical support when you need help with Azure service issues.
Reference:
https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview
If it's a brand new subscription, I always like to deploy a new Resource Manager VM to register all the required resource providers. Once the VM deploys OK, then you can try the AKS (Kubernetes) deployment.
Note: you might still need to register Microsoft.ContainerService for AKS
While you wait for support you can try that and see. Don't forget to delete the VM.
This appears to be an issue that pops up on occasion. As far as I can tell there's no self-service way to fix this when it happens, and your only recourse is to file a support request via the Azure Portal here: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview

Setting "Security Enabled Access" on SQL Database to "Required" in Azure Management Portal breaks Automated Export

I've been running an instance of SQL Azure for a while now and making use of the Automated Export feature to backup directly into Azure Storage.
I've recently switched over to use the Security Enabled Connection String-
{server}.database.secure.windows.net
-so I could make use of the auditing features in Azure too. I set my Security Enabled Access settings to Required to enforce that, as I don't want to miss out on the auditing.
However I've had no new backups in Azure Storage since I switched over. I've investigated into the issue but can't come to a solid conclusion of what's going wrong.
I'm still able to connect to the server and view the database in SQL Management Studio using the non-secure connection string-
{server}.database.windows.net
-but I can't see any tables in the database, which is good as that indicates that the secure connection is indeed required.
My gut feel is that the automated backup in Azure uses the non-secure connection string by default and hasn't picked up the Required Security Enabled Access setting.
The automated backup feature is still in preview mode so the setting may not be supported yet.
So the question is:
Does anyone have any links to official resources detailing this limitation and/or has also experienced the same problem and has a workaround?
The below issue has been fixed. Using SECURITY ENABLED ACCESS required and Import/Export works.
There is a known issue, which is getting fixed, when using
SECURITY ENABLED ACCESS required and import/export. There are a couple
of workarounds you can use to get around this.
You can use client tools, like SSMS, and log in to your database as the server principal and use the built-in export data-tier application
functionality. To do this, log in with the secure connection, right
click on the database you want to export, select tasks, and select
export data-tier application. Make sure you update SSMS with the
update to support V12 servers. You can find it here.
If you don't need to audit the import/export, you could also set SECURITY ENABLED ACCESS to optional.
I suggest using the first method because you still will audit the
operation.
The issue is now fixed. There should be no problem running automated / manual import / export while having auditing enabled.

rabbitmq-management plugin HTTP API - Security concerns

I want to enable RabbitMQ Management plugin on my production environment, but I'm not sure about the security concerns this might bring.
I already have a few applications connected to the RMQ, and hence can't change the credentials now (I'm using default).
Could anyone shed some light on this? I want to know what all things I might need to worry about and what I could do to minimise vulnerabilities.
Thanks!
The Management Plugin uses credentials, which is enough for most cases unless you want it to be accessible from outside. In this case iptables is your friend. In addition, you can proxy the HTTP API and management interface via nginx (or Apache) and use an additional security layer like basic auth.
If you are a bit paranoid (like me) you can combine all 3 methods to have more protection (and have non-trivial access to your management interface from non-usual locations like a free Wi-Fi zone in an airport when flow control gets applied on your server, but this is quite an unusual situation).
UPD:
Note: if your application is badly designed and mixes routine jobs with management jobs under the same account, you may get into some trouble. I suggest the management plugin's Permissions section for further reading.
Usually, separate accounts for application and management jobs, as well as disabling the default guest account (for outside only or in general), is the best choice from a security point of view.
If you are forced to use the default guest account, you can disable the management plugin for it and create a separate account for administration only. In fact, in recent RabbitMQ versions it is disabled for access from outside.
To do this, first create an administration user (an account with the administrator tag), make sure it works, and then update the guest user by removing all tags it has (actually, the administrator tag is the only one set by default for the guest account).
Here is a pic of default guest account with note what to remove.
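An added example, not part of the original answer or of RabbitMQ itself: a Python check over the user list returned by the management HTTP API (`GET /api/users`) that reports the account states the answer describes, including the ordering of creating an administrator before removing tags from guest. The sample users and the `app_accounts` parameter are assumptions for illustration.

```python
import json

# Tags that grant access to the management UI and HTTP API.
MGMT_TAGS = {"management", "policymaker", "monitoring", "administrator"}

def tags_of(user):
    """Tags as a set; the API has returned them both as a comma-separated
    string and as a JSON list, so accept either form."""
    raw = user.get("tags") or []
    if isinstance(raw, str):
        raw = raw.split(",")
    return {t.strip() for t in raw if t.strip()}

def audit_users(users, app_accounts=()):
    """Return (account, finding) pairs for the checks the answer describes."""
    tags = {u["name"]: tags_of(u) & MGMT_TAGS for u in users}
    admins = [n for n, t in tags.items()
              if n != "guest" and "administrator" in t]
    findings = []
    if tags.get("guest"):
        if admins:
            findings.append(("guest", "remove tags: "
                             + ",".join(sorted(tags["guest"]))))
        else:
            # Stripping guest now would leave nobody able to administer.
            findings.append(("guest", "create and verify an administrator first"))
    for name in sorted(app_accounts):
        if name != "guest" and tags.get(name):
            findings.append((name, "application account has tags: "
                             + ",".join(sorted(tags[name]))))
    return findings

# Constructed sample in the shape of GET /api/users (names are made up).
SAMPLE_USERS = json.loads("""
[{"name": "guest",      "tags": "administrator"},
 {"name": "orders-app", "tags": ["monitoring"]},
 {"name": "ops-admin",  "tags": ["administrator"]}]
""")

if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE_USERS, {"orders-app"}):
        print(f"{account}: {finding}")
```

Whether the new administrator account actually works still has to be confirmed by logging in with it; the user list alone cannot show that.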
