articles/security/fundamentals/azure-marketplace-images.md
Lines changed: 10 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -7,17 +7,18 @@ manager: rkarlin
7
7
ms.service: security
8
8
ms.subservice: security-fundamentals
9
9
ms.topic: article
10
-
ms.date: 08/29/2023
10
+
ms.date: 02/06/2024
11
11
ms.author: terrylan
12
+
ms.reviewer: mattmcinnes
12
13
13
14
---
14
15
# Security Recommendations for Azure Marketplace Images
15
16
16
-
Your image must meet these security configuration recommendations. This helps maintain a high level of security for partner solution images in the Azure Marketplace.
17
+
Prior to uploading images to the Azure Marketplace, your image must be updated with several security configuration requirements. These requirements help maintain a high level of security for partner solution images across the Azure Marketplace.
17
18
18
-
Always run a security vulnerability detection on your image prior to submitting. If you detect a security vulnerability in your own published image, you must inform your customers in a timely manner of both the vulnerabilityand how to correct it.
19
+
Make sure to run a security vulnerability detection on your image Prior to submitting it to the Azure Marketplace. If you detect a security vulnerability in your own already published image, you must inform your customers in a timely manner both of the vulnerability's details and how to correct it in current deployments.
19
20
20
-
## Open Source-based Images
21
+
## Linux and open source OS images
21
22
22
23
| Category | Check |
23
24
| -------- | ----- |
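Review bot: In the rewritten vulnerability-scan paragraph, "Prior" is capitalized mid-sentence ("run a security vulnerability detection on your image Prior to submitting it"); lowercase it. The same sentence's "inform your customers in a timely manner both of the vulnerability's details and how to correct it" reads more naturally as "of both the vulnerability's details and how to correct it", which also keeps the "both ... and" pairing the old text had.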
@@ -28,18 +29,18 @@ Always run a security vulnerability detection on your image prior to submitting.
28
29
| Security | The VHD image only includes necessary locked accounts that do not have default passwords that would allow interactive login; no back doors. |
29
30
| Security | Disable firewall rules unless application functionally relies on them, such as a firewall appliance. |
30
31
| Security | Remove all sensitive information from the VHD image, such as test SSH keys, known hosts file, log files, and unnecessary certificates. |
31
-
| Security | Avoid using LVM. |
32
-
| Security | Include the latest versions of required libraries: </br> - OpenSSL v1.0 or greater </br> - Python 2.5 or above (Python 2.6+ is highly recommended) </br> - Python pyasn1 package if not already installed </br> - d.OpenSSL v 1.0 or greater |
33
-
| Security | Clear Bash/Shell history entries. |
32
+
| Security | Avoid using LVM. LVM is Vulnerable to write caching issues with VM hypervisors and also increases data recovery complexity for users of your image.|
33
+
| Security | Include the latest versions of required libraries: </br> - OpenSSL v1.0 or greater </br> - Python 2.5 or above (Python 2.6+ is highly recommended) </br> - Python pyasn1 package if not already installed </br> - d.OpenSSL v 1.0 or greater |
34
+
| Security | Clear Bash/Shell history entries. This could include private information or plain-text credentials for other systems.|
34
35
| Networking | Include the SSH server by default. Set SSH keep alive to sshd config with the following option: ClientAliveInterval 180. |
35
-
| Networking | Remove any custom network configuration from the image. Delete the resolv.conf: `rm /etc/resolv.conf`. |
36
+
| Networking | Remove any custom network configuration from the image. Delete the resolv.conf: `rm /etc/resolv.conf`. |
36
37
| Deployment | Install the latest Azure Linux Agent.</br> - Install using the RPM or Deb package. </br> - You may also use the manual install process, but the installer packages are recommended and preferred. </br> - If installing the agent manually from the GitHub repository, first copy the `waagent` file to `/usr/sbin` and run (as root): </br>`# chmod 755 /usr/sbin/waagent` </br>`# /usr/sbin/waagent -install` </br>The agent configuration file is placed at `/etc/waagent.conf`. |
37
38
| Deployment | Ensure Azure Support can provide our partners with serial console output when needed and provide adequate timeout for OS disk mounting from cloud storage. Add the following parameters to the image Kernel Boot Line: `console=ttyS0 earlyprintk=ttyS0 rootdelay=300`. |
38
39
| Deployment | No swap partition on the OS disk. Swap can be requested for creation on the local resource disk by the Linux Agent. |
39
40
| Deployment | Create a single root partition for the OS disk. |
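Review bot: The "Include the latest versions of required libraries" row is removed and re-added byte-for-byte, so the garbled duplicate entry "d.OpenSSL v 1.0 or greater" (already covered by "OpenSSL v1.0 or greater") survives, as does the "Python 2.5 or above (Python 2.6+ is highly recommended)" guidance, which sits oddly under a heading that asks for the latest versions; since the row is being touched, drop the duplicate and bring the version guidance in line with the "latest versions" wording. In the new LVM row, "Vulnerable" should be lowercase and a space is missing before the closing "|" ("...users of your image.|"); the Bash history row has the same missing space ("...for other systems.|"). The resolv.conf row's removed and added lines read identically, so that change looks whitespace-only; either drop it from the change or note what actually differs.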