Merge pull request #213963 from deeikele/ci-vulnmgmt

Recommendations on how to keep CI up-to-date

Author: Court72

articles/machine-learning/concept-vulnerability-management.md

@@ -72,24 +72,41 @@ It's a shared responsibility between you and Microsoft to ensure that your envir
 
 ### Compute instance
 
-* Compute instances get latest VM images at time of provisioning. 
-* Microsoft doesn't provide active OS patching for compute instance. To obtain the latest VM image, delete and recreate the compute instance. 
-* You could use set up scripts to install extra scanning software. Azure Defender agents are currently not supported. 
-* To query resource age, you could use the following log analytics query: 
-
-    ```kusto
-    AmlComputeClusterEvent 
-    | where ClusterType == "DSI" and EventType =="CreateOperationCompleted" and split(_ResourceId, "/")[-1]=="<wsname>" 
-    | project ClusterName, TimeCreated=TimeGenerated 
-    | summarize Last_Time_Created=arg_max(TimeCreated, *) by ClusterName 
-    | join kind = leftouter (AmlComputeClusterEvent
-        | where ClusterType == "DSI" and EventType =="DeleteOperationCompleted"  
-        | project ClusterName, TimeGenerated 
-        | summarize Last_Time_Deleted=arg_max(TimeGenerated, *) by ClusterName) 
-        on ClusterName  
-    | where (Last_Time_Created>Last_Time_Deleted or isnull(Last_Time_Deleted)) and Last_Time_Created < ago(30days) 
-    | project ClusterName, Last_Time_Created, Last_Time_Deleted 
-    ```
+Compute instances get the latest VM images at the time of provisioning. Microsoft releases new VM images on a monthly basis. Once a compute instance is deployed, it does not get actively updated. To keep current with the latest software updates and security patches, you could:
+
+1. Recreate a compute instance to get the latest OS image (recommended)
+
+   * Data and customizations such as installed packages that are stored on the instance’s OS and temporary disks will be lost.
+   * [Store notebooks under "User files"](/azure/machine-learning/concept-compute-instance#accessing-files) to persist them when recreating your instance.
+   * [Mount data using datasets and datastores](/azure/machine-learning/v1/concept-azure-machine-learning-architecture#datasets-and-datastores) to persist files when recreating your instance.
+   * See [Compute Instance release notes](azure-machine-learning-ci-image-release-notes.md) for details on image releases.
+
+1. Alternatively, regularly update OS and python packages.
+
+   * Use Linux package management tools to update the package list with the latest versions.
+     
+     ```bash
+     sudo apt-get update
+     ```
+     
+   * Use Linux package management tools to upgrade packages to the latest versions. Note that package conflicts might occur using this approach.
+     
+     ```bash
+     sudo apt-get upgrade
+     ```
+     
+   * Use Python package management tools to upgrade packages and check for updates.
+     
+     ```bash
+     pip list --outdated
+     ```
+     
+You may install and run additional scanning software on compute instance to scan for security issues. 
+   
+* [Trivy](https://github.com/aquasecurity/trivy) may be used to discover OS and python package level vulnerabilities. 
+* [ClamAV](https://www.clamav.net/) may be used to discover malware and comes pre-installed on compute instance.
+* Defender for Server agent installation is currently not supported. 
+* Consider using [customization scripts](/azure/machine-learning/how-to-customize-compute-instance) for automation.
 
 ### Compute clusters