nuclei-templates/cloud/azure/virtualmachines/azure-vmss-health-monitoring-missing.yaml

id: azure-vmss-health-monitoring-missing
info:
  name: Azure VMSS Health Monitoring Not Enabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that Monitor Application Health feature is enabled for all the instances running within your Azure virtual machine scale set. Health monitoring via Application Health extension is required for OS upgrades and automatic instance repairs. The Azure Application Health extension reports on the application health from inside the virtual machine scale set instances. You can configure the health extension to probe on an application endpoint and update the status of the application on that instance. This status is checked by Microsoft Azure to determine whether the instance is eligible for upgrade or repair operations.    
  impact: |
    Without enabling the Application Health extension, the VM instances may not be eligible for important OS upgrades or repairs, potentially leading to higher vulnerability and system instability.    
  remediation: |
    Enable the Application Health extension in your Azure VMSS instances to ensure continuous health monitoring and eligibility for necessary upgrades and repairs.    
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension
  tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config

flow: |
  code(1);
  for (let VMSSData of iterate(template.vmssList)) {
    VMSSData = JSON.parse(VMSSData);
    set("name", VMSSData.name);
    set("resourceGroup", VMSSData.resourceGroup);
    code(2);
  }  

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'      

    extractors:
      - type: json
        name: vmssList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az vmss show --name "$name" --resource-group "$resourceGroup" --query 'virtualMachineProfile.extensionProfile.extensions[*].name'      

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '['

      - type: word
        words:
          - 'ApplicationHealthLinux'
          - 'healthRepairExtension'
        negative: true

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " does not have health monitoring enabled"'
# digest: 4a0a00473045022100e0be589e349ac35c1f38e9ba77c473b0d3e28cb998a17d55505e2833ad8c4f2b02205db192c517814a5e7433069d664de5737dea117a35767c8fdfa747b53facefc1:922c64590222798bb761d5b6d8e72950