AzPolicyAdvertizer

last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Windows machines should meet requirements for 'Security Options - Audit'

Name Windows machines should meet requirements for 'Security Options - Audit'
Azure Portal

Id 33936777-f2ac-45aa-82ec-07958ec9ade4

Version 2.0.0
details on versioning

Category Guest Configuration
Microsoft docs

Description Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2020-09-15 14:06:41	change	Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit'
2020-08-20 14:05:01	add	33936777-f2ac-45aa-82ec-07958ec9ade4

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Preview]: Windows machines should meet requirements for the Azure compute security baseline	be7a78aa-3e10-4153-a5fd-8c6506dbc821	Guest Configuration	Preview
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA

JSON

{
  "displayName": "Windows machines should meet requirements for 'Security Options - Audit'",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
  "metadata": {
    "category": "Guest Configuration",
    "version": "2.0.0",
    "requiredProviders": [
      "Microsoft.GuestConfiguration"
    ],
    "guestConfiguration": {
      "name": "AzureBaseline_SecurityOptionsAudit",
      "version": "1.*",
      "configurationParameter": {
        "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": "Audit: Shut down system immediately if unable to log security audits;ExpectedValue"
      }
    }
  },
  "parameters": {
    "IncludeArcMachines": {
      "type": "String",
      "metadata": {
        "displayName": "Include Arc connected servers",
        "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "false"
    },
    "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
      "type": "String",
      "metadata": {
        "displayName": "Audit: Shut down system immediately if unable to log security audits",
        "description": "Audits if the system will shut down when unable to log Security events."
      },
      "defaultValue": "0"
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of this policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imagePublisher",
                  "in": [
                    "esri",
                    "incredibuild",
                    "MicrosoftDynamicsAX",
                    "MicrosoftSharepoint",
                    "MicrosoftVisualStudio",
                    "MicrosoftWindowsDesktop",
                    "MicrosoftWindowsServerHPCPack"
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftWindowsServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftSQLServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "notLike": "SQL2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-dsvm"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "dsvm-windows"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-ads"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "standard-data-science-vm",
                        "windows-data-science-vm"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "batch"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "rendering-windows2016"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "center-for-internet-security-inc"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "cis-windows-server-201*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "pivotal"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "bosh-windows-server*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloud-infrastructure-services"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "ad*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                          "exists": "true"
                        },
                        {
                          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                          "like": "Windows*"
                        }
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "exists": "false"
                        },
                        {
                          "allOf": [
                            {
                              "field": "Microsoft.Compute/imageSKU",
                              "notLike": "2008*"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "notLike": "SQL2008*"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "value": "[parameters('IncludeArcMachines')]",
              "equals": "true"
            },
            {
              "field": "type",
              "equals": "Microsoft.HybridCompute/machines"
            },
            {
              "field": "Microsoft.HybridCompute/imageOffer",
              "like": "windows*"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
        "name": "AzureBaseline_SecurityOptionsAudit",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
              "equals": "Compliant"
            },
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Audit: Shut down system immediately if unable to log security audits;ExpectedValue', '=', parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]"
            }
          ]
        }
      }
    }
  }
}