last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

Audit Linux machines that are not using SSH key for authentication

Name Audit Linux machines that are not using SSH key for authentication
Azure Portal
Id 630c64f9-8b6b-4c64-b511-6544ceff6fd6
Version 2.0.0
details on versioning
Category Guest Configuration
Microsoft docs
Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Non-compliant if the machine allows passwords for authenticating through SSH
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-09-16 13:09:49 change Previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed
2020-06-09 16:25:53 add 630c64f9-8b6b-4c64-b511-6544ceff6fd6
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Audit Linux machines that are not using SSH key for authentication",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Non-compliant if the machine allows passwords for authenticating through SSH",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "LinuxNoPasswordForSSH",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "LinuxNoPasswordForSSH",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "630c64f9-8b6b-4c64-b511-6544ceff6fd6"
}