| JSON |
{
"properties": {
"displayName": "Linux machines should only have local accounts that are allowed",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.",
"metadata": {
"category": "Guest Configuration",
"version": "1.0.0",
"requiredProviders": [
"Microsoft.GuestConfiguration"
],
"guestConfiguration": {
"name": "LocalUsers_Linux",
"version": "1.*",
"configurationParameter": {
"Allowed": "[LocalUser]Accounts;Exclude"
}
}
},
"parameters": {
"IncludeArcMachines": {
"type": "String",
"metadata": {
"displayName": "Include Arc connected servers",
"description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"Allowed": {
"type": "String",
"metadata": {
"displayName": "Allowed local accounts",
"description": "List the name of accounts that should be excluded, seperated by a semicolon (';'). If these accounts exist and are enabled, they will be identified as Compliant."
},
"defaultValue": ""
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of this policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"microsoft-aks",
"qubole-inc",
"datastax",
"couchbase",
"scalegrid",
"checkpoint",
"paloaltonetworks",
"debian"
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "OpenLogic"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "CentOS*"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "6*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Oracle"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Oracle-Linux"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "6*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "RedHat"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"RHEL",
"RHEL-HA",
"RHEL-SAP",
"RHEL-SAP-APPS",
"RHEL-SAP-HA",
"RHEL-SAP-HANA"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "6*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "RedHat"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"osa",
"rhel-byos"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "center-for-internet-security-inc"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"cis-centos-7-l1",
"cis-centos-7-v2-1-1-l1",
"cis-centos-8-l1",
"cis-debian-linux-8-l1",
"cis-debian-linux-9-l1",
"cis-nginx-centos-7-v1-1-0-l1",
"cis-oracle-linux-7-v2-0-0-l1",
"cis-oracle-linux-8-l1",
"cis-postgresql-11-centos-linux-7-level-1",
"cis-rhel-7-l2",
"cis-rhel-7-v2-2-0-l1",
"cis-rhel-8-l1",
"cis-suse-linux-12-v2-0-0-l1",
"cis-ubuntu-linux-1604-v1-0-0-l1",
"cis-ubuntu-linux-1804-l1"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "credativ"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Debian"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "7*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Suse"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "SLES*"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "11*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Canonical"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "UbuntuServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "12*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-dsvm"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"linux-data-science-vm-ubuntu",
"azureml"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloudera"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "cloudera-centos-os"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "6*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloudera"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "cloudera-altus-centos-os"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-ads"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "linux*"
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Linux*"
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"exists": "false"
},
{
"field": "Microsoft.Compute/imagePublisher",
"notIn": [
"OpenLogic",
"RedHat",
"credativ",
"Suse",
"Canonical",
"microsoft-dsvm",
"cloudera",
"microsoft-ads",
"center-for-internet-security-inc",
"Oracle"
]
}
]
}
]
}
]
}
]
},
{
"allOf": [
{
"value": "[parameters('IncludeArcMachines')]",
"equals": "true"
},
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/imageOffer",
"like": "linux*"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "LocalUsers_Linux",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
},
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
"equals": "[base64(concat('[LocalUser]Accounts;Exclude', '=', parameters('Allowed')))]"
}
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/73db37c4-f180-4b0f-ab2c-8ee96467686b",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "73db37c4-f180-4b0f-ab2c-8ee96467686b"
}
|