last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot

Name [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot
Azure Portal
Id 95406fc3-1f69-47b0-8105-4c03b276ec5c
Version 1.0.0-preview
details on versioning
Category Security Center
Microsoft docs
Description Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Virtual Machine Contributor 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-06-08 15:17:13 add 95406fc3-1f69-47b0-8105-4c03b276ec5c
Used in Initiatives none
JSON
{
  "properties": {
  "displayName": "[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
        "name": "[field('fullName')]",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                "value": "[field('name')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                  "name": "[parameters('vmName')]",
                  "location": "[parameters('location')]",
                    "type": "Microsoft.Compute/virtualMachines",
                    "apiVersion": "2020-12-01",
                    "properties": {
                      "securityProfile": {
                        "uefiSettings": {
                          "secureBootEnabled": "true"
                        },
                        "securityType": "TrustedLaunch"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/95406fc3-1f69-47b0-8105-4c03b276ec5c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "95406fc3-1f69-47b0-8105-4c03b276ec5c"
}