AzPolicyAdvertizer

last sync: 2020-Sep-18 14:08:07 UTC

Azure Policy

Audit Linux machines that allow remote connections from accounts without passwords

Policy DisplayName Audit Linux machines that allow remote connections from accounts without passwords
Policy Id ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Policy Category Guest Configuration
Policy Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-09-09 11:24:03 add: Policy ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
[Preview]: NIST SP 800-171 R2 03055927-78bd-4236-86c0-f36125a10dc9
Audit machines with insecure password security settings 095e4ed9-c835-4ab6-9439-b5644362a06c
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2
[Deprecated]: DOD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8
NIST SP 800-53 R4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693
Policy Rule 
{
  "properties": {
    "displayName": "Audit Linux machines that allow remote connections from accounts without passwords",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords",
    "metadata": {
      "category": "Guest Configuration",
      "version": "1.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "PasswordPolicy_msid110",
        "version": "1.*"
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "microsoft-aks",
                      "qubole-inc",
                      "datastax",
                      "couchbase",
                      "scalegrid",
                      "checkpoint",
                      "paloaltonetworks",
                      "debian"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "OpenLogic"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "CentOS*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Oracle"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Oracle-Linux"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "RHEL",
                          "RHEL-HA",
                          "RHEL-SAP",
                          "RHEL-SAP-APPS",
                          "RHEL-SAP-HA",
                          "RHEL-SAP-HANA"
                        ]
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "RedHat"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "osa",
                          "rhel-byos"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "cis-centos-7-l1",
                          "cis-centos-7-v2-1-1-l1",
                          "cis-centos-8-l1",
                          "cis-debian-linux-8-l1",
                          "cis-debian-linux-9-l1",
                          "cis-nginx-centos-7-v1-1-0-l1",
                          "cis-oracle-linux-7-v2-0-0-l1",
                          "cis-oracle-linux-8-l1",
                          "cis-postgresql-11-centos-linux-7-level-1",
                          "cis-rhel-7-l2",
                          "cis-rhel-7-v2-2-0-l1",
                          "cis-rhel-8-l1",
                          "cis-suse-linux-12-v2-0-0-l1",
                          "cis-ubuntu-linux-1604-v1-0-0-l1",
                          "cis-ubuntu-linux-1804-l1"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "credativ"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "Debian"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "7*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Suse"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "SLES*"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "11*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "Canonical"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "UbuntuServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "12*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "linux-data-science-vm-ubuntu",
                          "azureml"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-centos-os"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "6*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloudera"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "cloudera-altus-centos-os"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "linux*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Linux*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "exists": "false"
                          },
                          {
                            "field": "Microsoft.Compute/imagePublisher",
                            "notIn": [
                              "OpenLogic",
                              "RedHat",
                              "credativ",
                              "Suse",
                              "Canonical",
                              "microsoft-dsvm",
                              "cloudera",
                              "microsoft-ads",
                              "center-for-internet-security-inc",
                              "Oracle"
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "linux*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "PasswordPolicy_msid110",
          "existenceCondition": {
            "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
            "equals": "Compliant"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ea53dbee-c6c9-4f0e-9f9e-de0039b78023",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ea53dbee-c6c9-4f0e-9f9e-de0039b78023"
}