last sync: 2023-Feb-06 18:40:05 UTC

Azure Policy definition

Audit Linux machines that have accounts without passwords

Name Audit Linux machines that have accounts without passwords
Azure Portal
Id f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Version 3.0.0
details on versioning
Category Guest Configuration
Microsoft docs
Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC
Role(s)
none
Rule
Aliases
IF (7)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id
false
false
false
Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration Microsoft.Compute virtualMachines properties.osProfile.linuxConfiguration true
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType true
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType false
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName false
THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus false
Rule
ResourceTypes
IF (3)
Microsoft.Compute/virtualMachines
Microsoft.ConnectedVMwarevSphere/virtualMachines
Microsoft.HybridCompute/machines
Compliance The following 16 compliance controls are associated with this Policy definition 'Audit Linux machines that have accounts without passwords' (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1546 AU_ISM_1546 AU ISM 1546 Guidelines for System Hardening - Authentication hardening Authenticating to systems - 1546 n/a Users are authenticated before they are granted access to a system and its resources. link 7
CCCS IA-5 CCCS_IA-5 CCCS IA-5 Identification and Authentication Authenticator Management n/a (A) The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. (B) The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. (C) The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (D) The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. (E) The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. (F) The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (G) The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. (H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. (I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. (J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. link 5
CMMC_2.0_L2 AC.L1-3.1.1 CMMC_2.0_L2_AC.L1-3.1.1 404 not found n/a n/a 57
CMMC_L3 IA.1.077 CMMC_L3_IA.1.077 CMMC L3 IA.1.077 Identification and Authentication Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. link 9
CMMC_L3 IA.2.078 CMMC_L3_IA.2.078 CMMC L3 IA.2.078 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. link 7
FedRAMP_High_R4 AC-3 FedRAMP_High_R4_AC-3 FedRAMP High AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
FedRAMP_Moderate_R4 AC-3 FedRAMP_Moderate_R4_AC-3 FedRAMP Moderate AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
IRS_1075_9.3 .7.5 IRS_1075_9.3.7.5 IRS 1075 9.3.7.5 Identification and Authentication Authenticator Management (IA-5) n/a The agency must manage information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator b. Establishing initial authenticator content for authenticators defined by the agency c. Ensuring that authenticators have sufficient strength of mechanism for their intended use d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators e. Changing default content of authenticators prior to information system installation f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators g. Changing/refreshing authenticators h. Protecting authenticator content from unauthorized disclosure and modification i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators j. Changing authenticators for group/role accounts when membership to those accounts changes The information system must, for password-based authentication: a. Enforce minimum password complexity of: 1. Eight characters 2. At least one numeric and at least one special character 3. A mixture of at least one uppercase and at least one lowercase letter 4. Storing and transmitting only encrypted representations of passwords b. Enforce password minimum lifetime restriction of one day c. Enforce non-privileged account passwords to be changed at least every 90 days d. Enforce privileged account passwords to be changed at least every 60 days e. Prohibit password reuse for 24 generations f. Allow the use of a temporary password for system logon requiring an immediate change to a permanent password g. Password-protect system initialization (boot) settings link 12
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
NIST_SP_800-171_R2_3 .1.1 NIST_SP_800-171_R2_3.1.1 NIST SP 800-171 R2 3.1.1 Access Control Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. link 55
NIST_SP_800-53_R4 AC-3 NIST_SP_800-53_R4_AC-3 NIST SP 800-53 Rev. 4 AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
NIST_SP_800-53_R5 AC-3 NIST_SP_800-53_R5_AC-3 NIST SP 800-53 Rev. 5 AC-3 Access Control Access Enforcement Shared n/a Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. link 21
NZISM_Security_Benchmark_v1.1 AC-4 NZISM_Security_Benchmark_v1.1_AC-4 NZISM Security Benchmark AC-4 Access Control and Passwords 16.1.40 Password selection policy Customer Agencies SHOULD implement a password policy enforcing either: a minimum password length of 16 characters with no complexity requirement; or -a minimum password length of ten characters, consisting of atleast three of the following character sets: - lowercase characters (a-z); - uppercase characters (A-Z); - digits (0-9); and - punctuation and special characters. Passwords are the primary authentication mechanism for almost all information systems and are fundamental part of access and authentication processes and mechanisms. While there are some limitations in the use of passwords, they remain the most cost effective means available with current technology. Passwords are subject to three principal groups of risks: Intentional password sharing; Password theft, loss or compromise; and Password guessing and cracking. Associated with these risk groups are four principal methods of attacking passwords: Interactive attempts including password guessing, brute force attacks or some knowledge of the user or agency. Obtaining the password through social engineering or phishing. Compromising the password through oversight, observation, use of keyloggers, cameras etc. Cracking through network traffic interception, misconfiguration, malware, data capture etc. For example a simple eight-letter password can today be brute-forced in minutes by software freely available on the Internet. Password controls are designed to manage these risks and attack methods using the controls specified in this section. For example, passwords with at least ten characters utilising upper and lower case, numbers and special characters have a much greater resistance to brute force attacks. When use in combination with controls such as password history and regular password change, passwords can present high resistance to known attack methods. link 2
SWIFT_CSCF_v2021 4.1 SWIFT_CSCF_v2021_4.1 SWIFT CSCF v2021 4.1 Prevent Compromise of Credentials Password Policy n/a Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. link 7
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
UK_NCSC_CSP 10 UK_NCSC_CSP_10 UK NCSC CSP 10 Identity and authentication Identity and authentication Shared n/a All access to service interfaces should be constrained to authenticated and authorised individuals. link 25
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-03-25 18:52:24 change Major (2.0.0 > 3.0.0)
2022-01-28 17:51:01 change Major (1.2.0 > 2.0.0)
2021-12-06 22:17:57 change Minor (1.1.0 > 1.2.0)
2021-10-04 15:27:15 change Minor (1.0.0 > 1.1.0)
2020-09-09 11:24:03 add f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Audit machines with insecure password security settings 095e4ed9-c835-4ab6-9439-b5644362a06c Guest Configuration GA BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
JSON
changes

JSON