last sync: 2021-Oct-22 15:42:38 UTC

Azure Policy definition

Linux machines should meet requirements for the Azure compute security baseline

Name Linux machines should meet requirements for the Azure compute security baseline
Id fc9b3da7-8347-4380-8e70-0a0361d8dedd
Version 1.2.0
Category Guest Configuration
Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
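Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Note: both allowed effects only report. The policy flags a machine whose AzureLinuxBaseline guest configuration assignment is absent or not Compliant, and it does not change the machine's configuration. Arc connected servers (Microsoft.HybridCompute/machines) are evaluated only when IncludeArcMachines is set to "true"; the default is "false".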
Used RBAC Role none
History
| Date/Time (UTC, ymd) | Change type | Change detail |
| --- | --- | --- |
| 2021-10-19 19:10:32 | change | Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0) |
| 2021-10-04 15:27:15 | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) |
| 2021-05-11 14:06:18 | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) |
| 2021-01-22 09:14:53 | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) |
| 2020-09-02 14:03:46 | add | fc9b3da7-8347-4380-8e70-0a0361d8dedd |
Used in Initiatives
| Initiative DisplayName | Initiative Id | Initiative Category | State |
| --- | --- | --- | --- |
| [Preview]: CMMC Level 3 | b5629c75-5c77-4422-87b9-2509e680f8de | Regulatory Compliance | Preview |
| [Preview]: NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | Preview |
| Azure Security Benchmark | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center | GA |
| FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA |
| FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA |
| NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA |

JSON
{
  "displayName": "Linux machines should meet requirements for the Azure compute security baseline",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",
  "metadata": {
    "category": "Guest Configuration",
    "version": "1.2.0",
    "requiredProviders": [
      "Microsoft.GuestConfiguration"
    ],
    "guestConfiguration": {
      "name": "AzureLinuxBaseline",
      "version": "1.*"
    }
  },
  "parameters": {
    "IncludeArcMachines": {
      "type": "String",
      "metadata": {
        "displayName": "Include Arc connected servers",
        "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "false"
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of this policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imagePublisher",
                  "in": [
                    "microsoft-aks",
                    "qubole-inc",
                    "datastax",
                    "couchbase",
                    "scalegrid",
                    "checkpoint",
                    "paloaltonetworks",
                    "debian"
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "OpenLogic"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "CentOS*"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "6*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Oracle"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "Oracle-Linux"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "6*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "RHEL",
                        "RHEL-HA",
                        "RHEL-SAP",
                        "RHEL-SAP-APPS",
                        "RHEL-SAP-HA",
                        "RHEL-SAP-HANA"
                      ]
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "6*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "RedHat"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "osa",
                        "rhel-byos"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "center-for-internet-security-inc"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "cis-centos-7-l1",
                        "cis-centos-7-v2-1-1-l1",
                        "cis-centos-8-l1",
                        "cis-debian-linux-8-l1",
                        "cis-debian-linux-9-l1",
                        "cis-nginx-centos-7-v1-1-0-l1",
                        "cis-oracle-linux-7-v2-0-0-l1",
                        "cis-oracle-linux-8-l1",
                        "cis-postgresql-11-centos-linux-7-level-1",
                        "cis-rhel-7-l2",
                        "cis-rhel-7-v2-2-0-l1",
                        "cis-rhel-8-l1",
                        "cis-suse-linux-12-v2-0-0-l1",
                        "cis-ubuntu-linux-1604-v1-0-0-l1",
                        "cis-ubuntu-linux-1804-l1"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "credativ"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "Debian"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "7*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Suse"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "SLES*"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "11*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "Canonical"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "contains": "Ubuntu"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "12*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-dsvm"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "linux-data-science-vm-ubuntu",
                        "azureml"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-centos-os"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "6*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloudera"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "cloudera-altus-centos-os"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-ads"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "linux*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
                          "exists": "true"
                        },
                        {
                          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                          "like": "Linux*"
                        }
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "exists": "false"
                        },
                        {
                          "field": "Microsoft.Compute/imagePublisher",
                          "notIn": [
                            "OpenLogic",
                            "RedHat",
                            "credativ",
                            "Suse",
                            "Canonical",
                            "microsoft-dsvm",
                            "cloudera",
                            "microsoft-ads",
                            "center-for-internet-security-inc",
                            "Oracle"
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "value": "[parameters('IncludeArcMachines')]",
              "equals": "true"
            },
            {
              "field": "type",
              "equals": "Microsoft.HybridCompute/machines"
            },
            {
              "field": "Microsoft.HybridCompute/imageOffer",
              "like": "linux*"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
        "name": "AzureLinuxBaseline",
        "existenceCondition": {
          "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
          "equals": "Compliant"
        }
      }
    }
  }
}