guest configuration dsc resource

Danse, BJ (Bart) 1 Reputation point
2021-09-27T10:08:53.147+00:00

I am currently investigating the guest configuration preview within our environment, scoped to only security baseline monitoring and remediation. My goal is to try to use as many default policies as possible and prevent the creation of custom packages. From what I can find, current guest configuration policies are only meant for auditing, which means I would require custom packages.

Creating a custom package of our baseline would end up in a package per OS and require policy filtering on different OS images to apply the correct policy. Not really manageable in my opinion.

Doing some digging, I found a script on git: link, with the following line:
Start-GuestConfigurationPackageRemediation -Path 'https://oaasguestconfigwcuss1.blob.core.windows.net/builtinconfig/AzureWindowsBaseline/AzureWindowsBaseline_1.2.0.0.zip'

This package contains an AzureWindowBaseline resource with a compiled MOF. I think it is also used by a preview policy definition, “[Preview]: Windows machines should meet requirements of the Azure compute security baseline”. The policy seems limited to auditing only. But the big plus I see in the MOF is the ability to filter each setting to one or more operating systems and/or role types. With that I would only have a single policy to apply to all VMs.

Questions:

  1. Is/will the AzureWindowsBaseline (AzureOSBaseline) DSC resource be publicly available, so additional settings could be set in a similar way? If not, maybe propose additional attributes to AuditPolicyDSC and SecurityPolicyDsc. Not sure what to do with registry settings.
  2. Will overriding settings be a capability for the default policies? (If yes, what is the ETA?) Needed to accommodate exceptions via alternate assignment and overriding defaults.
Azure Policy

2 answers

  1. Danse, BJ (Bart) 1 Reputation point
    2021-09-30T07:40:55.973+00:00

    @Anonymous could you help with this?


  2. Michael Greene 21 Reputation points Microsoft Employee
    2021-10-27T18:49:31.917+00:00

    I am working on a quickstart template to make the example easier. The following docs page includes a reference.
    https://learn.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create-assignment

    As you noticed, the Windows baseline package is capable of applying settings. We have not made it a built-in DINE policy yet. Just FYI, the Linux baseline package is not yet able to apply settings.