question

DanseBJBart-5156 avatar image
0 Votes"
DanseBJBart-5156 asked migreene commented

guest configuration dsc resource

I am currently investigating the guest configuration preview within our environment. Scoped to only security baseline monitoring and remediation. My goal is to try to use as much default policies as possible and prevent creating of custom packages. From what I can find current guest configuration policies are only meant for auditing. Which means I would require custom packages..

Creating a custom package of our baseline would end up in a package per OS and requiring policy filtering on different OS images to apply the correct policy. Not really manageable in my opinion.

Doing some digging. I found a script on git : link. With the following line :
Start-GuestConfigurationPackageRemediation -Path 'https://oaasguestconfigwcuss1.blob.core.windows.net/builtinconfig/AzureWindowsBaseline/AzureWindowsBaseline_1.2.0.0.zip'

This package contains a AzureWindowBaseline resource with compiled mof. I think it is also used by a preview policy definition. “[Preview]: Windows machines should meet requirements of the Azure compute security baseline”. The policy seems only limited to auditing. But the big plus I see in the mof is the ability to filter each settings to one of more operating systems and or role types. With that I would only have a single policy to apply to all vm’s.

Questions:

  1.  Is/Will AzureWindowsBaseline (AzureOSBaseline) Dsc resource be publicly available. So additional settings could be set in a similar way. If not maybe propose additional attributes to AuditPolicyDSC, SecuretyPolicyDsc. Not sure what to do with registry settings.. 
    
  2.  Will overriding settings be a capability for the default policies. (Is yes, what is the ETA?) Needed to accommodate exceptions via alternate assignment and overriding defaults
    


azure-policy
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DanseBJBart-5156 avatar image
0 Votes"
DanseBJBart-5156 answered

@migreene could you help with this?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

migreene avatar image
0 Votes"
migreene answered migreene commented

I am working on a quickstart template to make the example easier. The following docs page includes a reference.
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create-assignment

As you noticed, the Windows baseline package is capable of applying settings. We have not made it a built-in DINE policy yet. Just fyi, the Linux baseline package is not yet able to apply settings.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@migreene thank you for the response.

That will eventually cover everything in de ootb baseline package. What about additional settings?

Would it be possible to make the AzureOSBaseline DSC resource publicly available?

0 Votes 0 ·

I do expect the scope to grow but that could be some time. These resources probably won't become open source, unfortunately. I 100% agree with your assessment that the best way to collaborate in this area is through the projects AuditPolicyDSC, SecuretyPolicyDsc, and Registry (actually GPRegistryPolicyDSC).

0 Votes 0 ·