What is the Azure security baseline for Linux?

The Azure security baseline for Linux is a list of security recommendations for general purpose Linux machines. The baseline is implemented via Azure Governance services (Azure Policy, Azure Machine Configuration). Azure VMs and Azure Arc-enabled machines are in scope.

Names and entry points

The baseline is referred to via several synonyms in various blogs, docs, and tools. For example, "Azure compute security baseline", "Guest Configuration baseline", "Azure security baseline for Virtual Machines - Linux Virtual Machines", and so on.

Azure Policy experience

Microsoft Defender for Cloud experience

In Microsoft Defender for Cloud (MDC), the Recommendations experience builds on the Azure Policy experience. If you have enabled server security features in your MDC settings, you will see a recommendation to start auditing machines. Following this recommendation deploys the same "Linux machines should meet requirements..." audit policy described under Azure Policy experience above. After machines have been audited at least once, you will see additional recommendations, one for each non-compliant baseline rule.

Preview considerations

  1. The machine-side implementation of the baseline is a preview, and should be used in test environments.
  2. We are working to remove any preview limitations and we intend to remove this preview section from this document when that takes place.
  3. In the latest preview implementation, changes you might notice relative to previous previews include:
    1. For the same machine, the compliance assessment for certain baseline rules may differ from before. This is a result of improved error handling and improved handling of distribution differences, intended to reduce false positives and false negatives.
    2. Robust Reasons have been added for each rule status to provide evidence and clarity on how compliance was evaluated.
    3. Certain rule definitions have been refactored (combined or split) for clarity and consistency, resulting in an updated rule count.
  4. For feedback channels, see the Related resources section at the end of this article.

Baseline scope and limitations

  1. The baseline rules are motivated by security guidance from multiple sources, especially the CIS Distribution Independent Linux Benchmark version 2.0.0; the baseline covers around 63% of that benchmark's recommendations.
  2. Baseline rule settings (for example, expected SSH port) cannot be customized via policy parameters. Only assignment related parameters are available, including:
    1. Whether to include Arc-enabled machines
    2. Whether the policy effect is Disabled or the policy's normal effect (AuditIfNotExists for the audit policy, DeployIfNotExists for the configure policy)
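As an added example (not from this article or the Azure Policy built-ins themselves), the following POSIX shell script shows how the two assignment-level parameters listed above can be validated and passed when creating an assignment with Azure CLI. The parameter names `IncludeArcMachines` and `effect`, the string values `"true"`/`"false"`, and the assignment name `linux-baseline-<kind>` are assumptions; confirm them against the definition you intend to assign with `az policy definition show --name <definition-name> --query parameters` before use. The built-in definition is passed in by name or ID because the article does not state it.

```shell
#!/bin/sh
# Added example, not code from the article or from Azure Policy.
# ASSUMPTIONS: the built-in definition exposes exactly two assignment parameters,
# named IncludeArcMachines (string "true"/"false") and effect. Verify with:
#   az policy definition show --name <definition-name> --query parameters
# To find candidate definitions by the display-name wording used in the article:
#   az policy definition list \
#     --query "[?contains(displayName, 'Linux machines should meet requirements')].{name:name, displayName:displayName}" \
#     -o table

# build_params KIND INCLUDE_ARC EFFECT
# Prints the JSON for `az policy assignment create --params`.
# KIND is "audit" or "configure"; it decides which non-Disabled effect is legal
# (AuditIfNotExists for the audit policy, DeployIfNotExists for the configure policy).
build_params() {
  kind="$1"; include_arc="$2"; effect="$3"

  case "$include_arc" in
    true|false) ;;
    *) echo "IncludeArcMachines must be true or false, got '$include_arc'" >&2; return 1 ;;
  esac

  case "$kind" in
    audit)     normal_effect="AuditIfNotExists" ;;
    configure) normal_effect="DeployIfNotExists" ;;
    *) echo "kind must be audit or configure, got '$kind'" >&2; return 1 ;;
  esac

  # Only Disabled or the policy's own normal effect is accepted; baseline rule
  # settings (such as the expected SSH port) are not parameters and cannot be set here.
  case "$effect" in
    Disabled|"$normal_effect") ;;
    *) echo "effect for the $kind policy must be $normal_effect or Disabled, got '$effect'" >&2; return 1 ;;
  esac

  printf '{"IncludeArcMachines":{"value":"%s"},"effect":{"value":"%s"}}\n' "$include_arc" "$effect"
}

# assign_baseline SCOPE DEFINITION KIND [INCLUDE_ARC] [EFFECT]
# SCOPE is a subscription, resource group or management group resource ID.
# DEFINITION is the built-in policy definition name or ID you looked up.
# Requires a logged-in Azure CLI; nothing here runs unless you call it.
assign_baseline() {
  scope="$1"; definition="$2"; kind="$3"; include_arc="${4:-true}"
  case "$kind" in
    audit) default_effect="AuditIfNotExists" ;;
    *)     default_effect="DeployIfNotExists" ;;
  esac
  effect="${5:-$default_effect}"

  params="$(build_params "$kind" "$include_arc" "$effect")" || return 1

  # Assignment name "linux-baseline-<kind>" is an assumption; pick any name valid at your scope.
  az policy assignment create \
    --name "linux-baseline-$kind" \
    --scope "$scope" \
    --policy "$definition" \
    --params "$params"
}

# Example invocation (commented out so the file is safe to source):
# assign_baseline "/subscriptions/<subscription-id>/resourceGroups/<rg>" "<definition-name>" audit true AuditIfNotExists
```

Because rule settings are not exposed as parameters, `build_params` rejects anything other than the include-Arc switch and the permitted effect values; an attempt to pass, say, `DeployIfNotExists` to the audit policy fails before any call to Azure is made.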