What is SSH Posture Control (private preview)-- with Azure Policy and Machine Configuration?

![IMPORTANT] This article describes an early preview version of SSH Posture Control. For up-to-date documentation, see What is SSH Posture Control? instead.

SSH Posture Control enables you to use the familiar workflows of Azure Policy and Machine Configuration to:

• Ensure compliance with standards in your industry or organization
• Reduce attack surface of remote management features
• Ensure consistent setup across your fleet for security and productivity

SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons make it easier to take action or to fully document compliance.

SSH Posture Control analyzes and enforces approximately 20 SSH server (sshd) parameters. By default it audits and applies best practices consistent with the Azure Compute Security Baseline for Linux. You can also customize certain parameters to suit your environment. For example, you can customize which users and groups are allowed SSH access.

Private preview limitations

Important

SSH Posture Control is in private preview-- intended to trigger dialog between you and Microsoft.

• The preview is intended for use with isolated dev/test machines where any problem (including inadvertently locking yourself out from SSH access) would not have important consequences.
• The preview involves importing the policy definition, rather than choosing it from the Azure Policy built-in list.
• Supported Linux distros are initially limited to Ubuntu Server (20.04, 22.04) and Debian (11, 12). Please let us know (contact info at end of page) which distros you would like to see enter the preview next.

Getting started example

This example is focused on getting started quickly. It makes simplifying assumptions and does not explore everything that is possible. For example, it uses default SSH settings from the PolicyDefinition, rather than customizing parameters such as allowed users and groups. More comprehensive information on SSH Posture Control including settings and behaviors is expected in the near future.

Tip

The following mental model and terminology are used throughout this article.

• PolicyDefinition : SSH Posture Control definition and metadata, as represented in the Azure Policy service.
• PolicyAssignment : Links your SSH Posture Control PolicyDefinition to a scope where that policy should be applied, such as a resource group.
• Machine : An endpoint capable of being managed by Azure Policy and Machine Configuration (aka Guest Configuration). In other words, an Arc enabled machine or an Azure VM.

A. Pre-requisites

1. An Azure account with permission to create a resource group, a VM (or Arc machine), a policy definition and a policy assignment.
2. For additional pre-requisites, choose your preferred experience:

Portal

1. Using a web browser, sign in to Azure Portal or your local equivalent.

PowerShell

1. A PowerShell environment with the following modules installed:
   1. Az.ResourceGraph
   2. Az.Accounts
   3. Az.Resources
2. Use Get-AzContext and/or Set-AzContext cmdlets to ensure the desired Azure environment is targeted.

Tip

Azure Cloud Shell in PowerShell mode is a ready-to-use environment, and is an easy way to get started.

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

B. Create a resource group

Portal

1. Create a resource group. In upcoming steps this will be used to scope the policy, and to contain a new test machine.

PowerShell

$myResourceGroupName = "ssh_demo_resource_group" 
$myAzureLocation = "eastus" ## Modify as needed

$myResourceGroup = New-AzResourceGroup -Name $myResourceGroupName -Location $myAzureLocation

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

C. Create the PolicyDefinition

Note

This extra step (creating rather than just choosing the PolicyDefinition) is required during the private preview.

Portal

1. Navigate to the Azure Policy Overview page. For example, you could use the URI: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview.
2. Navigate to the Definitions view.
3. Click the + Policy Definition button to create a new PolicyDefinition, entering the following as inputs.
   1. Definition location: Choose your Azure subscription where the PolicyDefinition will live.
   2. Name: [Preview] SSH Posture Control policy
   3. Category: Use Existing, then choose Guest Configuration
   4. Policy rule: Delete the pre-existing JSON, and paste the PolicyDefinition JSON from Preview SSH Posture Control policy definition
4. Click Save

PowerShell

$sshPolicyDefinitionJsonUri = "https://raw.githubusercontent.com/Azure/azure-osconfig/main/src/adapters/mc/sshpreview/OsConfigPolicy_DeployIfNotExists.json"
$sshPolicyDefinitionName = "[Preview] SSH Posture Control policy"

$sshPolicyDefinition = New-AzPolicyDefinition -Name $sshPolicyDefinitionName -Policy $sshPolicyDefinitionJsonUri

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

D. Use a PolicyAssignment to apply the PolicyDefinition to your resource group

Caution

This policy modifies sshd configuration on in-scope machines. These instructions have you assigning it to an initially empty resource group, where you will later create a test machine. Take great care if you choose to assign to any broader scope.

Portal

1. Navigate to the Policy | Definitions page which lists all available policy definitions.
2. Select the [Preview] SSH Posture Control policy PolicyDefinition you created earlier
3. Click Assign.
4. For Scope choose the resource group where you will later create a new test machine.
5. Proceed to the Parameters tab.
   1. Choose "true" for Include Arc connected machines, unless you specifically want to exclude Arc connected machines.
   2. NOTE: If you want to customize SSH settings, such as allowed groups, uncheck the Only show parameters... box to reveal all of the available parameters. If you do choose to specify allowed or denied users or groups, please be aware that you would enter a space delimited string, for example userA userB.
6. Proceed to the Remediation tab.
   1. NOTE: Although this demo focuses on a new machine, in other scenarios where you want the PolicyAssignment to apply to existing machines you can check the box for Create a remediation task.
   2. Choose Create a Managed Identity with System assigned and an identity location of your choice.
7. Proceed to Review + create
   1. Choose Create to complete the PolicyAssignment.

PowerShell

$myResourceGroupName = "ssh_demo_resource_group"
$myAzureLocation = "eastus"
$sshPolicyDefinitionName = "[Preview] SSH Posture Control policy"
$sshPolicyAssignmentName = "[Preview] SSH Posture Control assignment"

$myResourceGroup = Get-AzResourceGroup -Name $myResourceGroupName
$sshPolicyDefinition = Get-AzPolicyDefinition -Name $sshPolicyDefinitionName

## Assign our new SSH policy to the resource group
$sshPolicyAssignment = New-AzPolicyAssignment -Name $sshPolicyAssignmentName -PolicyDefinition $sshPolicyDefinition -Scope $myResourceGroup.ResourceId -AssignIdentity -Location $myAzureLocation
## Complete RBAC assignment
New-AzRoleAssignment -ObjectId $sshPolicyAssignment.Identity.PrincipalId -RoleDefinitionId $sshPolicyDefinition.Properties.PolicyRule.then.details.roleDefinitionIds[0].split("/")[4] -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)"

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

E. Create a new machine

Although new PolicyAssignments can apply to existing machines, the process can take up to a 24 hours. For this quick-start we will focus on evaluating a new machine. In this example we will create an Azure VM, but you could create an Arc enabled machine if you prefer.

Portal

1. Navigate to the Azure Virtual Machines experience.
2. Create a new VM, ensuring the following properties:
   1. Subscription and Resource Group should match where the PolicyAssignment was scoped.
   2. Image should be "Unbuntu Server 22.04...".
   3. VM architecture should be x64.
   4. Other properties such as VM name, size, etc. can be whatever you prefer.
3. Wait for the VM creation to complete, and then click Go to Resource to reach the machine overview page
4. In the left-hand navigation, select Identity and ensure that the machine has a system managed identity
5. In the left-hand navigation, select Extensions + applications, then + Add
6. Choose the Azure Automanage Machine Configuration extension and select Next
7. Select Review + create, then create

PowerShell

$myResourceGroupName = "ssh_demo_resource_group"
$myNameForNewVM = "sshdemovm01"

## Creates a new VM which is prepped to work with MachineConfiguration
## by having a system assigned identity and the GuestConfiguration extension
New-AzVM -Name $myNameForNewVM -ResourceGroupName $myResourceGroupName -SystemAssignedIdentity -Image Ubuntu2204
Set-AzVMExtension -ResourceGroupName $myResourceGroupName -VMName $myNameForNewVM -ExtensionType "ConfigurationforLinux" -Publisher "Microsoft.GuestConfiguration" -Name "AzurePolicyForLinux" -TypeHandlerVersion 1.0

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

F. Take a break before proceeding

When new PolicyDefinitions, PolicyAssignments, and machines are involved, it can take several minutes for everything to reach steady-state. Consider waiting at least 30 minutes before proceeding to the next step.

G. Observe compliance results

The following steps enable you to see a compliance rollup at different altitudes:

• Compliance by PolicyAssignment
  • Number of machines compliant and non-compliant
  • Highest altitude, especially useful for large fleets
• Compliance by machine
  • List of machines with yes/no per machine
• Compliance by setting, for a specific machine
  • Deepest level of detail, like the screenshot at the top of this article.

Tip

Your new machine will likely be judged as non-compliant when it encounters the policy for the first time. The default SSH settings in the policy are more strict than what many OS images have configured by default. After an additional 20 minutes or so, you should find that your machine becomes compliant thanks to the remediation logic built-in to SSH Posture Control.

Portal

1. Navigate to the Policy | Compliance page.
2. Select [Preview] SSH Posture Control policy.
3. Observe that the number of compliant / non-compliant machines is reported
4. Under Resource Compliance you can see the status for individual machines
5. To drill down to the setting-by-setting details for a specific machine:
   1. Click the ... next to a machine, and choose View resource to reach the machine's Overview page
   2. In the left hand navigation under Operations, click Configuration management (not Configuration under Settings)
   3. Click LinuxSSHServerSecurityBaseline
   4. The resulting page shows each setting in the configuration with details about compliance as well as how compliance was determined.

PowerShell

To observe status at the highest altitude (just machine counts), you can use the following:

$machineCountsQuery = @'
guestconfigurationresources
| where name startswith("LinuxSshServerSecurityBaseline")
| extend complianceStatus = tostring(properties.complianceStatus)
| summarize machineCount = count() by complianceStatus
'@

Search-AzGraph -Query $machineCountsQuery

<#
Sample output from an environment with two machines:

complianceStatus machineCount
---------------- ------------
Pending                     1
Compliant                   1
#>

To see a compliance by machine, you can use the following:

$machinePerRowQuery = @'
guestconfigurationresources
| where name startswith("LinuxSshServerSecurityBaseline")
| project 
    machine = split(properties.targetResourceId,'/')[-1],
    complianceStatus = properties.complianceStatus,
    lastComplianceStatusChecked = properties.lastComplianceStatusChecked
'@

Search-AzGraph -Query $machinePerRowQuery

<#
Sample output:

machine     complianceStatus lastComplianceStatusChecked
-------     ---------------- ---------------------------
sshdemovm01 Compliant        2/15/2024 11:07:21 PM
sshdemovm02 Pending          1/1/0001 12:00:00 AM
#>

To see the setting-by-setting details, you can use the following:

$settingPerRowQuery = @'
guestconfigurationresources
| where name startswith ('LinuxSshServerSecurityBaseline')
| extend machine = split(properties.targetResourceId,'/')[-1]
| mvexpand properties.latestAssignmentReport.resources
| mvexpand properties_latestAssignmentReport_resources.reasons
| project machine,
    complianceCheck = tostring(properties_latestAssignmentReport_resources.resourceId),
    complianceStatus = tostring(properties.complianceStatus),
    complianceReason = tostring(properties_latestAssignmentReport_resources_reasons.phrase)
'@

Search-AzGraph $settingPerRowQuery

<#
Sample output:

machine     complianceCheck                                                  complianceStatus     complianceReason
-------     ---------------                                                  ------               ------
sshdemovm01 Ensure permissions on /etc/ssh/sshd_config are configured        Compliant            Access to '/etc/ssh/sshd_config' matches required ...
sshdemovm01 Ensure SSH is configured to meet best practices (protocol 2)     Compliant            'Protocol 2' is found uncommented in /etc/ssh/sshd_config
sshdemovm01 Ensure SSH is configured to ignore rhosts                        Compliant            The sshd service reports that 'ignorerhosts' is set to 'yes'
sshdemovm01 Ensure SSH LogLevel is set to INFO                               Compliant            The sshd service reports that 'loglevel' is set to 'INFO'
sshdemovm01 Ensure SSH MaxAuthTries is configured                            Compliant            The sshd service reports that 'maxauthtries' is set to '6'
sshdemovm01 Ensure allowed users for SSH access are configured               Compliant            The sshd service reports that 'allowusers' is set to '*@*'
sshdemovm01 Ensure denied users for SSH are configured                       Compliant            The sshd service reports that 'denyusers' is set to 'root'
sshdemovm01 Ensure allowed groups for SSH are configured                     Compliant            The sshd service reports that 'allowgroups' is set to '*'
sshdemovm01 Ensure denied groups for SSH are configured                      Compliant            The sshd service reports that 'denygroups' is set to 'root'
sshdemovm01 Ensure SSH host-based authenticationis disabled                  Compliant            The sshd service reports that 'hostbasedauthentication' is ...
#>

Azure CLI

Not available at this time. Pending https://github.com/Azure/azure-cli/issues/28377. Please use Portal or PowerShell instructions.

Next step

Contact the team at Microsoft to provide feedback, features requests, etc.

ssh_posture_control_through_azure@service.microsoft.com