Virtual machine policy assignment: NoComplianceReport

Question. Votes: 0, Answers: 1

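I want to audit virtual machine security compliance using policy definitions built from selected compliance "rules".

I currently have a VM with the AzureMonitorWindowsAgent and AzurePolicyforWindows extensions installed.

After assigning a custom policy definition derived from DSC to the VM, I get the following error message: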

Compliance details:
Reason for non-compliance: No related resources match the effect details in the policy definition. (Error code: NoComplianceReport)

Existence condition

Type: Microsoft.GuestConfiguration/guestConfigurationAssignments

Name: [concat('DSCPackageArtifact$pid',uniqueString(policy().assignmentId,policy().definitionReferenceId))]

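Possible solutions to this problem would be appreciated.
I previously left it for about 45 minutes, and the error message then changed to a different error. However, it has never done so again.

Apologies if the names in the policy definition below are wrong (I have two that don't work, both giving the same error. This is the smaller example, and I have changed the names to match the above).

Policy definition (redacted definitions have deliberately been added into the partial definition posted here):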
{ "properties": { "displayName": "DSCPackageArtifact_AuditIfNotExists", "policyType": "Custom", "mode": "All", "description": "A few of the DSCs for testing", "metadata": { "properties": { "displayName": "DSC Test NonCompliance Policy", "policyType": "Custom", "mode": "Indexed", "description": "DSC Test NonCompliance Policy", "metadata": { "category": "Guest Configuration", "version": "1.0.0", "requiredProviders": [ "Microsoft.GuestConfiguration" ], "guestConfiguration": { "name": "DSCPackageTestNonCompliance", "version": "1.0.0", "contentType": "Custom", "contentUri": "<redacted content uri with SAS token>", "contentHash": "F5C0D40FDDCF1DBBE3C1AEF372D4B590F0D2929A220494BF6341DB8FA99A688B" } }, "parameters": { "IncludeArcMachines": { "type": "string", "metadata": { "displayName": "Include Arc connected machines", "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", "portalReview": "true" }, "allowedValues": [ "true", "false" ], "defaultValue": "false" } }, "policyRule": { "if": { "anyOf": [ { "allOf": [ { "anyOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets" } ] }, { "field": "tags['aks-managed-orchestrator']", "exists": "false" }, { "field": "tags['aks-managed-poolName']", "exists": "false" }, { "anyOf": [ { "field": "Microsoft.Compute/imagePublisher", "in": [ "esri", "incredibuild", "MicrosoftDynamicsAX", "MicrosoftSharepoint", "MicrosoftVisualStudio", "MicrosoftWindowsDesktop", "MicrosoftWindowsServerHPCPack" ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer" }, { "field": "Microsoft.Compute/imageSKU", "notLike": "2008*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftSQLServer" }, { "field": "Microsoft.Compute/imageOffer", "notLike": "SQL2008*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": 
"microsoft-dsvm" }, { "field": "Microsoft.Compute/imageOffer", "like": "dsvm-win*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "microsoft-ads" }, { "field": "Microsoft.Compute/imageOffer", "in": [ "standard-data-science-vm", "windows-data-science-vm" ] } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "batch" }, { "field": "Microsoft.Compute/imageOffer", "equals": "rendering-windows2016" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "center-for-internet-security-inc" }, { "field": "Microsoft.Compute/imageOffer", "like": "cis-windows-server-201*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "pivotal" }, { "field": "Microsoft.Compute/imageOffer", "like": "bosh-windows-server*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "cloud-infrastructure-services" }, { "field": "Microsoft.Compute/imageOffer", "like": "ad*" } ] }, { "allOf": [ { "anyOf": [ { "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration", "exists": true }, { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "like": "Windows*" }, { "field": "Microsoft.Compute/VirtualMachineScaleSets/osProfile.windowsConfiguration", "exists": true }, { "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", "like": "Windows*" } ] }, { "anyOf": [ { "field": "Microsoft.Compute/imageSKU", "exists": false }, { "allOf": [ { "field": "Microsoft.Compute/imageOffer", "notLike": "SQL2008*" }, { "field": "Microsoft.Compute/imageSKU", "notLike": "2008*" } ] } ] } ] } ] } ] }, { "allOf": [ { "value": "[parameters('IncludeArcMachines')]", "equals": true }, { "anyOf": [ { "allOf": [ { "field": "type", "equals": "Microsoft.HybridCompute/machines" }, { "field": "Microsoft.HybridCompute/imageOffer", "like": "windows*" } ] }, { "allOf": [ { "field": "type", "equals": 
"Microsoft.ConnectedVMwarevSphere/virtualMachines" }, { "field": "Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType", "like": "windows*" } ] } ] } ] } ] }, "then": { "effect": "auditIfNotExists", "details": { "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments", "name": "[concat('DSCPackageTestNonCompliance$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]", "existenceCondition": { "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus", "equals": "Compliant" } } } } }, "name": "6c0551da-e3e9-4d16-9eb4-7e7d914de35c", "createdBy": "6f196293-8255-4cf7-88cc-8d7b201802ee", "createdOn": "2023-10-12T08:28:43.8359707Z", "updatedBy": "6f196293-8255-4cf7-88cc-8d7b201802ee", "updatedOn": "2023-10-12T08:31:05.3297191Z" }, "parameters": { "IncludeArcMachines": { "type": "string", "metadata": { "displayName": "Include Arc connected machines", "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", "portalReview": "true" }, "allowedValues": [ "true", "false" ], "defaultValue": "false" } }, "policyRule": { "if": { "anyOf": [ { "allOf": [ { "anyOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets" } ] }, { "field": "tags['aks-managed-orchestrator']", "exists": "false" }, { "field": "tags['aks-managed-poolName']", "exists": "false" }, { "anyOf": [ { "field": "Microsoft.Compute/imagePublisher", "in": [ "esri", "incredibuild", "MicrosoftDynamicsAX", "MicrosoftSharepoint", "MicrosoftVisualStudio", "MicrosoftWindowsDesktop", "MicrosoftWindowsServerHPCPack" ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer" }, { "field": "Microsoft.Compute/imageSKU", "notLike": "2008*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftSQLServer" }, { "field": "Microsoft.Compute/imageOffer", 
"notLike": "SQL2008*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "microsoft-dsvm" }, { "field": "Microsoft.Compute/imageOffer", "like": "dsvm-win*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "microsoft-ads" }, { "field": "Microsoft.Compute/imageOffer", "in": [ "standard-data-science-vm", "windows-data-science-vm" ] } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "batch" }, { "field": "Microsoft.Compute/imageOffer", "equals": "rendering-windows2016" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "center-for-internet-security-inc" }, { "field": "Microsoft.Compute/imageOffer", "like": "cis-windows-server-201*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "pivotal" }, { "field": "Microsoft.Compute/imageOffer", "like": "bosh-windows-server*" } ] }, { "allOf": [ { "field": "Microsoft.Compute/imagePublisher", "equals": "cloud-infrastructure-services" }, { "field": "Microsoft.Compute/imageOffer", "like": "ad*" } ] }, { "allOf": [ { "anyOf": [ { "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration", "exists": true }, { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "like": "Windows*" }, { "field": "Microsoft.Compute/VirtualMachineScaleSets/osProfile.windowsConfiguration", "exists": true }, { "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", "like": "Windows*" } ] }, { "anyOf": [ { "field": "Microsoft.Compute/imageSKU", "exists": false }, { "allOf": [ { "field": "Microsoft.Compute/imageOffer", "notLike": "SQL2008*" }, { "field": "Microsoft.Compute/imageSKU", "notLike": "2008*" } ] } ] } ] } ] } ] }, { "allOf": [ { "value": "[parameters('IncludeArcMachines')]", "equals": true }, { "anyOf": [ { "allOf": [ { "field": "type", "equals": "Microsoft.HybridCompute/machines" }, { "field": 
"Microsoft.HybridCompute/imageOffer", "like": "windows*" } ] }, { "allOf": [ { "field": "type", "equals": "Microsoft.ConnectedVMwarevSphere/virtualMachines" }, { "field": "Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType", "like": "windows*" } ] } ] } ] } ] }, "then": { "effect": "auditIfNotExists", "details": { "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments", "name": "[concat('DSCPackageTestNonCompliance$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]", "existenceCondition": { "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus", "equals": "Compliant" } } } } }, "id": "/subscriptions/<redacted subscription_id>/providers/Microsoft.Authorization/policyDefinitions/DSCPackageArtifact_AuditIfNotExists", "type": "Microsoft.Authorization/policyDefinitions", "name": "DSCPackageArtifact_AuditIfNotExists", "systemData": { "createdBy": "<redacted emailaddress>", "createdByType": "User", "createdAt": "2023-10-12T08:28:43.8134715Z", "lastModifiedBy": "<redacted emailaddress>", "lastModifiedByType": "User", "lastModifiedAt": "2023-10-12T08:31:05.2747104Z" } }


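Update: compliance auditing works when a .mof file is used on the VM's "Desired State Configuration Management" tab. However, this process has been retired on Linux (the DSC extension for Linux has been retired). I am looking for a solution that is not being retired.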

azure azure-devops azure-virtual-machine azure-policy
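The error above says that no resource matches the `type` and `name` under `then.details`, so one offline check is whether the definition's `guestConfiguration` metadata and the assignment name agree. The following is an added example, not code from the question or from Azure: it assumes the `guestConfiguration` block belongs directly under `properties.metadata` and that its `name` is the prefix before `$pid` in `then.details.name`; `SAMPLE`, `walk` and `lint` are hypothetical names and the sample is constructed.

```python
import json
import re

GC_TYPE = "microsoft.guestconfiguration/guestconfigurationassignments"

# Constructed sample (not the poster's definition): same shape as the paste in
# the question, with the metadata nested one level too deep and two names.
SAMPLE = json.loads("""
{"properties": {
  "metadata": {"properties": {"metadata": {
      "category": "Guest Configuration",
      "guestConfiguration": {"name": "DSCPackageTestNonCompliance"}}}},
  "policyRule": {"then": {"effect": "auditIfNotExists", "details": {
      "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
      "name": "[concat('DSCPackageArtifact$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]"}}}}}
""")

def walk(node, key, path=()):
    """Yield (dotted_path, value) for every dict entry named `key`."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield ".".join(path + (k,)), v
            yield from walk(v, key, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, key, path + (str(i),))

def lint(definition):
    """Findings on metadata placement and name agreement (assumed conventions)."""
    findings = []
    blocks = list(walk(definition, "guestConfiguration"))
    names = {str(v["name"]) for _, v in blocks if isinstance(v, dict) and "name" in v}
    if not any(p == "properties.metadata.guestConfiguration" for p, _ in blocks):
        where = ", ".join(p for p, _ in blocks) or "nowhere"
        findings.append(f"guestConfiguration not under properties.metadata (found: {where})")
    for path, d in walk(definition, "details"):
        if not isinstance(d, dict) or str(d.get("type", "")).lower() != GC_TYPE:
            continue
        m = re.search(r"concat\('([^'$]+)\$pid'", str(d.get("name", "")))
        prefix = m.group(1) if m else None
        if prefix not in names:
            findings.append(f"{path}.name prefix {prefix!r} not in metadata names {sorted(names)}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("FINDING:", finding)
```
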
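1 answer
0 votes

I want to audit virtual machine security compliance using policy definitions built from selected compliance "rules". I currently have a VM with the AzureMonitorWindowsAgent and AzurePolicyforWindows extensions installed.

Audit the security compliance of virtual machines and virtual machine scale sets with the desired configuration.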
 {
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "in": [
                "MicrosoftMonitoringAgent",
                "AzureMonitorWindowsAgent",
                "AzurePolicyforWindows",
                "IaaSAntimalware"
              ]
            }
          ]
        },
        {
          "anyOf": [
            {
              "field": "tags['aks-managed-orchestrator']",
              "exists": false
            },
            {
              "field": "tags['aks-managed-poolName']",
              "exists": false
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Compute/imagePublisher",
                  "in": [
                    "esri",
                    "incredibuild",
                    "MicrosoftDynamicsAX",
                    "MicrosoftSharepoint",
                    "MicrosoftVisualStudio",
                    "MicrosoftWindowsDesktop",
                    "MicrosoftWindowsServerHPCPack"
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftWindowsServer"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftSQLServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "notLike": "SQL2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-dsvm"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "dsvm-win*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-ads"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "standard-data-science-vm",
                        "windows-data-science-vm"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "batch"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "rendering-windows2016"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "center-for-internet-security-inc"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "cis-windows-server-201*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "pivotal"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "bosh-windows-server*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloud-infrastructure-services"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "ad*"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

Once the policy is assigned to the desired scope, it starts auditing resources based on the conditions, as shown below.
