Merge pull request #52 from Azure/azure-arc-policies

Changes necessary for demonstrating Azure Arc management
This commit is contained in:
Nick Price 2022-05-31 09:59:17 +10:00 коммит произвёл GitHub
Родитель 5648d6acbd 597b9f7956
Коммит a1f2866add
4 изменённых файлов: 114 добавлений и 32 удалений


@ -24,7 +24,8 @@
"changeTrackingResourceName": "[concat('ChangeTracking(', variables('workspaceName'), ')')]",
"securityResourceName": "[concat('Security(', variables('workspaceName'), ')')]",
"securityCenterFreeResourceName": "[concat('SecurityCenterFree(', variables('workspaceName'), ')')]",
"updatesResourceName": "[concat('Updates(', variables('workspaceName'), ')')]"
"updatesResourceName": "[concat('Updates(', variables('workspaceName'), ')')]",
"vminsightsResourceName": "[concat('VMInsights(', variables('workspaceName'), ')')]"
},
"resources": [
{
@ -88,6 +89,21 @@
"workspaceResourceId": "[parameters('workspaceResourceId')]"
}
},
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('vminsightsResourceName')]",
"location": "[parameters('workspaceRegion')]",
"plan": {
"name": "[variables('vminsightsResourceName')]",
"promotionCode": "",
"product": "OMSGallery/VMInsights",
"publisher": "Microsoft"
},
"properties": {
"workspaceResourceId": "[parameters('workspaceResourceId')]"
}
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
@ -137,7 +153,7 @@
"kind": "ChangeTrackingDefaultRegistry"
},
{
//Set Log Analytics workspace to collect all security events
//Set Log Analytics workspace to collect common security events
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/SecurityEventCollectionConfiguration')]",
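Review bot: The hunk at L46-L54 changes only the comment above the `SecurityEventCollectionConfiguration` data source, from "all" to "common" security events, while the property that actually decides which events are ingested (the data source's tier) lies below the end of the hunk, so the comment and the configuration may now disagree. If the tier was already the common set, the old comment was wrong and this is a pure fix; if it still collects everything, the comment now understates ingestion volume and cost. Either way this is a detection-coverage decision, since the common tier is a strict subset of "all" and ISM-mapped detections may rely on events outside it, so the comment should state which tier is configured and why, e.g. `//Set Log Analytics workspace to collect the common security-event tier (subset of all events; revisit if a detection needs events outside it)`. The data source definition continues past the end of the hunk.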


@ -19,6 +19,12 @@
"metadata":{
"description": "An object that lists the resource IDs for the Azure Monitor data collection rules."
}
},
"workspaceResourceId": {
"type": "string",
"metadata": {
"description": "The Log Analytics Workspace where VMs will be directed."
}
}
},
"variables": {
@ -31,10 +37,6 @@
"relativeUri": "policies/gc-windows-logon-banner/policy.template.json",
"customPolicyDefinitionName": "gc-windows-logon-banner"
},
{
"relativeUri": "policies/enable-vulnerability-assessment/policy.template.json",
"customPolicyDefinitionName": "enable-vulnerability-assessment"
},
{
"relativeUri": "policies/gc-ipsec-audit-logging/policy.template.json",
"customPolicyDefinitionName": "gc-ipsec-audit-logging"
@ -115,12 +117,15 @@
},
"bannerText": {
"value": "REPLACE WITH YOUR LEGAL BANNER TEXT"
},
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "disk-encryption",
"displayName": "Disk encryption should be applied on virtual machines",
"assignmentName": "encrypt-host-storage",
"displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d"
},
@ -134,7 +139,7 @@
"assignmentName": "enable-vulnerability-assessment",
"displayName": "Deploy vulnerability assessment solution on virtual machines",
"definition": {
"customPolicyDefinitionName": "enable-vulnerability-assessment",
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
"roleDefinitionIds": [
"fb1c8493-542b-48eb-b624-b4c8fea62acd"
]
@ -160,7 +165,11 @@
"ISM-0999-5",
"ISM-0472-5"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-ntlm-audit-logging",
@ -172,7 +181,11 @@
"ISM-1055-4",
"ISM-1603-0"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "enable-firewall-policy",
@ -183,7 +196,11 @@
"controls": [
"ISM-1416-2"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "true"
}
}
},
{
"assignmentName": "gc-windows-account-lockout",
@ -194,7 +211,11 @@
"controls": [
"ISM-1403-2"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-security-baseline-2016",
@ -205,7 +226,11 @@
"controls": [
"ISM-1409-1"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-security-baseline-2019",
@ -216,7 +241,11 @@
"controls": [
"ISM-1409-1"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-security-baseline-2022",
@ -227,7 +256,11 @@
"controls": [
"ISM-1409-1"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-password-length",
@ -238,7 +271,11 @@
"controls": [
"ISM-0421-6"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "true"
}
}
},
{
"assignmentName": "gc-windows-powershell-logging",
@ -249,7 +286,11 @@
"controls": [
"ISM-1623-0"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-disable-autorun",
@ -260,7 +301,11 @@
"controls": [
"ISM-0341-3"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-tls-schannel-settings",
@ -271,7 +316,11 @@
"controls": [
"ISM-1139-0"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-tls-dot-net-settings",
@ -282,7 +331,11 @@
"controls": [
"ISM-1139-0"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "gc-windows-powershell-v2",
@ -293,7 +346,11 @@
"controls": [
"ISM-1621-0"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "Azure Security Benchmark",
@ -317,7 +374,11 @@
"ISM-1486-0",
"ISM-1412-2"
],
"parameters": {}
"parameters": {
"IncludeArcMachines": {
"value": "True"
}
}
},
{
"assignmentName": "enable-dcr-association-account-lockout-events",
@ -472,18 +533,20 @@
}
},
{
"assignmentName": "enable-azure-monitor-agent-windows",
"displayName": "Configure Windows virtual machines to run Azure Monitor Agent",
"assignmentName": "enable-azure-monitor-for-vms",
"displayName": "Enable Azure Monitor for VMs",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e",
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
"roleDefinitionIds": [
"9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
"92aaf0da-9dab-42b6-94a3-d43ce8d16293"
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"listOfImageIdToInclude_windows": {
"value": "[parameters('windowsImageIds')]"
},
"logAnalytics_1": {
"value": "[parameters('workspaceResourceId')]"
}
}
}
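Review bot: The new `enable-azure-monitor-for-vms` assignment (L297-L315) replaces the Azure Monitor Agent deployment policy with the `Enable Azure Monitor for VMs` initiative, yet the file still carries the `enable-dcr-association-*` assignments (one begins at L290), and data collection rules are consumed only by the Azure Monitor Agent; unless AMA is still deployed by an assignment outside this diff, those DCR associations will target machines with no agent that reads them. The id at L301 is also a `policySetDefinitions` resource stored under a key named `builtinPolicyDefinitionId`; whether the deployment code accepts an initiative id there is not visible here, so either introduce a `builtinPolicySetDefinitionId` key or add a comment such as `// initiative (policySetDefinitions) id; deployment code must accept either kind`. Separately, the `IncludeArcMachines` values added across this file mix `"True"` (e.g. L88) with `"true"` (L142, L207); use the exact spelling the definitions' allowedValues declare in every assignment, since a case-sensitive check would reject one of the two. The assignment object and the enclosing array continue outside the hunk.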


@ -203,6 +203,9 @@
},
"dataCollectionRuleEventResourceIds": {
"value": "[reference('CloudSOELaSolutionDeployment').outputs.dataCollectionRuleResourceIds.value]"
},
"workspaceResourceId": {
"value": "[parameters('workspaceResourceId')]"
}
}
}


@ -2,7 +2,7 @@
# About this project
Welcome to the CloudSOE project - we're developing a community-driven, cloud-native, multi-platform Standard Operating Environment (SOE) for organisations that adopt Information Security Manual (ISM) guidelines when building information systems that use Virtual Machines.
Welcome to the CloudSOE project - we're developing a community-driven, cloud-native, multi-platform Standard Operating Environment (SOE) for organisations that adopt Information Security Manual (ISM) guidelines when building information systems that use Virtual Machines, or when managing hybrid systems with Azure Arc.
The project uses a collection of cloud-native technologies to achieve desired outcomes for Azure (and in future, on-premises & multi-cloud) IaaS systems:
@ -34,7 +34,7 @@ The current prototype version of the CloudSOE implements the following features:
## Assign built-in Azure Policy
- Enable Azure Monitor for VMs
- Enable Azure Monitor for VMs (include Arc)
- Disk encryption should be applied on virtual machines
- Deploy vulnerability assessment solution on virtual machines
- Azure Security Benchmark
@ -130,6 +130,7 @@ The current prototype version of the CloudSOE implements the following features:
- Change Tracking / Inventory
- Azure Defender for Servers
- Azure Monitor for VMs
## Log Analytics data sources
@ -519,7 +520,6 @@ When creating a policy assignment in the `policyAssignments` variable, using the
We hope that future development of the CloudSOE project will be ✨community-driven✨. We can think of a number of enhancements that would improve the utility of the solution, such as:
- Simplify the setup process
- Test/build Azure Arc for on-premises and other cloud management
- Add Linux support
- Move to policy-based setting enforcement (i.e. not just audit)
- ESLZ integration