73 KiB

Исходник Постоянная ссылка Ответственный История

discussion
false

Change log

v0.19.0

What's changed since v0.18.0:

New features:
- Added Azure.GA_2020_12 baseline. #593
  - Includes rules released before or during December 2020 for Azure GA features.
  - Marked baseline Azure.GA_2020_09 as obsolete.
New rules:
- Database for MySQL:
  - Check database servers meet name requirements. #583
- Database for PostgreSQL:
  - Check database servers meet name requirements. #583
- SQL Database:
  - Check SQL logical servers meet name requirements. #583
  - Check SQL failover groups meet name requirements. #583
  - Check SQL databases meet name requirements. #583
- SQL Managed Instance:
  - Check SQL Managed Instances meet name requirements. #583
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.19.3. #590
General improvements:
- Added support for true, false, and null template functions. #579
- Added support for createObject template function. #580
Engineering:
- Bump PSRule dependency to v1.0.0. #588

What's changed since pre-release v0.19.0-B2012008:

New features:
- Added Azure.GA_2020_12 baseline. #593
  - Includes rules released before or during December 2020 for Azure GA features.
  - Marked baseline Azure.GA_2020_09 as obsolete.

v0.19.0-B2012008 (pre-release)

What's changed since pre-release v0.19.0-B2011008:

Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.19.3. #590
Engineering:
- Bump PSRule dependency to v1.0.0. #588

v0.19.0-B2011008 (pre-release)

What's changed since v0.18.0:

New rules:
- Database for MySQL:
  - Check database servers meet name requirements. #583
- Database for PostgreSQL:
  - Check database servers meet name requirements. #583
- SQL Database:
  - Check SQL logical servers meet name requirements. #583
  - Check SQL failover groups meet name requirements. #583
  - Check SQL databases meet name requirements. #583
- SQL Managed Instance:
  - Check SQL Managed Instances meet name requirements. #583
General improvements:
- Added support for true, false, and null template functions. #579
- Added support for createObject template function. #580

v0.18.0

What's changed since v0.17.0:

New rules:
- Container Registry:
  - Check registries use container image scanning. #558
  - Check registries image scanning results are healthy. #558
  - Check registries use content trust. #558
  - Check registries are geo-replicated. #558
  - Check registries uses storage space less than included storage. #558
  - Check registries have a retention set of untagged manifests (preview). #558
  - Check registries use image quarantine pattern (preview). #558
- Front Door:
  - Check Front Door WAF policy name requirements. #552
Bug fixes:
- Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554
- Fixed reason typo on template parameter metadata. #567
- Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
- Fixed variable property not resolved with copy peer. #571
- Fixed blob soft delete for FileStorage storage accounts. #573
- Fixed top level variable copy detected as unused variable.#569
- Fixed ResourceGroupName property cannot be found on this object. #561

What's changed since pre-release v0.18.0-B2011023:

No additional changes.

v0.18.0-B2011023 (pre-release)

What's changed since pre-release v0.18.0-B2011005:

Bug fixes:
- Fixed reason typo on template parameter metadata. #567
- Fixed Get-AzRuleTemplateLink reports incorrect parameter with file path. #568
- Fixed variable property not resolved with copy peer. #571
- Fixed blob soft delete for FileStorage storage accounts. #573
- Fixed top level variable copy detected as unused variable.#569

v0.18.0-B2011005 (pre-release)

What's changed since pre-release v0.18.0-B2010016:

Bug fixes:
- Fixed ResourceGroupName property cannot be found on this object. #561

v0.18.0-B2010016 (pre-release)

What's changed since v0.17.0:

New rules:
- Container Registry:
  - Check registries use container image scanning. #558
  - Check registries image scanning results are healthy. #558
  - Check registries use content trust. #558
  - Check registries are geo-replicated. #558
  - Check registries uses storage space less than included storage. #558
  - Check registries have a retention set of untagged manifests (preview). #558
  - Check registries use image quarantine pattern (preview). #558
- Front Door:
  - Check Front Door WAF policy name requirements. #552
Bug fixes:
- Fixed HNS storage accounts so they are excluded from blob soft delete rule. #554

v0.17.0

What's changed since v0.16.0:

New rules:
- Azure Cache for Redis:
  - Check cache instances use Standard C1 or greater SKU. #501
  - Cache cache instances configure maxmemory-reserved setting. #502
- App Configuration:
  - Check App Configuration stores meet name requirements. #528
  - Check App Configuration stores use standard SKU. #528
- App Service:
  - Check App Service apps use HTTP/2. #538
  - Check App Service apps use managed identities. #537
  - Check App Service apps use Always On. #521
  - Check App Service apps have remote debugging disabled. #521
  - Check App Service apps use newer .NET Framework versions. #521
  - Check App Service apps use newer PHP runtime versions. #521
- Logic App:
  - Check Logic App apps limit IP range for HTTP triggers. #526
Updated rules:
- Storage:
  - Updated Azure.Storage.UseReplication for additional use cases.
    - Added support for geo-zone-redundant storage. #535
    - Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
- Azure Kubernetes Service:
  - Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
Removed rules:
- Azure Kubernetes Service:
  - Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523
General improvements:
- Added support for providers template function. #177
- Added support for dateTimeAdd template function. #516
Bug fixes:
- Fixed expansion of templates with multiple variables copy blocks. #541
- Fixed App Service rule site config false positives in templates. #533

What's changed since pre-release v0.17.0-B2010028:

No additional changes.

v0.17.0-B2010028 (pre-release)

What's changed since pre-release v0.17.0-B2010022:

New rules:
- Azure Cache for Redis:
  - Check cache instances use Standard C1 or greater SKU. #501
  - Cache cache instances configure maxmemory-reserved setting. #502

v0.17.0-B2010022 (pre-release)

What's changed since pre-release v0.17.0-B2010017:

Bug fixes:
- Fixed expansion of templates with multiple variables copy blocks. #541

v0.17.0-B2010017 (pre-release)

What's changed since pre-release v0.17.0-B2010006:

New rules:
- App Service:
  - Check App Service apps use HTTP/2. #538
  - Check App Service apps use managed identities. #537
Updated rules:
- Storage:
  - Updated Azure.Storage.UseReplication for additional use cases.
    - Added support for geo-zone-redundant storage. #535
    - Exclude storage tagged with resource-usage = 'azure-functions' or resource-usage = 'azure-monitor'. #534
Bug fixes:
- Fixed App Service rule site config false positives in templates. #533

v0.17.0-B2010006 (pre-release)

What's changed since pre-release v0.17.0-B2009009:

New rules:
- App Configuration:
  - Check App Configuration stores meet name requirements. #528
  - Check App Configuration stores use standard SKU. #528
- App Service:
  - Check App Service apps use Always On. #521
  - Check App Service apps have remote debugging disabled. #521
  - Check App Service apps use newer .NET Framework versions. #521
  - Check App Service apps use newer PHP runtime versions. #521
- Logic App:
  - Check Logic App apps limit IP range for HTTP triggers. #526
Updated rules:
- Azure Kubernetes Service:
  - Promote Azure.AKS.AzurePolicyAddOn to GA rule set. #524
Removed rules:
- Azure Kubernetes Service:
  - Remove Azure.AKS.PodSecurityPolicy as this AKS feature is replaced by Azure Policy. #523

v0.17.0-B2009009 (pre-release)

What's changed since v0.16.0:

General improvements:
- Added support for providers template function. #177
- Added support for dateTimeAdd template function. #516

v0.16.0

What's changed since v0.15.0:

New features:
- Added Azure.GA_2020_09 baseline. #488
  - Includes rules released before or during September 2020 for Azure GA features.
  - Marked baseline Azure.GA_2020_06 as obsolete.
New rules:
- CDN:
  - Check CDN endpoint naming requirements. #486
  - Check CDN endpoints use TLS 1.2. #487
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.18.8. #504
General improvements:
- Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
- Improve output of template processing exceptions. #484
Engineering:
- Bump PSRule dependency to v0.20.0.
Bug fixes:
- Fixed Data Factory version not detected with template. #498
- Fixed parameter file detection with 2019-04-01 schema. #495
- Fixed deprecated $Rule properties. #491

What's changed since pre-release v0.16.0-B2009033:

No additional changes.

v0.16.0-B2009033 (pre-release)

What's changed since pre-release v0.16.0-B2009024:

New features:
- Added Azure.GA_2020_09 baseline. #488
  - Includes rules released before or during September 2020 for Azure GA features.
  - Marked baseline Azure.GA_2020_06 as obsolete.
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.18.8. #504
Engineering:
- Bump PSRule dependency to v0.20.0.

v0.16.0-B2009024 (pre-release)

What's changed since pre-release v0.16.0-B2009019:

Bug fixes:
- Fixed Data Factory version not detected with template. #498

v0.16.0-B2009019 (pre-release)

What's changed since pre-release v0.16.0-B2009011:

Bug fixes:
- Fixed parameter file detection with 2019-04-01 schema. #495

v0.16.0-B2009011 (pre-release)

What's changed since pre-release v0.16.0-B2009004:

Bug fixes:
- Fixed deprecated $Rule properties. #491

v0.16.0-B2009004 (pre-release)

What's changed since v0.15.0:

New rules:
- CDN:
  - Check CDN endpoint naming requirements. #486
  - Check CDN endpoints use TLS 1.2. #487
General improvements:
- Updated rule content to align with Microsoft Azure Well-Architected Framework pillars. #481
- Improve output of template processing exceptions. #484

v0.15.0

What's changed since v0.14.1:

New rules:
- All resources:
  - Check ARM template parameters are used. #232
  - Check ARM template variables are used. #233
  - Check ARM template parameters include a metadata description. #360
  - Check ARM templates define at least one resource. #359
- Database for MySQL:
  - Check database servers reject TLS versions older than 1.2. #469
- Database for PostgreSQL:
  - Check database servers reject TLS versions older than 1.2. #470
- SQL Database:
  - Check database servers reject TLS versions older than 1.2. #471
- Storage Account:
  - Check Storage Accounts reject TLS versions older than 1.2. #455
  - Check Storage Accounts only accept authorized requests. #456
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.17.9. #452
Engineering:
- Bump PSRule dependency to v0.19.0.
Bug fixes:
- Fixed export of non-blob Storage Accounts. #464
- Fixed export of subscription Security Center data based on API version. #465
- Fixed masking of sharedKey when property does not exist. #466

What's changed since pre-release v0.15.0-B2008034:

No additional changes.

v0.15.0-B2008043 (pre-release)

What's changed since pre-release v0.15.0-B2008034:

New rules:
- Database for MySQL:
  - Check database servers reject TLS versions older than 1.2. #469
- Database for PostgreSQL:
  - Check database servers reject TLS versions older than 1.2. #470
- SQL Database:
  - Check database servers reject TLS versions older than 1.2. #471
Bug fixes:
- Fixed use variables check when no variables are defined. #462

v0.15.0-B2008034 (pre-release)

What's changed since pre-release v0.15.0-B2008026:

Bug fixes:
- Fixed export of non-blob Storage Accounts. #464
- Fixed export of subscription Security Center data based on API version. #465
- Fixed masking of sharedKey when property does not exist. #466

v0.15.0-B2008026 (pre-release)

What's changed since v0.14.1:

New rules:
- All resources:
  - Check ARM template parameters are used. #232
  - Check ARM template variables are used. #233
  - Check ARM template parameters include a metadata description. #360
  - Check ARM templates define at least one resource. #359
- Storage Account:
  - Check Storage Accounts reject TLS versions older than 1.2. #455
  - Check Storage Accounts only accept authorized requests. #456
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.17.9. #452

v0.14.1

What's changed since v0.14.0:

Bug fixes:
- Fixed resource tags rule to exclude diagnostic settings. #448

v0.14.0

What's changed since v0.13.0:

New rules:
- API Management:
  - Check API Management service name requirements. #437
  - Check API Management products have legal terms. #438
  - Check API Management products have a display name and description. #439
  - Check API Management APIs have a display name and description. #440
- Subscriptions:
  - Check subscription is managed by PIM. #422
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.17.7. #427
General improvements:
- Updated rule reasons and logic. #424
Bug fixes:
- Fixed masking for network connection resource configuration. #434
- Fixed hybrid use benefit rule to exclude Windows client OSs. #433
- Fixed VM standalone rule to exclude Windows client OSs. #442

What's changed since pre-release v0.14.0-B2007031:

No additional changes.

v0.14.0-B2007031 (pre-release)

What's changed since pre-release v0.14.0-B2007020:

New rules:
- API Management:
  - Check API Management service name requirements. #437
  - Check API Management products have legal terms. #438
  - Check API Management products have a display name and description. #439
  - Check API Management APIs have a display name and description. #440
Bug fixes:
- Fixed masking for network connection resource configuration. #434
- Fixed hybrid use benefit rule to exclude Windows client OSs. #433
- Fixed VM standalone rule to exclude Windows client OSs. #442

v0.14.0-B2007020 (pre-release)

What's changed since v0.13.0:

New rules:
- Subscriptions:
  - Check subscription is managed by PIM. #422
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.17.7. #427
General improvements:
- Updated rule reasons and logic. #424

v0.13.0

What's changed since v0.12.1:

New features:
- Added Azure.GA_2020_06 baseline. #399
  - Includes rules released before or during June 2020 for Azure GA features.
New rules:
- Azure Kubernetes Service:
  - Check AKS clusters use a Standard load balancer SKU. #334
  - Check AKS clusters use Managed Identities for cluster infrastructure. #333
  - Check AKS clusters use Azure Policy add-on (preview). #405
- Public IP:
  - Check Public IP domain name label requirements. #389
- Virtual Machines:
  - Check Availability Set name requirements. #387
  - Check Computer name requirements. #387
  - Check Managed Disk name requirements. #387
  - Check Network Interface name requirements. #387
  - Check Virtual Machine name requirements. #387
  - Check Proximity Placement Group name requirements. #387
- Virtual Machine Scale Sets:
  - Check Computer name requirements. #387
  - Check Virtual Machine Scale Set name requirements. #387
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.16.9. #394
Bug fixes:
- Fixed module default culture. #390
- Fixed exception message for object property that does not exist. #362
- Fixed substring raises an exception processing sub expressions. #413

What's changed since pre-release v0.13.0-B2006032:

Bug fixes:
- Fixed substring raises an exception processing sub expressions. #413

v0.13.0-B2006032 (pre-release)

New features:
- Added Azure.GA_2020_06 baseline. #399
  - Includes rules released before or during June 2020 for Azure GA features.
Bug fixes:
- Fixed exception message for object property that does not exist. #362

v0.13.0-B2006023 (pre-release)

New rules:
- Public IP:
  - Check Public IP domain name label requirements. #389
- Virtual Machines:
  - Check Availability Set name requirements. #387
  - Check Computer name requirements. #387
  - Check Managed Disk name requirements. #387
  - Check Network Interface name requirements. #387
  - Check Virtual Machine name requirements. #387
  - Check Proximity Placement Group name requirements. #387
- Virtual Machine Scale Sets:
  - Check Computer name requirements. #387
  - Check Virtual Machine Scale Set name requirements. #387

v0.13.0-B2006017 (pre-release)

New rules:
- Azure Kubernetes Service:
  - Check AKS clusters use a Standard load balancer SKU. #334
  - Check AKS clusters use Managed Identities for cluster infrastructure. #333
  - Check AKS clusters use Azure Policy add-on (preview). #405

v0.13.0-B2006003 (pre-release)

Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.16.9. #394
Bug fixes:
- Fixed module default culture. #390

v0.12.1

What's changed since v0.12.0:

Bug fixes:
- Fixed subnet name check for VNET with no subnets. #386

v0.12.0

What's changed since v0.11.0:

New rules:
- Azure Kubernetes Service:
  - Check AKS cluster name requirements. #373
  - Check AKS cluster DNS prefix requirements. #373
- Container Registry:
  - Check registry name requirements. #373
- Front Door:
  - Check Front Door name requirements. #373
- Load Balancer:
  - Check Load Balancer name requirements. #373
- Network Security Group:
  - Check NSG name requirements. #373
- Public IP:
  - Check Public IP name requirements. #373
- Policy:
  - Check Policy definitions use descriptive fields. #364
- Resource Group:
  - Check Resource Group name requirements. #373
- Route table
  - Check Route table name requirements. #373
- SignalR Service:
  - Check SignalR Service name requirements. #373
- SQL Database:
  - Check SQL Database uses TDE. #379
  - Check SQL Database uses AAD authentication. #378
- Storage Account:
  - Check Storage Account name requirements. #373
  - Check Storage blob containers use private access type. #365
- Virtual Network:
  - Check VNET name requirements. #373
  - Check VNET subnet name requirements. #373
- Virtual Network Gateway:
  - Check VNG name requirements. #373
  - Check VNG connection name requirements. #373
  - Check ExpressRoute Gateway uses current SKU. #369
  - Check VPN Gateway uses current SKU. #370
  - Check VPN Gateway uses active-active configuration. #371

What's changed since pre-release v0.12.0-B2005026:

No additional changes.

v0.12.0-B2005026 (pre-release)

New rules:
- SQL Database:
  - Check SQL Database uses TDE. #379
  - Check SQL Database uses AAD authentication. #378
Bug fixes:
- Fixed handling of subnet sub-resource name with slash. #381

v0.12.0-B2005019 (pre-release)

New rules:
- Azure Kubernetes Service:
  - Check AKS cluster name requirements. #373
  - Check AKS cluster DNS prefix requirements. #373
- Container Registry:
  - Check registry name requirements. #373
- Front Door:
  - Check Front Door name requirements. #373
- Load Balancer:
  - Check Load Balancer name requirements. #373
- Network Security Group:
  - Check NSG name requirements. #373
- Public IP:
  - Check Public IP name requirements. #373
- Resource Group:
  - Check Resource Group name requirements. #373
- Route table
  - Check Route table name requirements. #373
- SignalR Service:
  - Check SignalR Service name requirements. #373
- Storage Account:
  - Check Storage Account name requirements. #373
- Virtual Network:
  - Check VNET name requirements. #373
  - Check VNET subnet name requirements. #373
- Virtual Network Gateway:
  - Check VNG name requirements. #373
  - Check VNG connection name requirements. #373
  - Check ExpressRoute Gateway uses current SKU. #369
  - Check VPN Gateway uses current SKU. #370
  - Check VPN Gateway uses active-active configuration. #371

v0.12.0-B2005005 (pre-release)

New rules:
- Storage Account:
  - Check Storage blob containers use private access type. #365
- Policy:
  - Check Policy definitions use descriptive fields. #364

v0.11.0

What's changed since v0.10.1:

New rules:
- Azure Kubernetes Service:
  - Check AKS nodes use a minimum number of pods. #274
- API Management:
  - Check API Management products require a subscription. #342
  - Check API Management products require approval. #343
  - Check API Management sample products have been removed. #344
  - Check API Management uses a managed identity. #345
  - Check API Management certificates are not expired. #346
General improvements:
- Added name and type bindings for template files. #353
- Breaking change: Renamed configuration options to use a standard prefix. #327
  - Configuration options use the Azure_ prefix.
  - Update configuration settings to use the new name, old configuration names are ignored.
  - Renamed minAKSVersion to Azure_AKSMinimumVersion.
  - Renamed azureAllowedRegions to Azure_AllowedRegions.
  - Added configuration option documentation. See about_PSRule_Azure_Configuration for details.

What's changed since pre-release v0.11.0-B2004012:

General improvements:
- Added name and type bindings for template files. #353

v0.11.0-B2004012 (pre-release)

New rules:
- Azure Kubernetes Service:
  - Check AKS nodes use a minimum number of pods. #274
General improvements:
- Breaking change: Renamed configuration options to use a standard prefix. #327
  - Configuration options use the Azure_ prefix.
  - Update configuration settings to use the new name, old configuration names are ignored.
  - Renamed minAKSVersion to Azure_AKSMinimumVersion.
  - Renamed azureAllowedRegions to Azure_AllowedRegions.
  - Added configuration option documentation. See about_PSRule_Azure_Configuration for details.

v0.11.0-B2004005 (pre-release)

New rules:
- API Management:
  - Check API Management products require a subscription. #342
  - Check API Management products require approval. #343
  - Check API Management sample products have been removed. #344
  - Check API Management uses a managed identity. #345
  - Check API Management certificates are not expired. #346

v0.10.1

What's changed since v0.10.0:

Bug fixes:
- Fixed false positive for unused public IP in templates. #336
- Fixed false positive for use of managed disks in templates. #337
- Fixed false positive for disk caching when no VM data disks is null in templates. #338

v0.10.0

What's changed since v0.9.0:

New features:
- Added support for linking parameter and template files for analysis with metadata. #324
  - Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
  - See cmdlet help for usage.
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.16.7. #330
General improvements:
- Removed warning message for azureAllowedRegions option. #328
- Improvements to verbose logging of Export-AzRuleData. #301
Bug fixes:
- Fixed unused VM resource false positives in templates. #312
- Fixed handling SKU for accelerated networking. #314
- Fixed detection of hybrid use benefit in templates. #313
- Fixed exception message when a template or parameter file is not found. #316
- Fixed detection of diagnostic logging for Front Door. #307
- Fixed Front Door WAF Policy export. #308
- Fixed union of object properties in templates. #303

What's changed since pre-release v0.10.0-B2003051:

No additional changes.

v0.10.0-B2003051 (pre-release)

New features:
- Added support for linking parameter and template files for analysis with metadata. #324
  - Added Get-AzRuleTemplateLink cmdlet to get metadata link to template files.
  - See cmdlet help for usage.
General improvements:
- Removed warning message for azureAllowedRegions option. #328
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.16.7. #330

v0.10.0-B2003032 (pre-release)

Bug fixes:
- Fixed unused VM resource false positives in templates. #312
- Fixed handling SKU for accelerated networking. #314
- Fixed detection of hybrid use benefit in templates. #313
- Fixed exception message when a template or parameter file is not found. #316

v0.10.0-B2003004 (pre-release)

Bug fixes:
- Fixed detection of diagnostic logging for Front Door. #307
- Fixed Front Door WAF Policy export. #308

v0.10.0-B2002023 (pre-release)

General improvements:
- Improvements to verbose logging of Export-AzRuleData. #301
Bug fixes:
- Fixed union of object properties in templates. #303

v0.9.0

What's changed since v0.8.0:

New rules:
- Azure Firewall:
  - Check threat intelligence is configured as deny. #266
- Front Door:
  - Check Front Door is enabled. #267
  - Check Front Door uses TLS 1.2. #268
  - Check Front Door has a configured WAF policy. #269
  - Check Front Door WAF policy is configured in prevention mode. #271
  - Check Front Door WAF policy is enabled. #270
  - Check if diagnostic logs are configured. #289
- Traffic Manager:
  - Check web-based endpoints are monitored with HTTPS. #240
  - Check at least two endpoints are enabled. #241
- Key Vault:
  - Check soft delete is enabled. #277
  - Check purge protection is enabled. #280
  - Check least privileges permissions assigned in access policy. #281
  - Check if diagnostic logs are configured. #288
- Subscriptions:
  - Check if service health alerts are configured. #290
Updated rules:
- Exclude cloud shell storage accounts from data rules. #278
  - Azure.Storage.UseReplication and Azure.Storage.SoftDelete ignore cloud shell storage accounts.
General improvements:
- Removed module dependency on Az.Security. #105
Bug fixes:
- Fixed incorrect string formatting in POSIX culture. #262
- Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261

What's changed since pre-release v0.9.0-B2002036:

No additional changes.

v0.9.0-B2002036 (pre-release)

Exclude cloud shell storage accounts from data rules. #278
Added new rule for Subscriptions:
- Check if service health alerts are configured. #290
Added new rule for Key Vault:
- Check if diagnostic logs are configured. #288
Added new rule for Front Door:
- Check if diagnostic logs are configured. #289
Removed module dependency on Az.Security. #105

v0.9.0-B2002026 (pre-release)

Added new rules for Traffic Manager:
- Check web-based endpoints are monitored with HTTPS. #240
- Check at least two endpoints are enabled. #241
Added new rules for Key Vault:
- Check soft delete is enabled. #277
- Check purge protection is enabled. #280
- Check least privileges permissions assigned in access policy. #281

v0.9.0-B2002019 (pre-release)

Added new rule to check Azure Firewall threat intelligence is configured as deny. #266
Added new rules for Front Door:
- Check Front Door is enabled. #267
- Check Front Door uses TLS 1.2. #268
- Check Front Door has a configured WAF policy. #269
- Check Front Door WAF policy is configured in prevention mode. #271
- Check Front Door WAF policy is enabled. #270

v0.9.0-B2002011 (pre-release)

Fixed incorrect string formatting in POSIX culture. #262
Fixed Azure.VNET.UseNSGs to exclude AzureFirewallSubnet. #261

v0.8.0

What's changed since v0.7.0:

New rules:
- API Management:
  - Check API Management uses secure protocol versions. #237
  - Check API Management published APIs use HTTPS. #236
  - Check API Management backend connections use HTTPS. #238
  - Check API Management named values are encrypted. #239
- Automation Accounts:
  - Check automation accounts use encrypted variables. #211
  - Check automation account webhook expiry interval. #212
- CDN:
  - Check Azure CDN connections use HTTPS. #242
- Resource Manager Templates:
  - Check ARM template and parameter file structure. #225
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to 1.15.7. #247
- Virtual networks:
  - Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
General improvements:
- Improvements to rule help wording and usage of links section. #220 #224 #257
  - Documentation and reasons messages are now available for all en cultures.
- Various updates to rule implementation to take advantage of PSRule v0.12.0 language features. #220
- Breaking change: Shorten rule names to improve output display. #119
  - Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*.
  - Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*.
  - NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*.
  - VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*.
  - NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*.
  - Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer.
Bug fixes:
- Fix Azure.Resource.UseTags applying to template and parameter files. #230

What's changed since pre-release v0.8.0-B2001029:

Fixed Azure.VNET.UseNSGs not populating subnet name in reason message. #256
Updated reason strings to use parent culture en. #257

v0.8.0-B2001029 (pre-release)

Updated Azure.VNET.UseNSGs to apply to subnet resources from templates. #246
Updated Azure.AKS.Version to 1.15.7. #247
Breaking change: Renamed Azure.File.* rules to Azure.Template.*. #252

v0.8.0-B2001018 (pre-release)

Fixed Azure.Resource.UseTags applying to template and parameter files. #230
Fixed ARM template and parameter schemas used to detect files. #234
Added new rule to check API Management uses secure protocol versions. #237
Added new rule to check API Management published APIs use HTTPS. #236
Added new rule to check API Management backend connections use HTTPS. #238
Added new rule to check API Management named values are encrypted. #239
Added new rule to check Azure CDN connections use HTTPS. #242

v0.8.0-B2001006 (pre-release)

Updated documentation to use parent culture en. #224
Added rules for ARM template and parameter file structure. #225
Breaking change: Application Gateway rules have been renamed from Azure.VirtualNetwork.* to Azure.AppGW.*. #119
Breaking change: Load balancer rules have been renamed from Azure.VirtualNetwork.* to Azure.LB.*. #119
Breaking change: NSG rules have been renamed from Azure.VirtualNetwork.* to Azure.NSG.*. #119
Breaking change: VNET rules have been renamed from Azure.VirtualNetwork.* to Azure.VNET.*. #119
Breaking change: NIC rules have been renamed from Azure.VirtualNetwork.* to Azure.VM.*. #119
Breaking change: Renamed storage account rule Azure.Storage.SecureTransferRequired to Azure.Storage.SecureTransfer. #119

v0.8.0-B1912026 (pre-release)

Fixed Automation account handling with no webhooks or variables. #219
Rule improvements from PSRule v0.12.0. #220
Updated Azure.AKS.Version to 1.15.5. #217

v0.8.0-B1912012 (pre-release)

Added new rule to check automation accounts use encrypted variables. #211
Added new rule to check automation account webhook expiry interval. #212

v0.7.0

What's changed since v0.6.0:

New rules:
- Role assignment:
  - Check presence of classic Co-Administrators. #188
- Azure Kubernetes Service:
  - Check AKS node pool version matches cluster version. #186
  - Check AKS clusters use pod security policies. #142
  - Check AKS clusters use network policies. #143
  - Check AKS node pools use scale sets. #187
Updated rules:
- Azure Kubernetes Service:
  - Updated Azure.AKS.Version to check for node pool version. #191
General improvements:
- Added custom bindings for common resource properties. #202
- Added new baseline to include rules for preview features. #190
- Breaking change: Shorten rule names to improve output display. #119
  - RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*.
  - Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*.
- Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190
Bug fixes:
- Fixed handling of tags for sub-resources. #203
- Fixed missing cmdlet help. #196
- Fixed AKS templates without node pool orchestratorVersion fail. #198
- Fixed null reference without parameters file. #189

What's changed since pre-release v0.7.0-B1912024:

No additional changes.

v0.7.0-B1912024 (pre-release)

Fixed handling of tags for sub-resources. #203
Added custom bindings for common resource properties. #202

v0.7.0-B1912017 (pre-release)

Fixed missing cmdlet help. #196
Fixed AKS templates without node pool orchestratorVersion fail. #198

v0.7.0-B1912008 (pre-release)

Fixed null reference without parameters file. #189
Added new rule to check presence of classic Co-Administrators. #188
Added new rule to check AKS node pool version matches cluster version. #186
Added new rule to check AKS clusters use pod security policies. #142
Added new rule to check AKS clusters use network policies. #143
Added new rule to check AKS node pools use scale sets. #187
Added new baseline to include rules for preview features. #190
Updated Azure.AKS.Version to check for node pool version. #191
Breaking change: RBAC rules have been renamed from Azure.Subscription.* to Azure.RBAC.*. #119
Breaking change: Security Center rules have been renamed from Azure.Subscription.* to Azure.SecureCenter.*. #119
Breaking change: Renamed default baseline from Azure.SubscriptionDefault to Azure.Default. #190

v0.6.0

What's changed since v0.5.0:

New features:
- Added support for exporting rule data from templates. #145
  - Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
  - Template and parameters are merged, resolving functions, copy loops and conditions.
Updated rules:
- Azure Kubernetes Services:
  - Updated Azure.AKS.Version to 1.14.8. #140
General improvements:
- Updated rules to use type pre-conditions. #144
Bug fixes:
- Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
  - Provider role assignments do not support tags.
- Fixed processing of Azure.Resource.AllowedRegions. #156
  - Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.
- Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
- Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149

What's changed since pre-release v0.6.0-B1911046:

No additional changes.

v0.6.0-B1911046 (pre-release)

Improved template support of Export-AzTemplateRuleData cmdlet. #145
- Added support for deployment function.
- Fixed property copy loop.
Fixed Export-AzTemplateRuleData does not return FileInfo objects. #162
Fixed automatically name outputs from Export-AzTemplateRuleData. #163
Fixed resource segmentation issue when ResourceType includes trailing slash. #165
Fixed expand resource template property as null fails. #167
Fixed case-sensitivity of variables, parameters and functions. #168
Fixed out of order parameter and variables cross reference. #170
Fixed expression parser race condition. #171
Fixed handling of padding spaces in expressions. #173
Fixed property of property is parsed incorrectly. #174
Fixed root variable copy loop handling. #175

v0.6.0-B1911027 (pre-release)

Fixed processing of Azure.Resource.UseTags to exclude */providers/roleAssignments. #155
- Provider role assignments do not support tags.
Fixed processing of Azure.Resource.AllowedRegions. #156
- Exclude */providers/roleAssignments, Microsoft.Authorization/* and Microsoft.Consumption/*.

v0.6.0-B1911020 (pre-release)

Fixed processing of Azure.VirtualNetwork.NSGAssociated for templates. #150
Fixed processing of Azure.VirtualNetwork.LateralTraversal when destinationPortRanges is used. #149
Improved template support of Export-AzTemplateRuleData cmdlet. #145
- Added support for nested templates.
- Added support for array, createArray, coalesce, intersection, dataUri and dataUriToString functions.

v0.6.0-B1911011 (pre-release)

Updated Azure.AKS.Version to 1.14.8. #140
Updated rules to use type pre-conditions. #144
Experimental: Added support for exporting rule data from templates. #145
- Added Export-AzTemplateRuleData cmdlet to export templates. See cmdlet help for limitations.
- Template and parameters are merged, resolving functions, copy loops and conditions.

v0.5.0

What's changed since v0.4.0:

New rules:
- Virtual machines:
  - Check Windows automatic updates are enabled. #132
  - Check VM agent is automatically provisioned. #131
Updated rules:
- Azure Kubernetes Services:
  - Updated Azure.AKS.Version to 1.14.6. #130
General improvements:
- Shorten rule names for virtual machined to Azure.VM.* to improve output display. #119
  - Breaking change: Rules have been renamed from Azure.VirtualMachine.* to Azure.VM.*.

What's changed since pre-release v0.5.0-B1910004:

No additional changes.

v0.5.0-B1910004 (pre-release)

Added rule to verify Windows automatic updates are enabled. #132
Added rule to verify VM agent is automatically provisioned. #131
Updated Azure.AKS.Version to 1.14.6. #130
Breaking change: Renamed Azure.VirtualMachine.* rules to Azure.VM.*. #119

v0.4.0

What's changed since v0.3.0:

New rules:
- Virtual machines:
  - Added rule to verify Azure Disk Encryption. #122
  - Added rule to check if public key is used for Linux. #123
- Virtual networking:
  - Added rule to verify connectivity of VNET peers. #120
  - Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
General improvements:
- Removed dependency on Az.Storage module. #105
- Added default baseline to module. #126

What's changed since pre-release v0.4.0-B190902:

Added default baseline to module. #126

v0.4.0-B190902 (pre-release)

Added rule to verify connectivity of VNET peers. #120
Added rule to check configuration of HTTP/ HTTPS load balancer probes. #121
Added rule to verify Azure Disk Encryption. #122
Added rule to check if public key is used for Linux. #123
Removed dependency on Az.Storage module. #105

v0.3.0

What's changed since v0.2.0:

New rules:
- App Services:
  - Enforce minimum TLS version for App Service. #99
- Resource clean up:
  - Network security groups that are not associated. #93
  - Unattached network interfaces. #92
- Role assignment:
  - Added subscription RBAC delegation rules. #107
    - Check for number of subscription owners.
    - Check for RBAC inheritance from management groups.
    - Check for user RBAC assignments.
    - Check for RBAC delegation on individual resources.
- Virtual machines:
  - VMs should avoid using expired promo SKUs. #87
  - VMs should avoid using basic SKUs. #69
- Virtual networking:
  - Added NSG rule to check for lateral traversal security rules. #103
  - Added rule to detect deny all inbound NSG rule. #94
Updated rules:
- App Services:
  - Updated App Service site rules to include slots. #100
  - Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
- Azure Kubernetes Services:
  - Updated Azure.AKS.Version to 1.14.5. #109
Bug fixes:
- Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
- Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
- Fix export of additional properties for Microsoft.Sql/servers. #114
- Excluded global services from Azure.Resource.AllowedRegions. #96

What's changed since pre-release v0.3.0-B190807:

Fix export of additional properties for Microsoft.Sql/servers. #114

v0.3.0-B190807 (pre-release)

Updated Azure.AKS.Version to 1.14.5. #109
Added subscription RBAC delegation rules. #107
- Check for number of subscription owners.
- Check for RBAC inheritance from management groups.
- Check for user RBAC assignments.
- Check for RBAC delegation on individual resources.

v0.3.0-B190723 (pre-release)

Excluded global services from Azure.Resource.AllowedRegions. #96
Enforce minimum TLS version for App Service. #99
Updated App Service site rules to include slots. #100
- Azure.AppService.ARRAffinity and Azure.AppService.UseHTTPS now run against slots.
Added rule to detect deny all inbound NSG rule. #94
Added unused resource rules.
- Network security groups that are not associated. #93
- Unattached network interfaces. #92
Added NSG rule to check for lateral traversal security rules. #103

v0.3.0-B190710 (pre-release)

Fix handling of empty DNS servers in Azure.VirtualNetwork.LocalDNS. #84
Fix handling of no peering connections in Azure.VirtualNetwork.LocalDNS. #89
Updated AKS version in Azure.AKS.Version to 1.13.7. #83
Added VM SKU rules:
- VMs should avoid using expired promo SKUs. #87
- VMs should avoid using basic SKUs. #69

v0.2.0

What's changed since v0.1.0:

Fix rule Azure.AKS.UseRBAC returns null. #60
Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
Fix collection of ASR vault configuration for cmdlet deprecation. #63
Updated rules to use Recommend keyword instead of Hint alias. #71
Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54
- The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
Added parameters to filter resource export by resource group and/ or tag. #59
- Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.
Added support for Application Gateway v2. #75
Added VNET rule to check for local DNS. #68
Added WAF hardening rules for Application Gateway. #78
- Application Gateways use OWASP 3.x rules.
- Application Gateways have WAF enabled.
- Application Gateways have all OWASP rules enabled.

What's changed since pre-release v0.2.0-B190715:

No additional changes.

v0.2.0-B190715 (pre-release)

Added support for Application Gateway v2. #75
Added VNET rule to check for local DNS. #68
Added WAF hardening rules for Application Gateway. #78
- Application Gateways use OWASP 3.x rules.
- Application Gateways have WAF enabled.
- Application Gateways have all OWASP rules enabled.

v0.2.0-B190706 (pre-release)

Fix rule Azure.AKS.UseRBAC returns null. #60
Fix rule Azure.Storage.SoftDelete and Azure.Storage.SecureTransferRequired returns null. #64
Fix collection of ASR vault configuration for cmdlet deprecation. #63
Added SQL firewall rule range check to determine an excessive number of permitted IP addresses. #3 #10 #54
- The rules Azure.SQL.FirewallIPRange, Azure.MySQL.FirewallIPRange and Azure.PostgreSQL.FirewallIPRange were added to check SQL, MySQL and PostgreSQL.
Updated rules to use Recommend keyword instead of Hint alias. #71
Added parameters to filter resource export by resource group and/ or tag. #59
- Added -ResourceGroupName and -Tag parameters to Export-AzRuleData cmdlet.

v0.1.0

Initial release.

What's changed since pre-release v0.1.0-B190624:

No additional changes.

v0.1.0-B190624 (pre-release)

Added rule to check if allow access to Azure services enabled for MySQL. #4
Added rule to count the number of database server firewall rules for MySQL. #2
Added rule to check if allow access to Azure services enabled for PostgreSQL. #50
Added rule to count the number of database server firewall rules for PostgreSQL. #51
Added rule to check if SSL is enforced for PostgreSQL. #49

v0.1.0-B190607 (pre-release)

Added rule documentation. #40

v0.1.0-B190569 (pre-release)

Fix exported resource data overwritten. #34

v0.1.0-B190562 (pre-release)

Add units tests for Export-AzRuleData and update filters. #28
Export-AzRuleData returns files generated by default. #27
Export-AzRuleData passes through objects resource objects to the pipeline. #25
Breaking change - Export-AzRuleData only exports data from current subscription context by default. #24
- Data can be exported from all subscription contexts by using the -All switch, or specifying specific subscriptions with the -Subscription or -Tenant parameters.

v0.1.0-B190543 (pre-release)

Fix cannot find the type for custom attribute error. #21

v0.1.0-B190536 (pre-release)

Initial pre-release.

73 KiB Исходник Постоянная ссылка Ответственный История