Governance

Use Azure Policy and the Guest Configuration policy definitions to govern your on prem resources and prove compliance.

Contents

Introduction

Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc Connected Machines. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as:

  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings

At this time, most Azure Policy Guest Configuration policy definitions only audit settings inside the machine. They don’t apply configurations. Note again that using Guest Configuration policies will trigger the per server per month Azure Arc pricing.

In this challenge you are tasked with measuring the compliance state within the Azure Arc virtual machine operating system.

Compliancy

The following requirements have been provided for regularly compliance. Assign Policy to measure the guest configuration compliance of the Azure Arc virtual machines:

  • ISO 27001:2013
  • UK OFFICIAL and UK NHS

The security team is concerned about the configuration of on-premises VMs and would like to measure their configuration against the Azure Security Benchmark:

  • Windows machines should meet requirements for the Azure security baseline
  • Linux machines should meet requirements for the Azure security baseline

Inventory

The governance team has determined that servers should have specific software installed. As a starting point they have decided to audit all linux servers to see whether they have the tree package installed on Linux.

  • assign a policy to audit Linux servers without tree installed
  • Provide a report of all Linux servers without tree installed (optional)

Operational

The Windows sys admins are pleased with the automated patching regime but they are considering switching the automatic reboot off. They have asked if it is possible to audit which servers would need a reboot to complete installations.

  • audit Azure Arc-enabled Windows servers that should be rebooted

Success criteria

Tell your proctor:

  1. The required resource provider type
  2. The required outgoing connectivity and URL allowed listing
  3. What is the current per server per month price for UK South?

Screen share with your proctor:

  1. Show the current Arc virtual machine compliance against ISO 27001:2013
  2. Show the current Arc virtual machine compliance against UK OFFICIAL/UK NHS
  3. Show the current Arc virtual machine compliance against Azure security baseline
  4. Show the policy assignment auditing whether git is installed on Linux
  5. Show the policy assignment auditing whether Windows servers need rebooting

Resources


Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

Make a change