Built-in Policy Release cbf95f4c #1251

Merged
merged 1 commit into from
Dec 7, 2023
Expand Up @@ -5,11 +5,11 @@
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.1-preview",
"version": "1.0.2-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.1-preview",
"version": "1.0.2-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -107,14 +107,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes."
"description": "Users that are allowed by AKS Safeguards to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes."
"description": "Groups that are allowed by AKS Safeguards to modify node labels on individual nodes."
}
}
},
Expand Up @@ -5,11 +5,11 @@
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.1-preview",
"version": "1.0.2-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.1-preview",
"version": "1.0.2-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -107,14 +107,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes."
"description": "Users that are allowed by AKS Safeguards to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes."
"description": "Groups that are allowed by AKS Safeguards to modify node labels on individual nodes."
}
}
},
@@ -1,18 +1,19 @@
{
"properties": {
"displayName": "Microsoft Defender for Storage (Classic) should be enabled",
"displayName": "[Deprecated]: Microsoft Defender for Storage (Classic) should be enabled",
"policyType": "BuiltIn",
"mode": "All",
"description": "Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",
"metadata": {
"version": "1.0.4",
"category": "Security Center"
"version": "1.1.0-deprecated",
"category": "Security Center",
"deprecated": true
},
"version": "1.0.4",
"version": "1.1.0",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Disabled",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
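Review bot: The deprecated definition keeps its original `description`, which says neither that the policy is deprecated nor what to assign in its place. Because the `effect` parameter's `defaultValue` moves from `AuditIfNotExists` to `Disabled`, an assignment that relies on the default will presumably stop producing audit results once it picks up this version, and the only visible signal is the `[Deprecated]:` prefix on `displayName`. I would append a sentence to the description such as `This policy is deprecated; assign 'Microsoft Defender for Storage should be enabled' (640d2586-54d2-465f-877f-9ffc1d2109f4) instead.` The successor is inferred from the initiative changes elsewhere in this release, so confirm it before using that wording. The hunk ends inside `allowedValues`, so the rest of the definition is not visible here.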
@@ -1,14 +1,14 @@
{
"properties": {
"displayName": "[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices",
"displayName": "[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices",
"policyType": "BuiltIn",
"description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.",
"description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc",
"metadata": {
"version": "1.3.1-preview",
"version": "1.3.2-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.3.1-preview",
"version": "1.3.2-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -39,14 +39,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Guardrails to make changes on kubernetes object."
"description": "Users that are allowed by AKS Safeguards to make changes on kubernetes object."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to make changes on kubernetes object."
"description": "Groups that are allowed by AKS Safeguards to make changes on kubernetes object."
}
},
"cpuLimit": {
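Review bot: The new `description` gives the add-on documentation link as `aka.ms/akspolicydoc` with no scheme, while the link earlier in the same string is written `https://aka.ms/aks/safeguards`. A bare host is less likely to be rendered as a link and leaves the scheme to whatever the reader's client chooses. I would write `https://aka.ms/akspolicydoc.` so that the scheme is explicit and the sentence is closed. The identical string in the next file section needs the same change.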
@@ -1,14 +1,14 @@
{
"properties": {
"displayName": "[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices",
"displayName": "[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices",
"policyType": "BuiltIn",
"description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.",
"description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc",
"metadata": {
"version": "1.3.1-preview",
"version": "1.3.2-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.3.1-preview",
"version": "1.3.2-preview",
"parameters": {
"effect": {
"type": "String",
Expand Down Expand Up @@ -39,14 +39,14 @@
"type": "Array",
"metadata": {
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Guardrails to make changes on kubernetes object."
"description": "Users that are allowed by AKS Safeguards to make changes on kubernetes object."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to make changes on kubernetes object."
"description": "Groups that are allowed by AKS Safeguards to make changes on kubernetes object."
}
},
"cpuLimit": {
Expand Up @@ -4,10 +4,10 @@
"policyType": "BuiltIn",
"description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.1.0 controls. For more information, visit https://aka.ms/cisazure110-initiative",
"metadata": {
"version": "16.2.0",
"version": "16.3.0",
"category": "Regulatory Compliance"
},
"version": "16.2.0",
"version": "16.3.0",
"policyDefinitionGroups": [
{
"name": "CIS_Azure_1.1.0_1.1",
Expand Down Expand Up @@ -572,8 +572,8 @@
]
},
{
"policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionReferenceId": "640d2586-54d2-465f-877f-9ffc1d2109f4",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
"definitionVersion": "1.*.*",
"parameters": {},
"groupNames": [
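Review bot: Swapping `policyDefinitionReferenceId` from `308fbb08-4ab8-4e67-9b29-592e93fb94fa` to `640d2586-54d2-465f-877f-9ffc1d2109f4` in place removes the old reference from the initiative. Anything keyed on the old reference ID, such as an exemption scoped to that reference, would presumably stop matching and have to be recreated. The visible hunks do not record this, and the initiative gets only a minor bump (`16.2.0` to `16.3.0`), so I would call the reference-ID change out in the release notes or the initiative `description`. The same swap appears in the CIS v1.3.0, v1.4.0 and v2.0.0 sections and in the CMMC 2.0 Level 2 section below. Here and in CMMC the reference keeps `"parameters": {}`, so the new definition's effect is not exposed per assignment the way the other three initiatives expose it; the surrounding array starts and ends outside the hunk.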
Expand Up @@ -4,10 +4,10 @@
"policyType": "BuiltIn",
"description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit https://aka.ms/cisazure130-initiative",
"metadata": {
"version": "8.4.0",
"version": "8.5.0",
"category": "Regulatory Compliance"
},
"version": "8.4.0",
"version": "8.5.0",
"policyDefinitionGroups": [
{
"name": "CIS_Azure_1.3.0_1.1",
Expand Down Expand Up @@ -668,13 +668,26 @@
},
"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Disabled",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Azure Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects",
"deprecated": true
}
},
"effect-640d2586-54d2-465f-877f-9ffc1d2109f4": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Microsoft Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects"
}
},
Expand Down Expand Up @@ -2068,12 +2081,12 @@
]
},
{
"policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionReferenceId": "640d2586-54d2-465f-877f-9ffc1d2109f4",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
"definitionVersion": "1.*.*",
"parameters": {
"effect": {
"value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
"value": "[parameters('effect-640d2586-54d2-465f-877f-9ffc1d2109f4')]"
}
},
"groupNames": [
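Review bot: The retained parameter `effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa` is marked `"deprecated": true`, but its `description` still only points at https://aka.ms/policyeffects. An operator who set it explicitly gets no hint that, as far as the visible hunks show, it no longer feeds the policy reference in the last hunk of this section, which now reads `effect-640d2586-54d2-465f-877f-9ffc1d2109f4`. A value previously set on the old parameter does not carry over, so the new reference evaluates with the new parameter's default `AuditIfNotExists` until the assignment is updated. I would change the old parameter's description to something like `Deprecated: no longer used by this initiative; set effect-640d2586-54d2-465f-877f-9ffc1d2109f4 instead.` The CIS v1.4.0 and v2.0.0 sections below follow the same pattern and need the same wording.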
Expand Up @@ -4,10 +4,10 @@
"policyType": "BuiltIn",
"description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.4.0 controls. For more information, visit https://aka.ms/cisazure140-initiative",
"metadata": {
"version": "1.5.1",
"version": "1.6.0",
"category": "Regulatory Compliance"
},
"version": "1.5.1",
"version": "1.6.0",
"policyDefinitionGroups": [
{
"name": "CIS_Azure_1.4.0_1.1",
Expand Down Expand Up @@ -671,13 +671,26 @@
},
"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Disabled",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Azure Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects",
"deprecated": true
}
},
"effect-640d2586-54d2-465f-877f-9ffc1d2109f4": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Microsoft Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects"
}
},
Expand Down Expand Up @@ -2410,12 +2423,12 @@
]
},
{
"policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionReferenceId": "640d2586-54d2-465f-877f-9ffc1d2109f4",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
"definitionVersion": "1.*.*",
"parameters": {
"effect": {
"value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
"value": "[parameters('effect-640d2586-54d2-465f-877f-9ffc1d2109f4')]"
}
},
"groupNames": [
Expand Up @@ -4,10 +4,10 @@
"policyType": "BuiltIn",
"description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v2.0.0 controls. For more information, visit https://aka.ms/cisazure200-initiative",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Regulatory Compliance"
},
"version": "1.0.0",
"version": "1.1.0",
"policyDefinitionGroups": [
{
"name": "CIS_Azure_2.0.0_1.1.1",
Expand Down Expand Up @@ -773,13 +773,26 @@
},
"effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Disabled",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Azure Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects",
"deprecated": true
}
},
"effect-640d2586-54d2-465f-877f-9ffc1d2109f4": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect for policy: Microsoft Defender for Storage should be enabled",
"description": "For more information about effects, visit https://aka.ms/policyeffects"
}
},
Expand Down Expand Up @@ -2863,12 +2876,12 @@
]
},
{
"policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionReferenceId": "640d2586-54d2-465f-877f-9ffc1d2109f4",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
"definitionVersion": "1.*.*",
"parameters": {
"effect": {
"value": "[parameters('effect-308fbb08-4ab8-4e67-9b29-592e93fb94fa')]"
"value": "[parameters('effect-640d2586-54d2-465f-877f-9ffc1d2109f4')]"
}
},
"groupNames": [
Expand Up @@ -4,11 +4,11 @@
"policyType": "BuiltIn",
"description": "This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative.",
"metadata": {
"version": "2.5.1-preview",
"version": "2.6.0-preview",
"category": "Regulatory Compliance",
"preview": true
},
"version": "2.5.1-preview",
"version": "2.6.0-preview",
"policyDefinitionGroups": [
{
"name": "CMMC_2.0_L2_AC.L1-3.1.1",
Expand Down Expand Up @@ -3356,9 +3356,9 @@
]
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
"definitionVersion": "1.*.*",
"policyDefinitionReferenceId": "308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"policyDefinitionReferenceId": "640d2586-54d2-465f-877f-9ffc1d2109f4",
"parameters": {},
"groupNames": [
"CMMC_2.0_L2_SI.L1-3.14.1",