From f2c43b03d9df7973b57971cdb2928bb738f7edad Mon Sep 17 00:00:00 2001 
From: Azure Policy Bot Date: Wed, 9 Oct 2024 15:55:57 +0000 Subject: [PATCH] Built-in Policy Release 2090aef3 --- .../GeoReplication_AINE.json | 48 +++++++ .../Kubernetes/CannotEditIndividualNodes.json | 28 +++- .../Kubernetes/ContainerAllowedImages.json | 28 +++- .../ContainerEnforcePreStopHook.json | 28 +++- .../Kubernetes/ContainerEnforceProbes.json | 28 +++- .../Kubernetes/ContainerResourceLimits.json | 28 +++- .../ContainerRestrictedImagePulls.json | 28 +++- .../DisallowedBadPodDisruptionBudgets.json | 28 +++- .../Kubernetes/EnforceCSIDriver.json | 28 +++- .../Kubernetes/ImagesDoNotUseLatest.json | 28 +++- .../MustHaveAntiAffinityRulesSet.json | 28 +++- .../Kubernetes/NoAKSSpecificLabels.json | 28 +++- .../Kubernetes/ReservedSystemPoolTaints.json | 28 +++- .../Kubernetes/UniqueServiceSelectors.json | 28 +++- ...aptiveApplicationControlsUpdate_Audit.json | 14 +- ...ASC_AdaptiveApplicationControls_Audit.json | 14 +- ...ioning_log_analytics_monitoring_agent.json | 14 +- .../ASC_ContainerBenchmark_Audit.json | 14 +- .../ASC_MissingSystemUpdates_Audit.json | 12 +- .../ASC_VmssOSVulnerabilities_Audit.json | 14 +- .../EnvironmentInternal_Audit.json | 9 +- ...aptiveApplicationControlsUpdate_Audit.json | 14 +- ...ASC_AdaptiveApplicationControls_Audit.json | 14 +- .../ASC_AdaptiveNetworkHardenings_Audit.json | 14 +- ...ioning_log_analytics_monitoring_agent.json | 14 +- .../ASC_ContainerBenchmark_Audit.json | 14 +- .../ASC_MissingSystemUpdates_Audit.json | 12 +- .../ASC_VmssMissingSystemUpdates_Audit.json | 12 +- .../ASC_VmssOSVulnerabilities_Audit.json | 14 +- .../Kubernetes/AKS_Safeguards.json | 126 +++++++++++++++++- .../Regulatory Compliance/CISv1_1_0.json | 15 +-- .../Regulatory Compliance/CISv1_3_0.json | 23 +--- .../Regulatory Compliance/CMMC_2_0_L2.json | 23 +--- .../Regulatory Compliance/CMMC_L3.json | 41 ++---- .../Regulatory Compliance/DOD_IL4_audit.json | 41 ++---- .../Regulatory Compliance/DOD_IL5_audit.json | 41 ++---- .../FedRAMP_H_audit.json | 32 +---- 
.../FedRAMP_M_audit.json | 23 +--- .../Regulatory Compliance/IRS1075_audit.json | 14 +- .../ISO27001_2013_audit.json | 14 +- .../NIST_SP_800-171_R2.json | 23 +--- .../NIST_SP_800-53_R4.json | 23 +--- .../NIST_SP_800-53_R5.json | 23 +--- .../Regulatory Compliance/PCI_DSS_V4.0.json | 19 +-- .../Regulatory Compliance/asb_audit.json | 23 +--- .../Regulatory Compliance/asb_v2.json | 28 ++-- .../Security Center/AzureSecurityCenter.json | 41 ++---- .../Kubernetes/AKS_Safeguards.json | 75 ++++++++++- .../Regulatory Compliance/CISv1_1_0.json | 15 +-- .../Regulatory Compliance/CISv1_3_0.json | 20 +-- .../Regulatory Compliance/CISv1_4_0.json | 23 +--- .../Regulatory Compliance/CMMC_2_0_L2.json | 23 +--- .../Regulatory Compliance/CMMC_L3.json | 41 ++---- .../CanadaFederalPBMM_audit.json | 23 +--- .../Regulatory Compliance/DOD_IL4_audit.json | 26 +--- .../FedRAMP_H_audit.json | 32 +---- .../FedRAMP_M_audit.json | 23 +--- .../HIPAA_HITRUST_audit.json | 41 ++---- .../Regulatory Compliance/IRAP_Audit.json | 41 ++---- .../Regulatory Compliance/IRS1075_audit.json | 23 +--- .../ISO27001_2013_audit.json | 14 +- .../Regulatory Compliance/Media_audit.json | 20 +-- .../NIST_SP_800-171_R2.json | 23 +--- .../NIST_SP_800-53_R4.json | 23 +--- .../NIST_SP_800-53_R5.json | 23 +--- .../NL_BIO_Cloud_Theme.json | 48 ++----- .../NZ_ISM_Restricted_v3_5.json | 23 +--- .../Regulatory Compliance/NewZealand_ISM.json | 23 +--- .../Regulatory Compliance/PCI_DSS_V4.0.json | 19 +-- .../PCIv3_2_1_2018_audit.json | 17 +-- .../RBI_ITF_Banks_v2016.json | 29 +--- .../RBI_ITF_NBFC_v2017.json | 25 +--- .../Regulatory Compliance/RMIT_Malaysia.json | 33 +---- .../SWIFT_CSP-CSCF_v2021.json | 33 +---- .../SWIFT_CSP-CSCF_v2022.json | 33 +---- .../SWIFTv2020_audit.json | 17 +-- .../Regulatory Compliance/Spain_ENS.json | 18 +-- .../Regulatory Compliance/asb_audit.json | 23 +--- .../Regulatory Compliance/asb_v2.json | 23 +--- .../Regulatory Compliance/nz_ism.json | 41 ++---- .../ukofficial_audit.json | 23 +--- 
.../Security Center/AzureSecurityCenter.json | 41 ++----
82 files changed, 950 insertions(+), 1212 deletions(-)
create mode 100644 built-in-policies/policyDefinitions/App Configuration/GeoReplication_AINE.json
diff --git a/built-in-policies/policyDefinitions/App Configuration/GeoReplication_AINE.json b/built-in-policies/policyDefinitions/App Configuration/GeoReplication_AINE.json
new file mode 100644
index 000000000..dfd3b968a
--- /dev/null
+++ b/built-in-policies/policyDefinitions/App Configuration/GeoReplication_AINE.json
@@ -0,0 +1,48 @@
+{
+ "properties": {
+ "displayName": "App Configuration should use geo-replication",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Configuration"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.AppConfiguration/configurationStores"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.AppConfiguration/configurationStores/replicas",
+ "existenceCondition": {
+ "field": "Microsoft.AppConfiguration/configurationStores/replicas/provisioningState",
+ "equals": "Succeeded"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/d242c24b-bac7-439e-8af7-22d7dcfd3c4f",
+ "name": "d242c24b-bac7-439e-8af7-22d7dcfd3c4f"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
index 329e39e50..88ee790e6 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
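Review bot: The new definition ends with `\ No newline at end of file`; add a trailing newline so the closing `}` line does not get rewritten by the next unrelated change to this file. The `existenceCondition` marks a store compliant as soon as any single replica reports `provisioningState` equal to `Succeeded`, so a store with one replica in the same failover domain is indistinguishable from one with several; if a minimum replica count or a region constraint is the intent, that needs a `count` expression over the replicas rather than a plain existence check. If one healthy replica is the intended bar, the `description` could state that explicitly, e.g. `A store is compliant when at least one replica has provisioned successfully.` A replica whose provisioning is still in progress or has failed is not counted, which is what the equality on `Succeeded` gives you.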
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -137,6 +158,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/restricted-node-edits/v1/template.yaml"
@@ -158,6 +181,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.4-PREVIEW",
 "1.0.3-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
index 25ce75d93..98b050da6 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
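Review bot: The `source` parameter's description explains the three values but never says which one keeps the behaviour of 1.1.0-preview, so an assignment author cannot tell from the definition whether taking 1.2.0-preview changes what the constraint covers; presumably `Original` (the default) is the pre-existing behaviour, and the description could end with `'Original' is the default and matches the evaluation scope of earlier versions of this definition.` The `Generated` and `All` values only have an effect where Gatekeeper ExpansionTemplates exist in the cluster, so under `Generated` a cluster without any would presumably evaluate nothing, which is worth stating in the same description since the effective coverage of a deny policy depends on it. The identical parameter block, the `details.source`/`details.warn` wiring and the `versions` entry are repeated verbatim in the other thirteen Kubernetes definitions in this patch (ContainerAllowedImages through UniqueServiceSelectors), so the same wording applies to each of them.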
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerAllowedImages.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "10.1.1",
+ "version": "10.2.0",
 "category": "Kubernetes"
 },
- "version": "10.1.1",
+ "version": "10.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -135,6 +156,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-allowed-images/v2/template.yaml"
@@ -156,6 +179,7 @@
 }
 },
 "versions": [
+ "10.2.0",
 "10.1.1",
 "10.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforcePreStopHook.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforcePreStopHook.json
index c6d7b29e5..f784fc81c 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforcePreStopHook.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforcePreStopHook.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-enforce-pre-stop-hook/v1/template.yaml"
@@ -132,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforceProbes.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforceProbes.json
index 62bb34494..817ad8a96 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforceProbes.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforceProbes.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "4.1.0",
+ "version": "4.2.0",
 "category": "Kubernetes"
 },
- "version": "4.1.0",
+ "version": "4.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "defaultValue": "Audit",
@@ -145,6 +166,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-enforce-probes/v2/template.yaml"
@@ -167,6 +190,7 @@
 }
 },
 "versions": [
+ "4.2.0",
 "4.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerResourceLimits.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerResourceLimits.json
index f49fe53e3..2b647682e 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerResourceLimits.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerResourceLimits.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "10.1.0",
+ "version": "10.2.0",
 "category": "Kubernetes"
 },
- "version": "10.1.0",
+ "version": "10.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -152,6 +173,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-resource-limits/v3/template.yaml"
@@ -175,6 +198,7 @@
 }
 },
 "versions": [
+ "10.2.0",
 "10.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerRestrictedImagePulls.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerRestrictedImagePulls.json
index e19e07079..52e52449c 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerRestrictedImagePulls.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerRestrictedImagePulls.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -114,6 +135,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-restricted-image-pulls/v1/template.yaml"
@@ -133,6 +156,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json
index 15aa4050c..809806812 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).",
 "metadata": {
- "version": "1.0.1-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.1-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/disallowed-bad-pod-disruption-budgets/v1/template.yaml"
@@ -133,6 +156,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.1-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceCSIDriver.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceCSIDriver.json
index 829dcfcec..825747580 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceCSIDriver.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceCSIDriver.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Kubernetes"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -116,6 +137,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/enforce-csi-driver/v1/template.yaml"
@@ -133,6 +156,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json
index 3603ba441..922245431 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/container-no-latest-image/v1/template.yaml"
@@ -132,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json
index fbaba6a19..9bac603a9 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
 "metadata": {
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/pod-enforce-antiaffinity/v1/template.yaml"
@@ -132,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.2-PREVIEW",
 "1.0.1-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/NoAKSSpecificLabels.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/NoAKSSpecificLabels.json
index f9a8fa34b..f5aa07fc5 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/NoAKSSpecificLabels.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/NoAKSSpecificLabels.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.",
 "metadata": {
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -133,6 +154,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/restricted-labels/v1/template.yaml"
@@ -161,6 +184,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.2-PREVIEW",
 "1.0.1-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ReservedSystemPoolTaints.json
index 93e467122..460c97ee5 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ReservedSystemPoolTaints.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ReservedSystemPoolTaints.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint.",
 "metadata": {
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.2-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -119,6 +140,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/restricted-taints/v1/template.yaml"
@@ -139,6 +162,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.2-PREVIEW",
 "1.0.1-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json
index 8ab1e45a4..a5ae555fe 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).",
 "metadata": {
- "version": "1.0.1-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.1-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@ "then": { "effect": "[parameters('effect')]", "details": { + "source": "[parameters('source')]", + "warn": "[parameters('warn')]", "templateInfo": { "sourceType": "PublicURL", "url": "https://store.policy.azure.us/kubernetes/unique-service-selectors/v1/template.yaml" @@ -129,6 +152,7 @@ } }, "versions": [ + "1.1.0-PREVIEW", "1.0.1-PREVIEW", "1.0.0-PREVIEW" ] diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json index a6dd7d006..2812a813a 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json +++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Allowlist rules in your adaptive application control policy should be updated", + "displayName": "[Deprecated]: Allowlist rules in your adaptive application control policy should be updated", "policyType": "BuiltIn", "mode": "All", - "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.", + "description": "Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControls_Audit.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControls_Audit.json index 25eb4834c..afbb9fbe8 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControls_Audit.json +++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_AdaptiveApplicationControls_Audit.json 
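Review bot: Switching `effect.defaultValue` from `AuditIfNotExists` to `Disabled` means any assignment that pins `3.*.*` and never set `effect` explicitly stops producing findings once it rolls onto 3.1.0, yet the new description only says the policy is deprecated and points to aka.ms/policydefdeprecation without naming what to assign instead. The same pattern is repeated in every Security Center hunk of this patch (the Azure Government and global copies of ASC_AdaptiveApplicationControls_Audit, ASC_AdaptiveNetworkHardenings_Audit, ASC_Automatic_provisioning_log_analytics_monitoring_agent, ASC_ContainerBenchmark_Audit, ASC_MissingSystemUpdates_Audit, ASC_VmssMissingSystemUpdates_Audit and ASC_VmssOSVulnerabilities_Audit). Naming the replacement definition, where one exists, in each description would tell operators where the resulting monitoring gap is closed. Whether a given assignment actually auto-rolls depends on its `definitionVersion`, which is not visible here.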
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines", + "displayName": "[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines", "policyType": "BuiltIn", "mode": "All", - "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "description": "Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json index 23cbd8cb0..cd149b4a8 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json +++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "displayName": "[Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription", "policyType": "BuiltIn", "mode": "All", - "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "description": "Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "1.0.1", - "category": "Security Center" + "version": "1.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "1.0.1", + "version": "1.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -40,6 +41,7 @@ } }, "versions": [ + "1.1.0", "1.0.1" ] }, diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_ContainerBenchmark_Audit.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_ContainerBenchmark_Audit.json index 0173734a2..b8e27f113 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_ContainerBenchmark_Audit.json 
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_ContainerBenchmark_Audit.json @@ -1,18 +1,19 @@ { "properties": { - "displayName": "Vulnerabilities in container security configurations should be remediated", + "displayName": "[Deprecated]: Vulnerabilities in container security configurations should be remediated", "policyType": "BuiltIn", "mode": "All", - "description": "Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.", + "description": "Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -48,6 +49,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdates_Audit.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdates_Audit.json index b2c040431..831128f05 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdates_Audit.json +++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_MissingSystemUpdates_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "System updates should be installed on your machines", + "displayName": "[Deprecated]: System updates should be installed on your machines", "policyType": "BuiltIn", "mode": "All", "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_VmssOSVulnerabilities_Audit.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_VmssOSVulnerabilities_Audit.json index 14a9a8bc7..07d768fd8 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_VmssOSVulnerabilities_Audit.json +++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/ASC_VmssOSVulnerabilities_Audit.json 
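Review bot: The description in this hunk is left unchanged, so it still reads as a live recommendation (`Missing security system updates on your servers will be monitored by Azure Security Center as recommendations`) while the displayName gains the `[Deprecated]:` prefix and `metadata.deprecated` is set to `true`; every sibling Security Center file in this patch appends a deprecation sentence to its description. The global ASC_MissingSystemUpdates_Audit.json and ASC_VmssMissingSystemUpdates_Audit.json hunks have the same gap. Suggested text: `... as recommendations. This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more at aka.ms/policydefdeprecation.`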
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "displayName": "[Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -44,6 +45,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Container Apps/EnvironmentInternal_Audit.json b/built-in-policies/policyDefinitions/Container Apps/EnvironmentInternal_Audit.json index f814562ca..76d90da5f 100644 --- a/built-in-policies/policyDefinitions/Container Apps/EnvironmentInternal_Audit.json +++ b/built-in-policies/policyDefinitions/Container Apps/EnvironmentInternal_Audit.json 
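Review bot: The new description in this hunk joins two sentences with a comma (`...to protect them from attacks, This policy is deprecated...`), which reads as a typo and differs from the sentence form used in the other deprecated descriptions in this patch. Change it to `...to protect them from attacks. This policy is deprecated...`; the global ASC_VmssOSVulnerabilities_Audit.json hunk carries the same text.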
@@ -5,10 +5,10 @@ "mode": "Indexed", "description": "Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.", "metadata": { - "version": "1.0.1", + "version": "1.1.0", "category": "Container Apps" }, - "version": "1.0.1", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -37,6 +37,10 @@ "field": "Microsoft.App/managedEnvironments/vnetConfiguration", "exists": false }, + { + "field": "Microsoft.App/managedEnvironments/vnetConfiguration.internal", + "exists": false + }, { "field": "Microsoft.App/managedEnvironments/vnetConfiguration.internal", "equals": false @@ -50,6 +54,7 @@ } }, "versions": [ + "1.1.0", "1.0.1" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json index a6dd7d006..2812a813a 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json 
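Review bot: The added `"exists": false` test on `Microsoft.App/managedEnvironments/vnetConfiguration.internal` in the second hunk changes evaluation results: an environment whose `vnetConfiguration` is present but omits `internal` passed under 1.0.1 and is now flagged. That is the right fail-closed reading for a public-exposure control, but the enclosing condition (presumably an `anyOf`) starts outside the hunk, and because compliance outcomes change for existing resources it is worth checking that a minor bump (1.0.1 to 1.1.0) rather than a major one matches the repository's versioning rules. A sentence in the description such as `An environment that does not set vnetConfiguration.internal is treated as publicly exposed.` would make the new behaviour visible to assignees.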
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Allowlist rules in your adaptive application control policy should be updated", + "displayName": "[Deprecated]: Allowlist rules in your adaptive application control policy should be updated", "policyType": "BuiltIn", "mode": "All", - "description": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.", + "description": "Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControls_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControls_Audit.json index 25eb4834c..afbb9fbe8 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControls_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveApplicationControls_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines", + "displayName": "[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines", "policyType": "BuiltIn", "mode": "All", - "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", + "description": "Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveNetworkHardenings_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveNetworkHardenings_Audit.json index 248c438d9..70db5b6e1 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveNetworkHardenings_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_AdaptiveNetworkHardenings_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "displayName": "[Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface", + "description": "Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -44,6 +45,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json b/built-in-policies/policyDefinitions/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json index 23cbd8cb0..cd149b4a8 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "displayName": "[Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription", "policyType": "BuiltIn", "mode": "All", - "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.", + "description": "Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "1.0.1", - "category": "Security Center" + "version": "1.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "1.0.1", + "version": "1.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -40,6 +41,7 @@ } }, "versions": [ + "1.1.0", "1.0.1" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_ContainerBenchmark_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_ContainerBenchmark_Audit.json index 0173734a2..b8e27f113 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_ContainerBenchmark_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_ContainerBenchmark_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Vulnerabilities in container security configurations should be remediated", + "displayName": "[Deprecated]: Vulnerabilities in container security configurations should be remediated", "policyType": "BuiltIn", "mode": "All", - "description": "Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.", + "description": "Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -48,6 +49,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_MissingSystemUpdates_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_MissingSystemUpdates_Audit.json index cd1e94017..bf073afa3 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_MissingSystemUpdates_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_MissingSystemUpdates_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "System updates should be installed on your machines", + "displayName": "[Deprecated]: System updates should be installed on your machines", "policyType": "BuiltIn", "mode": "All", "description": "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations", "metadata": { - "version": "4.0.0", - "category": "Security Center" + "version": "4.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "4.0.0", + "version": "4.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -47,6 +48,7 @@ } }, "versions": [ + "4.1.0", "4.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_VmssMissingSystemUpdates_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_VmssMissingSystemUpdates_Audit.json index 986858914..d70aa9f0a 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_VmssMissingSystemUpdates_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_VmssMissingSystemUpdates_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "System updates on virtual machine scale sets should be installed", + "displayName": "[Deprecated]: System updates on virtual machine scale sets should be installed", "policyType": "BuiltIn", "mode": "Indexed", "description": "Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -44,6 +45,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Security Center/ASC_VmssOSVulnerabilities_Audit.json b/built-in-policies/policyDefinitions/Security Center/ASC_VmssOSVulnerabilities_Audit.json index 14a9a8bc7..07d768fd8 100644 --- a/built-in-policies/policyDefinitions/Security Center/ASC_VmssOSVulnerabilities_Audit.json +++ b/built-in-policies/policyDefinitions/Security Center/ASC_VmssOSVulnerabilities_Audit.json 
@@ -1,18 +1,19 @@ { "properties": { - "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "displayName": "[Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.", + "description": "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "metadata": { - "version": "3.0.0", - "category": "Security Center" + "version": "3.1.0-deprecated", + "category": "Security Center", + "deprecated": true }, - "version": "3.0.0", + "version": "3.1.0", "parameters": { "effect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -44,6 +45,7 @@ } }, "versions": [ + "3.1.0", "3.0.0" ] }, diff --git a/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json index 392f1f32c..daf24dcff 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json 
@@ -4,12 +4,37 @@ "policyType": "BuiltIn", "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc", "metadata": { - "version": "1.4.0-preview", + "version": "1.5.0-preview", "category": "Kubernetes", "preview": true }, - "version": "1.4.0-preview", + "version": "1.5.0-preview", "parameters": { + "source": { + "type": "String", + "metadata": { + "displayName": "Source", + "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones." + }, + "defaultValue": "All", + "allowedValues": [ + "All", + "Generated", + "Original" + ] + }, + "warn": { + "type": "Boolean", + "metadata": { + "displayName": "Warn", + "description": "Whether or not to return warnings back to the user in the kubectl cli" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, "effect": { "type": "String", "metadata": { @@ -142,6 +167,12 @@ }, "allowedGroups": { "value": "[parameters('allowedGroups')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -167,6 +198,12 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, 
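Review bot: The initiative's `source` parameter in the first hunk defaults to `All`, while the definitions it is forwarded to (ReservedSystemPoolTaints.json and UniqueServiceSelectors.json in this same patch) default to `Original`, so a cluster that assigns the initiative is evaluated against expansion-generated objects but one that assigns the definitions individually is not. If broadening evaluation to generated objects is intended for deployment safeguards, the initiative description should say so; otherwise the defaults should match. The `warn` parameter here also lists `"allowedValues": [true, false]`, which `"type": "Boolean"` already implies and which the definitions omit. The member `definitionVersion` pins are outside these hunks, so it is unverified here that each referenced version exposes `source` and `warn`.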
@@ -180,6 +217,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -202,6 +245,12 @@ }, "labels": { "value": "[parameters('labels')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -221,6 +270,12 @@ }, "excludedContainers": { "value": "[parameters('excludedContainers')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -237,6 +292,12 @@ }, "reservedTaints": { "value": "[parameters('reservedTaints')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -259,6 +320,12 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -272,6 +339,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -288,6 +361,12 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -301,6 +380,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -314,6 +399,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -327,6 +418,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, 
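Review bot: From the hunk at `@@ -327,6 +418,9 @@` onward, several member references receive `source` but not `warn` (also the `-340`, `-353`, `-392`, `-405` and `-418` hunks on the next line), while the earlier references get both. If those definitions have no `warn` parameter this is correct, but nothing in the diff shows that, and an initiative-level `warn: true` would then apply to only part of the set without any signal to the assignee. A brief addition to the `warn` parameter description, e.g. `Applies only to the member policies that expose a warn parameter.`, would record which members it covers.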
@@ -340,6 +434,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -353,6 +450,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -366,6 +466,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -379,6 +485,12 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" + }, + "warn": { + "value": "[parameters('warn')]" } } }, @@ -392,6 +504,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -405,6 +520,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -418,11 +536,15 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } } ], "versions": [ + "1.5.0-PREVIEW", "1.4.0-PREVIEW", "1.3.4-PREVIEW", "1.3.3-PREVIEW" diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_1_0.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_1_0.json index 3a91227f0..21ff94bda 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_1_0.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_1_0.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.1.0 controls. For more information, visit https://aka.ms/cisazure110-initiative", "metadata": { - "version": "15.6.0", + "version": "15.7.0", "category": "Regulatory Compliance" }, - "version": "15.6.0", + "version": "15.7.0", "policyDefinitionGroups": [ { "name": "CIS_Azure_1.1.0_1.1", @@ -589,16 +589,6 @@ "CIS_Azure_1.1.0_2.1" ] }, - { - "policyDefinitionReferenceId": "CISv110x2x3CISv110x7x5", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "3.*.*", - "parameters": {}, - "groupNames": [ - "CIS_Azure_1.1.0_2.3", - "CIS_Azure_1.1.0_7.5" - ] - }, { "policyDefinitionReferenceId": "CISv110x2x4", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", @@ -1155,6 +1145,7 @@ } ], "versions": [ + "15.7.0", "15.6.0", "15.5.0", "15.4.0", diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_3_0.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_3_0.json index 1fa50cbe6..c5b12adb6 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_3_0.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CISv1_3_0.json 
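Review bot: The second hunk deletes the only visible reference mapped to `CIS_Azure_1.1.0_7.5` (and one of those for `CIS_Azure_1.1.0_2.3`) without adding a replacement, so unless another member elsewhere in the file carries the 7.5 group name that benchmark control now has no policy behind it. The CISv1_3_0.json hunk removing the `CIS_Azure_1.3.0_7.5` reference and the two CMMC_2_0_L2.json removals under `CMMC_2.0_L2_SI.L1-3.14.1` have the same effect on their controls. Because the deleted definition (`86b3d65f-7626-441e-b690-81a8b71cff60`, "System updates should be installed on your machines") is being deprecated in this very patch the intent is clear, but the initiative description or release note should state whether system-update coverage for those controls now comes from another definition or the control is currently unmapped.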
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit https://aka.ms/cisazure130-initiative",
 "metadata": {
- "version": "7.8.0",
+ "version": "7.9.0",
 "category": "Regulatory Compliance"
 },
- "version": "7.8.0",
+ "version": "7.9.0",
 "policyDefinitionGroups": [
 {
 "name": "CIS_Azure_1.3.0_1.1",
@@ -1438,14 +1438,15 @@
 },
 "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": {
@@ -2656,19 +2657,6 @@
 "CIS_Azure_1.3.0_7.4"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
- }
- },
- "groupNames": [
- "CIS_Azure_1.3.0_7.5"
- ]
- },
 {
 "policyDefinitionReferenceId": "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
@@ -2862,6 +2850,7 @@
 }
 ],
 "versions": [
+ "7.9.0",
 "7.8.0",
 "7.7.0",
 "7.6.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json
index 0f970fab8..f651d5b8f 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_2_0_L2.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative.",
 "metadata": {
- "version": "1.11.0-preview",
+ "version": "1.12.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "1.11.0-preview",
+ "version": "1.12.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "CMMC_2.0_L2_AC.L1-3.1.1",
@@ -3811,15 +3811,6 @@
 "CMMC_2.0_L2_SC.L2-3.13.8"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "parameters": {},
- "groupNames": [
- "CMMC_2.0_L2_SI.L1-3.14.1"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
 "definitionVersion": "1.*.*",
@@ -4667,15 +4658,6 @@
 "CMMC_2.0_L2_SC.L2-3.13.8"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "parameters": {},
- "groupNames": [
- "CMMC_2.0_L2_SI.L1-3.14.1"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
 "definitionVersion": "5.*.*",
@@ -4783,6 +4765,7 @@
 }
 ],
 "versions": [
+ "1.12.0-PREVIEW",
 "1.11.0-PREVIEW",
 "1.10.0-PREVIEW",
 "1.9.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json
index a7fe4648a..ea14a5d6d 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/CMMC_L3.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.",
 "metadata": {
- "version": "9.8.0",
+ "version": "9.9.0",
 "category": "Regulatory Compliance"
 },
- "version": "9.8.0",
+ "version": "9.9.0",
 "policyDefinitionGroups": [
 {
 "name": "CMMC_L3_AC.1.001",
@@ -1036,14 +1036,15 @@
 },
 "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": {
@@ -1301,14 +1302,15 @@
 },
 "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": {
@@ -2778,19 +2780,6 @@
 "CMMC_L3_AU.3.049"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
- }
- },
- "groupNames": [
- "CMMC_L3_SI.1.210"
- ]
- },
 {
 "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
@@ -2980,19 +2969,6 @@
 "CMMC_L3_SI.2.217"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
- }
- },
- "groupNames": [
- "CMMC_L3_SI.1.210"
- ]
- },
 {
 "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
@@ -4213,6 +4189,7 @@
 }
 ],
 "versions": [
+ "9.9.0",
 "9.8.0",
 "9.7.0",
 "9.6.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json
index 27176bec6..289638f08 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL4_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.",
 "metadata": {
- "version": "22.11.0",
+ "version": "22.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "22.11.0",
+ "version": "22.12.0",
 "policyDefinitionGroups": [
 {
 "name": "DoD_IL4_R4_AC-1",
@@ -3398,14 +3398,15 @@
 },
 "systemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "ensureJavaVersionLatestForAPIAppEffect": {
@@ -3632,14 +3633,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "webAppDisableRemoteDebuggingMonitoringEffect": {
@@ -5987,19 +5989,6 @@
 "DoD_IL4_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "DoD_IL4_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -6275,19 +6264,6 @@
 "DoD_IL4_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "DoD_IL4_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -7033,6 +7009,7 @@
 }
 ],
 "versions": [
+ "22.12.0",
 "22.11.0",
 "22.10.0",
 "22.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json
index ed88fcb3e..cce53991e 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/DOD_IL5_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of DoD Impact Level 5 (IL5) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil5-initiative.",
 "metadata": {
- "version": "19.11.0",
+ "version": "19.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "19.11.0",
+ "version": "19.12.0",
 "policyDefinitionGroups": [
 {
 "name": "DoD_IL5_R4_AC-1",
@@ -3422,14 +3422,15 @@
 },
 "systemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "ensureJavaVersionLatestForAPIAppEffect": {
@@ -3656,14 +3657,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "webAppDisableRemoteDebuggingMonitoringEffect": {
@@ -6011,19 +6013,6 @@
 "DoD_IL5_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "DoD_IL5_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -6299,19 +6288,6 @@
 "DoD_IL5_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "DoD_IL5_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -7057,6 +7033,7 @@
 }
 ],
 "versions": [
+ "19.12.0",
 "19.11.0",
 "19.10.0",
 "19.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json
index 9513cc625..fe0818ade 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_H_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp",
 "metadata": {
- "version": "17.12.0",
+ "version": "17.13.0",
 "category": "Regulatory Compliance"
 },
- "version": "17.12.0",
+ "version": "17.13.0",
 "policyDefinitionGroups": [
 {
 "name": "FedRAMP_High_R4_AC-1",
@@ -3164,14 +3164,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "identityEnableMFAForReadPermissionsMonitoringEffect": {
@@ -5082,19 +5083,6 @@
 "FedRAMP_High_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "FedRAMP_High_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -5334,15 +5322,6 @@
 "FedRAMP_High_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "FedRAMP_High_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -6065,6 +6044,7 @@
 }
 ],
 "versions": [
+ "17.13.0",
 "17.12.0",
 "17.11.0",
 "17.10.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json
index 7d260e5bb..32b86abf9 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/FedRAMP_M_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/",
 "metadata": {
- "version": "17.11.0",
+ "version": "17.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "17.11.0",
+ "version": "17.12.0",
 "policyDefinitionGroups": [
 {
 "name": "FedRAMP_Moderate_R4_AC-1",
@@ -4404,15 +4404,6 @@
 "FedRAMP_Moderate_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "FedRAMP_Moderate_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -4627,15 +4618,6 @@
 "FedRAMP_Moderate_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "FedRAMP_Moderate_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "ExternalAccountsWithReadPermissionsShouldBeRemovedFromYourSubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -5304,6 +5286,7 @@
 }
 ],
 "versions": [
+ "17.12.0",
 "17.11.0",
 "17.10.0",
 "17.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/IRS1075_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/IRS1075_audit.json
index b773a22c5..51a43b0ac 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/IRS1075_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/IRS1075_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-init.",
 "metadata": {
- "version": "8.4.0",
+ "version": "8.5.0",
 "category": "Regulatory Compliance"
 },
- "version": "8.4.0",
+ "version": "8.5.0",
 "policyDefinitionGroups": [
 {
 "name": "IRS_1075_9.3.1.1",
@@ -1102,15 +1102,6 @@
 "IRS_1075_9.3.7.5"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "IRS_1075_9.3.17.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -1327,6 +1318,7 @@
 }
 ],
 "versions": [
+ "8.5.0",
 "8.4.0",
 "8.3.0",
 "8.2.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/ISO27001_2013_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/ISO27001_2013_audit.json
index fa3779e9a..d943ff170 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/ISO27001_2013_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/ISO27001_2013_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init",
 "metadata": {
- "version": "7.5.0",
+ "version": "7.6.0",
 "category": "Regulatory Compliance"
 },
- "version": "7.5.0",
+ "version": "7.6.0",
 "policyDefinitionGroups": [
 {
 "name": "ISO27001-2013_A.5.1.1",
@@ -5943,15 +5943,6 @@
 "ISO27001-2013_A.16.1.3"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "ISO27001-2013_A.12.6.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -6758,6 +6749,7 @@
 }
 ],
 "versions": [
+ "7.6.0",
 "7.5.0",
 "7.4.0",
 "7.3.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json
index e3a034f68..e823954e1 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-171_R2.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171",
 "metadata": {
- "version": "15.11.0",
+ "version": "15.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "15.11.0",
+ "version": "15.12.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-171_R2_3.1.1",
@@ -4604,24 +4604,6 @@
 "NIST_SP_800-171_R2_3.13.16"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-171_R2_3.14.1"
- ]
- },
- {
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-171_R2_3.14.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "kubernetesServiceVersionUpToDateMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
@@ -4787,6 +4769,7 @@
 }
 ],
 "versions": [
+ "15.12.0",
 "15.11.0",
 "15.10.0",
 "15.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json
index d99cb89c6..feda8fe89 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R4.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative",
 "metadata": {
- "version": "18.11.0",
+ "version": "18.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "18.11.0",
+ "version": "18.12.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-53_R4_AC-1",
@@ -6465,15 +6465,6 @@
 "NIST_SP_800-53_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewAuditDeprecatedAccountsWithOwnerPermissionsOnASubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -6694,15 +6685,6 @@
 "NIST_SP_800-53_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewAuditExternalAccountsWithReadPermissionsOnASubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -13956,6 +13938,7 @@
 }
 ],
 "versions": [
+ "18.12.0",
 "18.11.0",
 "18.10.0",
 "18.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json
index d13378ff6..b1c0aa873 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/NIST_SP_800-53_R5.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative",
 "metadata": {
- "version": "14.11.0",
+ "version": "14.12.0",
 "category": "Regulatory Compliance"
 },
- "version": "14.11.0",
+ "version": "14.12.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-53_R5_AC-1",
@@ -6960,15 +6960,6 @@
 "NIST_SP_800-53_R5_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R5_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "0cfea604-3201-4e14-88fc-fae4c427a6c5",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -7189,15 +7180,6 @@
 "NIST_SP_800-53_R5_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R5_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "e9ac8f8e-ce22-4355-8f04-99b911d6be52",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
@@ -14280,6 +14262,7 @@
 }
 ],
 "versions": [
+ "14.12.0",
 "14.11.0",
 "14.10.0",
 "14.9.0",
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/PCI_DSS_V4.0.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/PCI_DSS_V4.0.json
index 6805991b7..11ec24a2b 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/PCI_DSS_V4.0.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/PCI_DSS_V4.0.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data. These policies address a subset of PCI-DSS v4 controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/pci-dss-3-2-1",
 "metadata": {
- "version": "1.3.0",
+ "version": "1.4.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "policyDefinitionGroups": [
 {
 "name": "PCI_DSS_v4.0_1.1.1",
@@ -2315,20 +2315,6 @@
 "PCI_DSS_v4.0_5.4.1"
 ]
 },
- {
- "policyDefinitionReferenceId": "previewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "PCI_DSS_v4.0_5.2.1",
- "PCI_DSS_v4.0_5.2.2",
- "PCI_DSS_v4.0_5.2.3",
- "PCI_DSS_v4.0_6.3.3",
- "PCI_DSS_v4.0_6.4.1",
- "PCI_DSS_v4.0_11.3.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "previewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -4261,6 +4247,7 @@
 }
 ],
 "versions": [
+ "1.4.0",
 "1.3.0",
 "1.2.0",
 "1.1.0"
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_audit.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_audit.json
index 144168d6e..e213141cf 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_audit.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_audit.json
@@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.", "metadata": { - "version": "14.5.0-deprecated", + "version": "14.6.0-deprecated", "deprecated": true, "category": "Regulatory Compliance" }, - "version": "14.5.0", + "version": "14.6.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v1.0_1.1", @@ -1089,15 +1089,6 @@ "Azure_Security_Benchmark_v1.0_1.11" ] }, - { - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "3.*.*", - "parameters": {}, - "groupNames": [ - "Azure_Security_Benchmark_v1.0_5.2" - ] - }, { "policyDefinitionReferenceId": "931e118d-50a1-4457-a5e4-78550e086c52", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52", @@ -1314,15 +1305,6 @@ "Azure_Security_Benchmark_v1.0_3.3" ] }, - { - "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "parameters": {}, - "groupNames": [ - "Azure_Security_Benchmark_v1.0_5.2" - ] - }, { "policyDefinitionReferenceId": "c43e4a30-77cb-48ab-a4dd-93f175c63b57", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57", @@ -1665,6 +1647,7 @@ } ], "versions": [ + "14.6.0", "14.5.0", "14.4.0", "14.3.0", 
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json
index f393508f8..6bbe85378 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Regulatory Compliance/asb_v2.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center",
 "metadata": {
- "version": "10.8.0-deprecated",
+ "version": "10.9.0-deprecated",
 "deprecated": true,
 "category": "Regulatory Compliance"
 },
- "version": "10.8.0",
+ "version": "10.9.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v2.0_NS-1",
@@ -2016,26 +2016,28 @@ }, "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates should be installed on your machines", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": { @@ -3678,19 +3680,6 @@ "Azure_Security_Benchmark_v2.0_PV-6" ] }, - { - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" - } - }, - "groupNames": [ - "Azure_Security_Benchmark_v2.0_PV-7" - ] - }, { "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", @@ -3815,6 +3804,7 @@ } ], "versions": [ + "10.9.0", "10.8.0", "10.7.0", "10.6.0", 
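Review bot: The `effect-c3f317a7…` parameter is flipped to a `Disabled` default and marked deprecated, but the c3f317a7 policy reference itself is still in the initiative (it is the context entry immediately after the removed 86b3d65f block), so every assignment that never pinned that parameter silently stops evaluating scale-set update status under PV-7 while the reference still shows up in compliance views. Either remove the c3f317a7 reference in the same change, as was done for 86b3d65f, or leave its default at `AuditIfNotExists` until the reference is actually dropped. If the parameter is kept only so existing assignments that set it keep validating, the description should say so: `"description": "Deprecated; retained for assignment compatibility only. For more information about effects, visit https://aka.ms/policyeffects"`. The policyDefinitions array continues outside this hunk, so a second c3f317a7 removal elsewhere in the file cannot be ruled out from here.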
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
index 484aa0c4d..b58beddfe 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "47.27.0",
+ "version": "47.28.0",
 "category": "Security Center"
 },
- "version": "47.27.0",
+ "version": "47.28.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -442,14 +442,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "System updates on virtual machine scale sets should be installed",
- "description": "Enable or disable virtual machine scale sets reporting of system updates"
+ "description": "Enable or disable virtual machine scale sets reporting of system updates",
+ "deprecated": true
 }
 },
 "systemUpdatesV2MonitoringEffect": {
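Review bot: Changing `vmssSystemUpdatesMonitoringEffect` to a `Disabled` default alters behaviour for every existing assignment of the default Defender for Cloud initiative that did not pin this parameter, yet the description still reads as if the switch is live ("Enable or disable ... reporting") and names no successor, even though a `systemUpdatesV2MonitoringEffect` parameter is visible as context directly below it. Suggested wording: `"description": "Deprecated; no longer consumed by this initiative. Use systemUpdatesV2MonitoringEffect for system-update assessment."`. Whether the V2 assessment covers scale-set instances as well as standalone machines is not visible in this hunk and should be confirmed before the description claims equivalence.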
@@ -517,14 +518,15 @@ }, "systemUpdatesMonitoringEffect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "System updates should be installed on your machines", - "description": "Enable or disable reporting of system updates" + "description": "Enable or disable reporting of system updates", + "deprecated": true } }, "systemUpdatesAutoAssessmentModeEffect": { @@ -4795,19 +4797,6 @@ "Azure_Security_Benchmark_v3.0_PV-4" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring", - "parameters": { - "effect": { - "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" - } - }, - "groupNames": [ - "Azure_Security_Benchmark_v3.0_PV-6" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01", "definitionVersion": "2.*.*", @@ -5151,19 +5140,6 @@ "Azure_Security_Benchmark_v3.0_LT-3" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "systemUpdatesMonitoring", - "parameters": { - "effect": { - "value": "[parameters('systemUpdatesMonitoringEffect')]" - } - }, - "groupNames": [ - "Azure_Security_Benchmark_v3.0_PV-6" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b", "definitionVersion": "1.*.*-preview", @@ -7096,6 +7072,7 @@ } ], "versions": [ + "47.28.0", "47.27.0", "47.26.0", "47.25.0", diff --git a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json index 4a5f2870c..480b4158c 100644 
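Review bot: The two deleted references were the only entries in these hunks mapped to `Azure_Security_Benchmark_v3.0_PV-6`, and the context left behind after the second deletion is `f85bf3e0…` pinned to `1.*.*-preview`; if that preview definition is what now carries machine-patching evidence for PV-6 (its groupNames are outside the hunk), the default initiative's posture coverage for that control now rests on a preview policy with no GA fallback. The commit subject ("Built-in Policy Release 2090aef3") does not record what replaces 86b3d65f and c3f317a7, so add a sentence to the deprecated parameters' descriptions or to the release notes naming the successor definition so auditors can trace the PV-6 mapping. The policyDefinitions array continues outside these hunks.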
--- a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json +++ b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json @@ -4,12 +4,25 @@ "policyType": "BuiltIn", "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc", "metadata": { - "version": "1.7.0-preview", + "version": "1.8.0-preview", "category": "Kubernetes", "preview": true }, - "version": "1.7.0-preview", + "version": "1.8.0-preview", "parameters": { + "source": { + "type": "String", + "metadata": { + "displayName": "Source", + "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones." + }, + "defaultValue": "All", + "allowedValues": [ + "All", + "Generated", + "Original" + ] + }, "warn": { "type": "Boolean", "metadata": { @@ -157,6 +170,9 @@ }, "allowedGroups": { "value": "[parameters('allowedGroups')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -185,6 +201,9 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -201,6 +220,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -226,6 +248,9 @@ }, "labels": { "value": "[parameters('labels')]" + }, + "source": { + "value": "[parameters('source')]" } } }, 
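Review bot: The new `source` parameter defaults to `All`, which is the right choice for an enforcement initiative, but its description does not warn that `Generated` evaluates nothing unless Gatekeeper ExpansionTemplates exist in the cluster, so an operator picking it to silence duplicate warnings on Deployments and their Pods could end up with no evaluation of these safeguards at all. Suggest appending to the description: `Note: 'Generated' produces no evaluation when no ExpansionTemplate matches the workload; keep 'All' unless expansion is configured.` The parameter is threaded into each policy reference in this and the following hunks, but the references' `definitionVersion` pins are outside the hunks, so confirm every pinned definition version actually declares a `source` parameter or assignment of the initiative will fail validation.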
@@ -248,6 +273,9 @@ }, "excludedContainers": { "value": "[parameters('excludedContainers')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -267,6 +295,9 @@ }, "reservedTaints": { "value": "[parameters('reservedTaints')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -292,6 +323,9 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -308,6 +342,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -327,6 +364,9 @@ }, "excludedImages": { "value": "[parameters('excludedImages')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -343,6 +383,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -359,6 +402,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -372,6 +418,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -385,6 +434,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -398,6 +450,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -414,6 +469,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -430,6 +488,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -443,6 +504,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, 
@@ -456,6 +520,9 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } }, @@ -469,11 +536,15 @@ }, "excludedNamespaces": { "value": "[parameters('excludedNamespaces')]" + }, + "source": { + "value": "[parameters('source')]" } } } ], "versions": [ + "1.8.0-PREVIEW", "1.7.0-PREVIEW", "1.6.0-PREVIEW", "1.5.0-PREVIEW", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_1_0.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_1_0.json index 53f486644..168e17096 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_1_0.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_1_0.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.1.0 controls. For more information, visit https://aka.ms/cisazure110-initiative", "metadata": { - "version": "16.7.0", + "version": "16.8.0", "category": "Regulatory Compliance" }, - "version": "16.7.0", + "version": "16.8.0", "policyDefinitionGroups": [ { "name": "CIS_Azure_1.1.0_1.1", @@ -616,16 +616,6 @@ "CIS_Azure_1.1.0_2.1" ] }, - { - "policyDefinitionReferenceId": "CISv110x2x3CISv110x7x5", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "parameters": {}, - "groupNames": [ - "CIS_Azure_1.1.0_2.3", - "CIS_Azure_1.1.0_7.5" - ] - }, { "policyDefinitionReferenceId": "CISv110x2x4", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", 
@@ -2258,6 +2248,7 @@ } ], "versions": [ + "16.8.0", "16.7.0", "16.6.0", "16.5.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_3_0.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_3_0.json index d0510b446..752167ad4 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_3_0.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_3_0.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit https://aka.ms/cisazure130-initiative", "metadata": { - "version": "8.10.0", + "version": "8.11.0", "category": "Regulatory Compliance" }, - "version": "8.10.0", + "version": "8.11.0", "policyDefinitionGroups": [ { "name": "CIS_Azure_1.3.0_1.1", @@ -1512,14 +1512,15 @@ }, "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates should be installed on your machines", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": { 
@@ -2826,16 +2827,16 @@ ] }, { - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", + "policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9", + "definitionVersion": "3.*.*", "parameters": { "effect": { - "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" + "value": "[parameters('effect-af6cd1bd-1635-48cb-bde7-5b15693900b9')]" } }, "groupNames": [ - "CIS_Azure_1.3.0_7.5" + "CIS_Azure_1.3.0_7.6" ] }, { @@ -4240,6 +4241,7 @@ } ], "versions": [ + "8.11.0", "8.10.0", "8.9.0", "8.8.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_4_0.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_4_0.json index bb3aa3916..4a7cc22ac 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_4_0.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CISv1_4_0.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.4.0 controls. For more information, visit https://aka.ms/cisazure140-initiative", "metadata": { - "version": "1.10.0", + "version": "1.11.0", "category": "Regulatory Compliance" }, - "version": "1.10.0", + "version": "1.11.0", "policyDefinitionGroups": [ { "name": "CIS_Azure_1.4.0_1.1", 
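Review bot: The replacement entry changes both the policy (`86b3d65f…` to `af6cd1bd…`) and the control group (`CIS_Azure_1.3.0_7.5` to `CIS_Azure_1.3.0_7.6`), so recommendation 7.5 loses the only mapping visible in this hunk rather than being re-mapped to a successor. An `effect-af6cd1bd…` parameter already existed before this change (it appears as context in the earlier parameter hunk of this file), which suggests `af6cd1bd…` was already referenced elsewhere in the initiative; if so, reusing `"policyDefinitionReferenceId": "af6cd1bd-1635-48cb-bde7-5b15693900b9"` duplicates a reference id, which Azure Policy rejects when the set definition is published. Either make this a plain deletion of the 7.5 entry, consistent with CISv1_4_0 and the other initiatives in this release, or map a genuine 7.5 successor under a unique reference id. The policyDefinitions array continues outside the hunk.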
@@ -1402,14 +1402,15 @@ }, "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates should be installed on your machines", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-af6cd1bd-1635-48cb-bde7-5b15693900b9": { @@ -3738,19 +3739,6 @@ "CIS_Azure_1.4.0_7.4" ] }, - { - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" - } - }, - "groupNames": [ - "CIS_Azure_1.4.0_7.5" - ] - }, { "policyDefinitionReferenceId": "db28735f-518f-870e-15b4-49623cbe3aa0", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db28735f-518f-870e-15b4-49623cbe3aa0", @@ -4018,6 +4006,7 @@ } ], "versions": [ + "1.11.0", "1.10.0", "1.9.0", "1.8.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json index f3aa9b8b6..162ce65d9 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_2_0_L2.json 
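Review bot: `CIS_Azure_1.4.0_7.5` is handled differently from the same recommendation in CISv1_3_0 within this one release: here the 86b3d65f reference is simply deleted, while CISv1_3_0 substitutes another policy and moves the group, so customers comparing the two benchmark initiatives will see inconsistent 7.5 coverage with no stated reason. Whichever treatment is intended, apply it to both files, and note it in the deprecated parameter's description, e.g. `"description": "Deprecated; retained for assignment compatibility only. For more information about effects, visit https://aka.ms/policyeffects"`, since after this hunk no visible reference consumes `effect-86b3d65f…` yet it still defaults to `Disabled`.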
@@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative.", "metadata": { - "version": "2.14.0-preview", + "version": "2.15.0-preview", "category": "Regulatory Compliance", "preview": true }, - "version": "2.14.0-preview", + "version": "2.15.0-preview", "policyDefinitionGroups": [ { "name": "CMMC_2.0_L2_AC.L1-3.1.1", @@ -4507,15 +4507,6 @@ "CMMC_2.0_L2_SC.L2-3.13.8" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "parameters": {}, - "groupNames": [ - "CMMC_2.0_L2_SI.L1-3.14.1" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40", "definitionVersion": "2.*.*", @@ -5499,15 +5490,6 @@ "CMMC_2.0_L2_SC.L2-3.13.8" ] }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "parameters": {}, - "groupNames": [ - "CMMC_2.0_L2_SI.L1-3.14.1" - ] - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", "definitionVersion": "5.*.*", @@ -5615,6 +5597,7 @@ } ], "versions": [ + "2.15.0-PREVIEW", "2.14.0-PREVIEW", "2.13.0-PREVIEW", "2.12.0-PREVIEW", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json index d438236ea..176e66fa1 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json 
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CMMC_L3.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative.", "metadata": { - "version": "11.9.0", + "version": "11.10.0", "category": "Regulatory Compliance" }, - "version": "11.9.0", + "version": "11.10.0", "policyDefinitionGroups": [ { "name": "CMMC_L3_AC.1.001", @@ -1233,14 +1233,15 @@ }, "effect-86b3d65f-7626-441e-b690-81a8b71cff60": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates should be installed on your machines", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-88999f4c-376a-45c8-bcb3-4058f713cf39": { @@ -1535,14 +1536,15 @@ }, "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", - "description": "For more information about effects, visit https://aka.ms/policyeffects" + "description": "For more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": { 
@@ -4028,19 +4030,6 @@ "CMMC_L3_AU.3.049" ] }, - { - "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]" - } - }, - "groupNames": [ - "CMMC_L3_SI.1.210" - ] - }, { "policyDefinitionReferenceId": "8c122334-9d20-4eb8-89ea-ac9a705b74ae", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae", @@ -4267,19 +4256,6 @@ "CMMC_L3_SI.2.217" ] }, - { - "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]" - } - }, - "groupNames": [ - "CMMC_L3_SI.1.210" - ] - }, { "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71", @@ -6164,6 +6140,7 @@ } ], "versions": [ + "11.10.0", "11.9.0", "11.8.0", "11.7.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/CanadaFederalPBMM_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/CanadaFederalPBMM_audit.json index af68e4288..ad9e5d694 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/CanadaFederalPBMM_audit.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/CanadaFederalPBMM_audit.json 
@@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/canadafederalpbmm-init.", "metadata": { - "version": "8.4.0", + "version": "8.5.0", "category": "Regulatory Compliance" }, - "version": "8.4.0", + "version": "8.5.0", "policyDefinitionGroups": [ { "name": "CCCS_AC-1", @@ -1600,15 +1600,6 @@ "CCCS_IA-2(1)" ] }, - { - "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "parameters": {}, - "groupNames": [ - "CCCS_SI-2" - ] - }, { "policyDefinitionReferenceId": "CorsShouldNotAllowEveryResourceToAccessYourWebApplication", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9", @@ -1925,15 +1916,6 @@ "CCCS_IA-5(1)" ] }, - { - "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "parameters": {}, - "groupNames": [ - "CCCS_SI-2" - ] - }, { "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", @@ -2142,6 +2124,7 @@ } ], "versions": [ + "8.5.0", "8.4.0", "8.3.0", "8.2.0", diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/DOD_IL4_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/DOD_IL4_audit.json index fb1fcb6e6..de4357750 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/DOD_IL4_audit.json 
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/DOD_IL4_audit.json @@ -4,11 +4,11 @@ "policyType": "BuiltIn", "description": "This initiative includes policies that address a subset of DoD Impact Level 4 (IL4) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/dodil4-initiative.", "metadata": { - "version": "9.4.0-deprecated", + "version": "9.5.0-deprecated", "category": "Regulatory Compliance", "deprecated": true }, - "version": "9.4.0", + "version": "9.5.0", "parameters": { "IncludeArcMachines": { "type": "string", @@ -364,14 +364,15 @@ }, "vmssSystemUpdatesMonitoringEffect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "identityEnableMFAForReadPermissionsMonitoringEffect": { @@ -530,12 +531,6 @@ "policyDefinitionReferenceId": "vulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated", "parameters": {} }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines", - "parameters": {} - }, { "policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", 
@@ -888,16 +883,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring", - "parameters": { - "effect": { - "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52", "definitionVersion": "1.*.*", @@ -1006,6 +991,7 @@ } ], "versions": [ + "9.5.0", "9.4.0", "9.3.0", "9.2.0" diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json index 58dd81aad..acceb097c 100644 --- a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json +++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_H_audit.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp", "metadata": { - "version": "17.15.0", + "version": "17.16.0", "category": "Regulatory Compliance" }, - "version": "17.15.0", + "version": "17.16.0", "policyDefinitionGroups": [ { "name": "FedRAMP_High_R4_AC-1", 
@@ -3379,14 +3379,15 @@ }, "vmssSystemUpdatesMonitoringEffect": { "type": "string", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed", - "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects" + "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects", + "deprecated": true } }, "identityEnableMFAForReadPermissionsMonitoringEffect": { @@ -5505,19 +5506,6 @@ "FedRAMP_High_R4_SC-12" ] }, - { - "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", - "definitionVersion": "3.*.*", - "parameters": { - "effect": { - "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" - } - }, - "groupNames": [ - "FedRAMP_High_R4_SI-2" - ] - }, { "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5", @@ -5776,15 +5764,6 @@ "FedRAMP_High_R4_SI-2" ] }, - { - "policyDefinitionReferenceId": "systemUpdatesShouldBeInstalledOnYourMachines", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", - "definitionVersion": "4.*.*", - "parameters": {}, - "groupNames": [ - "FedRAMP_High_R4_SI-2" - ] - }, { "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c", 
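Review bot: After the two deletions, `FedRAMP_High_R4_SI-2` loses its patch-status evidence for both standalone machines and scale sets, and no hunk visible for this file adds a successor to that group; meanwhile `vmssSystemUpdatesMonitoringEffect` is kept with a `Disabled` default although no remaining reference consumes it. If a replacement definition is mapped to SI-2 elsewhere in the file, name it in the parameter description; if not, the initiative description or the 17.16.0 version bump should state that SI-2 machine-patching coverage was removed so tenants relying on it for FedRAMP High evidence can reassign deliberately. Suggested description: `"description": "Deprecated; retained for assignment compatibility only. The policy it controlled has been removed from this initiative."`. Note the removed 86b3d65f entry had `"parameters": {}` with no effect parameter at all, so its behaviour was never operator-tunable here, unlike the VMSS entry.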
@@ -11454,6 +11433,7 @@
 }
 ],
 "versions": [
+ "17.16.0",
 "17.15.0",
 "17.14.0",
 "17.13.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json
index 8b84b9a72..1d24c1e02 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/FedRAMP_M_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/",
 "metadata": {
- "version": "17.14.0",
+ "version": "17.15.0",
 "category": "Regulatory Compliance"
 },
- "version": "17.14.0",
+ "version": "17.15.0",
 "policyDefinitionGroups": [
 {
 "name": "FedRAMP_Moderate_R4_AC-1",
@@ -4783,15 +4783,6 @@
 "FedRAMP_Moderate_R4_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "FedRAMP_Moderate_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "DeprecatedAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -5022,15 +5013,6 @@
 "FedRAMP_Moderate_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "FedRAMP_Moderate_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
@@ -9991,6 +9973,7 @@
 }
 ],
 "versions": [
+ "17.15.0",
 "17.14.0",
 "17.13.0",
 "17.12.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/HIPAA_HITRUST_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/HIPAA_HITRUST_audit.json
index dad8574fb..d989cee13 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/HIPAA_HITRUST_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/HIPAA_HITRUST_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Health Information Trust Alliance (HITRUST) helps organizations from all sectors-but especially healthcare-effectively manage data, information risk, and compliance. HITRUST certification means that the organization has undergone a thorough assessment of the information security program. These policies address a subset of HITRUST controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2",
 "metadata": {
- "version": "14.6.0",
+ "version": "14.7.0",
 "category": "Regulatory Compliance"
 },
- "version": "14.6.0",
+ "version": "14.7.0",
 "policyDefinitionGroups": [
 {
 "name": "hipaa-0101.00a1Organizational.123-00.a",
@@ -2924,14 +2924,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "System updates on virtual machine scale sets should be installed",
- "description": "Enable or disable virtual machine scale sets reporting of system updates"
+ "description": "Enable or disable virtual machine scale sets reporting of system updates",
+ "deprecated": true
 }
 },
 "diagnosticsLogsInServiceFabricMonitoringEffect": {
@@ -2949,14 +2950,15 @@
 },
 "systemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "System updates should be installed on your machines",
- "description": "Enable or disable reporting of system updates"
+ "description": "Enable or disable reporting of system updates",
+ "deprecated": true
 }
 },
 "DeployAzureBaselineSecurityOptionsAccountsAccountsGuestAccountStatus": {
@@ -5066,19 +5068,6 @@
 "hipaa-0201.09j1Organizational.124-09.j"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "hipaa-0201.09j1Organizational.124-09.j"
- ]
- },
 {
 "policyDefinitionReferenceId": "microsoftAntimalwareForAzureShouldBeConfiguredToAutomaticallyUpdateProtectionSignatures",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
@@ -10174,19 +10163,6 @@
 "hipaa-1230.09c2Organizational.1-09.c"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "hipaa-1202.09aa1System.1-09.aa"
- ]
- },
 {
 "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeStoreMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
@@ -11964,6 +11940,7 @@
 }
 ],
 "versions": [
+ "14.7.0",
 "14.6.0",
 "14.5.0",
 "14.4.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/IRAP_Audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/IRAP_Audit.json
index e52860938..1f6440683 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/IRAP_Audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/IRAP_Audit.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative.",
 "metadata": {
- "version": "8.5.0-preview",
+ "version": "8.6.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "8.5.0-preview",
+ "version": "8.6.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "AU_ISM_100",
@@ -3477,14 +3477,15 @@
 },
 "systemUpdatesMonitoringEffect": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "apiAppRequireLatestTlsMonitoringEffect": {
@@ -3637,14 +3638,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "webAppDisableRemoteDebuggingMonitoringEffect": {
@@ -4104,19 +4106,6 @@
 "AU_ISM_582"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "AU_ISM_1407"
- ]
- },
 {
 "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52",
@@ -4257,19 +4246,6 @@
 "AU_ISM_1546"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "AU_ISM_1407"
- ]
- },
 {
 "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
@@ -4534,6 +4510,7 @@
 }
 ],
 "versions": [
+ "8.6.0-PREVIEW",
 "8.5.0-PREVIEW",
 "8.4.0-PREVIEW",
 "8.3.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/IRS1075_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/IRS1075_audit.json
index a20cbbdae..c058f88a3 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/IRS1075_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/IRS1075_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-init.",
 "metadata": {
- "version": "8.4.0",
+ "version": "8.5.0",
 "category": "Regulatory Compliance"
 },
- "version": "8.4.0",
+ "version": "8.5.0",
 "policyDefinitionGroups": [
 {
 "name": "IRS_1075_9.3.1.1",
@@ -778,15 +778,6 @@
 "IRS_1075_9.3.7.2"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewAuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "IRS_1075_9.3.17.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewAuditCORSResourceAccessRestrictionsForAWebApplication",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
@@ -1111,15 +1102,6 @@
 "IRS_1075_9.3.7.5"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "IRS_1075_9.3.17.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -1346,6 +1328,7 @@
 }
 ],
 "versions": [
+ "8.5.0",
 "8.4.0",
 "8.3.0",
 "8.2.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/ISO27001_2013_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/ISO27001_2013_audit.json
index 8bf9ba9b3..c13881028 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/ISO27001_2013_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/ISO27001_2013_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init",
 "metadata": {
- "version": "8.4.0",
+ "version": "8.5.0",
 "category": "Regulatory Compliance"
 },
- "version": "8.4.0",
+ "version": "8.5.0",
 "policyDefinitionGroups": [
 {
 "name": "ISO27001-2013_A.5.1.1",
@@ -5943,15 +5943,6 @@
 "ISO27001-2013_A.16.1.3"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "ISO27001-2013_A.12.6.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -6767,6 +6758,7 @@
 }
 ],
 "versions": [
+ "8.5.0",
 "8.4.0",
 "8.3.0",
 "8.2.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/Media_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/Media_audit.json
index 01dff663b..77633229a 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/Media_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/Media_audit.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init.",
 "metadata": {
- "version": "4.3.0-preview",
+ "version": "4.4.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "4.3.0-preview",
+ "version": "4.4.0-preview",
 "parameters": {
 "IncludeArcMachines": {
 "type": "string",
@@ -313,13 +313,14 @@
 "type": "string",
 "metadata": {
 "displayName": "System updates should be installed on your machines",
- "description": "Enable or disable reporting of system updates"
+ "description": "Enable or disable reporting of system updates",
+ "deprecated": true
 },
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
- "defaultValue": "AuditIfNotExists"
+ "defaultValue": "Disabled"
 },
 "sqlServerAuditingRetentionDaysMonitoringEffect": {
 "type": "string",
@@ -899,16 +900,6 @@
 }
 }
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- }
- },
 {
 "policyDefinitionReferenceId": "disableIPForwardingForNetworkInterfaces",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
@@ -1182,6 +1173,7 @@
 }
 ],
 "versions": [
+ "4.4.0-PREVIEW",
 "4.3.0-PREVIEW",
 "4.2.0-PREVIEW",
 "4.1.0-PREVIEW"
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json
index e90742684..0c7ecb1f6 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-171_R2.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171",
 "metadata": {
- "version": "15.14.0",
+ "version": "15.15.0",
 "category": "Regulatory Compliance"
 },
- "version": "15.14.0",
+ "version": "15.15.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-171_R2_3.1.1",
@@ -5207,24 +5207,6 @@
 "NIST_SP_800-171_R2_3.13.16"
 ]
 },
- {
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-171_R2_3.14.1"
- ]
- },
- {
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-171_R2_3.14.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "kubernetesServiceVersionUpToDateMonitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
@@ -7500,6 +7482,7 @@
 }
 ],
 "versions": [
+ "15.15.0",
 "15.14.0",
 "15.13.0",
 "15.12.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json
index 47f2c948e..3424035a7 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R4.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative",
 "metadata": {
- "version": "17.14.0",
+ "version": "17.15.0",
 "category": "Regulatory Compliance"
 },
- "version": "17.14.0",
+ "version": "17.15.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-53_R4_AC-1",
@@ -12454,24 +12454,6 @@
 "NIST_SP_800-53_R4_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewAuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R4_SI-2"
- ]
- },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R4_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "fb893a29-21bb-418c-a157-e99480ec364c",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
@@ -12748,6 +12730,7 @@
 }
 ],
 "versions": [
+ "17.15.0",
 "17.14.0",
 "17.13.0",
 "17.12.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json
index a5159cad2..b45c81e88 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NIST_SP_800-53_R5.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative",
 "metadata": {
- "version": "14.14.0",
+ "version": "14.15.0",
 "category": "Regulatory Compliance"
 },
- "version": "14.14.0",
+ "version": "14.15.0",
 "policyDefinitionGroups": [
 {
 "name": "NIST_SP_800-53_R5_AC-1",
@@ -7342,15 +7342,6 @@
 "NIST_SP_800-53_R5_SC-12"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R5_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "0cfea604-3201-4e14-88fc-fae4c427a6c5",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
@@ -7590,15 +7581,6 @@
 "NIST_SP_800-53_R5_SI-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "NIST_SP_800-53_R5_SI-2"
- ]
- },
 {
 "policyDefinitionReferenceId": "fc5e4038-4584-4632-8c85-c0448d374b2c",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
@@ -13065,6 +13047,7 @@
 }
 ],
 "versions": [
+ "14.15.0",
 "14.14.0",
 "14.13.0",
 "14.12.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
index 3619e7bad..26584e6e0 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NL_BIO_Cloud_Theme.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls.",
 "metadata": {
- "version": "1.8.0",
+ "version": "1.9.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.8.0",
+ "version": "1.9.0",
 "policyDefinitionGroups": [
 {
 "name": "B.01 - Laws and regulations",
@@ -1163,14 +1163,15 @@
 },
 "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15": {
@@ -2925,14 +2926,15 @@
 },
 "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects"
+ "description": "The effect determines what happens when the policy rule is evaluated to match; for more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-e2c1c086-2d84-4019-bff3-c44ccd95113c": {
@@ -5051,23 +5053,6 @@
 "U.15.3 - Events logged"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
- }
- },
- "groupNames": [
- "U.09.3 - Detection, prevention and recovery",
- "C.04.3 - Timelines",
- "C.04.6 - Timelines",
- "C.04.7 - Evaluated",
- "C.04.8 - Evaluated"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -6853,22 +6838,6 @@
 "C.04.7 - Evaluated"
 ]
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
- }
- },
- "groupNames": [
- "U.09.3 - Detection, prevention and recovery",
- "C.04.3 - Timelines",
- "C.04.6 - Timelines",
- "C.04.7 - Evaluated"
- ]
- },
 {
 "policyDefinitionReferenceId": "EnsureThatHTTPVersionIsTheLatestIfUsedToRunTheFunctionApp",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
@@ -8450,6 +8419,7 @@
 }
 ],
 "versions": [
+ "1.9.0",
 "1.8.0",
 "1.7.0",
 "1.6.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
index ab1688ccc..bccd51fc8 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of New Zealand Information Security Manual v3.5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative. ",
 "metadata": {
- "version": "2.13.0-deprecated",
+ "version": "2.14.0-deprecated",
 "category": "Regulatory Compliance",
 "deprecated": true
 },
- "version": "2.13.0",
+ "version": "2.14.0",
 "policyDefinitionGroups": [
 {
 "name": "NZ_ISM_v3.5_AC-1",
@@ -2080,15 +2080,6 @@
 "NZ_ISM_v3.5_ISM-4"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "parameters": {},
- "groupNames": [
- "NZ_ISM_v3.5_PRS-5"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
 "definitionVersion": "2.*.*",
@@ -2490,15 +2481,6 @@
 "NZ_ISM_v3.5_ISM-3"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "parameters": {},
- "groupNames": [
- "NZ_ISM_v3.5_PRS-5"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
 "definitionVersion": "9.*.*",
@@ -3097,6 +3079,7 @@
 }
 ],
 "versions": [
+ "2.14.0",
 "2.13.0",
 "2.12.0",
 "2.11.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
index 6b797b09f..ae5a9ddd8 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
@@ -5,9 +5,9 @@
 "description": "New Zealand Information Security Manual (ISM) policy initiative. This policy set includes definitions that have a Deny effect by default",
 "metadata": {
 "category": "Regulatory Compliance",
- "version": "1.3.0"
+ "version": "1.4.0"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "policyDefinitionGroups": [
 {
 "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.5.C.01",
@@ -1154,24 +1154,6 @@
 "definitionVersion": "1.*.*",
 "parameters": {}
 },
- {
- "policyDefinitionReferenceId": "System updates on virtual machine scale sets should be installed",
- "groupNames": [
- "New_Zealand_ISM_12.4.4.C.02"
- ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {}
- },
- {
- "policyDefinitionReferenceId": "System updates should be installed on your machines",
- "groupNames": [
- "New_Zealand_ISM_12.4.4.C.02"
- ],
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {}
- },
 {
 "policyDefinitionReferenceId": "Machines should be configured to periodically check for missing system updates",
 "groupNames": [
@@ -2795,6 +2777,7 @@
 }
 ],
 "versions": [
+ "1.4.0",
 "1.3.0",
 "1.2.1",
 "1.2.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/PCI_DSS_V4.0.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/PCI_DSS_V4.0.json
index ecb652b34..6de2e10b2 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/PCI_DSS_V4.0.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/PCI_DSS_V4.0.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data. These policies address a subset of PCI-DSS v4 controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/pci-dss-3-2-1",
 "metadata": {
- "version": "1.4.0",
+ "version": "1.5.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.4.0",
+ "version": "1.5.0",
 "policyDefinitionGroups": [
 {
 "name": "PCI_DSS_v4.0_1.1.1",
@@ -2315,20 +2315,6 @@
 "PCI_DSS_v4.0_5.4.1"
 ]
 },
- {
- "policyDefinitionReferenceId": "previewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "PCI_DSS_v4.0_5.2.1",
- "PCI_DSS_v4.0_5.2.2",
- "PCI_DSS_v4.0_5.2.3",
- "PCI_DSS_v4.0_6.3.3",
- "PCI_DSS_v4.0_6.4.1",
- "PCI_DSS_v4.0_11.3.1"
- ]
- },
 {
 "policyDefinitionReferenceId": "previewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -4285,6 +4271,7 @@
 }
 ],
 "versions": [
+ "1.5.0",
 "1.4.0",
 "1.3.0",
 "1.2.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/PCIv3_2_1_2018_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/PCIv3_2_1_2018_audit.json
index 6cd017851..51551e11d 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/PCIv3_2_1_2018_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/PCIv3_2_1_2018_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/pciv321-init.",
 "metadata": {
- "version": "6.3.0",
+ "version": "6.4.0",
 "category": "Regulatory Compliance"
 },
- "version": "6.3.0",
+ "version": "6.4.0",
 "policyDefinitionGroups": [
 {
 "name": "PCI_DSS_V3.2.1_1.1.1",
@@ -1250,18 +1250,6 @@
 "PCI_DSS_V3.2.1_7.1.3"
 ]
 },
- {
- "policyDefinitionReferenceId": "previewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "PCI_DSS_V3.2.1_11.2.1",
- "PCI_DSS_V3.2.1_5.1",
- "PCI_DSS_V3.2.1_6.2",
- "PCI_DSS_V3.2.1_6.6"
- ]
- },
 {
 "policyDefinitionReferenceId": "previewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -1441,6 +1429,7 @@
 }
 ],
 "versions": [
+ "6.4.0",
 "6.3.0",
 "6.2.0",
 "6.1.0"
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
index 6c9d54d13..2110e65f7 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfbanks-initiative.",
 "metadata": {
- "version": "1.15.0-preview",
+ "version": "1.16.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "1.15.0-preview",
+ "version": "1.16.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "RBI_CSF_Banks_v2016_9.1",
@@ -1690,30 +1690,6 @@
 "RBI_CSF_Banks_v2016_13.2"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "parameters": {},
- "groupNames": [
- "RBI_CSF_Banks_v2016_2.3",
- "RBI_CSF_Banks_v2016_7.1",
- "RBI_CSF_Banks_v2016_7.2",
- "RBI_CSF_Banks_v2016_7.6"
- ]
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "parameters": {},
- "groupNames": [
- "RBI_CSF_Banks_v2016_7.1",
- "RBI_CSF_Banks_v2016_7.2",
- "RBI_CSF_Banks_v2016_7.6",
- "RBI_CSF_Banks_v2016_2.3"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
 "definitionVersion": "1.*.*",
@@ -2565,6 +2541,7 @@
 }
 ],
 "versions": [
+ "1.16.0-PREVIEW",
 "1.15.0-PREVIEW",
 "1.14.0-PREVIEW",
 "1.13.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_NBFC_v2017.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_NBFC_v2017.json
index 66c3e12f3..dd8027071 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_NBFC_v2017.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_NBFC_v2017.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfnbfc-initiative.",
 "metadata": {
- "version": "2.11.0-preview",
+ "version": "2.12.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "2.11.0-preview",
+ "version": "2.12.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "RBI_ITF_NBFC_v2017_6",
@@ -776,16 +776,6 @@
 "RBI_ITF_NBFC_v2017_3.3"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "parameters": {},
- "groupNames": [
- "RBI_ITF_NBFC_v2017_1",
- "RBI_ITF_NBFC_v2017_3.3"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
 "definitionVersion": "4.*.*",
@@ -919,16 +909,6 @@
 "RBI_ITF_NBFC_v2017_3.8"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "parameters": {},
- "groupNames": [
- "RBI_ITF_NBFC_v2017_3.3",
- "RBI_ITF_NBFC_v2017_1"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
 "definitionVersion": "3.*.*",
@@ -2136,6 +2116,7 @@
 }
 ],
 "versions": [
+ "2.12.0-PREVIEW",
 "2.11.0-PREVIEW",
 "2.10.0-PREVIEW",
 "2.9.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/RMIT_Malaysia.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/RMIT_Malaysia.json
index 8d3212597..0ada16c98 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/RMIT_Malaysia.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/RMIT_Malaysia.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative.",
 "metadata": {
- "version": "9.11.0",
+ "version": "9.13.0",
 "category": "Regulatory Compliance"
 },
- "version": "9.11.0",
+ "version": "9.13.0",
 "policyDefinitionGroups": [
 {
 "name": "RMiT_v1.0_10.1",
@@ -3243,15 +3243,6 @@
 "RMiT_v1.0_10.66"
 ]
 },
- {
- "policyDefinitionReferenceId": "3e596b57-105f-48a6-be97-03e9243bad6e",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "RMiT_v1.0_10.66"
- ]
- },
 {
 "policyDefinitionReferenceId": "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
@@ -4021,15 +4012,6 @@
 "RMiT_v1.0_Appendix_5.7"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "RMiT_v1.0_10.65"
- ]
- },
 {
 "policyDefinitionReferenceId": "8e7da0a5-0a0e-4bbc-bfc0-7773c018b616",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e7da0a5-0a0e-4bbc-bfc0-7773c018b616",
@@ -4149,15 +4131,6 @@
 "RMiT_v1.0_Appendix_5.7"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "RMiT_v1.0_10.63"
- ]
- },
 {
 "policyDefinitionReferenceId": "d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
@@ -4829,6 +4802,8 @@
 }
 ],
 "versions": [
+ "9.13.0",
+ "9.12.0",
 "9.11.0",
 "9.10.0",
 "9.9.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2021.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2021.json
index 341c4f3c5..96c78e414 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2021.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2021.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init.",
 "metadata": {
- "version": "4.9.0-preview",
+ "version": "4.11.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "4.9.0-preview",
+ "version": "4.11.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "SWIFT_CSCF_v2021_1.1",
@@ -648,15 +648,6 @@
 "SWIFT_CSCF_v2021_2.2"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2021_2.2"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0f98fe-a24b-4ad5-af69-bd0400233661",
 "definitionVersion": "2.*.*",
@@ -1270,15 +1261,6 @@
 "SWIFT_CSCF_v2021_6.3"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e",
- "definitionVersion": "1.*.*",
- "policyDefinitionReferenceId": "3e596b57-105f-48a6-be97-03e9243bad6e",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2021_6.4"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7",
 "definitionVersion": "1.*.*",
@@ -1504,15 +1486,6 @@
 "SWIFT_CSCF_v2021_2.1"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2021_2.2"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
 "definitionVersion": "2.*.*",
@@ -1940,6 +1913,8 @@
 }
 ],
 "versions": [
+ "4.11.0-PREVIEW",
+ "4.10.0-PREVIEW",
 "4.9.0-PREVIEW",
 "4.8.0-PREVIEW",
 "4.7.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2022.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2022.json
index b30eb4bee..d891a9ee1 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2022.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFT_CSP-CSCF_v2022.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "SWIFT's Customer Security Programme (CSP) helps financial institutions ensure their defences against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). These policies address a subset of SWIFT controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/swift-cscf-v2021",
 "metadata": {
- "version": "2.6.0",
+ "version": "2.8.0",
 "category": "Regulatory Compliance"
 },
- "version": "2.6.0",
+ "version": "2.8.0",
 "policyDefinitionGroups": [
 {
 "name": "SWIFT_CSCF_v2022_1.1",
@@ -1489,24 +1489,6 @@
 "SWIFT_CSCF_v2022_6.4"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2022_2.2"
- ]
- },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2022_2.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "5e4e9685-3818-5934-0071-2620c4fa2ca5",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e4e9685-3818-5934-0071-2620c4fa2ca5",
@@ -2986,15 +2968,6 @@
 "SWIFT_CSCF_v2022_6.4"
 ]
 },
- {
- "policyDefinitionReferenceId": "3e596b57-105f-48a6-be97-03e9243bad6e",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "SWIFT_CSCF_v2022_6.4"
- ]
- },
 {
 "policyDefinitionReferenceId": "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
@@ -3841,6 +3814,8 @@
 }
 ],
 "versions": [
+ "2.8.0",
+ "2.7.0",
 "2.6.0",
 "2.5.0",
 "2.4.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFTv2020_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFTv2020_audit.json
index 30e198faf..5ee4b6e81 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFTv2020_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/SWIFTv2020_audit.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init.",
 "metadata": {
- "version": "6.3.0-preview",
+ "version": "6.4.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "6.3.0-preview",
+ "version": "6.4.0-preview",
 "parameters": {
 "IncludeArcMachines": {
 "type": "string",
@@ -187,12 +187,6 @@
 "definitionVersion": "1.*.*",
 "parameters": {}
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {}
- },
 {
 "policyDefinitionReferenceId": "DeprecatedAccountsShouldBeRemovedFromYourSubscription",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
@@ -375,12 +369,6 @@
 }
 }
 },
- {
- "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {}
- },
 {
 "policyDefinitionReferenceId": "VulnerabilitiesInSecurityConfigurationOnYourMachinesShouldBeRemediated",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -562,6 +550,7 @@
 }
 ],
 "versions": [
+ "6.4.0-PREVIEW",
 "6.3.0-PREVIEW",
 "6.2.0-PREVIEW",
 "6.1.0-PREVIEW"
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
index bce47c9b3..a796910dd 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address National Security Scheme (ENS) controls specifically for the 'CCN-STIC 884'. This policy set includes definitions that have a Deny effect by default.",
 "metadata": {
- "version": "1.3.0",
+ "version": "1.4.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "policyDefinitionGroups": [
 {
 "name": "org.1 Security policy",
@@ -14731,19 +14731,6 @@
 ],
 "definitionVersion": "4.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionReferenceId": "SystemUpdatesShouldBeInstalledOnYourMachines",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-EnableRelatedResourceAuditingByDefaultOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "mp.sw.2 Acceptance and commissioning"
- ],
- "definitionVersion": "4.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78fc35e-1268-0bca-a798-afcba9d2330a",
 "policyDefinitionReferenceId": "SelectAdditionalTestingForSecurityControlAssessments",
@@ -15215,6 +15202,7 @@
 }
 ],
 "versions": [
+ "1.4.0",
 "1.3.0",
 "1.2.0",
 "1.1.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_audit.json
index b276d9019..bdf38c70c 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_audit.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.",
 "metadata": {
- "version": "14.5.0-deprecated",
+ "version": "14.6.0-deprecated",
 "deprecated": true,
 "category": "Regulatory Compliance"
 },
- "version": "14.5.0",
+ "version": "14.6.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v1.0_1.1",
@@ -1133,15 +1133,6 @@
 "Azure_Security_Benchmark_v1.0_1.11"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "Azure_Security_Benchmark_v1.0_5.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "931e118d-50a1-4457-a5e4-78550e086c52",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52",
@@ -1349,15 +1340,6 @@
 "Azure_Security_Benchmark_v1.0_1.1"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "Azure_Security_Benchmark_v1.0_5.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "c43e4a30-77cb-48ab-a4dd-93f175c63b57",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
@@ -1704,6 +1686,7 @@
 }
 ],
 "versions": [
+ "14.6.0",
 "14.5.0",
 "14.4.0",
 "14.3.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
index 02c75727d..e2f3483d6 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/asb_v2.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative has been deprecated. The Azure Security Benchmark v2 policy set is now represented in the consolidated Azure Security Benchmark initiative, which also serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center",
 "metadata": {
- "version": "11.9.0-deprecated",
+ "version": "11.10.0-deprecated",
 "deprecated": true,
 "category": "Regulatory Compliance"
 },
- "version": "11.9.0",
+ "version": "11.10.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v2.0_NS-1",
@@ -2820,14 +2820,15 @@
 },
 "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba": {
@@ -5128,19 +5129,6 @@
 "Azure_Security_Benchmark_v2.0_PV-7"
 ]
 },
- {
- "policyDefinitionReferenceId": "systemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
- }
- },
- "groupNames": [
- "Azure_Security_Benchmark_v2.0_PV-7"
- ]
- },
 {
 "policyDefinitionReferenceId": "kubernetesServicesShouldBeUpgradedToANonVulnerableKubernetesVersion",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
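Review bot: `effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe` is kept as an initiative parameter in the hunk at -2820, but its only visible consumer, the `systemUpdatesOnVirtualMachineScaleSetsShouldBeInstalled` reference, is removed in the hunk at -5128 of the same file, so the parameter is now dangling and any value an existing assignment passes for it is silently ignored while its `description` still reads as if it controls an effect. Suggest saying so in the metadata, e.g. `"description": "Deprecated: retained only so existing assignments keep validating; the referenced definition is no longer part of this initiative and this value has no effect. For more information about effects, visit https://aka.ms/policyeffects"`. The same retained-but-unreferenced pattern recurs for `effect-86b3d65f-…` and `effect-c3f317a7-…` in nz_ism.json and for `vmssSystemUpdatesMonitoringEffect` / `systemUpdatesMonitoringEffect` in AzureSecurityCenter.json. Because group `Azure_Security_Benchmark_v2.0_PV-7` here (likewise PRS-5 in nz_ism.json and PV-6 in AzureSecurityCenter.json, and the corresponding groups in the regulatory sets earlier in this diff) loses its system-updates mapping, it would help to confirm in the commit message that a successor definition — presumably the one behind the `systemUpdatesV2MonitoringEffect` parameter visible in AzureSecurityCenter.json — is mapped to those groups, since a control with no mapped definition reports as empty rather than failing. The enclosing `parameters` object starts and ends outside the hunk.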
@@ -5299,6 +5287,7 @@
 }
 ],
 "versions": [
+ "11.10.0",
 "11.9.0",
 "11.8.0",
 "11.7.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
index b5a6048ba..b6be60053 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative.",
 "metadata": {
- "version": "11.10.0-deprecated",
+ "version": "11.11.0-deprecated",
 "category": "Regulatory Compliance",
 "deprecated": true
 },
- "version": "11.10.0",
+ "version": "11.11.0",
 "policyDefinitionGroups": [
 {
 "name": "NZISM_Security_Benchmark_v1.1_AC-1",
@@ -1198,14 +1198,15 @@
 },
 "effect-86b3d65f-7626-441e-b690-81a8b71cff60": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates should be installed on your machines",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e": {
@@ -1437,14 +1438,15 @@
 },
 "effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
- "description": "For more information about effects, visit https://aka.ms/policyeffects"
+ "description": "For more information about effects, visit https://aka.ms/policyeffects",
+ "deprecated": true
 }
 },
 "effect-cb510bfd-1cba-4d9f-a230-cb0976f4bb71": {
@@ -3378,19 +3380,6 @@
 "NZISM_Security_Benchmark_v1.1_SS-9"
 ]
 },
- {
- "policyDefinitionReferenceId": "86b3d65f-7626-441e-b690-81a8b71cff60",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-86b3d65f-7626-441e-b690-81a8b71cff60')]"
- }
- },
- "groupNames": [
- "NZISM_Security_Benchmark_v1.1_PRS-5"
- ]
- },
 {
 "policyDefinitionReferenceId": "931e118d-50a1-4457-a5e4-78550e086c52",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52",
@@ -3495,19 +3484,6 @@
 "NZISM_Security_Benchmark_v1.1_AC-2"
 ]
 },
- {
- "policyDefinitionReferenceId": "c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-c3f317a7-a95c-4547-b7e7-11017ebdf2fe')]"
- }
- },
- "groupNames": [
- "NZISM_Security_Benchmark_v1.1_PRS-5"
- ]
- },
 {
 "policyDefinitionReferenceId": "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
@@ -4650,6 +4626,7 @@
 }
 ],
 "versions": [
+ "11.11.0",
 "11.10.0",
 "11.9.0",
 "11.8.0",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/ukofficial_audit.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/ukofficial_audit.json
index a3d5f9a11..ec46a26e2 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/ukofficial_audit.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/ukofficial_audit.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/ukofficial-init and https://aka.ms/uknhs-init.",
 "metadata": {
- "version": "9.4.0",
+ "version": "9.5.0",
 "category": "Regulatory Compliance"
 },
- "version": "9.4.0",
+ "version": "9.5.0",
 "policyDefinitionGroups": [
 {
 "name": "UK_NCSC_CSP_1",
@@ -429,15 +429,6 @@
 "UK_NCSC_CSP_10"
 ]
 },
- {
- "policyDefinitionReferenceId": "PreviewMonitorMissingSystemUpdatesInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "parameters": {},
- "groupNames": [
- "UK_NCSC_CSP_5.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "PreviewMonitorOSVulnerabilitiesInAzureSecurityCenter",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
@@ -600,15 +591,6 @@
 "UK_NCSC_CSP_1"
 ]
 },
- {
- "policyDefinitionReferenceId": "AuditAnyMissingSystemUpdatesOnVirtualMachineScaleSetsInAzureSecurityCenter",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "parameters": {},
- "groupNames": [
- "UK_NCSC_CSP_5.2"
- ]
- },
 {
 "policyDefinitionReferenceId": "AuditSQLManagedInstancesWithoutAdvancedDataSecurity",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
@@ -720,6 +702,7 @@
 }
 ],
 "versions": [
+ "9.5.0",
 "9.4.0",
 "9.3.0",
 "9.2.0",
diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
index 6ee18d061..6e907da49 100644
--- a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "57.44.0",
+ "version": "57.45.0",
 "category": "Security Center"
 },
- "version": "57.44.0",
+ "version": "57.45.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -525,14 +525,15 @@
 },
 "vmssSystemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "System updates on virtual machine scale sets should be installed",
- "description": "Enable or disable virtual machine scale sets reporting of system updates"
+ "description": "Enable or disable virtual machine scale sets reporting of system updates",
+ "deprecated": true
 }
 },
 "vmssEndpointProtectionMonitoringEffect": {
@@ -563,14 +564,15 @@
 },
 "systemUpdatesMonitoringEffect": {
 "type": "string",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "AuditIfNotExists",
 "Disabled"
 ],
 "metadata": {
 "displayName": "System updates should be installed on your machines",
- "description": "Enable or disable reporting of system updates"
+ "description": "Enable or disable reporting of system updates",
+ "deprecated": true
 }
 },
 "systemUpdatesV2MonitoringEffect": {
@@ -5596,19 +5598,6 @@
 "Azure_Security_Benchmark_v3.0_DP-6"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
- "definitionVersion": "3.*.*",
- "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
- "parameters": {
- "effect": {
- "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "Azure_Security_Benchmark_v3.0_PV-6"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
 "definitionVersion": "1.*.*",
@@ -6006,19 +5995,6 @@
 "Azure_Security_Benchmark_v3.0_LT-3"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
- "definitionVersion": "4.*.*",
- "policyDefinitionReferenceId": "systemUpdatesMonitoring",
- "parameters": {
- "effect": {
- "value": "[parameters('systemUpdatesMonitoringEffect')]"
- }
- },
- "groupNames": [
- "Azure_Security_Benchmark_v3.0_PV-6"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b",
 "definitionVersion": "1.*.*-preview",
@@ -8635,6 +8611,7 @@
 }
 ],
 "versions": [
+ "57.45.0",
 "57.44.0",
 "57.43.0",
 "57.42.0",