Understand Azure Policy's Guest Configuration

Azure Policy can audit settings inside a machine in Azure. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as:

  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings

At this time, most Azure Policy Guest Configuration policies only audit settings inside the machine; they don't apply configurations. The exception is one built-in policy, referenced below.

Enable Guest Configuration

To audit the state of machines in your environment, including machines in Azure, review the following details.

Resource provider

Before you can use Guest Configuration, you must register the resource provider. The resource provider is registered automatically if a Guest Configuration policy is assigned through the portal. You can also register it manually through the portal, Azure PowerShell, or Azure CLI.

Deploy requirements for Azure virtual machines

To audit settings inside a machine, a virtual machine extension is enabled and the machine must have a system-assigned managed identity. The extension downloads the applicable policy assignments and the corresponding configuration definitions. The identity is used to authenticate the machine as it reads from and writes to the Guest Configuration service. The extension isn't required for Arc Connected Machines, because it's included in the Arc Connected Machine agent.

Important

The Guest Configuration extension and a managed identity are required to audit Azure virtual machines. To deploy the extension at scale, assign the following policy initiative:

Limits set on the extension

To limit the extension's impact on applications running inside the machine, Guest Configuration isn't allowed to exceed 5% of CPU. This limitation exists for both built-in and custom definitions. The same is true for the Guest Configuration service in the Arc Connected Machine agent.

Validation tools

Inside the machine, the Guest Configuration client uses local tools to run the audit.

The following table lists the local tools used on each supported operating system. For built-in content, Guest Configuration handles loading these tools automatically.

Operating system | Validation tool | Notes
Windows | PowerShell Desired State Configuration v2 | Side-loaded to a folder used only by Azure Policy. Won't conflict with Windows PowerShell DSC. PowerShell Core isn't added to the system path.
Linux | Chef InSpec | Installs Chef InSpec version 2.2.61 in the default location and adds it to the system path. Dependencies for the InSpec package, including Ruby and Python, are installed as well.

Validation frequency

The Guest Configuration client checks for new content every 5 minutes. Once a guest assignment is received, the settings for that configuration are rechecked on a 15-minute interval. Results are sent to the Guest Configuration resource provider when the audit completes. When a policy evaluation trigger occurs, the state of the machine is written to the Guest Configuration resource provider. This update causes Azure Policy to evaluate the Azure Resource Manager properties. An on-demand Azure Policy evaluation retrieves the latest value from the Guest Configuration resource provider; however, it doesn't trigger a new audit of the configuration within the machine.

Supported client types

Guest Configuration policies are inclusive of new operating system versions. Older versions of operating systems available in the Azure Marketplace are excluded if the Guest Configuration agent isn't compatible. The following table lists the supported operating systems on Azure images:

Publisher | Name | Versions
Canonical | Ubuntu Server | 14.04 and later
Credativ | Debian | 8 and later
Microsoft | Windows Server | 2012 and later
Microsoft | Windows Client | Windows 10
OpenLogic | CentOS | 7.3 and later
Red Hat | Red Hat Enterprise Linux | 7.4 - 7.8
Suse | SLES | 12 SP3 and later

Custom virtual machine images are supported by Guest Configuration policies as long as they run one of the operating systems in the table above.

Network requirements

Virtual machines in Azure can use their local network adapter to communicate with the Guest Configuration service.

Communicate over virtual networks in Azure

Virtual machines that use virtual networks for communication require outbound access to Azure datacenters on port 443.

Managed identity requirements

The policy definitions in the initiative Deploy prerequisites to enable Guest Configuration policies on virtual machines enable a system-assigned managed identity if one doesn't exist. Two policy definitions in the initiative manage identity creation. The IF conditions in those policy definitions ensure the correct behavior based on the current state of the machine resource in Azure.

If the machine doesn't currently have any managed identities, the effective policy is: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

If the machine currently has a user-assigned identity, the effective policy is: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity

Guest Configuration definition requirements

Each audit run by Guest Configuration requires two policy definitions: a DeployIfNotExists definition and an AuditIfNotExists definition. The DeployIfNotExists policy definitions manage the dependencies needed to perform audits on each machine.

The DeployIfNotExists policy definition validates and corrects the following items:

  • Validate that the machine has been assigned a configuration to evaluate. If no assignment is currently present, get the assignment and prepare the machine by:
    • Authenticating to the machine using a managed identity
    • Installing the latest version of the Microsoft.GuestConfiguration extension
    • Installing validation tools and dependencies, if needed

If the DeployIfNotExists assignment is Non-compliant, a remediation task can be used.

Once the DeployIfNotExists assignment is Compliant, the AuditIfNotExists policy assignment determines whether the guest assignment is Compliant or Non-compliant. The validation tool provides the results to the Guest Configuration client. The client forwards the results to the Guest Configuration extension, which makes them available through the Guest Configuration resource provider.

Azure Policy uses the Guest Configuration resource provider's complianceStatus property to report compliance in the Compliance node. For more information, see getting compliance data.

Note

The DeployIfNotExists policy is required for the AuditIfNotExists policy to return results. Without the DeployIfNotExists policy, the AuditIfNotExists policy shows "0 of 0" resources as its status.

All built-in policies for Guest Configuration are included in an initiative that groups the definitions for use in assignments. The built-in initiative named [Preview]: Audit Password security inside Linux and Windows machines contains 18 policies: six DeployIfNotExists and AuditIfNotExists pairs for Windows and three pairs for Linux. The policy definition logic validates that only the target operating system is evaluated.

Auditing operating system settings following industry baselines

One initiative in Azure Policy provides the ability to audit operating system settings against a "baseline". The definition [Preview]: Audit Windows VMs that do not match Azure security baseline settings includes a set of rules based on Active Directory Group Policy.

Most of the settings are available as parameters. Parameters allow you to customize what is audited: align the policy with your own requirements, or map it to third-party information such as industry regulatory standards.

Some parameters support an integer value range. For example, the Maximum Password Age setting can audit the effective Group Policy setting. A "1,70" range confirms that users are required to change their passwords at least every 70 days, but no more often than once a day.
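The following is an added illustration of how a "min,max" range parameter such as "1,70" can be evaluated against effective settings; it is not code from Azure Policy or the Guest Configuration client. The range syntax (two integers, inclusive) follows the page; the setting names, the MinimumPasswordLength parameter and the per-machine values are constructed sample data, and the Unknown status for an unreadable value is an assumption of this example.

```python
"""Evaluate integer-range policy parameters against effective machine settings.

Added example modelled on the "1,70" Maximum Password Age range described on the
page. Range parsing rejects malformed input (missing bound, non-integer, inverted
bounds) instead of silently passing, and a setting whose effective value could not
be read is reported as Unknown rather than Compliant.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class RangeParameter:
    """An inclusive integer range written as "min,max", e.g. "1,70"."""
    low: int
    high: int

    @classmethod
    def parse(cls, text: str) -> "RangeParameter":
        parts = [p.strip() for p in text.split(",")]
        if len(parts) != 2:
            raise ValueError(f"expected 'min,max', got {text!r}")
        try:
            low, high = (int(p) for p in parts)
        except ValueError as exc:
            raise ValueError(f"range bounds must be integers: {text!r}") from exc
        if low > high:
            raise ValueError(f"range minimum exceeds maximum: {text!r}")
        return cls(low, high)

    def contains(self, value: int) -> bool:
        return self.low <= value <= self.high


def evaluate(effective: Dict[str, Optional[int]], params: Dict[str, str]) -> Dict[str, str]:
    """Return 'Compliant', 'NonCompliant' or 'Unknown' per parameterised setting.

    `effective` maps a setting name to the value read from the machine (None when
    it could not be read); `params` maps the same names to "min,max" strings.
    """
    results: Dict[str, str] = {}
    for name, range_text in params.items():
        rng = RangeParameter.parse(range_text)   # fail fast on a bad assignment
        value = effective.get(name)
        if value is None:
            results[name] = "Unknown"
        else:
            results[name] = "Compliant" if rng.contains(value) else "NonCompliant"
    return results


# Constructed sample: effective Group Policy values as read from three machines.
SAMPLE_MACHINES: Dict[str, Dict[str, Optional[int]]] = {
    "vm-a": {"MaximumPasswordAge": 42, "MinimumPasswordLength": 14},
    "vm-b": {"MaximumPasswordAge": 90, "MinimumPasswordLength": 8},
    "vm-c": {"MaximumPasswordAge": None, "MinimumPasswordLength": 14},
}

# Constructed assignment parameters in the "min,max" form; MinimumPasswordLength
# is a hypothetical second parameter used only to show several settings at once.
SAMPLE_PARAMETERS = {"MaximumPasswordAge": "1,70", "MinimumPasswordLength": "14,128"}


def audit_all(machines=SAMPLE_MACHINES, params=SAMPLE_PARAMETERS) -> Dict[str, Dict[str, str]]:
    """Evaluate every sample machine against the sample parameters."""
    return {vm: evaluate(settings, params) for vm, settings in machines.items()}


if __name__ == "__main__":
    for vm, status in audit_all().items():
        print(vm, status)
```

Running the block prints vm-a as compliant on both settings, vm-b as non-compliant on both (90 days exceeds the 70-day maximum; a length of 8 is below the constructed minimum of 14), and vm-c as Unknown for the age it could not read. Rejecting an inverted range such as "70,1" at parse time matters because a quietly empty range would otherwise mark every machine non-compliant without explaining why.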

If you assign the policy using an Azure Resource Manager template (ARM template), use a parameters file to manage exceptions. Check the files in to a version control system such as Git. Comments on file changes then provide evidence of why an assignment is an exception to the expected value.

Applying configurations using Guest Configuration

The latest feature of Azure Policy configures settings inside machines. The definition Configure the time zone on Windows machines makes changes to the machine by configuring the time zone.

When assigning definitions that begin with Configure, you must also assign the definition Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. You can combine these definitions in an initiative if you choose.

Multiple assignments

Guest Configuration policies currently only support assigning the same Guest Assignment once per machine, even if the Policy assignment uses different parameters.

Client log files

The Guest Configuration extension writes log files to the following locations:

Windows: C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log

Linux: /var/lib/GuestConfig/gc_agent_logs/gc_agent.log

Where <version> refers to the current version number.

Collecting logs remotely

The first step in troubleshooting Guest Configuration configurations or modules should be to use the Test-GuestConfigurationPackage cmdlet, following the steps in how to create a custom Guest Configuration audit policy for Windows. If that isn't successful, collecting client logs can help diagnose issues.

Windows

To capture information from the log files using Azure VM Run Command, the following example PowerShell script can be helpful.

# Number of log lines to keep before and after each matching line
$linesToIncludeBeforeMatch = 0
$linesToIncludeAfterMatch = 10
$logPath = 'C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log'
# Find engine entries (case-sensitive) with trailing context, keep only the last 10 matches
Select-String -Path $logPath -Pattern 'DSCEngine','DSCManagedEngine' -CaseSensitive -Context $linesToIncludeBeforeMatch,$linesToIncludeAfterMatch | Select-Object -Last 10

Linux

To capture information from the log files using Azure VM Run Command, the following example Bash script can be helpful.

# Number of log lines to keep before and after each matching line
linesToIncludeBeforeMatch=0
linesToIncludeAfterMatch=10
logPath=/var/lib/GuestConfig/gc_agent_logs/gc_agent.log
# Find engine entries with trailing context; tail keeps the last 10 lines of output
grep -E -B "$linesToIncludeBeforeMatch" -A "$linesToIncludeAfterMatch" 'DSCEngine|DSCManagedEngine' "$logPath" | tail

Guest Configuration samples

Guest Configuration built-in policy samples are available in the following locations:

Next steps