Understand Azure Policy's Guest Configuration

Beyond auditing and remediating Azure resources, Azure Policy can audit settings inside a machine. The validation is performed by the Guest Configuration extension and client. The extension, through the client, validates settings such as:

  • The configuration of the operating system
  • Application configuration or presence
  • Environment settings

At this time, Azure Policy Guest Configuration only audits settings inside the machine. It doesn't apply configurations.

Extension and client

To audit settings inside a machine, a virtual machine extension is enabled. The extension downloads the applicable policy assignment and the corresponding configuration definition.

Limits set on the extension

To keep the extension from impacting applications running inside the machine, Guest Configuration isn't allowed to exceed 5% of CPU utilization. This limitation applies to both built-in and custom definitions.

Register the Guest Configuration resource provider

Before you can use Guest Configuration, you must register the resource provider. You can register through the portal or through PowerShell. The resource provider is registered automatically if a Guest Configuration policy is assigned through the portal.

Registration - Portal

To register the resource provider for Guest Configuration through the Azure portal, follow these steps:

  1. Launch the Azure portal and click All services. Search for and select Subscriptions.

  2. Find and click the subscription that you want to enable Guest Configuration for.

  3. In the left menu of the Subscription page, click Resource providers.

  4. Filter for or scroll until you locate Microsoft.GuestConfiguration, then click Register on the same row.

Registration - PowerShell

To register the resource provider for Guest Configuration through PowerShell, run the following command:

# Login first with Connect-AzAccount -EnvironmentName AzureChinaCloud command
Register-AzResourceProvider -ProviderNamespace 'Microsoft.GuestConfiguration'

Validation tools

Inside the machine, the Guest Configuration client uses local tools to run the audit.

The following table lists the local tools used on each supported operating system:

Operating system | Validation tool                                   | Notes
Windows          | Windows PowerShell Desired State Configuration v2 |
Linux            | Chef InSpec                                       | Ruby and Python are installed by the Guest Configuration extension.

Validation frequency

The Guest Configuration client checks for new content every 5 minutes. Once a guest assignment is received, the settings are checked on a 15-minute interval. Results are sent to the Guest Configuration resource provider as soon as the audit completes. When a policy evaluation trigger occurs, the state of the machine is written to the Guest Configuration resource provider. This update causes Azure Policy to evaluate the Azure Resource Manager properties. An on-demand Azure Policy evaluation retrieves the latest value from the Guest Configuration resource provider. However, it doesn't trigger a new audit of the configuration within the machine.

Supported client types

The following table lists the supported operating systems on Azure images:

Publisher | Name                     | Versions
Canonical | Ubuntu Server            | 14.04, 16.04, 18.04
Credativ  | Debian                   | 8, 9
Microsoft | Windows Server           | 2012 Datacenter, 2012 R2 Datacenter, 2016 Datacenter, 2019 Datacenter
Microsoft | Windows Client           | Windows 10
OpenLogic | CentOS                   | 7.3, 7.4, 7.5
Red Hat   | Red Hat Enterprise Linux | 7.4, 7.5
Suse      | SLES                     | 12 SP3

Important

Guest Configuration can audit nodes running a supported OS. If you would like to audit virtual machines that use a custom image, you need to duplicate the DeployIfNotExists definition and modify the If section to include your image properties.

Unsupported client types

Windows Server Nano Server isn't supported in any version.

Guest Configuration extension network requirements

To communicate with the Guest Configuration resource provider in Azure, machines require outbound access to Azure datacenters on port 443. If you're using a private virtual network in Azure that doesn't allow outbound traffic, configure exceptions with Network Security Group rules. A service tag doesn't currently exist for Azure Policy Guest Configuration.

For IP address lists, you can download Microsoft Azure Datacenter IP Ranges. This file is updated weekly, and has the currently deployed ranges and any upcoming changes to the IP ranges. You only need to allow outbound access to the IPs in the regions where your VMs are deployed.

Note

The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges. An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week. It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
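As an added example (not code from this page or from Microsoft's tooling), the following Python script shows how the weekly XML file can be reduced to the regions where your VMs run and turned into the outbound port-443 Network Security Group rules described above. The embedded XML is a constructed sample in the file's `<AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="..."/>` layout; the region names and subnets are made up, and the rule dictionaries are a plain representation of the NSG rule fields rather than an Az module call.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the Azure Datacenter IP Ranges XML download.
# Region names and subnets are made up for this example.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="chinaeast">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="chinanorth">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""


def load_ranges(xml_text):
    """Return {region_name: [subnet, ...]} parsed from the datacenter IP XML."""
    root = ET.fromstring(xml_text)
    ranges = {}
    for region in root.iter("Region"):
        subnets = [r.get("Subnet") for r in region.iter("IpRange")]
        # Validate every prefix so a malformed file cannot become a bad NSG rule.
        ranges[region.get("Name")] = [str(ipaddress.ip_network(s)) for s in subnets]
    return ranges


def outbound_443_rules(xml_text, regions, start_priority=100):
    """Build one outbound TCP/443 allow rule per region the VMs are deployed in.

    Only the listed regions are allowed, matching the guidance that outbound
    access is needed just for the regions hosting your VMs."""
    ranges = load_ranges(xml_text)
    rules = []
    for i, region in enumerate(regions):
        if region not in ranges:
            raise KeyError(f"region {region!r} not present in the IP range file")
        rules.append({
            "name": f"Allow-GuestConfig-{region}",
            "priority": start_priority + i,
            "direction": "Outbound",
            "access": "Allow",
            "protocol": "Tcp",
            "destinationPortRange": "443",
            "destinationAddressPrefixes": ranges[region],
        })
    return rules


if __name__ == "__main__":
    for rule in outbound_443_rules(SAMPLE_XML, ["chinaeast"]):
        print(rule)
```

Re-run the script against each week's download so the rules track the upcoming ranges before the datacenters start using them.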

Guest Configuration definition requirements

Each audit run by Guest Configuration requires two policy definitions: a DeployIfNotExists definition and an AuditIfNotExists definition. The DeployIfNotExists definition is used to prepare the machine with the Guest Configuration agent and other components to support the validation tools.

The DeployIfNotExists policy definition validates and corrects the following items:

  • Validate that the machine has been assigned a configuration to evaluate. If no assignment is currently present, get the assignment and prepare the machine by:
    • Authenticating to the machine using a managed identity
    • Installing the latest version of the Microsoft.GuestConfiguration extension
    • Installing validation tools and dependencies, if needed

If the DeployIfNotExists assignment is Non-compliant, a remediation task can be used.

Once the DeployIfNotExists assignment is Compliant, the AuditIfNotExists policy assignment uses the local validation tools to determine whether the configuration assignment is Compliant or Non-compliant. The validation tool provides the results to the Guest Configuration client. The client forwards the results to the Guest Extension, which makes them available through the Guest Configuration resource provider.

Azure Policy uses the Guest Configuration resource provider's complianceStatus property to report compliance in the Compliance node. For more information, see Getting compliance data.

Note

The DeployIfNotExists policy is required for the AuditIfNotExists policy to return results. Without the DeployIfNotExists policy, the AuditIfNotExists policy shows "0 of 0" resources as its status.

All built-in policies for Guest Configuration are included in an initiative that groups the definitions for use in assignments. The built-in initiative named [Preview]: Audit Password security settings inside Linux and Windows machines contains 18 policies. There are six DeployIfNotExists and AuditIfNotExists pairs for Windows and three pairs for Linux. The policy definition logic validates that only the target operating system is evaluated.

Auditing operating system settings following industry baselines

One of the initiatives available in Azure Policy provides the ability to audit operating system settings inside virtual machines following a "baseline" from Microsoft. The definition [Preview]: Audit Windows VMs that do not match Azure security baseline settings includes a complete set of audit rules based on settings from Active Directory Group Policy.

Most of the settings are available as parameters. This functionality allows you to customize what is audited to align the policy with your organizational requirements, or to map the policy to third-party information such as industry regulatory standards.

Some parameters support an integer value range. For example, the Maximum Password Age parameter can be set using a range operator to give flexibility to machine owners. You could audit that the effective Group Policy setting requiring users to change their passwords should be no more than 70 days, but shouldn't be less than one day. As described in the info bubble for the parameter, to make this business policy the effective audit value, set the value to "1,70".

If you assign the policy using an Azure Resource Manager deployment template, you can use a parameters file to manage these settings from source control. Using a tool such as Git to manage changes to audit policies, with comments at each check-in, documents the evidence for why an assignment should be an exception to the expected value.

Applying configurations using Guest Configuration

The latest feature of Azure Policy configures settings inside machines. The definition Configure the time zone on Windows machines makes changes to the machine by configuring the time zone.

When assigning definitions that begin with Configure, you must also assign the definition Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. You can combine these definitions in an initiative if you choose.

Multiple assignments

Guest Configuration policies currently only support assigning the same guest assignment once per machine, even if the policy assignment uses different parameters.

Built-in resource modules

When the Guest Configuration extension is installed, the 'GuestConfiguration' PowerShell module is included with the latest version of the DSC resource modules. This module can be downloaded from the PowerShell Gallery by using the 'Manual Download' link on the GuestConfiguration module page. The '.nupkg' file can be renamed to '.zip' to uncompress and review it.

Client log files

The Guest Configuration extension writes log files to the following locations:

Windows: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\<version>\dsc\logs\dsc.log

Linux: /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-<version>/GCAgent/logs/dsc.log

Where <version> refers to the current version number.

Collecting logs remotely

The first step in troubleshooting Guest Configuration configurations or modules should be to use the Test-GuestConfigurationPackage cmdlet, following the steps in Test a Guest Configuration package. If that isn't successful, collecting client logs can help diagnose issues.

Windows

To use the Azure VM Run Command capability to capture information from log files on Windows machines, the following example PowerShell script can be helpful. For more information, see Run PowerShell scripts in your Windows VM with Run Command.

$linesToIncludeBeforeMatch = 0
$linesToIncludeAfterMatch = 10
# Pick the highest installed extension version. Sorting the folder names as [version]
# avoids lexicographic mistakes such as 1.9 being ranked above 1.10.
$latestVersion = Get-ChildItem -Path 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' -Directory |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
# Return the last 10 engine log entries, each with 10 lines of trailing context
Select-String -Path "$latestVersion\dsc\logs\dsc.log" -Pattern 'DSCEngine','DSCManagedEngine' -CaseSensitive -Context $linesToIncludeBeforeMatch,$linesToIncludeAfterMatch | Select-Object -Last 10

Linux

To use the Azure VM Run Command capability to capture information from log files on Linux machines, the following example Bash script can be helpful. For more information, see Run shell scripts in your Linux VM with Run Command.

linesToIncludeBeforeMatch=0
linesToIncludeAfterMatch=10
# Pick the highest installed extension version directory. -maxdepth must come before
# the other find tests, and sort -V orders version numbers numerically so the newest
# directory is the last line (the original sort -z | sed -n 1p did not select it).
latestVersion=$(find /var/lib/waagent/ -maxdepth 1 -type d -name "Microsoft.GuestConfiguration.ConfigurationforLinux-*" -print | sort -V | tail -n 1)
# Show engine log entries with trailing context; tail keeps the last 10 lines
grep -E -B "$linesToIncludeBeforeMatch" -A "$linesToIncludeAfterMatch" 'DSCEngine|DSCManagedEngine' "$latestVersion/GCAgent/logs/dsc.log" | tail

Guest Configuration samples

Samples for Policy Guest Configuration are available in the following locations:

Next steps