Determine causes of non-compliance

When an Azure resource is determined to be non-compliant to a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource's non-compliance

Important

As the compliance details for a non-compliant resource show the current value of properties on that resource, the user must have the read operation for that resource type. For example, if the non-compliant resource is Microsoft.Compute/virtualMachines, the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy whose compliance state is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, right-click or select the ellipsis of a resource whose compliance state is Non-compliant. Then select View compliance details.

    [Screenshot: View compliance details option]

  4. The Compliance details pane displays information from the latest evaluation of the resource against the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    [Screenshot: Compliance details pane and reasons for non-compliance]

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see the auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
        "if": {
            "field": "type",
            "equals": "[parameters('resourceType')]"
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/metricAlerts",
                "existenceCondition": {
                    "field": "name",
                    "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                },
                "existenceScope": "subscription",
                "deployment": {
                    ...
                }
            }
        }
    }
    

    [Screenshot: Compliance details pane for *ifNotExists]

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant.

Compliance reasons

The following matrix maps each possible reason to the responsible condition in the policy definition:

Reason                                                                  Condition
------                                                                  ---------
Current value must contain the target value as a key.                   containsKey or not notContainsKey
Current value must contain the target value.                            contains or not notContains
Current value must be equal to the target value.                        equals or not notEquals
Current value must be less than the target value.                       less or not greaterOrEquals
Current value must be greater than or equal to the target value.        greaterOrEquals or not less
Current value must be greater than the target value.                    greater or not lessOrEquals
Current value must be less than or equal to the target value.           lessOrEquals or not greater
Current value must exist.                                               exists
Current value must be in the target value.                              in or not notIn
Current value must be like the target value.                            like or not notLike
Current value must case-sensitive match the target value.               match or not notMatch
Current value must case-insensitive match the target value.             matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key.               notContainsKey or not containsKey
Current value must not contain the target value.                        notContains or not contains
Current value must not be equal to the target value.                    notEquals or not equals
Current value must not exist.                                           not exists
Current value must not be in the target value.                          notIn or not in
Current value must not be like the target value.                        notLike or not like
Current value must not case-sensitive match the target value.           notMatch or not match
Current value must not case-insensitive match the target value.         notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition. A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.
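The compliance details pane (the 12.0 versus 14.0 example above) and the matrix describe how a failing condition turns into a reason phrase. As an added example, not Microsoft's code and not any built-in policy, the following Python script evaluates a policy condition tree offline against a resource's field values and returns every leaf condition that does not hold, with the reason phrase the matrix gives for that operator, including the "not" cases (for example a `not` wrapped around `notIn` produces the `in` phrase). It is a triage aid rather than Azure's evaluation engine: it assumes the field values are supplied already looked up by alias (no alias resolution, `parameters()`/`field()` template functions or count expressions), treats every comparison except `match` as case-insensitive, and treats a missing field as failing positive operators and satisfying `not` operators. The resource values, the `minimalTlsVersion` field name and the condition inside `demo()` are constructed for the example.

```python
"""Offline evaluator for Azure Policy condition trees. Added example, not
Microsoft's code. Assumptions: field values are supplied already looked up by
alias (no alias resolution, template functions or count expressions); every
comparison except match is case-insensitive; a missing field fails every
positive operator and satisfies every "not" operator."""
import re

# Reason wording per base operator (from the matrix above); "not..." operators
# and a surrounding "not" produce the "must not" form.
_PHRASE = {
    "containsKey": "contain the target value as a key", "contains": "contain the target value",
    "equals": "be equal to the target value", "in": "be in the target value",
    "less": "be less than the target value", "lessOrEquals": "be less than or equal to the target value",
    "greater": "be greater than the target value", "greaterOrEquals": "be greater than or equal to the target value",
    "exists": "exist", "like": "be like the target value",
    "match": "case-sensitive match the target value", "matchInsensitively": "case-insensitive match the target value",
}
OPPOSITE = {}  # operator -> the operator a surrounding "not" turns it into
for _a, _b in [("equals", "notEquals"), ("contains", "notContains"), ("containsKey", "notContainsKey"),
               ("in", "notIn"), ("like", "notLike"), ("match", "notMatch"), ("exists", "notExists"),
               ("matchInsensitively", "notMatchInsensitively"), ("less", "greaterOrEquals"),
               ("greater", "lessOrEquals")]:
    OPPOSITE[_a], OPPOSITE[_b] = _b, _a

def _base(op):
    return op[3].lower() + op[4:] if op.startswith("not") else op

def reason(key):
    neg = key.startswith("not")
    return f"Current value must {'not ' if neg else ''}{_PHRASE[_base(key)]}."

def _norm(v):
    return v.lower() if isinstance(v, str) else v

def _like(value, pattern):
    # "*" is the only wildcard in like/notLike; everything else is literal.
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def _match(value, pattern, insensitive):
    # match: "#" one digit, "?" one letter, "." any one character, rest literal.
    rx = "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if insensitive else 0) is not None

def _positive_holds(op, value, target):
    if op == "equals":
        return _norm(value) == _norm(target)
    if op == "contains":
        return _norm(target) in (_norm(value) if isinstance(value, str) else [_norm(x) for x in (value or [])])
    if op == "containsKey":
        return isinstance(value, dict) and _norm(target) in [_norm(k) for k in value]
    if op == "in":
        return _norm(value) in [_norm(t) for t in target]
    if op == "like":
        return _like(str(value), target)
    if op in ("match", "matchInsensitively"):
        return _match(str(value), target, op == "matchInsensitively")
    try:  # less / lessOrEquals / greater / greaterOrEquals compare numerically
        a, b = float(value), float(target)
    except (TypeError, ValueError):
        return False
    return {"less": a < b, "lessOrEquals": a <= b, "greater": a > b, "greaterOrEquals": a >= b}[op]

def _leaf(cond, fields, negated):
    field = cond["field"]
    op = next(k for k in cond if k != "field")
    target, present, value = cond[op], field in fields, fields.get(field)
    if op == "exists":  # written as exists: "true" / "false"
        want = str(target).lower() == "true"
        raw, key = present == want, ("exists" if want else "notExists")
    elif op.startswith("not"):
        raw, key = (not present) or not _positive_holds(_base(op), value, target), op
    else:
        raw, key = present and _positive_holds(op, value, target), op
    return raw != negated, (field, value, reason(OPPOSITE[key] if negated else key))

def check_condition(cond, fields, negated=False, failures=None):
    """Return (holds, failures); failures lists (field, current value, reason) per failing leaf."""
    failures = [] if failures is None else failures
    if "not" in cond:
        return check_condition(cond["not"], fields, not negated, failures)[0], failures
    for key in ("allOf", "anyOf"):
        if key in cond:
            results = [check_condition(c, fields, negated, failures)[0] for c in cond[key]]
            want_all = (key == "allOf") != negated  # De Morgan under "not"
            return (all(results) if want_all else any(results)), failures
    holds, detail = _leaf(cond, fields, negated)
    if not holds:
        failures.append(detail)
    return holds, failures

def demo():
    # Constructed field values and condition (not from any real assignment);
    # the version-must-equal-14.0 leaf mirrors the example on this page.
    fields = {"type": "Microsoft.Sql/servers", "name": "sql-prod-01", "location": "eastus",
              "Microsoft.Sql/servers/version": "12.0", "tags": {"env": "prod"},
              "Microsoft.Sql/servers/minimalTlsVersion": "1.0"}
    condition = {"allOf": [
        {"field": "type", "equals": "Microsoft.Sql/servers"},
        {"field": "Microsoft.Sql/servers/version", "equals": "14.0"},
        {"field": "Microsoft.Sql/servers/minimalTlsVersion", "greaterOrEquals": "1.2"},
        {"not": {"field": "location", "notIn": ["eastus", "westus"]}},
        {"field": "tags", "containsKey": "env"},
        {"field": "name", "like": "sql-*"},
        {"field": "name", "match": "???-????-##"},
    ]}
    return check_condition(condition, fields)
```

Calling demo() returns holds = False with two failures: the version leaf (current 12.0, "Current value must be equal to the target value.") and the TLS leaf ("Current value must be greater than or equal to the target value."); the location leaf holds because the surrounding `not` flips `notIn`, which is the "in or not notIn" row of the matrix. Failures are collected for every leaf that did not hold, so under an `anyOf` that holds overall the list can still be non-empty; read it together with the returned holds value.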

Compliance details for Guest Configuration

For auditIfNotExists policies in the Guest Configuration category, there could be multiple settings evaluated inside the VM, and you'll need to view per-setting details. For example, if you're auditing a list of password policies and only one of them has the status Non-compliant, you'll need to know which specific password policy is out of compliance and why.

You also might not have access to sign in to the VM directly, but you need to report on why the VM is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane, click the Last evaluated resource link.

[Screenshot: View auditIfNotExists definition details]

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. The Reason column shows a phrase describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

[Screenshot: View compliance details]

Azure PowerShell

You can also view compliance details from Azure PowerShell. First, make sure you have the Guest Configuration module installed.

Install-Module Az.GuestConfiguration

You can view the current status of all Guest Assignments for a VM using the following command:

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname>
PolicyDisplayName                                                         ComplianceReasons
-----------------                                                         -----------------
Audit that an application is installed inside Windows VMs                 {[InstalledApplication]bwhitelistedapp}
Audit that an application is not installed inside Windows VMs.            {[InstalledApplication]NotInstalledApplica...

To view only the reason phrase that describes why the VM is Non-compliant, return only the Reason child property:

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname> | % ComplianceReasons | % Reasons | % Reason
The following applications are not installed: '<name>'.

You can also output a compliance history for the Guest Assignments in scope for the machine. The output from this command includes the details of each report for the VM.

Note

The output may return a large volume of data. It's recommended to store the output in a variable.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname>
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
[Preview]: Audit that an application is installed inside Windows VMs      NonCompliant                       02/10/2019 12:00:38 PM 02/10/2019 12:00:41 PM VM01  ../17fg0...
<truncated>

To simplify this view, use the ShowChanged parameter. The output from this command only includes the reports that followed a change in compliance status.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname> -ShowChanged
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/10/2019 10:00:38 PM 02/10/2019 10:00:41 PM VM01  ../12ab0...
Audit that an application is installed inside Windows VMs.                Compliant                          02/09/2019 11:00:38 AM 02/09/2019 11:00:39 AM VM01  ../e3665...
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/09/2019 09:00:20 AM 02/09/2019 09:00:23 AM VM01  ../15ze1...

Next steps