Determine causes of non-compliance

When an Azure resource is determined to be non-compliant with a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource non-compliance

Important

As the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have the read operation for that resource type. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines, the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, right-click or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

    (Screenshot: View compliance details option)

  4. The Compliance details pane displays information from the latest evaluation of the resource against the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    (Screenshot: Compliance details pane and non-compliance reasons)

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
        "if": {
            "field": "type",
            "equals": "[parameters('resourceType')]"
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/metricAlerts",
                "existenceCondition": {
                    "field": "name",
                    "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                },
                "existenceScope": "subscription",
                "deployment": {
                    ...
                }
            }
        }
    }
    

    (Screenshot: Compliance details pane - *ifNotExists)

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant.

Compliance reasons

The following matrix maps each possible reason to the responsible condition in the policy definition:

Reason                                                                    Condition
------                                                                    ---------
Current value must contain the target value as a key.                     containsKey or not notContainsKey
Current value must contain the target value.                              contains or not notContains
Current value must be equal to the target value.                          equals or not notEquals
Current value must be less than the target value.                         less or not greaterOrEquals
Current value must be greater than or equal to the target value.          greaterOrEquals or not less
Current value must be greater than the target value.                      greater or not lessOrEquals
Current value must be less than or equal to the target value.             lessOrEquals or not greater
Current value must exist.                                                 exists
Current value must be in the target value.                                in or not notIn
Current value must be like the target value.                              like or not notLike
Current value must case-sensitive match the target value.                 match or not notMatch
Current value must case-insensitive match the target value.               matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key.                 notContainsKey or not containsKey
Current value must not contain the target value.                          notContains or not contains
Current value must not be equal to the target value.                      notEquals or not equals
Current value must not exist.                                             not exists
Current value must not be in the target value.                            notIn or not in
Current value must not be like the target value.                          notLike or not like
Current value must not case-sensitive match the target value.             notMatch or not match
Current value must not case-insensitive match the target value.           notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition.   A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.
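As an added example that is not part of the original article, the same evaluation details the portal shows in the Compliance details pane (a field's path, current value and expected value) can be pulled for a whole resource group and mapped to the reason phrases in the matrix above. It assumes the Az.PolicyInsights cmdlet Get-AzPolicyState with -Expand PolicyEvaluationDetails, whose EvaluatedExpressions entries carry Result, Path, Operator, ExpressionValue and TargetValue; those names are not on this page, so check them against your module version.

```powershell
# Added example, not from the original article: list each failed condition of the
# non-compliant resources in a resource group and map its operator to the matrix.
# Assumption: Az.PolicyInsights Get-AzPolicyState -Expand PolicyEvaluationDetails
# exposes EvaluatedExpressions with Result, Path, Operator, ExpressionValue and
# TargetValue (these names are not on this page; verify on your module version).
param([Parameter(Mandatory)] [string] $ResourceGroupName)

# Operator -> reason phrase from the matrix. A failed operator wrapped in a policy
# "not", or "exists" with a false target value, reads as the paired row instead.
$reasonByOperator = @{
    'containsKey'           = 'Current value must contain the target value as a key.'
    'contains'              = 'Current value must contain the target value.'
    'equals'                = 'Current value must be equal to the target value.'
    'less'                  = 'Current value must be less than the target value.'
    'greaterOrEquals'       = 'Current value must be greater than or equal to the target value.'
    'greater'               = 'Current value must be greater than the target value.'
    'lessOrEquals'          = 'Current value must be less than or equal to the target value.'
    'exists'                = 'Current value must exist.'
    'in'                    = 'Current value must be in the target value.'
    'like'                  = 'Current value must be like the target value.'
    'match'                 = 'Current value must case-sensitive match the target value.'
    'matchInsensitively'    = 'Current value must case-insensitive match the target value.'
    'notContainsKey'        = 'Current value must not contain the target value as a key.'
    'notContains'           = 'Current value must not contain the target value.'
    'notEquals'             = 'Current value must not be equal to the target value.'
    'notIn'                 = 'Current value must not be in the target value.'
    'notLike'               = 'Current value must not be like the target value.'
    'notMatch'              = 'Current value must not case-sensitive match the target value.'
    'notMatchInsensitively' = 'Current value must not case-insensitive match the target value.'
}

$states = Get-AzPolicyState -ResourceGroupName $ResourceGroupName `
    -Filter "ComplianceState eq 'NonCompliant'" -Expand 'PolicyEvaluationDetails'

foreach ($state in $states) {
    foreach ($expr in $state.PolicyEvaluationDetails.EvaluatedExpressions) {
        # Result may arrive as a string or a boolean; stringify so both compare alike.
        if ("$($expr.Result)" -ne 'False') { continue }   # keep failed conditions only
        $op = [string]$expr.Operator
        $reason = if ($reasonByOperator.ContainsKey($op)) { $reasonByOperator[$op] } else { "Operator '$op' is not in the matrix" }
        [pscustomobject]@{
            ResourceId   = $state.ResourceId
            Path         = $expr.Path              # e.g. Microsoft.Sql/servers/version
            CurrentValue = $expr.ExpressionValue   # e.g. 12.0
            TargetValue  = $expr.TargetValue       # e.g. 14.0
            Reason       = $reason
        }
    }
}
```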

Compliance details for Guest Configuration

For auditIfNotExists policies in the Guest Configuration category, there could be multiple settings evaluated inside the VM, and you'll need to view per-setting details. For example, if you're auditing for a list of password policies and only one of them has the status Non-compliant, you'll need to know which specific password policies are out of compliance and why.

You also might not have access to sign in to the VM directly, but you need to report on why the VM is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, select the link Last evaluated resource.

(Screenshot: View auditIfNotExists definition details)

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase is shown describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

(Screenshot: View compliance details)

Azure PowerShell

You can also view compliance details from Azure PowerShell. First, make sure you have the Guest Configuration module installed.

Install-Module Az.GuestConfiguration

You can view the current status of all Guest Assignments for a VM using the following command:

Get-AzVMGuestPolicyStatus -ResourceGroupName <resourcegroupname> -VMName <vmname>
PolicyDisplayName                                                         ComplianceReasons
-----------------                                                         -----------------
Audit that an application is installed inside Windows VMs                 {[InstalledApplication]bwhitelistedapp}
Audit that an application is not installed inside Windows VMs.            {[InstalledApplication]NotInstalledApplica...

To view only the reason phrase that describes why the VM is Non-compliant, return only the Reason child property.

Get-AzVMGuestPolicyStatus -ResourceGroupName <resourcegroupname> -VMName <vmname> | % ComplianceReasons | % Reasons | % Reason
The following applications are not installed: '<name>'.

You can also output a compliance history for Guest Assignments in scope for the machine. The output from this command includes the details of each report for the VM.

Note

The output may return a large volume of data. It's recommended to store the output in a variable.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname>
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
[Preview]: Audit that an application is installed inside Windows VMs      NonCompliant                       02/10/2019 12:00:38 PM 02/10/2019 12:00:41 PM VM01  ../17fg0...
<truncated>

To simplify this view, use the ShowChanged parameter. The output from this command only includes the reports that followed a change in compliance status.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname> -ShowChanged
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/10/2019 10:00:38 PM 02/10/2019 10:00:41 PM VM01  ../12ab0...
Audit that an application is installed inside Windows VMs.                Compliant                          02/09/2019 11:00:38 AM 02/09/2019 11:00:39 AM VM01  ../e3665...
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/09/2019 09:00:20 AM 02/09/2019 09:00:23 AM VM01  ../15ze1...
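As an added example that is not part of the original article, the following script ties the two cmdlets above together for a VM you cannot sign in to: it lists each non-compliant Guest Configuration assignment with its reason phrases and the time its compliance status last changed. It assumes only the cmdlets and properties already shown on this page (PolicyDisplayName, ComplianceReasons.Reasons.Reason, ComplianceStatus, StartTime); the parameter names are placeholders.

```powershell
# Added example, not from the original article: report why a VM is non-compliant
# with its Guest Configuration assignments without signing in to it. Uses only the
# Az.GuestConfiguration cmdlets and properties shown above; $ResourceGroupName
# and $VMName are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMName
)

# Current state of every guest assignment on the VM.
$status = Get-AzVMGuestPolicyStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

# Only the reports that followed a change in compliance status, so the newest
# entry per policy tells us when the state last flipped.
$changes = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName $ResourceGroupName `
    -VMName $VMName -ShowChanged

foreach ($assignment in $status) {
    # Flatten ComplianceReasons -> Reasons -> Reason into plain phrases, as the
    # one-liner above does. Assumes compliant assignments report no phrases.
    $reasons = @($assignment.ComplianceReasons | ForEach-Object Reasons | ForEach-Object Reason)
    if ($reasons.Count -eq 0) { continue }

    # Newest change record for this policy (assumes StartTime is a DateTime).
    # In default, non-strict mode, member access on $null yields $null when the
    # history holds no entry for this policy.
    $lastChange = $changes |
        Where-Object { $_.PolicyDisplayName -eq $assignment.PolicyDisplayName } |
        Sort-Object StartTime -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        VMName            = $VMName
        PolicyDisplayName = $assignment.PolicyDisplayName
        LastStatusChange  = $lastChange.StartTime
        StatusAfterChange = $lastChange.ComplianceStatus
        Reasons           = $reasons -join '; '
    }
}
```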

Next steps