How to create Guest Configuration policies for Linux

Before creating custom policies, read the overview information at Azure Policy Guest Configuration.

To learn about creating Guest Configuration policies for Windows, see the page How to create Guest Configuration policies for Windows.

When auditing Linux, Guest Configuration uses Chef InSpec. The InSpec profile defines the condition that the machine should be in. If the evaluation of the configuration fails, the policy effect auditIfNotExists is triggered and the machine is considered non-compliant.

Azure Policy Guest Configuration can only be used to audit settings inside machines. Remediation of settings inside machines isn't yet available.

Use the following actions to create your own configuration for validating the state of an Azure or non-Azure machine.

Custom policies with Guest Configuration are a Preview feature.

The Guest Configuration extension is required to perform audits in Azure virtual machines. To deploy the extension at scale across all Linux machines, assign the following policy definition:

Install the PowerShell module

The Guest Configuration module automates the process of creating custom content, including:

  • Creating a Guest Configuration content artifact (.zip)
  • Automated testing of the artifact
  • Creating a policy definition
  • Publishing the policy

The module can be installed on a machine running Windows, macOS, or Linux with PowerShell 6.2 or later, or with the Azure PowerShell Core Docker image.

Compilation of configurations isn't supported on Linux.

Base requirements

Operating systems where the module can be installed:

  • Linux
  • macOS
  • Windows

The cmdlet Test-GuestConfigurationPackage requires OpenSSL version 1.0, due to a dependency on OMI. This causes an error on any environment with OpenSSL 1.1 or later.

The Guest Configuration resource module requires the following software:

  • PowerShell 6.2 or later. If it isn't yet installed, follow these instructions.
  • Azure PowerShell 1.5.0 or higher. If it isn't yet installed, follow these instructions.
    • Only the Az modules 'Az.Accounts' and 'Az.Resources' are required.

Install the module

To install the GuestConfiguration module in PowerShell:

  1. From a PowerShell prompt, run the following command:

    # Install the Guest Configuration DSC resource module from PowerShell Gallery
    Install-Module -Name GuestConfiguration
  2. Validate that the module has been imported:

    # Get a list of commands for the imported GuestConfiguration module
    Get-Command -Module 'GuestConfiguration'

Guest Configuration artifacts and policy for Linux

Even in Linux environments, Guest Configuration uses Desired State Configuration as a language abstraction. The implementation is based on native code (C++), so it doesn't require loading PowerShell. However, it does require a configuration MOF describing details about the environment. DSC acts as a wrapper for InSpec to standardize how it's executed, how parameters are provided, and how output is returned to the service. Little knowledge of DSC is required when working with custom InSpec content.

Configuration requirements

The name of the custom configuration must be consistent everywhere. The name of the .zip file for the content package, the configuration name in the MOF file, and the guest assignment name in the Azure Resource Manager template (ARM template) must all be the same.

Custom Guest Configuration configuration on Linux

Guest Configuration on Linux uses the ChefInSpecResource resource to provide the engine with the name of the InSpec profile. Name is the only required resource property. Create a YAML file and a Ruby script file, as detailed below.

First, create the YAML file used by InSpec. The file provides basic information about the environment. An example is given below:

name: linux-path
title: Linux path
maintainer: Test
summary: Test profile
license: MIT
version: 1.0.0
supports:
    - os-family: unix

Save this file with the name inspec.yml to a folder named linux-path in your project directory.

Next, create the Ruby file with the InSpec language abstraction used to audit the machine.

# InSpec control: the audit passes only when the path exists on the machine
describe file('/tmp') do
    it { should exist }
end

Save this file with the name linux-path.rb in a new folder named controls inside the linux-path directory.

Finally, create a configuration, import the PSDesiredStateConfiguration resource module, and compile the configuration.

# Define the configuration and import GuestConfiguration
Configuration AuditFilePathExists
{
    Import-DscResource -ModuleName 'GuestConfiguration'

    Node AuditFilePathExists
    {
        ChefInSpecResource 'Audit Linux path exists'
        {
            # Name of the InSpec profile folder (the only required property)
            Name = 'linux-path'
        }
    }
}

# Compile the configuration to create the MOF files
Import-Module PSDesiredStateConfiguration
AuditFilePathExists -Out ./Config

Save this file with the name config.ps1 in the project folder. Run it in PowerShell by executing ./config.ps1 in the terminal. A new .mof file will be created.

The Node AuditFilePathExists command isn't technically required, but it produces a file named AuditFilePathExists.mof rather than the default, localhost.mof. Having the .mof file name follow the configuration makes it easy to organize many files when operating at scale.

You should now have a project structure as below:

/ AuditFilePathExists
    / Config
    / linux-path
        / controls

The supporting files must be packaged together. The completed package is used by Guest Configuration to create the Azure Policy definitions.

The New-GuestConfigurationPackage cmdlet creates the package. Parameters of the New-GuestConfigurationPackage cmdlet when creating Linux content:

  • Name: Guest Configuration package name.
  • Configuration: Full path of the compiled configuration document.
  • Path: Output folder path. This parameter is optional. If not specified, the package is created in the current directory.
  • ChefProfilePath: Full path to the InSpec profile. This parameter is supported only when creating content to audit Linux.

Run the following command to create a package using the configuration given in the previous step:

New-GuestConfigurationPackage `
  -Name 'AuditFilePathExists' `
  -Configuration './Config/AuditFilePathExists.mof' `
  -ChefInSpecProfilePath './'

After creating the configuration package, but before publishing it to Azure, you can test the package from your workstation or CI/CD environment. The GuestConfiguration cmdlet Test-GuestConfigurationPackage includes the same agent in your development environment as is used inside Azure machines. Using this solution, you can perform integration testing locally before releasing to billed cloud environments.

Since the agent is actually evaluating the local environment, in most cases you need to run the Test- cmdlet on the same OS platform as you plan to audit.

Parameters of the Test-GuestConfigurationPackage cmdlet:

  • Name: Guest Configuration policy name.
  • Parameter: Policy parameters provided in hashtable format.
  • Path: Full path of the Guest Configuration package.

Run the following command to test the package created by the previous step:

Test-GuestConfigurationPackage `
  -Path ./AuditFilePathExists/AuditFilePathExists.zip

The cmdlet also supports input from the PowerShell pipeline. Pipe the output of the New-GuestConfigurationPackage cmdlet to the Test-GuestConfigurationPackage cmdlet.

New-GuestConfigurationPackage -Name AuditFilePathExists -Configuration ./Config/AuditFilePathExists.mof -ChefProfilePath './' | Test-GuestConfigurationPackage
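A pre-publish check for the naming requirement described under Configuration requirements, written as an added example (it is not part of the original article or of the GuestConfiguration module). It assumes the package layout New-GuestConfigurationPackage produced at the time of writing: the compiled MOF at the root of the .zip carrying a ConfigurationName attribute, and the InSpec profile copied into the package as a folder that contains inspec.yml.

```powershell
# Added example: verify that the .zip name, the MOF name and the compiled ConfigurationName agree,
# that the InSpec profile referenced by ChefInSpecResource is inside the package, and record the
# SHA256 of the file (the value the service later expects as contentHash).
# Assumption: MOF at the package root, profile folder containing inspec.yml somewhere inside the zip.
function Test-GuestConfigurationPackageNaming {
    param(
        [Parameter(Mandatory = $true)] [string] $PackagePath,   # e.g. ./AuditFilePathExists/AuditFilePathExists.zip
        [Parameter(Mandatory = $true)] [string] $ProfileName    # the Name property given to ChefInSpecResource
    )

    $package  = Get-Item -Path $PackagePath
    $expected = $package.BaseName                                # e.g. AuditFilePathExists
    $workDir  = Join-Path ([System.IO.Path]::GetTempPath()) ('gcpkg-' + [guid]::NewGuid())
    Expand-Archive -Path $package.FullName -DestinationPath $workDir -Force

    try {
        $problems = @()

        # The MOF at the package root must carry the same base name as the .zip.
        $mof = Get-ChildItem -Path $workDir -Filter '*.mof' -File | Select-Object -First 1
        if (-not $mof) {
            $problems += 'No .mof file found at the package root.'
        }
        else {
            if ($mof.BaseName -ne $expected) {
                $problems += "MOF file is '$($mof.Name)' but the package is '$($package.Name)'."
            }
            # The configuration name compiled into the MOF must match as well.
            $mofText  = [string](Get-Content -Path $mof.FullName -Raw)
            $cfgMatch = [regex]::Match($mofText, 'ConfigurationName\s*=\s*"([^"]+)"')
            if (-not $cfgMatch.Success) {
                $problems += 'MOF does not declare a ConfigurationName.'
            }
            elseif ($cfgMatch.Groups[1].Value -ne $expected) {
                $problems += "MOF ConfigurationName is '$($cfgMatch.Groups[1].Value)', expected '$expected'."
            }
        }

        # The InSpec profile named in the configuration must be shipped inside the package.
        $inspecYml = Get-ChildItem -Path $workDir -Recurse -Filter 'inspec.yml' -File |
            Where-Object { $_.Directory.Name -eq $ProfileName } | Select-Object -First 1
        if (-not $inspecYml) {
            $problems += "InSpec profile '$ProfileName' (a folder containing inspec.yml) not found in the package."
        }

        [pscustomobject]@{
            Package     = $package.FullName
            ContentHash = (Get-FileHash -Path $package.FullName -Algorithm SHA256).Hash
            Problems    = $problems
            Valid       = ($problems.Count -eq 0)
        }
    }
    finally {
        Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage with the package built earlier in this article
Test-GuestConfigurationPackageNaming -PackagePath ./AuditFilePathExists/AuditFilePathExists.zip -ProfileName 'linux-path'
```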

The next step is to publish the file to blob storage. The script below contains a function you can use to automate this task. The commands used in the publish function require the Az.Storage module.

function publish {
    param(
        [Parameter(Mandatory = $true)] [string] $resourceGroup,
        [Parameter(Mandatory = $true)] [string] $storageAccountName,
        [Parameter(Mandatory = $true)] [string] $storageContainerName,
        [Parameter(Mandatory = $true)] [string] $filePath,
        [Parameter(Mandatory = $true)] [string] $blobName
    )

    # Get Storage Context
    $Context = Get-AzStorageAccount -ResourceGroupName $resourceGroup `
        -Name $storageAccountName | `
        ForEach-Object { $_.Context }

    # Upload file
    $Blob = Set-AzStorageBlobContent -Context $Context `
        -Container $storageContainerName `
        -File $filePath `
        -Blob $blobName

    # Get url with SAS token (read + list only)
    $StartTime = (Get-Date)
    $ExpiryTime = $StartTime.AddYears(3)  # THREE YEAR EXPIRATION
    $SAS = New-AzStorageBlobSASToken -Context $Context `
        -Container $storageContainerName `
        -Blob $blobName `
        -StartTime $StartTime `
        -ExpiryTime $ExpiryTime `
        -Permission rl

    # Output: the blob URL with the SAS token appended, usable as ContentUri
    $ContentUri = $Blob.ICloudBlob.Uri.AbsoluteUri + $SAS
    return $ContentUri
}

# replace the $storageAccountName value below, it must be globally unique
$resourceGroup        = 'policyfiles'
$storageAccountName   = 'youraccountname'
$storageContainerName = 'artifacts'

$uri = publish `
  -resourceGroup $resourceGroup `
  -storageAccountName $storageAccountName `
  -storageContainerName $storageContainerName `
  -filePath ./AuditFilePathExists.zip `
  -blobName 'AuditFilePathExists'

Once a Guest Configuration custom policy package has been created and uploaded, create the Guest Configuration policy definition. The New-GuestConfigurationPolicy cmdlet takes a custom policy package and creates a policy definition.

Parameters of the New-GuestConfigurationPolicy cmdlet:

  • ContentUri: Public http(s) URI of the Guest Configuration content package.
  • DisplayName: Policy display name.
  • Description: Policy description.
  • Parameter: Policy parameters provided in hashtable format.
  • Version: Policy version.
  • Path: Destination path where policy definitions are created.
  • Platform: Target platform (Windows/Linux) for the Guest Configuration policy and content package.
  • Tag: Adds one or more tag filters to the policy definition.
  • Category: Sets the category metadata field in the policy definition.

The following example creates the policy definitions in a specified path from a custom policy package:

New-GuestConfigurationPolicy `
    -ContentUri 'https://storageaccountname.blob.core.chinacloudapi.cn/packages/AuditFilePathExists.zip?st=2019-07-01T00%3A00%3A00Z&se=2024-07-01T00%3A00%3A00Z&sp=rl&sv=2018-03-28&sr=b&sig=JdUf4nOCo8fvuflOoX%2FnGo4sXqVfP5BYXHzTl3%2BovJo%3D' `
    -DisplayName 'Audit Linux file path.' `
    -Description 'Audit that a file path exists on a Linux machine.' `
    -Path './policies' `
    -Platform 'Linux' `
    -Version 1.0.0

The following files are created by New-GuestConfigurationPolicy:

  • auditIfNotExists.json
  • deployIfNotExists.json
  • Initiative.json

The cmdlet output returns an object containing the initiative display name and the path of the policy files.

Finally, publish the policy definitions using the Publish-GuestConfigurationPolicy cmdlet. The cmdlet only has the Path parameter, which points to the location of the JSON files created by New-GuestConfigurationPolicy.

To run the Publish command, you need access to create Policies in Azure. The specific authorization requirements are documented in the Azure Policy Overview page. The best built-in role is Resource Policy Contributor.

Publish-GuestConfigurationPolicy `
  -Path '.\policyDefinitions'

The Publish-GuestConfigurationPolicy cmdlet accepts the path from the PowerShell pipeline. This feature means you can create the policy files and publish them in a single set of piped commands.

New-GuestConfigurationPolicy `
 -ContentUri 'https://storageaccountname.blob.core.chinacloudapi.cn/packages/AuditFilePathExists.zip?st=2019-07-01T00%3A00%3A00Z&se=2024-07-01T00%3A00%3A00Z&sp=rl&sv=2018-03-28&sr=b&sig=JdUf4nOCo8fvuflOoX%2FnGo4sXqVfP5BYXHzTl3%2BovJo%3D' `
 -DisplayName 'Audit Linux file path.' `
 -Description 'Audit that a file path exists on a Linux machine.' `
 -Path './policies' `
| Publish-GuestConfigurationPolicy

With the policy created in Azure, the last step is to assign the initiative. See how to assign the initiative with the Portal, Azure CLI, and Azure PowerShell.

Guest Configuration policies must always be assigned using the initiative that combines the AuditIfNotExists and DeployIfNotExists policies. If only the AuditIfNotExists policy is assigned, the prerequisites aren't deployed and the policy always shows that '0' servers are compliant.

Assigning a policy definition with the DeployIfNotExists effect requires an additional level of access. To grant the least privilege, you can create a custom role definition that extends Resource Policy Contributor. The example below creates a role named Resource Policy Contributor DINE with the additional permission Microsoft.Authorization/roleAssignments/write.

$subscriptionid = '00000000-0000-0000-0000-000000000000'
$role = Get-AzRoleDefinition "Resource Policy Contributor"
$role.Id = $null
$role.Name = "Resource Policy Contributor DINE"
$role.Description = "Can assign Policies that require remediation."
# The one extra action DeployIfNotExists needs: creating the role assignment for the managed identity
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
# Limit where the custom role can be assigned
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionid")
New-AzRoleDefinition -Role $role

Using parameters in custom Guest Configuration policies

Guest Configuration supports overriding properties of a Configuration at run time. This feature means that the values in the MOF file in the package don't have to be considered static. The override values are provided through Azure Policy and don't impact how the Configurations are authored or compiled.

With InSpec, parameters are typically handled as input either at runtime or as code using attributes. Guest Configuration abstracts this process so input can be provided when the policy is assigned. An attributes file is automatically created within the machine. You don't need to create and add a file in your project. There are two steps to adding parameters to your Linux audit project.

Define the input in the Ruby file where you script what to audit on the machine. An example is given below.

# Read the path from the attributes file that the Guest Configuration agent generates
attr_path = attribute('path', description: 'The file path to validate.')

describe file(attr_path) do
    it { should exist }
end

The cmdlets New-GuestConfigurationPolicy and Test-GuestConfigurationPackage include a parameter named Parameter. This parameter takes a hashtable including all details about each parameter and automatically creates all the required sections of the files used to create each Azure Policy definition.

The following example creates a policy definition to audit a file path, where the user provides the path at the time of policy assignment.

$PolicyParameterInfo = @(
    @{
        Name = 'FilePath'                             # Policy parameter name (mandatory)
        DisplayName = 'File path.'                    # Policy parameter display name (mandatory)
        Description = "File path to be audited."      # Policy parameter description (optional)
        ResourceType = "ChefInSpecResource"           # Configuration resource type (mandatory)
        ResourceId = 'Audit Linux path exists'        # Configuration resource property name (mandatory)
        ResourcePropertyName = "AttributesYmlContent" # Configuration resource property name (mandatory)
        DefaultValue = '/tmp'                         # Policy parameter default value (optional)
    }
)

# The hashtable also supports a property named 'AllowedValues' with an array of strings to limit input to a list

New-GuestConfigurationPolicy `
    -ContentUri 'https://storageaccountname.blob.core.chinacloudapi.cn/packages/AuditFilePathExists.zip?st=2019-07-01T00%3A00%3A00Z&se=2024-07-01T00%3A00%3A00Z&sp=rl&sv=2018-03-28&sr=b&sig=JdUf4nOCo8fvuflOoX%2FnGo4sXqVfP5BYXHzTl3%2BovJo%3D' `
    -DisplayName 'Audit Linux file path.' `
    -Description 'Audit that a file path exists on a Linux machine.' `
    -Path './policies' `
    -Parameter $PolicyParameterInfo `
    -Version 1.0.0

For Linux policies, include the property AttributesYmlContent in your configuration and overwrite the values as needed. The Guest Configuration agent automatically creates the YAML file used by InSpec to store attributes. See the example below.

Configuration AuditFilePathExists
{
    Import-DscResource -ModuleName 'GuestConfiguration'

    Node AuditFilePathExists
    {
        ChefInSpecResource 'Audit Linux path exists'
        {
            Name = 'linux-path'
            # Default attribute content; the policy parameter overrides it at assignment time
            AttributesYmlContent = "path: /tmp"
        }
    }
}

Policy lifecycle

To release an update to the policy definition, there are two fields that require attention.

  • Version: When you run the New-GuestConfigurationPolicy cmdlet, you must specify a version number greater than what is currently published. The property updates the version of the Guest Configuration assignment so the agent recognizes the updated package.
  • contentHash: This property is updated automatically by the New-GuestConfigurationPolicy cmdlet. It's a hash value of the package created by New-GuestConfigurationPackage. The property must be correct for the .zip file you publish. If only the contentUri property is updated, the extension won't accept the content package.

The easiest way to release an updated package is to repeat the process described in this article and provide an updated version number. That process guarantees all properties have been correctly updated.
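A check for the contentHash requirement above, added here as an example (it is not part of the original article or of the GuestConfiguration module). It assumes the JSON files written by New-GuestConfigurationPolicy contain a property literally named contentHash nested somewhere in the policy rule, and that the value is the SHA256 of the .zip, as this section states.

```powershell
# Added example: detect a policy definition whose embedded contentHash no longer matches the
# package you are about to publish (e.g. the .zip was rebuilt after New-GuestConfigurationPolicy ran).
# Assumption: a property named contentHash exists somewhere in the generated JSON.

# Walk a ConvertFrom-Json object tree and emit the value of every property with the given name.
function Find-JsonProperty {
    param($Node, [string] $Name)
    if ($null -eq $Node -or $Node -is [string] -or $Node -is [ValueType]) { return }
    if ($Node -is [System.Collections.IEnumerable]) {
        foreach ($item in $Node) { Find-JsonProperty -Node $item -Name $Name }
        return
    }
    foreach ($prop in $Node.PSObject.Properties) {
        if ($prop.Name -eq $Name) { $prop.Value }
        Find-JsonProperty -Node $prop.Value -Name $Name
    }
}

# Compare every contentHash declared in the policy files with the SHA256 of the .zip to be published.
function Test-GuestConfigurationContentHash {
    param(
        [Parameter(Mandatory = $true)] [string] $PolicyPath,    # folder given to New-GuestConfigurationPolicy -Path
        [Parameter(Mandatory = $true)] [string] $PackagePath    # the .zip that will be uploaded to blob storage
    )
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    foreach ($file in Get-ChildItem -Path $PolicyPath -Filter '*.json' -File) {
        $json = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
        foreach ($declared in @(Find-JsonProperty -Node $json -Name 'contentHash')) {
            [pscustomobject]@{
                File         = $file.Name
                DeclaredHash = $declared
                ActualHash   = $actual
                Match        = ($declared -ieq $actual)   # hex case may differ between tools
            }
        }
    }
}

# Usage: run before Publish-GuestConfigurationPolicy; a row with Match = False means the policy
# files must be regenerated with New-GuestConfigurationPolicy (and a higher -Version).
Test-GuestConfigurationContentHash -PolicyPath ./policies -PackagePath ./AuditFilePathExists/AuditFilePathExists.zip |
    Format-Table File, Match, DeclaredHash
```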

Filtering Guest Configuration policies using tags

The policies created by cmdlets in the Guest Configuration module can optionally include a filter for tags. The -Tag parameter of New-GuestConfigurationPolicy supports an array of hashtables containing individual tag entries. The tags are added to the If section of the policy definition and cannot be modified by a policy assignment.

An example snippet of a policy definition that filters for tags is given below.

"if": {
  "allOf": [
    {
      "allOf": [
        {
          "field": "tags.Owner",
          "equals": "BusinessUnit"
        },
        {
          "field": "tags.Role",
          "equals": "Web"
        }
      ]
    },
    {
      // Original Guest Configuration content will follow
    }
  ]
}

Optional: Signing Guest Configuration packages

Guest Configuration custom policies use a SHA256 hash to validate that the policy package hasn't changed. Optionally, customers may also use a certificate to sign packages and force the Guest Configuration extension to only allow signed content.

To enable this scenario, there are two steps you need to complete. Run the cmdlet to sign the content package, and append a tag to the machines that should require code to be signed.

To use the Signature Validation feature, run the Protect-GuestConfigurationPackage cmdlet to sign the package before it's published. This cmdlet requires a 'Code Signing' certificate.

Parameters of the Protect-GuestConfigurationPackage cmdlet:

  • Path: Full path of the Guest Configuration package.
  • PublicGpgKeyPath: Public GPG key path. This parameter is only supported when signing content for Linux.

A good reference for creating GPG keys to use with Linux machines is provided by an article on GitHub, Generating a new GPG key.

The GuestConfiguration agent expects the certificate public key to be present in the path /usr/local/share/ca-certificates/extra on Linux machines. For the node to verify signed content, install the certificate public key on the machine before applying the custom policy. This process can be done using any technique inside the VM, or by using Azure Policy. An example template is provided here. The Key Vault access policy must allow the Compute resource provider to access certificates during deployments. For detailed steps, see Set up Key Vault for virtual machines in Azure Resource Manager.

After your content is published, append a tag with the name GuestConfigPolicyCertificateValidation and the value enabled to all virtual machines where code signing should be required. See the Tag samples for how tags can be delivered at scale using Azure Policy. Once this tag is in place, the policy definition generated using the New-GuestConfigurationPolicy cmdlet enables the requirement through the Guest Configuration extension.

Troubleshooting Guest Configuration policy assignments (Preview)

A tool is available in preview to assist in troubleshooting Azure Policy Guest Configuration assignments. The tool has been published to the PowerShell Gallery as the module Guest Configuration Troubleshooter.

For more information about the cmdlets in this tool, use the Get-Help command in PowerShell to show the built-in guidance. As the tool is getting frequent updates, that is the best way to get the most recent information.

Next steps