Using custom security policies

To help secure your systems and environment, Azure Security Center generates security recommendations. These recommendations are based on industry best practices, which are incorporated into the generic, default security policy supplied to all customers. They can also come from Security Center's knowledge of industry and regulatory standards.

With this feature, you can add your own custom initiatives. You'll then receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create will appear alongside the built-in initiatives in the regulatory compliance dashboard, as described in the tutorial Improve your regulatory compliance.

As discussed in the Azure Policy documentation, when you specify a location for your custom initiative, it must be a management group or a subscription.

To add a custom initiative to your subscription

  1. From Security Center's sidebar, open the Security policy page.

  2. Select a subscription or management group to which you would like to add a custom initiative.

    Selecting a subscription for which you'll create your custom policy

    Note

    You must add custom standards at the subscription level (or higher) for them to be evaluated and displayed in Security Center.

    When you add a custom standard, it assigns an initiative to that scope. We therefore recommend that you select the widest scope required for that assignment.

  3. In the Security policy page, under Your custom initiatives, click Add a custom initiative.

    Click Add a custom initiative

    The following page appears:

    Create or add a policy

  4. In the Add custom initiatives page, review the list of custom policies already created in your organization. If you see one you want to assign to your subscription, click Add. If there isn't an initiative in the list that meets your needs, skip this step.

  5. To create a new custom initiative:

    1. Click Create new.
    2. Enter the definition's location and name.
    3. Select the policies to include and click Add.
    4. Enter any desired parameters.
    5. Click Save.
    6. In the Add custom initiatives page, click Refresh. Your new initiative will be shown as available.
    7. Click Add and assign it to your subscription.

    Note

    Creating new initiatives requires subscription owner credentials. For more information about Azure roles, see Permissions in Azure Security Center.

    Your new initiative takes effect and you can see the impact in the following two ways:

    • From the Security Center sidebar, under Policy & Compliance, select Regulatory compliance. The compliance dashboard opens to show your new custom initiative alongside the built-in initiatives.

    • You'll begin to receive recommendations if your environment doesn't follow the policies you've defined.

  6. To see the resulting recommendations for your policy, click Recommendations from the sidebar to open the recommendations page. The recommendations will appear with a "Custom" label and be available within approximately one hour.

    Custom recommendations

Enhance your custom recommendations with detailed information

The built-in recommendations supplied with Azure Security Center include details such as severity levels and remediation instructions. If you want to add this type of information to your custom recommendations so that it appears in the Azure portal or wherever you access your recommendations, you'll need to use the REST API.

The two types of information you can add are:

  • RemediationDescription - String
  • Severity - Enum [Low, Medium, High]

The metadata should be added to the policy definition for a policy that is part of the custom initiative. It should be in the "securityCenter" property, as shown:

 "metadata": {
    "securityCenter": {
        "RemediationDescription": "Custom description goes here",
        "Severity": "High"
    }
 }

Below is an example of a custom policy including the metadata/securityCenter property:

{
  "properties": {
    "displayName": "Security - ERvNet - AuditRGLock",
    "policyType": "Custom",
    "mode": "All",
    "description": "Audit required resource groups lock",
    "metadata": {
      "securityCenter": {
        "remediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",
        "severity": "High"
      }
    },
    "parameters": {
      "expressRouteLockLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Lock level",
          "description": "Required lock level for ExpressRoute resource groups."
        },
        "allowedValues": [
          "CanNotDelete",
          "ReadOnly"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/locks",
          "existenceCondition": {
            "field": "Microsoft.Authorization/locks/level",
            "equals": "[parameters('expressRouteLockLevel')]"
          }
        }
      }
    }
  }
}
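
The Python script below is an added example and is not code from this page or from Microsoft's documentation. It embeds the AuditRGLock policy above as constructed sample data (with the securityCenter block removed so the helper can attach it), validates the two documented fields (RemediationDescription as a non-empty string, Severity restricted to Low, Medium or High), and assembles an initiative (policySetDefinition) body that references the definition while checking each supplied parameter against the definition's allowedValues. The policy definition resource ID placeholder and the initiative name are assumptions; the script does not call the REST API, it only prepares and checks the JSON you would send, so a wrong severity or a mistyped parameter value fails locally instead of at the service.

```python
import copy
import json

# The enum the page documents for metadata.securityCenter.Severity.
ALLOWED_SEVERITIES = ("Low", "Medium", "High")

# Constructed sample: the page's AuditRGLock policy without the
# securityCenter block, so add_security_center_metadata() has work to do.
SAMPLE_POLICY = {
    "properties": {
        "displayName": "Security - ERvNet - AuditRGLock",
        "policyType": "Custom",
        "mode": "All",
        "description": "Audit required resource groups lock",
        "parameters": {
            "expressRouteLockLevel": {
                "type": "String",
                "metadata": {"displayName": "Lock level",
                             "description": "Required lock level for ExpressRoute resource groups."},
                "allowedValues": ["CanNotDelete", "ReadOnly"],
            }
        },
        "policyRule": {
            "if": {"field": "type",
                   "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            "then": {"effect": "auditIfNotExists",
                     "details": {"type": "Microsoft.Authorization/locks",
                                 "existenceCondition": {
                                     "field": "Microsoft.Authorization/locks/level",
                                     "equals": "[parameters('expressRouteLockLevel')]"}}},
        },
    }
}


class MetadataError(ValueError):
    """Raised when securityCenter metadata or an initiative parameter is invalid."""


def add_security_center_metadata(definition, remediation_description, severity):
    """Return a deep copy of `definition` with metadata.securityCenter attached.

    The input is never mutated; the caller keeps the original for comparison.
    """
    if not isinstance(remediation_description, str) or not remediation_description.strip():
        raise MetadataError("RemediationDescription must be a non-empty string")
    if severity not in ALLOWED_SEVERITIES:
        raise MetadataError(f"Severity must be one of {ALLOWED_SEVERITIES}, got {severity!r}")
    result = copy.deepcopy(definition)
    metadata = result.setdefault("properties", {}).setdefault("metadata", {})
    metadata["securityCenter"] = {
        "remediationDescription": remediation_description.strip(),
        "severity": severity,
    }
    return result


def validate_security_center_metadata(definition):
    """Return a list of problems with metadata.securityCenter (empty means valid).

    Both key casings that appear in the documentation are accepted:
    RemediationDescription/Severity and remediationDescription/severity.
    """
    sc = definition.get("properties", {}).get("metadata", {}).get("securityCenter")
    if not isinstance(sc, dict):
        return ["metadata.securityCenter is missing"]
    problems = []
    desc = sc.get("remediationDescription", sc.get("RemediationDescription"))
    sev = sc.get("severity", sc.get("Severity"))
    if not isinstance(desc, str) or not desc.strip():
        problems.append("remediationDescription must be a non-empty string")
    if sev not in ALLOWED_SEVERITIES:
        problems.append(f"severity {sev!r} is not one of {ALLOWED_SEVERITIES}")
    return problems


def build_initiative(name, display_name, members):
    """Build a policySetDefinition body from (definition_id, definition, params) tuples.

    Every supplied parameter must be declared by the member definition and, when
    the definition lists allowedValues, the value must be one of them.
    """
    refs = []
    for definition_id, definition, params in members:
        declared = definition.get("properties", {}).get("parameters", {})
        for key, value in params.items():
            if key not in declared:
                raise MetadataError(f"{definition_id}: unknown parameter {key!r}")
            allowed = declared[key].get("allowedValues")
            if allowed is not None and value not in allowed:
                raise MetadataError(f"{definition_id}: {key}={value!r} not in {allowed}")
        refs.append({"policyDefinitionId": definition_id,
                     "parameters": {k: {"value": v} for k, v in params.items()}})
    return {"name": name,
            "properties": {"displayName": display_name, "policyType": "Custom",
                           "policyDefinitions": refs}}


if __name__ == "__main__":
    enriched = add_security_center_metadata(
        SAMPLE_POLICY, "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks", "High")
    # "<policy-definition-id>" is a placeholder for the real definition's resource ID.
    initiative = build_initiative("ervnet-baseline", "ERvNet baseline",
                                  [("<policy-definition-id>", enriched, {"expressRouteLockLevel": "CanNotDelete"})])
    print(json.dumps(initiative, indent=2))
```

Run the validator on every definition before assigning the initiative, and keep the parameter check in build_initiative: the lock level is the single value that decides what the audit rule actually looks for, so a typo there silently turns the check into one that can never match.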

For another example of using the securityCenter property, see this section of the REST API documentation.

Next steps

In this article, you learned how to create custom security policies.

For other related material, see the following articles: