Create custom security initiatives and policies

To help secure your systems and environment, Azure Security Center generates security recommendations. These recommendations are based on industry best practices, which are incorporated into the generic, default security policy supplied to all customers. They can also come from Security Center's knowledge of industry and regulatory standards.

With this feature, you can add your own custom initiatives. You'll then receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create will appear alongside the built-in initiatives in the regulatory compliance dashboard, as described in the tutorial Improve your regulatory compliance.

As discussed in the Azure Policy documentation, when you specify a location for your custom initiative, it must be a management group or a subscription.

Tip

For an overview of the key concepts on this page, see What are security policies, initiatives, and recommendations?

To add a custom initiative to your subscription

  1. From Security Center's sidebar, open the Security policy page.

  2. Select the subscription or management group to which you want to add a custom initiative.

    Selecting a subscription for which you'll create your custom policy

    Note

    You must add custom standards at the subscription level (or higher) for them to be evaluated and displayed in Security Center.

    When you add a custom standard, it assigns an initiative to that scope. We therefore recommend that you select the widest scope required for that assignment.

  3. In the Security policy page, under Your custom initiatives, click Add a custom initiative.

    Click Add a custom initiative

    The following page appears:

    Create or add a policy

  4. In the Add custom initiatives page, review the list of custom policies already created in your organization. If you see one you want to assign to your subscription, click Add. If there isn't an initiative in the list that meets your needs, skip this step.

  5. To create a new custom initiative:

    1. Click Create new.
    2. Enter the definition's location and name.
    3. Select the policies to include and click Add.
    4. Enter any desired parameters.
    5. Click Save.
    6. In the Add custom initiatives page, click Refresh. Your new initiative will be shown as available.
    7. Click Add and assign it to your subscription.

    Note

    Creating new initiatives requires subscription owner credentials. For more information about Azure roles, see Permissions in Azure Security Center.

    Your new initiative takes effect and you can see the impact in the following two ways:

    • From the Security Center sidebar, under Policy & Compliance, select Regulatory compliance. The compliance dashboard opens to show your new custom initiative alongside the built-in initiatives.

    • You'll begin to receive recommendations if your environment doesn't follow the policies you've defined.

  6. To see the resulting recommendations for your policy, click Recommendations from the sidebar to open the recommendations page. The recommendations will appear with a "Custom" label and be available within approximately one hour.

    Custom recommendations

Configure a security policy in Azure Policy using the REST API

As part of its native integration with Azure Policy, Azure Security Center lets you take advantage of Azure Policy's REST API to create policy assignments. The following instructions walk you through creating policy assignments and customizing existing assignments.

Important concepts in Azure Policy:

  • A policy definition is a rule

  • An initiative is a collection of policy definitions (rules)

  • An assignment is an application of an initiative or a policy to a specific scope (management group, subscription, etc.)

Security Center has a built-in initiative, Azure Security Benchmark, that includes all of its security policies. To assess Security Center's policies on your Azure resources, create an assignment on the management group or subscription you want to assess.

The built-in initiative has all of Security Center's policies enabled by default. You can choose to disable certain policies from the built-in initiative. For example, to apply all of Security Center's policies except web application firewall, change the value of that policy's effect parameter to Disabled.

API examples

In the following examples, replace these variables:

  • {scope}: enter the name of the management group or subscription to which you're applying the policy
  • {policyAssignmentName}: enter the name of the relevant policy assignment
  • {name}: enter your name, or the name of the administrator who approved the policy change

This example shows you how to assign the built-in Security Center initiative on a subscription or management group.

   PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {}
     }
   }

This example shows you how to assign the built-in Security Center initiative on a subscription, with the following policies disabled:

  • System updates ("systemUpdatesMonitoringEffect")

  • Security configurations ("systemConfigurationsMonitoringEffect")

  • Endpoint protection ("endpointProtectionMonitoringEffect")

   PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {
         "systemUpdatesMonitoringEffect": {"value": "Disabled"},
         "systemConfigurationsMonitoringEffect": {"value": "Disabled"},
         "endpointProtectionMonitoringEffect": {"value": "Disabled"}
       }
     }
   }
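The two PUT examples above, as added example code that is not part of the original article: a Python helper that fills in the {scope} and {policyAssignmentName} placeholders, builds the request body for the built-in initiative (with any chosen effect parameters set to Disabled), serializes it as valid JSON, and, as a review check, lists which policies an assignment has switched off. The function names, the sample subscription id and the token handling are assumptions of this example; actually sending the request needs a bearer token from your own authentication flow and an HTTP client of your choice.

```python
import json
from typing import Iterable, Optional, Union

# Values taken from this page: the built-in Security Center initiative id and the
# API version / ARM endpoint used in the PUT and DELETE examples (Azure China).
ASC_INITIATIVE_ID = ("/providers/Microsoft.Authorization/policySetDefinitions/"
                     "1f3afdf9-d0c9-4c3d-847f-89da613e70a8")
API_VERSION = "2018-05-01"
ARM_ENDPOINT = "https://management.chinacloudapi.cn"


def assignment_url(scope: str, assignment_name: str, endpoint: str = ARM_ENDPOINT) -> str:
    """URL of the policyAssignments resource with the page's {scope} and
    {policyAssignmentName} placeholders filled in. scope is the ARM scope string,
    e.g. 'subscriptions/<id>' or 'providers/Microsoft.Management/managementGroups/<name>'."""
    scope = scope.strip("/")
    return (f"{endpoint}/{scope}/providers/Microsoft.Authorization/policyAssignments/"
            f"{assignment_name}?api-version={API_VERSION}")


def build_assignment_body(assigned_by: str, disabled_effects: Iterable[str] = ()) -> dict:
    """Request body for the PUT. With no disabled_effects this is the page's first
    example; passing *MonitoringEffect parameter names reproduces the second, where
    each named policy's effect parameter is set to Disabled."""
    parameters = {name: {"value": "Disabled"} for name in disabled_effects}
    return {
        "properties": {
            "displayName": "Enable Monitoring in Azure Security Center",
            "metadata": {"assignedBy": assigned_by},
            "policyDefinitionId": ASC_INITIATIVE_ID,
            "parameters": parameters,
        }
    }


def serialize_body(body: dict) -> str:
    """Serialize and round-trip the body. json.dumps never emits the trailing commas
    that make a hand-written body invalid JSON; reloading proves the text parses."""
    text = json.dumps(body, indent=2)
    json.loads(text)
    return text


def prepare_request(method: str, url: str, bearer_token: str,
                    body: Optional[dict] = None) -> dict:
    """Everything an HTTP client needs for the call; no network access happens here.
    The token is obtained from your own auth flow (assumption of this example)."""
    req = {"method": method, "url": url,
           "headers": {"Authorization": f"Bearer {bearer_token}",
                       "Content-Type": "application/json"}}
    if body is not None:
        req["body"] = serialize_body(body)
    return req


def disabled_policies(assignment: Union[dict, str]) -> list:
    """Review check: the effect parameters an assignment sets to Disabled, sorted.
    Accepts a dict or the JSON text returned by a GET on the assignment resource."""
    if isinstance(assignment, str):
        assignment = json.loads(assignment)
    params = assignment.get("properties", {}).get("parameters", {}) or {}
    return sorted(name for name, p in params.items()
                  if isinstance(p, dict) and str(p.get("value", "")).lower() == "disabled")


if __name__ == "__main__":
    # Constructed sample: a placeholder subscription id and the three parameters the page disables.
    url = assignment_url("subscriptions/00000000-0000-0000-0000-000000000000", "asc-default")
    body = build_assignment_body("{name}", ["systemUpdatesMonitoringEffect",
                                             "systemConfigurationsMonitoringEffect",
                                             "endpointProtectionMonitoringEffect"])
    print(prepare_request("PUT", url, "<token>", body)["body"])
    print("Disabled in this assignment:", disabled_policies(body))
```

Running disabled_policies over the JSON returned by a GET on each assignment in a tenant is a cheap way to spot assignments where monitoring policies have been quietly switched off.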

This example shows you how to remove an assignment:

   DELETE https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

Enhance your custom recommendations with detailed information

The built-in recommendations supplied with Azure Security Center include details such as severity levels and remediation instructions. If you want to add this type of information to your custom recommendations so that it appears in the Azure portal or wherever you access your recommendations, you'll need to use the REST API.

The two types of information you can add are:

  • RemediationDescription - String
  • Severity - Enum [Low, Medium, High]

The metadata should be added to the policy definition of a policy that is part of the custom initiative. It belongs in the 'securityCenter' property, as shown:

 "metadata": {
    "securityCenter": {
        "RemediationDescription": "Custom description goes here",
        "Severity": "High"
    }
 }

Below is an example of a custom policy including the metadata/securityCenter property:

{
"properties": {
  "displayName": "Security - ERvNet - AuditRGLock",
  "policyType": "Custom",
  "mode": "All",
  "description": "Audit required resource groups lock",
  "metadata": {
      "securityCenter": {
          "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",
          "Severity": "High"
      }
  },
  "parameters": {
      "expressRouteLockLevel": {
          "type": "String",
          "metadata": {
              "displayName": "Lock level",
              "description": "Required lock level for ExpressRoute resource groups."
          },
          "allowedValues": [
              "CanNotDelete",
              "ReadOnly"
          ]
      }
  },
  "policyRule": {
      "if": {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      "then": {
          "effect": "auditIfNotExists",
          "details": {
              "type": "Microsoft.Authorization/locks",
              "existenceCondition": {
                  "field": "Microsoft.Authorization/locks/level",
                  "equals": "[parameters('expressRouteLockLevel')]"
              }
          }
      }
  }
}
}
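As an added example (not code from the article), the policy definition above embedded in Python together with two checks a practitioner would want before assigning it: a validator for the securityCenter metadata (non-empty RemediationDescription, Severity from the Low/Medium/High enum listed above) and a toy evaluator that runs the auditIfNotExists rule over a constructed inventory of resource groups and locks. The evaluator handles only the constructs this one definition uses and is not Azure Policy's engine; the resource dicts, their 'related' list and the function names are assumptions of this example.

```python
import re

# The custom policy definition from this page (ERvNet resource-group lock audit).
CUSTOM_POLICY = {
    "properties": {
        "displayName": "Security - ERvNet - AuditRGLock",
        "policyType": "Custom",
        "mode": "All",
        "description": "Audit required resource groups lock",
        "metadata": {
            "securityCenter": {
                "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",
                "Severity": "High",
            }
        },
        "parameters": {
            "expressRouteLockLevel": {
                "type": "String",
                "metadata": {"displayName": "Lock level",
                             "description": "Required lock level for ExpressRoute resource groups."},
                "allowedValues": ["CanNotDelete", "ReadOnly"],
            }
        },
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Authorization/locks",
                    "existenceCondition": {
                        "field": "Microsoft.Authorization/locks/level",
                        "equals": "[parameters('expressRouteLockLevel')]",
                    },
                },
            },
        },
    }
}

SEVERITIES = ("Low", "Medium", "High")  # the Severity enum listed on this page


def validate_security_center_metadata(definition: dict) -> list:
    """Problems with properties.metadata.securityCenter; an empty list means the
    resulting recommendation will carry a valid severity and remediation text."""
    sc = definition.get("properties", {}).get("metadata", {}).get("securityCenter")
    if not isinstance(sc, dict):
        return ["metadata.securityCenter is missing"]
    problems = []
    desc = sc.get("RemediationDescription")
    if not isinstance(desc, str) or not desc.strip():
        problems.append("RemediationDescription must be a non-empty string")
    if sc.get("Severity") not in SEVERITIES:
        problems.append(f"Severity must be one of {SEVERITIES}, got {sc.get('Severity')!r}")
    return problems


def _resolve(value, definition: dict, param_values: dict):
    """Resolve a "[parameters('x')]" reference, enforcing the parameter's allowedValues."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    if not m:
        return value
    name = m.group(1)
    spec = definition["properties"]["parameters"][name]
    chosen = param_values[name]
    if "allowedValues" in spec and chosen not in spec["allowedValues"]:
        raise ValueError(f"{chosen!r} is not in allowedValues for parameter {name}")
    return chosen


def evaluate_policy(definition: dict, resources: list, param_values: dict) -> dict:
    """Toy evaluator (not Azure Policy's engine) for the rule shape above: an if/field
    match on 'type' plus an auditIfNotExists existence condition checked against each
    resource's constructed 'related' list; the alias's last path segment is read as a key."""
    rule = definition["properties"]["policyRule"]
    cond, details = rule["if"], rule["then"]["details"]
    wanted = _resolve(details["existenceCondition"]["equals"], definition, param_values)
    key = details["existenceCondition"]["field"].rsplit("/", 1)[-1]
    results = {}
    for res in resources:
        if res.get(cond["field"]) != cond["equals"]:
            results[res["name"]] = "NotApplicable"
            continue
        matches = [r for r in res.get("related", [])
                   if r.get("type") == details["type"] and r.get(key) == wanted]
        results[res["name"]] = "Compliant" if matches else "NonCompliant"
    return results


# Constructed sample inventory: three resource groups and one unrelated resource.
RG = "Microsoft.Resources/subscriptions/resourceGroups"
SAMPLE_RESOURCES = [
    {"name": "rg-ervnet-prod", "type": RG,
     "related": [{"type": "Microsoft.Authorization/locks", "level": "CanNotDelete"}]},
    {"name": "rg-ervnet-dev", "type": RG,
     "related": [{"type": "Microsoft.Authorization/locks", "level": "ReadOnly"}]},
    {"name": "rg-sandbox", "type": RG, "related": []},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts", "related": []},
]

if __name__ == "__main__":
    print(validate_security_center_metadata(CUSTOM_POLICY))
    print(evaluate_policy(CUSTOM_POLICY, SAMPLE_RESOURCES, {"expressRouteLockLevel": "CanNotDelete"}))
```

Note that a lock of a different level (rg-ervnet-dev, ReadOnly when CanNotDelete is required) is reported NonCompliant exactly like a resource group with no lock at all, because the existenceCondition requires a lock whose level equals the parameter, not merely any lock.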

For another example of using the securityCenter property, see this section of the REST API documentation.

Next steps

In this article, you learned how to create custom security policies.

For other related material, see the following articles: