Security Recommendations for Azure Marketplace Images

Your image must meet these security configuration recommendations. This helps maintain a high level of security for partner solution images in the Azure Marketplace.

Always run a security vulnerability scan on your image before submitting it. If you detect a security vulnerability in an image you have already published, you must inform your customers in a timely manner of both the vulnerability and how to correct it.

Open Source-based Images

| Category | Check |
|---|---|
| Security | Install all the latest security patches for the Linux distribution. |
| Security | Follow industry guidelines to secure the VM image for the specific Linux distribution. |
| Security | Limit the attack surface by keeping minimal footprint with only necessary Windows Server roles, features, services, and networking ports. |
| Security | Scan source code and resulting VM image for malware. |
| Security | The VHD image only includes necessary locked accounts that do not have default passwords that would allow interactive login; no back doors. |
| Security | Disable firewall rules unless application functionally relies on them, such as a firewall appliance. |
| Security | Remove all sensitive information from the VHD image, such as test SSH keys, known hosts file, log files, and unnecessary certificates. |
| Security | Avoid using LVM. |
| Security | Include the latest versions of required libraries:<br>- OpenSSL v1.0 or greater<br>- Python 2.5 or above (Python 2.6+ is highly recommended)<br>- Python pyasn1 package if not already installed |
| Security | Clear Bash/Shell history entries. |
| Networking | Include the SSH server by default. Set SSH keep alive to sshd config with the following option: `ClientAliveInterval 180`. |
| Networking | Remove any custom network configuration from the image. Delete the resolv.conf: `rm /etc/resolv.conf`. |
| Deployment | Install the latest Azure Linux Agent.<br>- Install using the RPM or Deb package.<br>- You may also use the manual install process, but the installer packages are recommended and preferred.<br>- If installing the agent manually from the GitHub repository, first copy the waagent file to /usr/sbin and run (as root):<br>`# chmod 755 /usr/sbin/waagent`<br>`# /usr/sbin/waagent -install`<br>The agent configuration file is placed at /etc/waagent.conf. |
| Deployment | Ensure Azure Support can provide our partners with serial console output when needed and provide adequate timeout for OS disk mounting from cloud storage. Add the following parameters to the image Kernel Boot Line: `console=ttyS0 earlyprintk=ttyS0 rootdelay=300`. |
| Deployment | No swap partition on the OS disk. Swap can be requested for creation on the local resource disk by the Linux Agent. |
| Deployment | Create a single root partition for the OS disk. |
| Deployment | 64-bit operating system only. |
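Several of the Linux checks above (the sshd keep-alive option, the deleted resolv.conf, no swap entry for the OS disk, the kernel boot-line parameters, locked accounts without usable passwords, and sensitive leftovers such as shell history and known_hosts) can be verified mechanically against an unpacked image root before submission. The script below is an added example, not part of the Microsoft page or the Azure tooling; it assumes the image root is mounted at a path passed as the first argument and that the distribution keeps its boot parameters in `/etc/default/grub` under `GRUB_CMDLINE_LINUX`. It builds two constructed sample roots in temporary directories (one compliant, one with typical mistakes) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Microsoft page): pre-submission audit of an
# unpacked Linux image root against the checklist above.
# Every function takes the image root as $1; the paths below it are assumptions.

# sshd must carry an active (uncommented) "ClientAliveInterval 180".
check_sshd_keepalive() {
    grep -Eq '^[[:space:]]*ClientAliveInterval[[:space:]]+180([[:space:]]|$)' \
        "$1/etc/ssh/sshd_config"
}

# No custom resolver configuration may remain in the image.
check_no_resolv_conf() {
    [ ! -e "$1/etc/resolv.conf" ]
}

# No swap partition on the OS disk: fstab must not mount one.
check_no_fstab_swap() {
    ! grep -Eq '^[^#]*[[:space:]]swap[[:space:]]' "$1/etc/fstab"
}

# Kernel boot line must include console=ttyS0 earlyprintk=ttyS0 rootdelay=300
# (location in /etc/default/grub is an assumption; adjust per distribution).
check_kernel_cmdline() {
    cmdline=$(grep -E '^GRUB_CMDLINE_LINUX=' "$1/etc/default/grub") || return 1
    for p in console=ttyS0 earlyprintk=ttyS0 rootdelay=300; do
        case "$cmdline" in *"$p"*) ;; *) return 1 ;; esac
    done
}

# Locked accounts only: no /etc/shadow entry may carry a real hash ($...).
# Locked entries use "!", "!!" or "*" in the password field.
check_no_password_logins() {
    ! awk -F: '$2 ~ /^[$]/ { found = 1 } END { exit (found ? 0 : 1) }' "$1/etc/shadow"
}

# Sensitive leftovers: shell history, known_hosts and private SSH keys in home dirs.
check_no_sensitive_files() {
    for h in "$1/root" "$1"/home/*; do
        [ -d "$h" ] || continue
        for f in .bash_history .sh_history .ssh/known_hosts .ssh/id_rsa .ssh/id_ed25519; do
            [ ! -e "$h/$f" ] || return 1
        done
    done
}

# Run every check; print PASS/FAIL per check; succeed only if all pass.
audit_image() {
    fails=0
    for c in check_sshd_keepalive check_no_resolv_conf check_no_fstab_swap \
             check_kernel_cmdline check_no_password_logins check_no_sensitive_files; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample image roots ("good" or "bad"); prints the directory path.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/ssh" "$r/etc/default" "$r/root/.ssh"
    printf 'Port 22\nClientAliveInterval 180\n' > "$r/etc/ssh/sshd_config"
    printf 'UUID=0000-0000 / ext4 defaults 0 1\n' > "$r/etc/fstab"
    printf 'GRUB_CMDLINE_LINUX="console=ttyS0 earlyprintk=ttyS0 rootdelay=300"\n' \
        > "$r/etc/default/grub"
    printf 'root:!:19000:0:99999:7:::\nazureuser:*:19000:0:99999:7:::\n' > "$r/etc/shadow"
    if [ "$1" = bad ]; then
        # Commented-out keep-alive, leftover resolver, OS-disk swap, plain boot
        # line, an account with a real (constructed) hash, and sensitive files.
        printf '# ClientAliveInterval 180\n' > "$r/etc/ssh/sshd_config"
        printf 'nameserver 10.0.0.2\n' > "$r/etc/resolv.conf"
        printf '/dev/sda2 none swap sw 0 0\n' >> "$r/etc/fstab"
        printf 'GRUB_CMDLINE_LINUX="quiet"\n' > "$r/etc/default/grub"
        printf 'builder:$6$saltsalt$constructedhash:19000:0:99999:7:::\n' >> "$r/etc/shadow"
        printf 'host ssh-rsa AAAA constructed\n' > "$r/root/.ssh/known_hosts"
        printf 'passwd builder\n' > "$r/root/.bash_history"
    fi
    printf '%s\n' "$r"
}

# Stand-alone demo over the two constructed roots.
good=$(make_sample_root good)
bad=$(make_sample_root bad)
if audit_image "$good"; then echo "sample 'good' root: ready to submit"; fi
if audit_image "$bad"; then :; else echo "sample 'bad' root: fix the FAIL lines above"; fi
rm -rf "$good" "$bad"
```

To audit a real build, mount the VHD read-only and call `audit_image /mnt/image`; a FAIL line names the check that the image still violates. The shadow check deliberately treats any hashed password as a failure, because the requirement is that shipped accounts be locked, not merely strong.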

Windows Server-based Images

| Category | Check |
|---|---|
| Security | Use a secure OS base image. The VHD used for the source of any image based on Windows Server must be from the Windows Server OS images provided through Azure. |
| Security | Install all latest security updates. |
| Security | Applications should not depend on restricted user names like administrator, root, or admin. |
| Security | Enable BitLocker Drive Encryption for both OS hard drives and data hard drives. |
| Security | Limit the attack surface by keeping minimal footprint with only necessary Windows Server roles, features, services, and networking ports enabled. |
| Security | Scan source code and resulting VM image for malware. |
| Security | Set Windows Server images security update to auto-update. |
| Security | The VHD image only includes necessary locked accounts that do not have default passwords that would allow interactive login; no back doors. |
| Security | Disable firewall rules unless application functionally relies on them, such as a firewall appliance. |
| Security | Remove all sensitive information from the VHD image, including HOSTS files, log files, and unnecessary certificates. |
| Deployment | 64-bit operating system only. |

Even if your organization does not have images in the Azure Marketplace, consider checking your Windows and Linux image configurations against these recommendations.