luanderns
Jan 16, 2023 (Copper Contributor)
Fixing "Authentication to Linux machines should require SSH keys"
I have many Linux VMs running CentOS 7.8 that are currently being reported as non-compliant with this policy.
Policy source is https://github.com/Azure/azure-policy/blob/58fcf068ecb5e96d23958d9799cf872e687a1a4a/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json
and the "then" clause is:
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "LinuxNoPasswordForSSH",
"existenceCondition": {
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
}
}
}
My VMs are configured as follows. There is no Guest Configuration assignment on them (no `Microsoft.GuestConfiguration/guestConfigurationAssignments` resource, which is what the policy's `existenceCondition` above looks for), but SSH password login is disabled at the ARM level via `osProfile.linuxConfiguration.disablePasswordAuthentication: true` and only public keys are configured.
{
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED",
"name": "REDACTED",
"type": "Microsoft.Compute/virtualMachines",
"location": "westeurope",
"tags": {
...
},
"properties": {
"vmId": "REDACTED",
"hardwareProfile": {
"vmSize": "Standard_B1ms"
},
"storageProfile": {
"imageReference": {
"publisher": "OpenLogic",
"offer": "CentOS",
"sku": "7_8",
"version": "7.8.2021020400",
"exactVersion": "7.8.2021020400"
},
"osDisk": {
"osType": "Linux",
"name": "REDACTED",
"createOption": "FromImage",
"caching": "ReadOnly",
"managedDisk": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED"
},
"deleteOption": "Detach"
},
"dataDisks": [
{
"lun": 0,
"name": "REDACTED",
"createOption": "Empty",
"caching": "ReadOnly",
"managedDisk": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED"
},
"deleteOption": "Detach",
"toBeDetached": false
}
]
},
"osProfile": {
"computerName": "REDACTED",
"adminUsername": "REDACTED",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "REDACTED",
"keyData": "REDACTED"
}
]
},
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "ImageDefault",
"assessmentMode": "ImageDefault"
},
"enableVMAgentPlatformUpdates": false
},
"secrets": [],
"allowExtensionOperations": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/networkInterfaces/REDACTED",
"properties": {
"primary": true
}
}
]
},
"provisioningState": "Succeeded",
"timeCreated": "2023-01-16T00:14:48.5932025+00:00"
},
"resources": [
{
"name": "LinuxAgent.AzureSecurityCenter",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/LinuxAgent.AzureSecurityCenter",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "westeurope",
"properties": {
"autoUpgradeMinorVersion": false,
"provisioningState": "Succeeded",
"publisher": "Qualys",
"type": "LinuxAgent.AzureSecurityCenter",
"typeHandlerVersion": "1.0",
"settings": {
"LicenseCode": "REDACTED",
"GrayLabel": {
"CustomerID": "REDACTED",
"ResourceID": "REDACTED"
}
}
}
},
{
"name": "OmsAgentForLinux",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/OmsAgentForLinux",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "westeurope",
"properties": {
"autoUpgradeMinorVersion": true,
"provisioningState": "Succeeded",
"enableAutomaticUpgrade": false,
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.0",
"settings": {
"workspaceId": "REDACTED"
}
}
}
]
}
Reading the policy's `then` clause, its `existenceCondition` is only satisfied by a `Microsoft.GuestConfiguration/guestConfigurationAssignments` resource named `LinuxNoPasswordForSSH` whose `complianceStatus` is `Compliant`. The ARM-level `disablePasswordAuthentication` flag in `osProfile` is not what is evaluated, so VMs like the one above will keep failing the policy until such an assignment exists and reports compliant, regardless of how SSH is actually configured inside the guest.

Given that, what is the added value of Guest Configuration in this case (presumably it audits the in-guest SSH configuration rather than the provisioning-time ARM setting, but that is not spelled out in the policy definition), and how should the resources needed to comply with this policy be deployed?

I deploy VMs using Ansible.