
All network ports should be restricted on network security groups that carry the dev tag

How to resolve: all network ports should be restricted on network security groups that carry the dev tag

I am creating a custom policy for my requirements. I want to define a policy that says "all network ports should be restricted on network security groups that have the dev tag".

Error: Could not parse policy rule: Could not find member 'exits' on object of type 'LeafExpressionDefinition'. Path 'exits'.

There are two built-in policies among the Azure Policy definitions:

  1. All network ports should be restricted on network security groups associated to your virtual machine. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9daedab3-fb2d-461e-b861-71790eead4f6

  2. Require a tag on resource groups. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b6d14-10aa-478d-b590-94f262ecfa99

I combined them and updated them for my requirements. You can see the custom policy I created below; I think everything is fine.

{
  "properties": {
    "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
    "policyType": "Indexed",
    "mode": "All",
    "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "dev",
          "description": "Name of the tag, such as 'development'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
            "exits": "true"
          },
          {
            "field": "[concat('tags[', parameters('dev'), ']')]",
            "equals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "3b20e985-f71f-483b-b078-f30d73936d43",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}

Solution

  1. It looks like you have a typo in "exists": "exits" --> "exists".
  2. I don't think you can create a custom policy based on a built-in Security Center policy that depends on an assessment code ("field": "Microsoft.Security/assessments/status.code"). Those are implemented by internal APIs, so they cannot be copied for customization.

I worked out a solution for this problem that blocks all ports at network security group or subscription level scope. To block everything, the port value "*" has to be set; you can block any port by entering the port numbers you need in the port parameter.

{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "in": "[parameters('deniedPorts')]"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notIn": "[parameters('deniedPorts')]"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "in": [
                    "*",
                    "Internet"
                  ]
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {
    "deniedPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Ports to block",
        "description": "The inbound ports that should be blocked"
      }
    }
  }
}
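The policy above only reports what it matches, so it is worth checking its `if` logic against a few sample rules before assigning it. The following is an added example (not Azure's evaluation engine and not code from this thread): a small local evaluator for the subset of the Azure Policy condition grammar used here (allOf / anyOf / not, equals / in / notIn / exists, and a `[*]` array alias), run over constructed NSG security rules. It also shows how the typo from the question surfaces: an unknown operator key such as "exits" is rejected instead of being silently ignored. The `[*]` semantics (every element must satisfy the operator, so `not` around `notIn` means "at least one element is in the list") follow Azure's documented array evaluation; the sample rules, the helper `rule()` and the parameter values are constructed for this harness.

```python
"""Local evaluator for the policy condition subset used in the answer above.
Added example: a test harness for the rule logic, not Azure's policy engine."""
import re

# 'if' block of the policyRule from the answer above.
POLICY_IF = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules"},
        {"allOf": [
            {"field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow"},
            {"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound"},
            {"anyOf": [
                {"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                 "in": "[parameters('deniedPorts')]"},
                {"not": {"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                         "notIn": "[parameters('deniedPorts')]"}},
            ]},
            {"anyOf": [
                {"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                 "in": ["*", "Internet"]},
            ]},
        ]},
    ]
}

PARAM_RE = re.compile(r"^\[parameters\('(\w+)'\)\]$")
SUPPORTED_OPS = {"equals", "in", "notIn", "exists"}


def resolve_value(value, params):
    """Replace a [parameters('x')] reference with the assigned parameter value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def resolve_field(field, resource):
    """Map a field alias onto a flattened resource dict; returns (value, is_array)."""
    if field == "type":
        return resource["type"], False
    prop = field.rsplit("/", 1)[-1]  # alias suffix is the property name
    if prop.endswith("[*]"):
        return resource["properties"].get(prop[:-3], []), True
    return resource["properties"].get(prop), False


def _norm(v):
    return v.lower() if isinstance(v, str) else v


def _compare(op, actual, expected):
    """Leaf operators, with Azure's case-insensitive string matching."""
    if op not in SUPPORTED_OPS:
        # This is what catches the "exits" typo from the question.
        raise ValueError(f"unsupported condition operator: {op!r}")
    if op == "equals":
        return _norm(actual) == _norm(expected)
    if op == "in":
        return _norm(actual) in [_norm(e) for e in expected]
    if op == "notIn":
        return _norm(actual) not in [_norm(e) for e in expected]
    return (actual is not None) == (str(expected).lower() == "true")  # exists


def evaluate(cond, resource, params):
    """Recursively evaluate a condition tree against one resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    op = next(k for k in cond if k != "field")
    expected = resolve_value(cond[op], params)
    actual, is_array = resolve_field(cond["field"], resource)
    if is_array:
        # [*] alias: true only when every element satisfies the operator
        # (vacuously true for an empty array); 'not' around it therefore
        # means "at least one element fails the operator".
        return all(_compare(op, a, expected) for a in actual)
    return _compare(op, actual, expected)


def noncompliant(rules, params):
    """Names of the security rules the policy's 'if' block would audit."""
    return [r["name"] for r in rules if evaluate(POLICY_IF, r, params)]


def rule(name, access, direction, source, port=None, ports=None):
    """Build a constructed securityRules resource for the harness."""
    props = {"access": access, "direction": direction, "sourceAddressPrefix": source}
    if port is not None:
        props["destinationPortRange"] = port
    if ports is not None:
        props["destinationPortRanges"] = ports
    return {"name": name, "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "properties": props}


# Constructed sample rules covering the cases the policy distinguishes.
SAMPLE_RULES = [
    rule("allow-any-from-internet", "Allow", "Inbound", "Internet", port="*"),
    rule("rdp-from-corp", "Allow", "Inbound", "10.0.0.0/8", port="3389"),
    rule("web-from-any", "Allow", "Inbound", "*", ports=["80", "443"]),
    rule("web-and-ssh-from-any", "Allow", "Inbound", "*", ports=["443", "22"]),
    rule("deny-all-inbound", "Deny", "Inbound", "*", port="*"),
    rule("allow-all-outbound", "Allow", "Outbound", "*", port="*"),
]

if __name__ == "__main__":
    print(noncompliant(SAMPLE_RULES, {"deniedPorts": ["*", "22", "3389"]}))
```

With the parameter set to `["*", "22", "3389"]`, only the rule that opens every port to the Internet and the one whose multi-port list contains 22 are reported; the rule reachable only from 10.0.0.0/8 is not, which is the intended scope of the `sourceAddressPrefix` check. Note that the harness is a guide to the logic, not a compliance report: Azure resolves aliases and parameters itself, and the real engine may differ in details this subset does not cover.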
