Built-in Policy Release cdc0131b (#1394)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
Azure · Oct 21, 2024 · 99d9bcf · 99d9bcf
1 parent 70b6f1f
commit 99d9bcf
Show file tree

Hide file tree

Showing 5 changed files with 1,181 additions and 979 deletions.
diff --git a/...cyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json b/...cyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
     "metadata": {
-      "version": "2.2.1",
+      "version": "2.3.0",
       "category": "Azure Update Manager"
     },
-    "version": "2.2.1",
+    "version": "2.3.0",
     "parameters": {
       "assessmentMode": {
         "type": "String",
@@ -71,6 +71,10 @@
             "field": "type",
             "equals": "Microsoft.HybridCompute/machines"
           },
+          {
+            "value": "[requestContext().apiVersion]",
+            "greaterOrEquals": "2022-03-10"
+          },
           {
             "field": "Microsoft.HybridCompute/machines/osName",
             "equals": "[parameters('osType')]"
@@ -150,6 +154,7 @@
       }
     },
     "versions": [
+      "2.3.0",
       "2.2.1"
     ]
   },

diff --git a/...n-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json b/...n-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_AINE.json
@@ -1,13 +1,12 @@
 {
   "properties": {
-    "displayName": "[Preview]: Audit SSH Posture Control on Linux machines",
+    "displayName": "Audit SSH security posture for Linux (powered by OSConfig)",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if SSH Server is not securely configured on the Linux machines.",
+    "description": "This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.0.1",
       "category": "Guest Configuration",
-      "preview": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -37,7 +36,7 @@
         }
       }
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -470,6 +469,7 @@
       }
     },
     "versions": [
+      "1.0.1",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/...n-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json b/...n-policies/policyDefinitions/Guest Configuration/LinuxSshServerSecurityBaseline_DINE.json
@@ -1,13 +1,12 @@
 {
   "properties": {
-    "displayName": "[Preview]: Configure SSH Posture Control on Linux machines",
+    "displayName": "Configure SSH security posture for Linux (powered by OSConfig)",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "This policy creates a Guest Configuration assignment to set SSH Posture Control on Linux machines.",
+    "description": "This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.0.1",
       "category": "Guest Configuration",
-      "preview": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -37,7 +36,7 @@
         }
       }
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -902,6 +901,7 @@
       }
     },
     "versions": [
+      "1.0.1",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json b/built-in-policies/policyDefinitions/Machine Learning/AllowDeployRegistryModels_Audit.json
@@ -0,0 +1,86 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Azure Machine Learning Deployments should only use approved Registry Models",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.MachineLearningServices.v2.Data",
+    "description": "Restrict the deployment of Registry models to control externally created models used within your organization",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Machine Learning",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy."
+        }
+      },
+      "allowedPublishers": {
+        "type": "Array",
+        "defaultValue": [],
+        "metadata": {
+          "displayName": "Allowed Model Publishers",
+          "description": "List of Publishers whose Models are allowed to be deployed."
+        }
+      },
+      "allowedAssetIds": {
+        "type": "Array",
+        "defaultValue": [],
+        "metadata": {
+          "displayName": "Allowed Asset Ids",
+          "description": "List of AssetIds of Models that are allowed to be deployed. This can include partial assetIds to allow all Models under a given scope."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments"
+          },
+          {
+            "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.registryName",
+            "exists": true
+          },
+          {
+            "allOf": [
+              {
+                "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.publisher",
+                "notin": "[parameters('allowedPublishers')]"
+              },
+              {
+                "count": {
+                  "value": "[parameters('allowedAssetIds')]",
+                  "name": "allowedAssetId",
+                  "where": {
+                    "field": "Microsoft.MachineLearningServices.v2.Data/workspaces/deployments/model.assetId",
+                    "contains": "[current('allowedAssetId')]"
+                  }
+                },
+                "equals": 0
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/12e5dd16-d201-47ff-849b-8454061c293d",
+  "name": "12e5dd16-d201-47ff-849b-8454061c293d"
+}