-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Policy resource #558
Comments
Thinking about this, it might make sense to simplify this by having the ability to inform name: Disable SMB v1 server
type: Microsoft.Windows/Registry
metadata:
Microsoft.DSC:
policy:
testOperation: EqualsOrNotExist
remediation:
_exist: false
properties:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: SMB1
valueData:
DWord: 0 I think I prefer this rather than adding another group type resource. Adapters would have to advertise they support the |
In this case, I think I disagree about group resource vs capability/metadata - this is a specific behavior to apply to other, existing resources for a specific model. I'm also not a huge fan of the remediation field in On the other hand, I find the Maybe something like: name: Disable SMB v1 server
type: Microsoft.DSC/Audit
properties:
analyzeOperation: EqualsOrNotExist
# resource sent as-is to `get`
resource:
type: Microsoft.Windows/Registry
properties:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: SMB1
# Audit resource only checks result of get against key-value pairs in expected
expected:
valueData: { DWord: 0 }
# remediation sent as-is to set
remediation:
type: Microsoft.Windows/Registry
properties:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: SMB1
_exist: false With slightly more work on the resource side itself, the remediation field could be simplified for cases where you are using the same resource for set by merging the values: name: Disable SMB v1 server
type: Microsoft.DSC/Audit
properties:
analyzeOperation: EqualsOrNotExist
# resource sent as-is to `get`
resource:
type: Microsoft.Windows/Registry
properties:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: SMB1
# Audit resource only checks result of get against key-value pairs in expected
expected:
valueData: { DWord: 0 }
# remediation merged on top of resource to send to set - only specify type/etc if needed.
remediation:
properties:
_exist: false It's also worth noting that regardless of what we do for this sort of resource, we can't get purely static analysis of either instance from the JSON schema, I don't think. We could maybe do it with some clever Footnotes
|
Summary of the new feature / enhancement
Looking at existing Azure policies defined in https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AzureWindowsBaseline/AzureWindowsBaseline.mof, it seems that it may be useful to have a common Policy resource that can leverage use another resource for the actual
get
andset
, but has a way within the config to have a customtest
:Here's an example policy in mof:
Here's what it could look like in DSCv3:
In this example if the
SMB1
property exists or doesn't equal 0, then the remediation is to delete it.Proposed technical implementation details (optional)
No response
The text was updated successfully, but these errors were encountered: