Forum Discussion

Stanislav_Zhelyazkov
Feb 11, 2019

Feedback: Some ASC policies do not work

Hi,

I want to flag this specific issue that I have encountered, but I was not sure if this was a good fit for User Voice. In ASC we have both recommendations and security policies in Azure Policy. We can see that some of the recommendations are also available as policies. I do not know if the idea is for policies to replace recommendations or to complement them, but I've noticed this strange behavior. In ASC I have this recommendation:

but when I go to Azure Policy, the policy that corresponds to the recommendation shows as compliant.

I think this issue is probably caused by the API the policy uses:

"then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Security/complianceResults",
      "name": "EnforceHttps",
      "existenceCondition": {
        "field": "Microsoft.Security/complianceResults/resourceStatus",
        "in": [
          "Monitored",
          "NotApplicable",
          "OffByPolicy",
          "Healthy"
        ]
      }
    }
  }
}

I am not sure what the non-acceptable values for this API are, but the resource in question is shown as Monitored by this API. There are a lot of policies built that way, so maybe if the API does not work for one recommendation it does not work for all, so all these policies might give wrong results.

  • Rob_Burton
    Copper Contributor

    Stanislav_Zhelyazkov 

    Another one that does not work is

    [Preview]: Audit maximum number of owners for a subscription

    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/complianceResults",
        "name": "DesignateLessThanXOwners",
        "existenceCondition": {
          "field": "Microsoft.Security/complianceResults/resourceStatus",
          "in": [
            "Monitored",
            "NotApplicable",
            "OffByPolicy",
            "Healty" <-------- Spelling mistake; if you change it to "Healthy" it reports correctly

    • Meital Taran- Gutman
      Microsoft

      In the last few months, ASC moved to Azure Policy as the main platform for running its security assessments. This means that since then, all ASC recommendations are manifested as policy definitions in Azure Policy.

      Unfortunately we had an issue of inconsistency between the compliance results shown in Policy vs. those shown in ASC. This has been fixed already. Can you confirm if this issue still reproduces in your environment?
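
The misspelled `resourceStatus` value reported earlier in the thread is the kind of defect a lint pass over policy definitions can catch before it skews compliance results. The following is an added example, not part of any post above and not Microsoft's code; it assumes the valid statuses are the four spellings in the first quoted policy, and the function names are hypothetical.

```python
import difflib
import json

# Assumption: the valid statuses are the four spellings used in the first
# policy quoted in this thread; the thread does not list the API's full set.
KNOWN_STATUSES = ["Healthy", "Monitored", "NotApplicable", "OffByPolicy"]
STATUS_FIELD = "Microsoft.Security/complianceResults/resourceStatus"

def status_conditions(node):
    """Yield every condition object, at any depth, that tests resourceStatus."""
    if isinstance(node, dict):
        if node.get("field") == STATUS_FIELD:
            yield node
        for child in node.values():
            yield from status_conditions(child)
    elif isinstance(node, list):
        for child in node:
            yield from status_conditions(child)

def lint_policy_rule(rule):
    """Return (assessment name, bad value, suggestion) for unknown statuses."""
    details = rule.get("then", {}).get("details", {})
    findings = []
    for cond in status_conditions(details.get("existenceCondition", {})):
        values = list(cond.get("in", []))
        if "equals" in cond:
            values.append(cond["equals"])
        for value in values:
            if value not in KNOWN_STATUSES:
                close = difflib.get_close_matches(value, KNOWN_STATUSES, n=1)
                findings.append((details.get("name"), value, close[0] if close else None))
    return findings

def lint_all(rules):
    """Lint a list of policyRule objects and flatten the findings."""
    return [finding for rule in rules for finding in lint_policy_rule(rule)]

# Constructed input: the two rules quoted in the thread, closed into valid JSON.
SAMPLE_RULES = json.loads("""
[{"then": {"effect": "[parameters('effect')]", "details": {
    "type": "Microsoft.Security/complianceResults", "name": "EnforceHttps",
    "existenceCondition": {"field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": ["Monitored", "NotApplicable", "OffByPolicy", "Healthy"]}}}},
 {"if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
  "then": {"effect": "[parameters('effect')]", "details": {
    "type": "Microsoft.Security/complianceResults", "name": "DesignateLessThanXOwners",
    "existenceCondition": {"field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": ["Monitored", "NotApplicable", "OffByPolicy", "Healty"]}}}}]
""")

if __name__ == "__main__":
    for name, bad, hint in lint_all(SAMPLE_RULES):
        print(f"{name}: unknown resourceStatus {bad!r}, did you mean {hint!r}?")
```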

       
