Customized Security Center Audit Policy


I wanted to add a few extra controls in the /opt/microsoft/omsagent/plugin/oms_audits.xml.

For example, I wanted to add some controls from the CIS Benchmark.

Kindly help me out please.

Also, I changed the time interval in security_baseline.conf to 5 minutes from 24 hours. However, it keeps on reverting to 24 hours. Kindly advise how the time interval can be changed:

<source>
type exec
tag oms.security_baseline
command sleep 60 && /opt/microsoft/omsagent/plugin/omsbaseline -d /opt/microsoft/omsagent/plugin/
format json
run_interval 24h
</source>

@Miri Landau (@Miri_Landau)

@Ben Kliger @Meital Taran- Gutman

1 Reply

@kmanish Currently, we do not support either of the scenarios to customize security baseline or to increase baseline assessment frequency. The default behavior for changes will be as below:

1. Any change to oms_audits.xml will result in omsbaseline rejecting the file as corrupted. The file will get reset within 15 minutes by omsconfig.

2. The file 'security_baseline.conf' mentioned is managed by the nxOMSPlugin DSC module and will reset the file to “desired state” within 15 minutes.

Long term, Azure intends to support customization of security baselines via In-Guest policy. We do not have a definitive timeline for it.

@Meital Taran- Gutman 

@Miri Landau (@Miri_Landau)
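
An added example, not part of the original thread and not Microsoft's code: a small Python check that parses the `<source>` block quoted in the question and reports whether `run_interval` has drifted from the 24h value the reply says is restored within 15 minutes. The function names are hypothetical, the sample text is constructed from the block above, and the s/m/h/d suffix handling is an assumption about the time format.

```python
import re

# Constructed sample: the question's <source> block with the edited 5m interval.
EDITED_CONF = """\
<source>
type exec
tag oms.security_baseline
command sleep 60 && /opt/microsoft/omsagent/plugin/omsbaseline -d /opt/microsoft/omsagent/plugin/
format json
run_interval 5m
</source>
"""
# The same block as the page shows it (the value that gets restored).
MANAGED_CONF = EDITED_CONF.replace("run_interval 5m", "run_interval 24h")

# Assumption: suffixes s/m/h/d are accepted; a bare number means seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_interval(value):
    """Convert a time value such as '24h', '5m' or '90' to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised interval: {value!r}")
    return float(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_sources(text):
    """Return one {directive: value} dict per <source> block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "<source>":
            current = {}
        elif line == "</source>" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            key, _, val = line.partition(" ")
            current[key] = val.strip()
    return blocks

def baseline_drift(text, tag="oms.security_baseline", expected="24h"):
    """Return (interval_seconds, drifted) for the block carrying `tag`."""
    for block in parse_sources(text):
        if block.get("tag") == tag:
            secs = parse_interval(block["run_interval"])
            return secs, secs != parse_interval(expected)
    raise LookupError(f"no <source> block tagged {tag!r}")
```

Run against the live file on a schedule, a `drifted` result that flips back to `False` shows the reset described in the reply has taken place.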