Feb 11 2019 12:07 AM
Hi,
I want to flag this specific issue that I have encountered, but I was not sure if this was very good for User Voice. In ASC we have both recommendations and security policies in Azure Policy. We can see that some of the recommendations are also available as policies. I do not know if the idea is for policies to replace recommendations or to complement them, but I've noticed this strange behavior. In ASC I have this recommendation:
but when I go to Azure Policy, the policy that corresponds to the recommendation reports compliant.
I think this issue is probably caused by the API the policy uses:
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.Security/complianceResults",
    "name": "EnforceHttps",
    "existenceCondition": {
      "field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": [ "Monitored", "NotApplicable", "OffByPolicy", "Healthy" ]
    }
  }
}
}
I am not sure what the unacceptable values for this API are, but the resource in question is shown as Monitored by this API. There are a lot of policies built that way, so maybe if the API does not work for one recommendation it does not work for all, and all these policies might give wrong results.
Mar 03 2019 01:00 PM
Adding @Ben Kliger and @Meital Taran- Gutman. Can either of you speak to this?
Mar 03 2019 01:39 PM
In the last few months, ASC moved to Azure Policy as the main platform for running its security assessments. This means that since then, all ASC recommendations are manifested as policy definitions in Azure Policy.
Unfortunately, we had an issue of inconsistency between the compliance results shown in Policy vs. those shown in ASC. This has been fixed already. Can you confirm whether this issue still reproduces in your environment?
Mar 13 2019 11:24 PM
Hi Meital,
There is no change in the behavior of the example I posted. ASC still shows the HTTPS recommendation for the function app, while the ASC policy marks it as compliant. The ASC recommendation is correct, as my function is enabled for both HTTPS and HTTP.
Apr 04 2019 04:41 AM
@Meital Taran- Gutman This policy still does not work and I never got a reply on why this is. Are you looking into this problem?
Apr 04 2019 07:56 AM
@Stanislav_Zhelyazkov It should show the correct result; however, there might be data freshness issues. Has the resource been live for more than 12 hours? Also, we'd like to take a closer look and make sure. Can you send me the resource name and subscription ID to metaran@microsoft.com?
Apr 08 2019 04:42 AM
Another one that does not work is:
[Preview]: Audit maximum number of owners for a subscription
"if": {
  "field": "type",
  "equals": "Microsoft.Resources/subscriptions"
},
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.Security/complianceResults",
    "name": "DesignateLessThanXOwners",
    "existenceCondition": {
      "field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": [
        "Monitored",
        "NotApplicable",
        "OffByPolicy",
        "Healty"   <-------- Spelling mistake: if you change it to "Healthy" it reports correctly
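The misspelled status value above is easy to miss by eye, so here is a small checker, added as an example and not part of the thread or of any Microsoft tooling, that lints a policyRule's existenceCondition on resourceStatus against the four values the built-in policies use, and evaluates whether a given compliance status would satisfy the condition (the constructed sample rule reproduces the typo from the post; `auditIfNotExists` as the effect is an assumption):

```python
import copy
import json

# The resourceStatus values that the ASC-backed policies quoted in the thread
# treat as "related resource exists", i.e. as a compliant evaluation.
KNOWN_STATUSES = {"Monitored", "NotApplicable", "OffByPolicy", "Healthy"}
STATUS_FIELD = "Microsoft.Security/complianceResults/resourceStatus"

# Constructed sample: the subscription-owners policyRule with the typo kept.
SAMPLE_RULE = json.loads("""{
  "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Security/complianceResults",
      "name": "DesignateLessThanXOwners",
      "existenceCondition": {
        "field": "Microsoft.Security/complianceResults/resourceStatus",
        "in": ["Monitored", "NotApplicable", "OffByPolicy", "Healty"]
      }
    }
  }
}""")


def status_values(rule):
    """Return the 'in' list of the existenceCondition on resourceStatus, or None."""
    cond = rule.get("then", {}).get("details", {}).get("existenceCondition", {})
    if cond.get("field") != STATUS_FIELD:
        return None
    return cond.get("in", [])


def lint_rule(rule):
    """List every value in the existence condition that is not a known status."""
    values = status_values(rule)
    return [] if values is None else [v for v in values if v not in KNOWN_STATUSES]


def existence_satisfied(rule, actual_status):
    """True when a complianceResults resource with this status matches the
    existenceCondition, which for auditIfNotExists means 'compliant'."""
    values = status_values(rule)
    return values is not None and actual_status in values


def with_fixed_statuses(rule, replacements):
    """Return a deep copy of the rule with misspelled status values replaced."""
    fixed = copy.deepcopy(rule)
    cond = fixed["then"]["details"]["existenceCondition"]
    cond["in"] = [replacements.get(v, v) for v in cond["in"]]
    return fixed
```

With the typo in place a "Healthy" compliance result does not match the condition, so the audit treats the subscription as non-compliant; after the one-word fix the same result matches.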