CIS 7.4. Ensure that only approved extensions are installed - unable to set approval

Luke Murray 16 Reputation points
2021-08-20T15:49:04.227+00:00

As part of the CIS Policy Framework, I'm trying to authorize our extensions. I've added the policy and set the parameters.
I'm unable to approve the below extensions, despite adding them to our exclusions (Parameters):

  1. windowsagent.azuresecuritycenter
  2. SqlIaasExtension
  3. siterecovery-windows
  4. microsoft.powershell.dsc
  5. enablevmaccess
  6. azurepolicyforwindows
  7. azurebackupwindowsworkload

Current Parameters:

[ "DependencyAgentWindows", "IaaSAntimalware", "MicrosoftMonitoringAgent", "Windows", "SqlIaaSAgent", "DSC", "ConfigurationforWindows", "NetworkWatcherAgentWindows", "windowsagent.azuresecuritycenter", "sqliaasextension", "siterecovery-windows", "enablevmaccess", "azurepolicyforwindows", "azurebackupwindowsworkload", "microsoft.powershell.dsc", "IaaSDiagnostics", "VMAccessAgent", "WindowsAgent.AzureSecurityCenter", "SqlIaasExtension", "SiteRecovery-Windows", "AzureBackupWindowsWorkload", "Microsoft.GuestConfiguration"]

I've ensured there are no white spaces and have tried upper/lower case and matched the export from get-azvmextension exactly.
The above extensions remain "non-compliant" - how do I make them compliant?

Azure Policy

2 answers

  1. Luke Murray 16 Reputation points
    2021-08-23T13:22:19.333+00:00

    @SwathiDhanwada-MSFT Thank you for your time.

    To make non-compliant resources compliant, you need to go to the respective resource and install the extensions.

    • My understanding was that the policy checked for 'installed' extensions against a list of "allowed" extensions, and highlighted/failed those that were not previously defined in the policy exemptions. Is there a requirement that the extension is also installed? (I can't see this to be true as, for example, there would be no need to install "SqlIaasExtension" on a non-SQL VM.) But you would need to add it to the policy exclusions for the applicable VMs.
    • Please clarify.

    Which effect are you using for this Policy (Audit, Deny, Disabled)?

    Audit

    • Screenshot

    125656-exterr1.png

    Although not shown in the screenshot, the extension is clearly listed (1st post, 7th parameter). This is the same with all of the "non-compliant" extensions: they have all been added to the parameters but are still showing as non-compliant.


  2. neok-g 36 Reputation points
    2021-11-03T20:34:13.967+00:00

    You should use the following az command to get all extensions for a given VM:

    az vm extension list -g MyResourceGroup --vm-name MyVm (see https://learn.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az_vm_extension_list)

    Inspect the typePropertiesType for the actual extension name that must be included in the list of approved extensions. For instance, I had to approve the extension enablevmaccess. The name is indeed enablevmaccess, but the typePropertiesType is VMAccessAgent, which must be included in the list of approved extensions.

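A small checker that applies the second answer's advice to the parameter list from the question, added here as an example and not part of the thread: it reads `az vm extension list -o json` output (a constructed sample is embedded so it runs offline), compares `typePropertiesType` rather than `name` against the approved list, and assumes Azure Policy's string comparison is case-insensitive; `ConstructedSiteRecoveryType` and `Example.Publisher` are placeholders, not real values.

```python
import json
import sys

# The approved-extension parameter value from the original question, unchanged.
APPROVED = [
    "DependencyAgentWindows", "IaaSAntimalware", "MicrosoftMonitoringAgent",
    "Windows", "SqlIaaSAgent", "DSC", "ConfigurationforWindows",
    "NetworkWatcherAgentWindows", "windowsagent.azuresecuritycenter",
    "sqliaasextension", "siterecovery-windows", "enablevmaccess",
    "azurepolicyforwindows", "azurebackupwindowsworkload",
    "microsoft.powershell.dsc", "IaaSDiagnostics", "VMAccessAgent",
    "WindowsAgent.AzureSecurityCenter", "SqlIaasExtension",
    "SiteRecovery-Windows", "AzureBackupWindowsWorkload",
    "Microsoft.GuestConfiguration",
]

# Constructed sample in the shape of `az vm extension list -o json` output,
# trimmed to the fields used here. "ConstructedSiteRecoveryType" is a
# placeholder, not the real type of the Site Recovery extension.
SAMPLE_EXTENSIONS = json.dumps([
    {"name": "enablevmaccess", "publisher": "Microsoft.Compute",
     "typePropertiesType": "VMAccessAgent"},
    {"name": "IaaSAntimalware", "publisher": "Microsoft.Azure.Security",
     "typePropertiesType": "IaaSAntimalware"},
    {"name": "siterecovery-windows", "publisher": "Example.Publisher",
     "typePropertiesType": "ConstructedSiteRecoveryType"},
])


def unapproved_extensions(extensions_json, approved):
    """Return (name, typePropertiesType) for each extension whose type is
    absent from the approved list.

    The check is deliberately on typePropertiesType, not on name: the policy
    evaluates the type, so "enablevmaccess" in the parameter does nothing
    while "VMAccessAgent" is what makes that extension compliant. Matching
    is case-insensitive (assumption: Azure Policy ignores case here, so
    casing alone never explains a non-compliant result).
    """
    approved_lc = {a.lower() for a in approved}
    return [(ext["name"], ext.get("typePropertiesType", ""))
            for ext in json.loads(extensions_json)
            if ext.get("typePropertiesType", "").lower() not in approved_lc]


if __name__ == "__main__":
    # Real use: az vm extension list -g RG --vm-name VM -o json | python3 check.py
    data = SAMPLE_EXTENSIONS if sys.stdin.isatty() else sys.stdin.read()
    for name, ext_type in unapproved_extensions(data, APPROVED):
        print(f"non-compliant: name={name!r}; add {ext_type!r} to the parameter")
```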