Customizing Azure policy definitions

Azure policies help you to monitor, identify, and remediate noncompliant resources. Azure assigns a default set of policies to each subscription. If needed, you can customize these default Azure policies to match BigAnimal's resource configurations.

Note

BigAnimal doesn't customize your Azure policies to prevent conflicts with external workloads.

Customize default policy definitions in Azure

Customize the policy definitions in each of your BigAnimal-enabled Azure subscriptions.

Note

You need Microsoft.Authorizations/PolicyAssignments/write permissions to update policy initiatives (sets of policies) in Azure.

  1. In the Azure portal, enter Policy in the search box at the top and open the Policy service.

  2. On the left side of the Policy page, Select Compliance.

  3. On the Compliance page, set the scope by selecting the ellipsis and then selecting all subscriptions. At the bottom of the Scope page, select Select to add your selection.

    You can see a list of all the policy initiatives (sets of policies) assigned by Azure's onboarding process. The policy initiative for each subscription is labeled ASC Default (subscription: <Subscription_ID>).

  4. From the list, select a policy initiative and select Edit assignment.

  5. On the Edit Initiative Assignment page, select the Parameters tab.

  6. Clear the Only show parameters that need input or review check box.

  7. Configure your default ASC policy parameters to allow only BigAnimal's specific configurations. Use the parameter values specified in Customizable policy definition parameters to update the parameters.

  8. Select the Review + create tab at the top of the wizard.

  9. Review your selections. At the bottom of the page, select Create.

You're now ready to monitor, identify, and remediate noncompliant resources to improve the compliance state of the resources in your subscription.

Customizable policy definition parameters

The following are the recommended parameters and values that are based on BigAnimal's resource configurations.

Use the values below each parameter while configuring the default ASC policy of a subscription.

Note

JSON values are provided wherever applicable.

Allowed service ports list in Kubernetes cluster

BigAnimal runs services on several ports in Kubernetes clusters in your cloud account to provide the BigAnimal services. You must allow the following ports:

["5432",  "9402",  "443", "8080",
  "9090",  "3000",  "8443",  "9443",  "9100", "9201", "8088"]

Allowed AppArmor profiles

BigAnimal requires the runtime/default AppArmor security profile:

["runtime/default"]

Allowed capabilities

Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. BigAnimal generally runs containers with limited capability to limit the attack surface of Kubernetes clusters but requires some capabilities to function:

["FOWNER"]

Allowed host paths for pod in Kubernetes cluster

BigAnimal requires the following HostPath mounts:

{
 "paths": [
   {
     "pathPrefix": "/var/log",
     "readOnly": false
   },
   {
     "pathPrefix": "/var/lib/docker/containers",
     "readOnly": true
   },
   {
     "pathPrefix": "/",
     "readOnly": true
   },
   {
     "pathPrefix": "/sys",
     "readOnly": true
   },
   {
     "pathPrefix": "/proc",
     "readOnly": true
   },
   {
     "pathPrefix": "/var/run/docker.sock",
     "readOnly": false
   },
   {
     "pathPrefix": "/run/containerd/containerd.sock",
     "readOnly": false
   },
   {
     "pathPrefix": "/dev",
     "readOnly": false
   },
   {
     "pathPrefix": "/boot",
     "readOnly": true
   },
   {
     "pathPrefix": "/lib/modules",
     "readOnly": false
   },
   {
     "pathPrefix": "/usr",
     "readOnly": true
   },
   {
     "pathPrefix": "/etc",
     "readOnly": true
   }
 ]
}

Other recommendations from Microsoft Defender for Cloud

Microsoft Defender for Cloud (which includes Azure Secure Center and Azure Defender) analyzes the configurations of your Azure resources to identify potential vulnerabilities.

You might see recommendations from Microsoft Defender for Cloud even after customizing your policies and remediating noncompliant resources. Microsoft offers these recommendations for the reasons that follow.

Restrict unauthorized network access

  • Restrict use of host networking and ports.

    BigAnimal runs containers that use the node network namespace to monitor network traffic statistics of Kubernetes cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, BigAnimal has removed all security capabilities for those containers.

  • Protect virtual networks with Azure Firewall.

    BigAnimal doesn't enable the Azure Firewall. Instead, BigAnimal uses Azure Network Security Group allowlists to specify allowed inbound and outbound traffic.

    If your organization requires an Azure Firewall for compliance purposes, contact Big Animal support.

Manage access and permissions

  • Avoid privileged containers.

    Avoid running containers as root user. However, to achieve some management functionality like securing and monitoring the application, BigAnimal needs to run some containers in privileged mode.

  • Enforce immutable (read-only) root filesystem for containers.

    Avoid running containers with a read-only root filesystem. However, for BigAnimal to achieve some control plane functionality, BigAnimal needs to run some containers with a read-only root filesystem. For example, for BigAnimal to use system calls to secure and monitor the BigAnimal application, it needs to run containers with a read-only root filesystem.

  • Avoid running containers as root user.

    BigAnimal must run some containers as the root user to provide some aspects of control plane functionality, such as logging. BigAnimal tightly restricts the use of the root user, and no containers running as root expose network connectivity.

  • Avoid containers sharing sensitive host namespaces.

    BigAnimal must run some containers that can share the host process ID namespace to monitor network traffic statistics for cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, BigAnimal has removed all security capabilities for those containers.

  • Avoid containers with privilege escalation.

    To enable some monitoring capabilities for Kubernetes, BigAnimal must run some containers that might allow privilege escalation.

Implement security best practices

  • Disable auto mounting API credentials for Kubernetes clusters.

    Microsoft recommends disabling auto mounting API credentials to prevent a potentially compromised pod from running API commands against a Kubernetes cluster.

    BigAnimal creates service accounts and roles with the least privileges for Kubernetes operators and operands to prevent this scenario.

Enable auditing and logging

Microsoft recommends enabling diagnostic logs in Kubernetes services, Key Vault, and Virtual Machine Scale Sets.

BigAnimal doesn't enable diagnostic logs for Kubernetes services and Key Vault, but it does enable diagnostic logs for Virtual Machine Scale Sets. Resources managed by BigAnimal are logged in Virtual Machine Scale Sets logs. If you must enable other logs for compliance purposes, contact BigAnimal support.

Enable enhanced security features

Microsoft Defender for Cloud includes the capabilities of Microsoft Defender for open-source relational databases.

BigAnimal doesn't enable any of the following capabilities:

  • Microsoft Defender for Servers

  • Microsoft Defender for Storage

  • Microsoft Defender for Key Vault

  • Microsoft Defender for Containers

  • Microsoft Defender for Kubernetes Service clusters

  • Microsoft Defender for Resources Manager

  • Microsoft Defender for DNS

If you have questions about enabling any of those capabilities for BigAnimal, contact BigAnimal support.