

Quickstart: Apply SSH Posture Control to a test machine

In the following steps, you will use Azure Policy to deploy SSH Posture Control settings to a test Linux VM.

For background and conceptual reference, see What is SSH Posture Control?.

For a more advanced walkthrough, see Manage your sshd settings using SSH Posture Control.

If you don't have an Azure account, you can create a free trial.

Caution

  • This Quickstart applies a restrictive sshd configuration that is intended for a new, disposable test machine. Applied to any other machine, the same configuration could lock you out. When trying out security controls such as SSH Posture Control, use an isolated sandbox environment so that even a mistake in the policy assignment scope cannot reconfigure unintended machines.

Prerequisites

Before attempting the steps in this article, ensure that you already have:

  1. An Azure account where you have rights to create a resource group, policy assignments, and a virtual machine.
  2. Your preferred environment for interacting with Azure, such as:
    1. Azure Cloud Shell (recommended)
      1. Note: Examples will use bash mode. Readers may adapt examples to other shell environments including PowerShell.
    2. or your own shell environment with Azure CLI installed and signed in
    3. or Azure Portal in a web browser

Check that you are signed in to your test environment

  1. Use the account information in the portal to see your current context.

    Screen capture showing account information in Azure portal

Create a resource group

The choice of eastus location in this example is not significant. You can use any available Azure location.

Screen capture of creating resource group via portal

Assign the policy to the resource group

This Quickstart applies audit-and-configure behavior, using the built-in policy definition Configure SSH Posture Control on Linux machines.

The example assignment will rely largely on SSH Posture Control defaults (e.g., port 22, root access not allowed), with limited customization (banner text).

  1. Navigate to Policy, then Definitions
  2. Filter the list to find and select Configure SSH Posture Control on Linux machines
  3. From the policy definition page, click Assign
  4. In the policy assignment workflow
    1. Choose the new empty resource group (created earlier) as the scope.
    2. Optional: Choose a name for this policy assignment. By default the name of the policy definition is used.
    3. Optional: On the parameters tab, override a default value such as the "banner" value.
    4. Note: Set the 'port' rule to a single value. Both the audit and the configure behavior expect exactly one port.
    5. Complete the creation of the policy assignment.

Caution

Whether you used the Portal or the CLI, inspect the scope of the policy assignment you just created before proceeding. If the scope was mistakenly set to anything other than the new, empty resource group created earlier, correct it immediately to avoid configuring unintended machines.

Create a test VM and prepare it for Machine Configuration

  1. Create a Linux virtual machine
  2. Add a system assigned identity, if not already present
  3. Add the Machine Configuration extension (labeled in portal as Azure Machine Configuration for Linux)

Tip

In this Quickstart the prerequisites for Machine Configuration (the VM has a system-assigned managed identity and the agent extension) were addressed directly during VM creation. At scale, these prerequisites can be satisfied using the built-in Policy Initiative Deploy prerequisites to enable Guest Configuration policies on virtual machines.

Take a break before proceeding

Several steps will now happen automatically. Each of these steps can take a few minutes. Accordingly, please wait at least 15 minutes before proceeding.

Observe results

In the Portal, open Policy, then Compliance, and select the assignment you created. From there you can see:

  1. How many machines are compliant (or not)
    1. Particularly useful at production scales, where you may have thousands of machines
  2. Which machines are compliant (or not)
  3. For a given machine, which individual rules are compliant (or not)
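The same procedure (resource group, policy assignment, test VM with its prerequisites, and the compliance views) as an Azure CLI script. This is an added example, not the article's or the product's own script: the resource names (sshdemo01, sshtest01, sshdemo01-sshposture), the Ubuntu2204 image alias, the banner text, the assumed parameter name `banner` and the Microsoft.GuestConfiguration api-version are assumptions to adjust. Nothing is provisioned unless SSHDEMO_RUN is set, so the scope check can be exercised on its own.

```shell
#!/usr/bin/env bash
# Added example (not the article's own script): the Quickstart's Portal steps
# as Azure CLI, with a scope check before any machine is touched.
# Assumptions: resource names, image alias, banner text, the parameter name
# in BANNER_PARAM (verified against the definition before use) and the
# guestConfigurationAssignments api-version. Requires `az login` first.
set -eu

RG=${RG:-sshdemo01}
LOCATION=${LOCATION:-eastus}
VM=${VM:-sshtest01}
ASSIGNMENT=${ASSIGNMENT:-sshdemo01-sshposture}
DEF_DISPLAY_NAME='Configure SSH Posture Control on Linux machines'
BANNER_PARAM=${BANNER_PARAM:-banner}      # assumed name; checked below, skipped if absent
BANNER_TEXT=${BANNER_TEXT:-'Authorized use only. Activity is monitored.'}

# The article's Caution as a pure string check: the assignment scope must be
# exactly this resource group, not the subscription or a management group.
# Azure resource IDs are case-insensitive, so compare in lower case.
scope_is_resource_group() {  # $1 = scope, $2 = subscription id, $3 = resource group name
  want=$(printf '/subscriptions/%s/resourcegroups/%s' "$2" "$3" | tr 'A-Z' 'a-z')
  got=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ "$got" = "$want" ]
}

create_rg_and_assignment() {
  sub=$(az account show --query id -o tsv)
  rg_id=$(az group create --name "$RG" --location "$LOCATION" --query id -o tsv)

  def=$(az policy definition list --query "[?displayName=='$DEF_DISPLAY_NAME'].name" -o tsv)
  [ -n "$def" ] || { echo "built-in definition '$DEF_DISPLAY_NAME' not found" >&2; return 1; }

  # A DeployIfNotExists definition names the role its managed identity needs;
  # the Portal grants it silently, the CLI needs --role and --identity-scope.
  role=$(az policy definition show --name "$def" \
           --query "policyRule.then.details.roleDefinitionIds[0]" -o tsv)

  params='{}'
  if [ "$(az policy definition show --name "$def" \
           --query "parameters.\"$BANNER_PARAM\" != null" -o json)" = true ]; then
    params=$(printf '{"%s":{"value":"%s"}}' "$BANNER_PARAM" "$BANNER_TEXT")
  else
    echo "no parameter named $BANNER_PARAM; assigning with the defaults" >&2
  fi

  az policy assignment create --name "$ASSIGNMENT" --policy "$def" --scope "$rg_id" \
    --mi-system-assigned --location "$LOCATION" --role "$role" --identity-scope "$rg_id" \
    --params "$params" -o none

  # Abort if the assignment landed anywhere but the empty resource group.
  scope=$(az policy assignment show --name "$ASSIGNMENT" --scope "$rg_id" --query scope -o tsv)
  scope_is_resource_group "$scope" "$sub" "$RG" || { echo "unexpected scope: $scope" >&2; return 1; }
}

create_test_vm() {
  # The two Machine Configuration prerequisites: system-assigned identity and
  # the Azure Machine Configuration for Linux extension.
  az vm create --resource-group "$RG" --name "$VM" --image Ubuntu2204 \
    --admin-username azureuser --generate-ssh-keys --assign-identity -o none
  az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.GuestConfiguration --name ConfigurationforLinux \
    --enable-auto-upgrade true -o none
}

observe_results() {
  # Counts for the assignment, then per-machine state, then per-rule detail
  # from the machine's guest configuration assignment report.
  az policy state summarize --resource-group "$RG" --policy-assignment "$ASSIGNMENT" -o jsonc
  az policy state list --resource-group "$RG" --policy-assignment "$ASSIGNMENT" \
    --query "[].{resource:resourceId, state:complianceState}" -o table
  vm_id=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)
  az rest --method get --url "https://management.azure.com${vm_id}/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments?api-version=2022-01-25" \
    --query "value[].{name:name, status:properties.complianceStatus}" -o table
}

case "${SSHDEMO_RUN:-}" in
  provision) create_rg_and_assignment; create_test_vm
             echo "wait at least 15 minutes, then rerun with SSHDEMO_RUN=observe" >&2 ;;
  observe)   observe_results ;;
  *)         : ;;   # nothing provisioned; functions are available when sourced
esac
```

Run it as `SSHDEMO_RUN=provision ./sshdemo.sh`, wait, then `SSHDEMO_RUN=observe ./sshdemo.sh`. The scope check deliberately refuses subscription and management-group scopes rather than warning, because an assignment at the wrong scope reconfigures sshd on every Linux machine beneath it.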

Optional: Add more test machines to experience scale

In this article the policy was assigned to a resource group which was initially empty and then gained one VM. While this demonstrates the system working end-to-end, it doesn't provide a sense of at-scale operations. For example, in the policy assignment compliance view a pie chart of one machine can feel artificial.

Consider adding more test machines to the resource group, whether manually or via automation. These could be Azure VMs or Arc-enabled machines. As you see those machines come into compliance (or even fail) you can gain a keener sense of operationalizing SSH Posture Control at scale.

Optional: Manually inspect test machine to confirm results

When getting started with a new feature such as SSH Posture Control, it can be valuable to manually inspect the results out of band. This helps to build confidence and clarity. The steps in this article, for example, should have resulted in a modified logon banner on your test VM. You can confirm this by attempting an SSH connection to the machine (sshd sends the banner before authentication, so you see it even if the login is refused), or by inspecting the sshd_config file.
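An offline review of a copied sshd_config against the settings this Quickstart expects (the single Port rule noted during assignment, root login refused, a Banner set). This is an added example, not part of the article or of SSH Posture Control; the two sample configs are constructed. On the VM itself `sudo sshd -T` remains the authoritative view, because it resolves Include files and Match blocks, which this script does not.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the product: review a copied
# sshd_config the way sshd reads it. Sample configs below are constructed.
set -eu

# sshd keeps the FIRST value it reads for a keyword and ignores later
# duplicates, except Port, which accumulates (every listed port is bound).
# Directives after a Match line are conditional, so the global scan stops
# there. Keywords are case-insensitive and "Keyword=value" is accepted.
sshd_effective() {  # $1 = config file, $2 = keyword -> prints the global value
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, ""); if ($1 ~ /=/) sub(/=/, " ") }   # strip comments, normalise "="
    tolower($1) == "match" { exit }                   # end of the global section
    NF >= 2 && tolower($1) == key { print $2; exit }  # first occurrence wins
  ' "$1"
}

sshd_port_count() {  # $1 = config file -> number of global Port directives
  awk '{ sub(/#.*/, ""); if ($1 ~ /=/) sub(/=/, " ") }
       tolower($1) == "match" { exit }
       tolower($1) == "port"  { n++ }
       END { print n + 0 }' "$1"
}

sshd_has_include() {  # true if the file pulls in other files this script does not read
  grep -qiE '^[[:space:]]*Include([[:space:]]|=)' "$1"
}

posture_findings() {  # $1 = config file; report on stderr, count of findings on stdout
  f=$1; n=0
  if [ "$(sshd_port_count "$f")" = 1 ]; then echo "ok   Port set exactly once" >&2
  else echo "FAIL Port must appear exactly once" >&2; n=$((n+1)); fi
  root=$(sshd_effective "$f" PermitRootLogin)
  if [ "$root" = no ]; then echo "ok   PermitRootLogin no" >&2
  else echo "FAIL PermitRootLogin is '${root:-unset}', not 'no' (OpenSSH default is prohibit-password)" >&2; n=$((n+1)); fi
  banner=$(sshd_effective "$f" Banner)
  if [ -n "$banner" ]; then echo "ok   Banner $banner" >&2
  else echo "FAIL Banner not set" >&2; n=$((n+1)); fi
  if sshd_has_include "$f"; then echo "note Include present; included files were not read" >&2; fi
  echo "$n"
}

# Constructed samples: one as SSH Posture Control might leave the file, one drifted.
CFG_OK=$(mktemp); CFG_BAD=$(mktemp)
trap 'rm -f "$CFG_OK" "$CFG_BAD"' EXIT
cat >"$CFG_OK" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
Banner /etc/issue.net
PermitRootLogin yes      # ignored by sshd: the first value above wins
Match User backup
    PermitRootLogin yes  # conditional, not a global setting
EOF
cat >"$CFG_BAD" <<'EOF'
Port 22
Port=2222
PermitRootLogin yes
EOF

echo "findings in compliant sample: $(posture_findings "$CFG_OK")"
echo "findings in drifted sample:   $(posture_findings "$CFG_BAD")"
```

Copy the file off the VM with scp (or run the checks there over /etc/ssh/sshd_config) and treat any FAIL, or a "note" about Include, as a reason to look at `sudo sshd -T` before trusting the result.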

Clean up resources

To avoid ongoing charges, consider deleting the resource group used in this article. For example, the Azure CLI command would be az group delete --name "sshdemo01"