articles/cost-management-billing/dataset-schema/cost-usage-details-mca-partner-subscription.md
Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ This article applies to cost and usage details file schema for a Microsoft Partn
46
46
|26|publisherType|Supported values: Microsoft, Azure, AWS, Marketplace. Values are microsoft for MCA accounts and Azure for EA and pay-as-you-go accounts.|
47
47
|27|publisherId|The ID of the publisher. It's only available after the invoice is generated.|
48
48
|28|publisherName|Publisher for Marketplace services.|
49
-
|29|resourceGroupName|Name of the resource group the resource is in. Not all charges come from resources deployed to resource groups. Charges that don't have a resource group are shown as null or empty, `Others`, or`Not applicable`.|
49
+
|29|resourceGroupName|Name of the resource group the resource is in. Not all charges come from resources deployed to resource groups. Charges that don't have a resource group are shown as null or empty, `Others`, or`Not applicable`.|
50
50
|30|ResourceId|Unique identifier of the Azure Resource Manager resource.|
51
51
|31|resourceLocation|Datacenter location where the resource is running. See `Location`.|
52
52
|32|location|Normalized location of the resource, if different resource locations are configured for the same regions.|
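Review bot: the `-` and `+` lines for row 29 (`resourceGroupName`) are textually identical in this view, so the change looks whitespace- or line-ending-only; if that is intended, the commit message should say so. The row still carries a formatting defect this edit could have fixed: "`Others`, or`Not applicable`" is missing a space after "or".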
articles/governance/policy/samples/guest-configuration-baseline-linux.md
Lines changed: 5 additions & 5 deletions
@@ -148,8 +148,8 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
148
148
|Ensure at/cron is restricted to authorized users<br /><sub>(98)</sub> |Description: On many systems, only the system administrator is authorized to schedule `cron` jobs. Using the `cron.allow` file to control who can run `cron` jobs enforces this policy. It's easier to manage an allowlist than a denylist. In a denylist, you could potentially add a user ID to the system and forget to add it to the deny files. |Replace /etc/cron.deny and /etc/at.deny with their respective `allow` files or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-job-allow' |
149
149
|SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config Protocol = 2'<br /><sub>(106.1)</sub> |Description: An attacker could use flaws in an earlier version of the SSH protocol to gain access |Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r configure-ssh-protocol'. This will set 'Protocol 2' in the file '/etc/ssh/sshd_config' |
150
150
|SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config IgnoreRhosts = yes'<br /><sub>(106.3)</sub> |Description: An attacker could use flaws in the Rhosts protocol to gain access |Run the command '/usr/local/bin/azsecd remediate (/opt/microsoft/omsagent/plugin/omsremediate) -r enable-ssh-ignore-rhosts'. This will add the line 'IgnoreRhosts yes' to the file '/etc/ssh/sshd_config' |
151
-
|Ensure SSH LogLevel is set to INFO<br /><sub>(106.5)</sub> |Description: SSH provides several logging levels with varying amounts of verbosity. `DEBUG`is specifically _not_ recommended other than strictly for debugging SSH communications since it provides so much data that it's difficult to identify important security information. `INFO`level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it's important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. |Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: ``` LogLevel INFO ```|
152
-
|Ensure SSH MaxAuthTries is set to 6 or less<br /><sub>(106.7)</sub> |Description: Setting the `MaxAuthTries`parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. |Ensure SSH MaxAuthTries is set to 6 or less Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: ``` MaxAuthTries 6 ```|
151
+
|Ensure SSH LogLevel is set to INFO<br /><sub>(106.5)</sub> |Description: SSH provides several logging levels with varying amounts of verbosity. `DEBUG`is specifically _not_ recommended other than strictly for debugging SSH communications since it provides so much data that it's difficult to identify important security information. `INFO`level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it's important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. |Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: ``` LogLevel INFO ```|
152
+
|Ensure SSH MaxAuthTries is set to 6 or less<br /><sub>(106.7)</sub> |Description: Setting the `MaxAuthTries`parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. |Ensure SSH MaxAuthTries is set to 6 or less Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: ``` MaxAuthTries 6 ```|
153
153
|Ensure SSH access is limited<br /><sub>(106.11)</sub> |Description: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. |Ensure SSH access is limited Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: ``` AllowUsers AllowGroups DenyUsers DenyGroups ```|
154
154
|Emulation of the rsh command through the ssh server should be disabled. - '/etc/ssh/sshd_config RhostsRSAAuthentication = no'<br /><sub>(107)</sub> |Description: An attacker could use flaws in the RHosts protocol to gain access |Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-rhost-rsa-auth'. This will add the line 'RhostsRSAAuthentication no' to the file '/etc/ssh/sshd_config' |
155
155
|SSH host-based authentication should be disabled. - '/etc/ssh/sshd_config HostbasedAuthentication = no'<br /><sub>(108)</sub> |Description: An attacker could use host-based authentication to gain access from a compromised host |Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-host-based-auth'. This will add the line 'HostbasedAuthentication no' to the file '/etc/ssh/sshd_config' |
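Review bot: rows 106.5 and 106.7 show no visible difference between their `-` and `+` lines, so this again looks like a whitespace-only change, while several rendering defects in the same rows are left in place. Missing spaces after inline code spans: "`DEBUG`is", "`INFO`level" and "`MaxAuthTries`parameter". The 106.7 remediation cell repeats the control title ("Ensure SSH MaxAuthTries is set to 6 or less Edit the ...") before the instruction, and its description says the recommended setting is 4 while the title says 6 or less; the two values should be reconciled or their relationship stated. Triple-backtick fences inside a table cell (``` LogLevel INFO ```, ``` MaxAuthTries 6 ```) do not render as code blocks in a markdown table; single-backtick spans such as `LogLevel INFO` would.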
@@ -190,15 +190,15 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
190
190
|Ensure minimum days between password changes is 7 or more.<br /><sub>(157.12)</sub> |Description: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls. |Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs`: `PASS_MIN_DAYS 7`. Modify user parameters for all users with a password set to match: `chage --mindays 7` or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-pass-min-days' |
191
191
|Ensure all users last password change date is in the past<br /><sub>(157.14)</sub> |Description: If a users recorded password change date is in the future, then they could bypass any set password expiration. |Ensure inactive password lock is 30 days or less Run the following command to set the default password inactivity period to 30 days: ``` # useradd -D -f 30 ``` Modify user parameters for all users with a password set to match: ``` # chage --inactive 30 ```|
192
192
|Ensure system accounts are non-login<br /><sub>(157.15)</sub> |Description: It's important to make sure that accounts that aren't being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it's also recommended that the shell field in the password file be set to `/usr/sbin/nologin`. This prevents the account from potentially being used to run any commands. |Set the shell for any accounts returned by the audit script to `/sbin/nologin`|
193
-
|Ensure default group for the root account is GID 0<br /><sub>(157.16)</sub> |Description: Using GID 0 for the `_root_ `account helps prevent `_root_`-owned files from accidentally becoming accessible to non-privileged users. |Run the following command to set the `root` user default group to GID `0` : ``` # usermod -g 0 root ```|
194
-
|Ensure root is the only UID 0 account<br /><sub>(157.18)</sub> |Description: This access must be limited to only the default `root`account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism. |Remove any users other than `root` with UID `0` or assign them a new UID if appropriate. |
193
+
|Ensure default group for the root account is GID 0<br /><sub>(157.16)</sub> |Description: Using GID 0 for the `root`account helps prevent `root`-owned files from accidentally becoming accessible to non-privileged users. |Run the following command to set the `root` user default group to GID `0` : ``` # usermod -g 0 root ```|
194
+
|Ensure root is the only UID 0 account<br /><sub>(157.18)</sub> |Description: This access must be limited to only the default `root`account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism. |Remove any users other than `root` with UID `0` or assign them a new UID if appropriate. |
195
195
|Remove unnecessary accounts<br /><sub>(159)</sub> |Description: For compliance |Remove the unnecessary accounts |
196
196
|Ensure auditd service is enabled<br /><sub>(162)</sub> |Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. |Install audit package (systemctl enable auditd) |
197
197
|Run AuditD service<br /><sub>(163)</sub> |Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. |Run AuditD service (systemctl start auditd) |
198
198
|Ensure SNMP Server is not enabled<br /><sub>(179)</sub> |Description: The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it's recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1. |Run one of the following commands to disable `snmpd`: ``` # chkconfig snmpd off `````` # systemctl disable snmpd `````` # update-rc.d snmpd disable ```|
199
199
|Ensure rsync service is not enabled<br /><sub>(181)</sub> |Description: The `rsyncd` service presents a security risk as it uses unencrypted protocols for communication. |Run one of the following commands to disable `rsyncd` : `chkconfig rsyncd off`, `systemctl disable rsyncd`, `update-rc.d rsyncd disable` or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rsync' |
200
200
|Ensure NIS server is not enabled<br /><sub>(182)</sub> |Description: The NIS service is an inherently insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS is generally replaced by protocols like Lightweight Directory Access Protocol (LDAP). It's recommended that the service be disabled and more secure services be used |Run one of the following commands to disable `ypserv` : ``` # chkconfig ypserv off `````` # systemctl disable ypserv `````` # update-rc.d ypserv disable ```|
201
-
|Ensure rsh client is not installed<br /><sub>(183)</sub> |Description: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it's best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh`package removes the clients for `rsh`, `rcp`and `rlogin`. |Uninstall `rsh` using the appropriate package manager or manual installation: ``` yum remove rsh `````` apt-get remove rsh `````` zypper remove rsh ```|
201
+
|Ensure rsh client is not installed<br /><sub>(183)</sub> |Description: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it's best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh`package removes the clients for `rsh`, `rcp`and `rlogin`. |Uninstall `rsh` using the appropriate package manager or manual installation: ``` yum remove rsh `````` apt-get remove rsh `````` zypper remove rsh ```|
202
202
|Disable SMB V1 with Samba<br /><sub>(185)</sub> |Description: SMB v1 has well-known, serious vulnerabilities and does not encrypt data in transit. If it must be used for business reasons, it's strongly recommended that additional steps be taken to mitigate the risks inherent to this protocol. |If Samba is not running, remove package, otherwise there should be a line in the [global] section of /etc/samba/smb.conf: min protocol = SMB2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-smb-min-version |
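Review bot: the one substantive change in this hunk is row 157.16, where "`_root_ `" becomes "`root`", which removes the stray underscores and trailing space; "`root`account" still lacks a space after the closing backtick, both here and in the unchanged 157.18 row ("default `root`account"). Rows 157.18 and 183 show no visible difference between `-` and `+`. Row 183 and the neighbouring context rows 179 and 182 run their fences together ("``` yum remove rsh `````` apt-get remove rsh ``````"), which renders as one garbled code span; listing the alternatives as separate single-backtick spans, as row 181 already does, would fix it. Two further defects in the trailing context are worth a follow-up: the 157.14 remediation cell describes a different control ("Ensure inactive password lock is 30 days or less") than its title, and row 185 is missing the closing quote on '/opt/microsoft/omsagent/plugin/omsremediate -r set-smb-min-version'.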