Add Azure.Fleet.PublicKey rule for Linux Azure Fleet VM profiles (AZR-000541) (#3719)

Author: Copilot

docs/changelog.md

@@ -44,6 +44,8 @@ What's changed since v1.47.0:
   - Azure Container Registry:
     - Check that audit diagnostic logs are enabled for Container Registry by @BernieWhite.
       [#3445](https://github.com/Azure/PSRule.Rules.Azure/issues/3445)
+  - Azure Fleet:
+    - Check for public key usage on Linux fleet VM profiles by @BernieWhite.
   - Container Apps:
     - Check that liveness and readiness health probes use HTTP checks for HTTP-based ingress by @BernieWhite.
       [#3111](https://github.com/Azure/PSRule.Rules.Azure/issues/3111)

docs/en/rules/Azure.Fleet.PublicKey.md

@@ -0,0 +1,201 @@
+---
+reviewed: 2026-04-04
+severity: Important
+pillar: Security
+category: SE:08 Hardening resources
+resource: Azure Fleet
+resourceType: Microsoft.AzureFleet/fleets
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Fleet.PublicKey/
+---
+
+# Azure Fleet password-based authentication is enabled
+
+## SYNOPSIS
+
+Use SSH keys instead of common credentials to secure Linux Azure Fleet VMs against malicious activities.
+
+## DESCRIPTION
+
+Linux Azure Fleet virtual machine profiles should have password authentication disabled to help with eliminating password-based attacks.
+
+## RECOMMENDATION
+
+Consider disabling password-based authentication on Linux Azure Fleet VM profiles and instead use public keys.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy an Azure Fleet that passes this rule:
+
+- Set the `properties.computeProfile.baseVirtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
+
+For example:
+
+```bicep
+resource linux_fleet 'Microsoft.AzureFleet/fleets@2024-11-01' = {
+  name: name
+  location: location
+  properties: {
+    computeProfile: {
+      baseVirtualMachineProfile: {
+        osProfile: {
+          computerNamePrefix: 'fleet'
+          adminUsername: adminUsername
+          linuxConfiguration: {
+            disablePasswordAuthentication: true
+            provisionVMAgent: true
+            ssh: {
+              publicKeys: [
+                {
+                  path: '/home/azureuser/.ssh/authorized_keys'
+                  keyData: sshPublicKey
+                }
+              ]
+            }
+          }
+        }
+        storageProfile: {
+          imageReference: {
+            publisher: 'MicrosoftCblMariner'
+            offer: 'azure-linux-3'
+            sku: 'azure-linux-3-gen2'
+            version: 'latest'
+          }
+          osDisk: {
+            createOption: 'FromImage'
+            caching: 'ReadWrite'
+            managedDisk: {
+              storageAccountType: 'Premium_LRS'
+            }
+          }
+        }
+        networkProfile: {
+          networkInterfaceConfigurations: [
+            {
+              name: 'netconfig'
+              properties: {
+                ipConfigurations: [
+                  {
+                    name: 'ipconfig'
+                    properties: {
+                      primary: true
+                      subnet: {
+                        id: subnetId
+                      }
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+    vmSizesProfile: [
+      {
+        name: 'Standard_D8ds_v6'
+        rank: 0
+      }
+    ]
+    regularPriorityProfile: {
+      minCapacity: 1
+      capacity: 5
+      allocationStrategy: 'Prioritized'
+    }
+  }
+}
+```
+
+### Configure with Azure template
+
+To deploy an Azure Fleet that passes this rule:
+
+- Set the `properties.computeProfile.baseVirtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.AzureFleet/fleets",
+  "apiVersion": "2024-11-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "computeProfile": {
+      "baseVirtualMachineProfile": {
+        "osProfile": {
+          "computerNamePrefix": "fleet",
+          "adminUsername": "[parameters('adminUsername')]",
+          "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
+            "provisionVMAgent": true,
+            "ssh": {
+              "publicKeys": [
+                {
+                  "path": "/home/azureuser/.ssh/authorized_keys",
+                  "keyData": "[parameters('sshPublicKey')]"
+                }
+              ]
+            }
+          }
+        },
+        "storageProfile": {
+          "imageReference": {
+            "publisher": "MicrosoftCblMariner",
+            "offer": "Cbl-Mariner",
+            "sku": "cbl-mariner-2-gen2",
+            "version": "latest"
+          },
+          "osDisk": {
+            "createOption": "FromImage",
+            "caching": "ReadWrite",
+            "managedDisk": {
+              "storageAccountType": "Premium_LRS"
+            }
+          }
+        },
+        "networkProfile": {
+          "networkInterfaceConfigurations": [
+            {
+              "name": "netconfig",
+              "properties": {
+                "ipConfigurations": [
+                  {
+                    "name": "ipconfig",
+                    "properties": {
+                      "primary": true,
+                      "subnet": {
+                        "id": "[parameters('subnetId')]"
+                      }
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    },
+    "vmSizesProfile": [
+      {
+        "name": "Standard_D8ds_v6",
+        "rank": 0
+      }
+    ],
+    "regularPriorityProfile": {
+      "minCapacity": 1,
+      "capacity": 5,
+      "allocationStrategy": "Prioritized"
+    }
+  }
+}
+```
+
+## LINKS
+
+- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-virtual-machines-security-baseline)
+- [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.azurefleet/fleets)

docs/en/rules/Azure.VMSS.PublicKey.md

@@ -212,6 +212,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = {
 ## LINKS
 
 - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
-- [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
+- [Security: Level 2](https://learn.microsoft.com/azure/well-architected/security/maturity-model?tabs=level2)
+- [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-virtual-machines-security-baseline)
 - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets)

docs/examples/resources/fleet.bicep

@@ -19,6 +19,9 @@ param secret string
 @description('The ID of the subnet where the fleet will be deployed.')
 param subnetId string
 
+@description('The SSH public key for the local administrator account.')
+param sshPublicKey string
+
 // An example of creating a fleet resource with a Trusted Launch security profile.
 resource windows_fleet 'Microsoft.AzureFleet/fleets@2024-11-01' = {
   name: name
@@ -79,3 +82,82 @@ resource windows_fleet 'Microsoft.AzureFleet/fleets@2024-11-01' = {
     '3'
   ]
 }
+
+// An example of creating a Linux fleet resource with SSH public key authentication.
+resource linux_fleet 'Microsoft.AzureFleet/fleets@2024-11-01' = {
+  name: name
+  location: location
+  properties: {
+    computeProfile: {
+      baseVirtualMachineProfile: {
+        osProfile: {
+          computerNamePrefix: 'fleet'
+          adminUsername: adminUsername
+          linuxConfiguration: {
+            disablePasswordAuthentication: true
+            provisionVMAgent: true
+            ssh: {
+              publicKeys: [
+                {
+                  path: '/home/azureuser/.ssh/authorized_keys'
+                  keyData: sshPublicKey
+                }
+              ]
+            }
+          }
+        }
+        storageProfile: {
+          imageReference: {
+            publisher: 'MicrosoftCblMariner'
+            offer: 'azure-linux-3'
+            sku: 'azure-linux-3-gen2'
+            version: 'latest'
+          }
+          osDisk: {
+            createOption: 'FromImage'
+            caching: 'ReadWrite'
+            managedDisk: {
+              storageAccountType: 'Premium_LRS'
+            }
+          }
+        }
+        networkProfile: {
+          networkInterfaceConfigurations: [
+            {
+              name: 'netconfig'
+              properties: {
+                ipConfigurations: [
+                  {
+                    name: 'ipconfig'
+                    properties: {
+                      primary: true
+                      subnet: {
+                        id: subnetId
+                      }
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+    vmSizesProfile: [
+      {
+        name: 'Standard_D8ds_v6'
+        rank: 0
+      }
+    ]
+    regularPriorityProfile: {
+      minCapacity: 1
+      capacity: 5
+      allocationStrategy: 'Prioritized'
+    }
+  }
+  zones: [
+    '1'
+    '2'
+    '3'
+  ]
+}