A new feature Microsoft has been working on for its Azure Linux operating system is OS Guard, a container-host platform that enforces immutability, code integrity, mandatory access control, and other features. Microsoft quietly revealed more about OS Guard last month, and yesterday’s release of Azure Linux 3.0.20250822 builds out more of the OS Guard functionality.
The new release of Azure Linux 3.0.20250822 on Wednesday added “osguard-ci”, which brings code integrity support to OS Guard. This monthly feature release also includes several other changes around OS Guard (“osguard”). The v3.0.20250822 details can be found via the releases page.
In this pull request, the Microsoft engineers involved shared more details on their OS Guard Code Integrity feature:
“Add new image configuration definition for OS Guard that enables code integrity enhancements.
To enable code integrity checking for containers, this image activates the containerd erofs-snapshotter with an updated /etc/containerd/config.toml configuration, and also configures cni appropriately for pod networking.
Additionally this image enables SELinux in enforcing mode for another important security layer.
Finally, update the OS Guard generation script to handle generating OS Guard image configurations using different delta files, and simplify the process of adding new delta configurations by creating the GEN_JOBS array.”
After first talking about OS Guard at this year’s BUILD conference, Microsoft revealed more information on OS Guard last month via a blog post. OS Guard is described as offering Azure Linux greater cloud-native security with:
“OS Guard (codename Linux Guard) is a container host that builds on the FedRAMP-certified Azure Linux 3.0 base and its sovereign supply chain by enforcing immutability, code integrity and mandatory access control.”
OS Guard brings code integrity features, immutability via dm-verity and other protections, Mandatory Access Control with SELinux, Trusted Launch via TPM integration, and a number of other security features. As a sign of the times, Microsoft also promotes OS Guard as being open-source.
Those wanting to learn more about Microsoft’s OS Guard functionality can do so via this Microsoft blog post.