89ebdb952a | ||
---|---|---|
.build/tasks | ||
.github | ||
Tests | ||
Tools | ||
source | ||
.gitignore | ||
CHANGELOG.md | ||
FILEHASH.md | ||
GitVersion.yml | ||
HISTORIC_CHANGELOG.md | ||
LICENSE | ||
README.CONTRIBUTING.md | ||
README.TESTGUIDELINES.md | ||
README.md | ||
Resolve-Dependency.ps1 | ||
Resolve-Dependency.psd1 | ||
SECURITY.md | ||
azure-pipelines.yml | ||
build.ps1 | ||
build.yaml |
README.md
PowerSTIG
PowerStig is a PowerShell module that contains several components to automate different DISA Security Technical Implementation Guides (STIGs) where possible.
Name | Description | Published to PS Gallery |
---|---|---|
PowerStig.Convert | Extract configuration objects from the xccdf | No |
PowerStig.Data | A PowerShell class to access the PowerSTIG "database" | Yes |
PowerStig.DSC | Compsite DSC resources to apply and/or audit STIG settings | Yes |
PowerStig.Document | An experimental module to create prefilled out checklists | Yes |
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Released Module
To see the released PowerStig module, go to the PowerShell Gallery. We recommend that you use PowerShellGet to install PowerStig:
For example:
Install-Module -Name PowerStig -Scope CurrentUser
Once PowerStig is installed, you can view the list of STIGs that are currently available. The Get-Stig function queries the StigData and returns a full list. This will give you an idea of what you can target in your environment.
Import-Module PowerStig
Get-Stig -ListAvailable
To update a previously installed module use this command:
Update-Module -Name PowerStig
PowerStig.Convert
A utility module that we use to generate PowerStig XML to store in PowerStig.Data. The module uses PowerShell classes to extract settings from check-content elements of the xccdf. This nested module is NOT published to the PS Gallery. The extracted settings are converted into a new PowerStig XML schema. The XML file is saved into a processed StigData folder and released to the PS Gallery on a regular cadence.
For detailed information, please see the Convert Wiki
PowerStig.Data
A module with PowerShell classes and a directory of PowerStig XML to provide a way of retrieving StigData and documenting deviations. The PowerStig.Data classes provide methods to:
- Override a setting defined in a STIG and automatically document the exception to policy
- Apply settings that have a valid range of values (Organizational Settings)
- Exclude a rule if it is already defined in another STIG (de-duplication) and automatically document the exception to policy
- Exclude an entire class of rules (intended for testing and integration) and automatically document the exception to policy
For detailed information, please see the StigData Wiki. For STIG xml file hashes please refer to File Hashes.
PowerStig.DSC
PowerStig.DSC is not really a specific module, but rather a collection of PowerShell Desired State Configuration (DSC) composite resources to manage the configurable items in each STIG. Each composite uses PowerStig.Data classes to retrieve PowerStig XML. This allows the PowerStig.Data classes to manage exceptions, Org settings, and skipped rules uniformly across all composite resources. The standard DSC ResourceID's can then be used by additional automation to automatically generate compliance reports or trigger other automation solutions.
Composite Resources
The list of STIGs that we are currently covering.
Name | Description |
---|---|
Adobe | Provides a mechanism to manage Adobe STIG settings. |
Chrome | Provides a mechanism to manage Google Chrome STIG settings. |
DotNetFramework | Provides a mechanism to manage .Net Framework STIG settings. |
Edge | Provides a mechanism to manage Microsoft Edge STIG settings. |
Firefox | Provides a mechanism to manage Firefox STIG settings. |
IisServer | Provides a mechanism to manage IIS Server settings. |
IisSite | Provides a mechanism to manage IIS Site settings. |
InternetExplorer | Provides a mechanism to manage Microsoft Internet Explorer settings. |
McAfee | Provides a mechanism to manage McAfee settings. |
Office | Provides a mechanism to manage Microsoft Office STIG settings. |
OracleJRE | Provides a mechanism to manage Oracle Java Runtime Environment STIG settings. |
RHEL | Provides a mechanism to manage RedHat Enterprise Linux STIG settings. |
SqlServer | Provides a mechanism to manage SqlServer STIG settings. |
Ubuntu | Provides a mechanism to manage Ubuntu Linux STIG settings. |
Vsphere | Provides a mechanism to manage VMware Vsphere STIG settings. |
WindowsClient | Provides a mechanism to manage Windows Client STIG settings. |
WindowsDefender | Provides a mechanism to manage Windows Defender STIG settings. |
WindowsDnsServer | Provides a mechanism to manage Windows DNS Server STIG settings. |
WindowsFirewall | Provides a mechanism to manage the Windows Firewall STIG settings. |
WindowsServer | Provides a mechanism to manage the Windows Server STIG settings. |
For detailed information, please see the Composite Resources Wiki
PowerStig.Document
An Experimental module to create checklists and other types of documentation based on the results of the DSC compliance report. This module generates a checklist, but we are not 100% sure on the workflow, so we wanted to publish the idea and build on it.
For detailed information, please see the Document Wiki
Contributing
We welcome all contributions to the development of PowerStig. There are several different ways you can help. You can create new convert modules, add test automation, improve documentation, fix existing issues, or open new ones. See our contributing guide for more info on how to become a contributor. If you would like to contribute to a Composite Resource, please check out common DSC Resources contributing guidelines.
Thank you to everyone that has reviewed the project and provided feedback through issues. We are especially thankful for those who have contributed pull requests to the code and documentation.
Contributors
- @addavenp1 (Adam Davenport)
- @ALichtenberg (Adam Lichtenberg)
- @athaynes (Adam Haynes)
- @bcwilhite (Brian Wilhite)
- @bgouldman (Brian Gouldman)
- @camusicjunkie (John Steele)
- @chasewilson (Chase Wilson)
- @clcaldwell (Coby Caldwell)
- @davbowman (David Bowman)
- @erjenkin (Eric Jenkins)
- @JakeDean3631 (Jake Dean)
- @japatton (Jason Patton)
- @jcwalker (Jason Walker)
- @jesal858 (Jeff Salas)
- @ldillonel (LaNika Dillon)
- @LLansey (La'Neice Lansey)
- @mcollera (Matthew Collera)
- @nehrua (Nehru Ali)
- @regedit32 (Reggie Gibson)
- @stevehose (Steve Hose)
- @winthrop28 (Drew Taylor)
- @mikedzikowski (Mike Dzikowski)
- @pgc1a (Tony Griffith)
- @hinderjd (James Hinders)
- @ruandersMSFT (Russell Anderson)