microsoft/PowerStig

PowerSTIG

PowerStig is a PowerShell module containing several components that automate, where possible, the settings defined in DISA Security Technical Implementation Guides (STIGs).

| Name | Description | Published to PS Gallery |
| --- | --- | --- |
| PowerStig.Convert | Extracts configuration objects from the xccdf | No |
| PowerStig.Data | PowerShell classes to access the PowerSTIG "database" | Yes |
| PowerStig.DSC | Composite DSC resources to apply and/or audit STIG settings | Yes |
| PowerStig.Document | An experimental module to create prefilled checklists | Yes |

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

| Branch | Status | Description |
| --- | --- | --- |
| master | Build status | Contains the latest release; no contributions are made directly to this branch. |
| dev | Build status | Where contributors propose changes as pull requests. This branch is merged into master and released to the PowerShell Gallery. |

Released Module

The released PowerStig module is on the PowerShell Gallery. We recommend installing it with PowerShellGet, for example:

Install-Module -Name PowerStig -Scope CurrentUser

Once PowerStig is installed, you can list the STIGs that are currently available. The Get-Stig function queries the StigData and returns the full list, which shows what you can target in your environment:

Import-Module PowerStig
Get-Stig -ListAvailable

To update a previously installed module use this command:

Update-Module -Name PowerStig

PowerStig.Convert

A utility module used to generate the PowerStig XML stored in PowerStig.Data. It uses PowerShell classes to extract settings from the check-content elements of the xccdf and converts them into the PowerStig XML schema. This nested module is NOT published to the PS Gallery. The resulting XML file is saved into the processed StigData folder and released to the PS Gallery on a regular cadence.

For detailed information, please see the Convert Wiki

PowerStig.Data

A module with PowerShell classes and a directory of PowerStig XML to provide a way of retrieving StigData and documenting deviations. The PowerStig.Data classes provide methods to:

  1. Override a setting defined in a STIG and automatically document the exception to policy
  2. Apply settings that have a valid range of values (Organizational Settings)
  3. Exclude a rule if it is already defined in another STIG (de-duplication) and automatically document the exception to policy
  4. Exclude an entire class of rules (intended for testing and integration) and automatically document the exception to policy

For detailed information, please see the StigData Wiki. For STIG xml file hashes please refer to File Hashes.

PowerStig.DSC

PowerStig.DSC is not a specific module but a collection of PowerShell Desired State Configuration (DSC) composite resources that manage the configurable items in each STIG. Each composite uses the PowerStig.Data classes to retrieve PowerStig XML, so exceptions, Org settings, and skipped rules are handled uniformly across all composite resources. Because every generated resource carries a standard DSC ResourceId, additional automation can use the ResourceIds to generate compliance reports or trigger other automation.
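The following is an added example, not code from the PowerStig project, tying together the PowerStig.Data features listed above (exception, skipped rule class, organizational settings) with a composite resource and the DSC ResourceId reporting just described. It compiles an audit configuration for a Windows Server 2019 member server, runs Test-DscConfiguration without applying anything, and summarizes the non-compliant items by STIG rule ID. Assumptions, all labeled in the code: the property names returned by Get-Stig -ListAvailable (Technology, TechnologyVersion, TechnologyRole), the nested-hashtable Exception format, the 'V-XXXXX' placeholder rule ID (replace it with a real rule from the STIG before compiling), and the org settings file path you pass in.

```powershell
# Added example (not part of the PowerStig repository).
# Audit-only run of the WindowsServer composite with an exception, a skipped
# rule class and organizational settings, then a per-rule compliance summary.
# Requires: Install-Module PowerStig; run in an elevated Windows PowerShell session.

Import-Module PowerStig

# Sanity check before compiling: confirm the STIG for this technology/version/role
# is shipped in the installed StigData. Property names are an assumption based on
# the output of Get-Stig -ListAvailable; adjust if your version differs.
$available = Get-Stig -ListAvailable | Where-Object {
    $_.Technology -eq 'WindowsServer' -and
    $_.TechnologyVersion -eq '2019' -and
    $_.TechnologyRole -eq 'MS'
}
if (-not $available) {
    throw 'Windows Server 2019 (MS) STIG not found in the installed StigData.'
}

configuration WindowsServer2019Audit
{
    param
    (
        # Path to your site's organizational settings XML (assumed path; omit the
        # OrgSettings line below to fall back to PowerStig's default org settings).
        [Parameter(Mandatory)]
        [string] $OrgSettingsPath
    )

    Import-DscResource -ModuleName PowerStig

    Node localhost
    {
        WindowsServer MemberServer
        {
            OsVersion    = '2019'
            OsRole       = 'MS'
            # Exception: the rule stays in scope but is enforced with this value;
            # PowerStig records the deviation as an exception to policy.
            # 'V-XXXXX' is a placeholder; use a real rule ID from the STIG.
            Exception    = @{ 'V-XXXXX' = @{ 'ValueData' = '1' } }
            # SkipRuleType: drop an entire class of rules (here audit policy rules,
            # e.g. when another tool owns them); PowerStig records the skip.
            SkipRuleType = 'AuditPolicyRule'
            # OrgSettings: site-specific values for rules that allow a range.
            OrgSettings  = $OrgSettingsPath
        }
    }
}

$outputPath = Join-Path $env:TEMP 'WindowsServer2019Audit'
WindowsServer2019Audit -OrgSettingsPath 'C:\PowerStig\WindowsServer-2019-MS-org.xml' `
                       -OutputPath $outputPath | Out-Null

# Audit only: Test-DscConfiguration reports drift without changing the host.
$audit = Test-DscConfiguration -Path $outputPath -Detailed

# Each PowerStig-generated resource is named after its STIG rule ID, so the
# rule ID can be recovered from the DSC ResourceId for a compliance summary.
$audit.ResourcesNotInDesiredState | ForEach-Object {
    [pscustomobject]@{
        RuleId     = if ($_.ResourceId -match 'V-\d+(\.[a-z])?') { $Matches[0] } else { 'n/a' }
        ResourceId = $_.ResourceId
    }
} | Sort-Object RuleId | Format-Table -AutoSize

"Overall in desired state: $($audit.InDesiredState)"
```

To enforce rather than audit, replace the Test-DscConfiguration call with Start-DscConfiguration -Path $outputPath -Wait -Verbose; the exception and skip are still recorded by PowerStig.Data in both modes, which is what makes the later checklist generation consistent with what was actually applied.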

Composite Resources

The STIGs currently covered:

| Name | Description |
| --- | --- |
| Adobe | Provides a mechanism to manage Adobe STIG settings. |
| Chrome | Provides a mechanism to manage Google Chrome STIG settings. |
| DotNetFramework | Provides a mechanism to manage .NET Framework STIG settings. |
| Edge | Provides a mechanism to manage Microsoft Edge STIG settings. |
| Firefox | Provides a mechanism to manage Firefox STIG settings. |
| IisServer | Provides a mechanism to manage IIS Server STIG settings. |
| IisSite | Provides a mechanism to manage IIS Site STIG settings. |
| InternetExplorer | Provides a mechanism to manage Microsoft Internet Explorer STIG settings. |
| McAfee | Provides a mechanism to manage McAfee STIG settings. |
| Office | Provides a mechanism to manage Microsoft Office STIG settings. |
| OracleJRE | Provides a mechanism to manage Oracle Java Runtime Environment STIG settings. |
| RHEL | Provides a mechanism to manage Red Hat Enterprise Linux STIG settings. |
| SqlServer | Provides a mechanism to manage SQL Server STIG settings. |
| Ubuntu | Provides a mechanism to manage Ubuntu Linux STIG settings. |
| Vsphere | Provides a mechanism to manage VMware vSphere STIG settings. |
| WindowsClient | Provides a mechanism to manage Windows Client STIG settings. |
| WindowsDefender | Provides a mechanism to manage Windows Defender STIG settings. |
| WindowsDnsServer | Provides a mechanism to manage Windows DNS Server STIG settings. |
| WindowsFirewall | Provides a mechanism to manage Windows Firewall STIG settings. |
| WindowsServer | Provides a mechanism to manage Windows Server STIG settings. |

For detailed information, please see the Composite Resources Wiki

PowerStig.Document

An experimental module that creates checklists and other documentation from the results of the DSC compliance report. It already generates a checklist, but the surrounding workflow is not yet settled, so the idea is published now to be built on.

For detailed information, please see the Document Wiki

Contributing

We welcome all contributions to the development of PowerStig. There are several ways to help: create new convert modules, add test automation, improve documentation, fix existing issues, or open new ones. See our contributing guide for more information on becoming a contributor. If you would like to contribute to a Composite Resource, please also review the common DSC Resources contributing guidelines.

Thank you to everyone that has reviewed the project and provided feedback through issues. We are especially thankful for those who have contributed pull requests to the code and documentation.

Contributors