PowerStig is a PowerShell module that contains several components to automate different DISA Security Technical Implementation Guides (STIGs) where possible.
Name | Description | Published to PS Gallery |
---|---|---|
PowerStig.Convert | Extract configuration objects from the xccdf | No |
PowerStig.Data | A PowerShell class to access the PowerSTIG "database" | Yes |
PowerStig.DSC | Compsite DSC resources to apply and/or audit STIG settings | Yes |
PowerStig.Document | An experimental module to create prefilled out checklists | Yes |
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
To see the released PowerStig module, go to the PowerShell Gallery. We recommend that you use PowerShellGet to install PowerStig:
For example:
Install-Module -Name PowerStig -Scope CurrentUser
Once PowerStig is installed, you can view the list of STIGs that are currently available. The Get-Stig function queries the StigData and returns a full list. This will give you an idea of what you can target in your environment.
Import-Module PowerStig
Get-Stig -ListAvailable
To update a previously installed module use this command:
Update-Module -Name PowerStig
A utility module that we use to generate PowerStig XML to store in PowerStig.Data. The module uses PowerShell classes to extract settings from check-content elements of the xccdf. This nested module is NOT published to the PS Gallery. The extracted settings are converted into a new PowerStig XML schema. The XML file is saved into a processed StigData folder and released to the PS Gallery on a regular cadence.
For detailed information, please see the Convert Wiki
A module with PowerShell classes and a directory of PowerStig XML to provide a way of retrieving StigData and documenting deviations. The PowerStig.Data classes provide methods to:
- Override a setting defined in a STIG and automatically document the exception to policy
- Apply settings that have a valid range of values (Organizational Settings)
- Exclude a rule if it is already defined in another STIG (de-duplication) and automatically document the exception to policy
- Exclude an entire class of rules (intended for testing and integration) and automatically document the exception to policy
For detailed information, please see the StigData Wiki. For STIG xml file hashes please refer to File Hashes.
PowerStig.DSC is not really a specific module, but rather a collection of PowerShell Desired State Configuration (DSC) composite resources to manage the configurable items in each STIG. Each composite uses PowerStig.Data classes to retrieve PowerStig XML. This allows the PowerStig.Data classes to manage exceptions, Org settings, and skipped rules uniformly across all composite resources. The standard DSC ResourceID's can them be used by additional automation to automatically generate compliance reports or trigger other automation solutions.
The list of STIGs that we are currently covering.
Name | Description |
---|---|
Browser | Provides a mechanism to manage Browser STIG settings. |
DotNetFramework | Provides a mechanism to manage .Net Framework STIG settings. |
Office | Provides a mechanism to manage Microsoft Office STIG settings. |
SqlServer | Provides a mechanism to manage SqlServer STIG settings. |
WindowsDnsServer | Provides a mechanism to manage Windows DNS Server STIG settings. |
WindowsFirewall | Provides a mechanism to manage the Windows Firewall STIG settings. |
WindowsServer | Provides a mechanism to manage the Windows Server STIG settings. |
For detailed information, please see the Composite Resources Wiki
An Experimental module to create checklists and other types of documentation based on the results of the DSC compliance report. This module generates a checklist, but we are not 100% sure on the workflow, so we wanted to publish the idea and build on it.
For detailed information, please see the Document Wiki
We welcome all contributions to the development of PowerStig. There are several different ways you can help. You can create new convert modules, add test automation, improve documentation, fix existing issues, or open new ones. See our contributing guide for more info on how to become a contributor. If you would like to contribute to a Composite Resource, please check out common DSC Resources contributing guidelines.
Thank you to everyone that has reviewed the project and provided feedback through issues. We are especially thankful for those who have contributed pull requests to the code and documentation.
- @ALichtenberg (Adam Lichtenberg)
- @athaynes (Adam Haynes)
- @bcwilhite (Brian Wilhite)
- @bgouldman (Brian Gouldman)
- @camusicjunkie (John Steele)
- @chasewilson (Chase Wilson)
- @clcaldwell (Coby Caldwell)
- @davbowman (David Bowman)
- @erjenkin (Eric Jenkins)
- @JakeDean3631 (Jake Dean)
- @japatton (Jason Patton)
- @jcwalker (Jason Walker)
- @jesal858 (Jeff Salas)
- @ldillonel (LaNika Dillon)
- @LLansey (La'Neice Lansey)
- @mcollera (Matthew Collera)
- @nehrua (Nehru Ali)
- @regedit32 (Reggie Gibson)
- @stevehose (Steve Hose)
- @winthrop28 (Drew Taylor)
- @mikedzikowski (Mike Dzikowski)
- @togriffith (Tony Griffith)