├── .gitignore
├── LICENSE
├── SECURITY.md
├── azuredeploy.json
├── example
└── singleimagetemplate.json
├── imageTemplates
├── centos7.json
├── redhat7.json
├── redhat8.json
├── windows10Evd.json
├── windows2016.json
├── windows2019.json
└── windows2019small.json
├── images
├── architecture.jpg
├── sentinelworkbook.jpg
├── winser2019image.jpg
└── workbook.jpg
├── mof
├── CentOs7test
│ └── localhost.mof
├── Windows10v1r23
│ └── localhost.mof
├── Windows10v2r1
│ ├── MOF_Creation_Output.txt
│ └── localhost.mof
├── WindowsServer2016DCv1r12
│ └── localhost.mof
├── WindowsServer2016v1r12
│ └── localhost.mof
├── WindowsServer2019DCv1r5
│ └── localhost.mof
├── WindowsServer2019DCv2r1
│ ├── MOF_Creation_Output.txt
│ └── localhost.mof
├── WindowsServer2019v1r5
│ └── localhost.mof
├── WindowsServer2019v2r1
│ ├── MOF_Creation_Output.txt
│ └── localhost.mof
└── WindowsServer2019v2r4
│ ├── localhost.meta.mof
│ └── localhost.mof
├── nested
├── dashboard.json
├── imageDefinition.json
├── imageGallery.json
├── managedIdentity.json
└── workspace.json
├── readme.md
├── scripts
├── MOFcreation
│ ├── CentOs7test.ps1
│ ├── Windows10v1r23.ps1
│ ├── Windows10v2r1.ps1
│ ├── WindowsServer2012R2v2r12.ps1
│ ├── WindowsServer2016v1r12.ps1
│ ├── WindowsServer2016v1r12DC.ps1
│ ├── WindowsServer2019DCv1r5.ps1
│ ├── WindowsServer2019DCv2r1.ps1
│ ├── WindowsServer2019v1r5.ps1
│ ├── WindowsServer2019v2r1.ps1
│ ├── WindowsServer2019v2r3-nododca-required.ps1
│ └── WindowsServer2019v2r4.ps1
├── auditStig.ps1
├── redhat7stig.sh
├── redhat8stig.sh
├── setPowerStig.ps1
├── setPowerStigLinux.sh
└── setPowerStignoaudit.ps1
└── stig.zip
/.gitignore:
--------------------------------------------------------------------------------
1 | # ignore files that may be temp files
2 | *~
3 |
4 | # ignore files in following directories
5 | PowerStigTemp/
6 | xccdf/
7 | scripts/Tools/
8 |
9 | # ignore temporary VM deploy test scripts
10 | testDeployVm.ps1
11 | testDeployVm2.ps1
12 | deploy.ps1
13 | scripts/MOFcreation/WindowsServerMOFcreation.zip
14 | scripts/setPowerStigLinux.sh
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | PROJECT-STIG
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | MIT License
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
8 |
9 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
10 |
11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | # Security Policy
2 |
3 | ## Supported Versions
4 |
5 |
6 | ## Reporting a Vulnerability
7 |
8 |
9 |
--------------------------------------------------------------------------------
/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "rgName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the resourceGroup to create"
9 | }
10 | },
11 | "rgLocation": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for the resourceGroup"
15 | }
16 | },
17 | "powerStigVersion": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Version of PowerSTIG to use. Previous default was 4.7.1"
21 | },
22 | "defaultValue": "4.13.1"
23 | }
24 | },
25 | "functions": [],
26 | "variables": {
27 | "workspaceUrl": "[uri(deployment().properties.templateLink.uri, 'nested/workspace.json')]",
28 | "workspaceDashboardUrl": "[uri(deployment().properties.templateLink.uri, 'nested/dashboard.json')]",
29 | "managedIdentityUrl": "[uri(deployment().properties.templateLink.uri, 'nested/managedIdentity.json')]",
30 | "imageGalleryUrl": "[uri(deployment().properties.templateLink.uri, 'nested/imageGallery.json')]",
31 | "win10mageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/windows10Evd.json')]",
32 | "srv2016imageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/windows2016.json')]",
33 | "srv2019imageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/windows2019.json')]",
34 | "srv2019smallimageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/windows2019small.json')]",
35 | "rhel7imageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/redhat7.json')]",
36 | "rhel8imageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/redhat8.json')]",
37 | "imageDefinitionUrl": "[uri(deployment().properties.templateLink.uri, 'nested/imageDefinition.json')]",
38 | "win10MofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/Windows10v2r1/localhost.mof')]",
39 | "srv2019MofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/WindowsServer2019v2r4/localhost.mof')]",
40 | "srv2019DCMofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/WindowsServer2019DCv2r1/localhost.mof')]",
41 | "srv2016MofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/WindowsServer2016v1r12/localhost.mof')]",
42 | "srv2016DCMofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/WindowsServer2016DCv1r12/localhost.mof')]"
43 | },
44 | "resources": [
45 | {
46 | "type": "Microsoft.Resources/resourceGroups",
47 | "apiVersion": "2019-10-01",
48 | "name": "[parameters('rgName')]",
49 | "location": "[parameters('rgLocation')]",
50 | "tags": {
51 | "Note": "subscription level deployment"
52 | },
53 | "properties": {}
54 | },
55 | {
56 | "name": "workspaceDeploy",
57 | "type": "Microsoft.Resources/deployments",
58 | "apiVersion": "2019-10-01",
59 | "resourceGroup": "[parameters('rgName')]",
60 | "dependsOn": [
61 | "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
62 | ],
63 | "properties": {
64 | "mode": "Incremental",
65 | "templateLink": {
66 | "uri": "[variables('workspaceUrl')]",
67 | "contentVersion": "1.0.0.0"
68 | },
69 | "parameters": {
70 | "name":{
71 | "value": "[parameters('rgName')]"
72 | }
73 | }
74 | }
75 | },
76 | /* {
77 | "name": "workspaceDashboardDeploy",
78 | "type": "Microsoft.Resources/deployments",
79 | "apiVersion": "2019-10-01",
80 | "resourceGroup": "[parameters('rgName')]",
81 | "dependsOn": [
82 | "workspaceDeploy"
83 | ],
84 | "properties": {
85 | "mode": "Incremental",
86 | "templateLink": {
87 | "uri": "[variables('workspaceDashboardUrl')]",
88 | "contentVersion": "1.0.0.0"
89 | },
90 | "parameters": {
91 | "workspaceName":{
92 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
93 | }
94 | }
95 | }
96 | }, */
97 | {
98 | "name": "managedIdentityDeploy",
99 | "type": "Microsoft.Resources/deployments",
100 | "apiVersion": "2019-10-01",
101 | "resourceGroup": "[parameters('rgName')]",
102 | "dependsOn": [
103 | "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
104 | ],
105 | "properties": {
106 | "mode": "Incremental",
107 | "templateLink": {
108 | "uri": "[variables('managedIdentityUrl')]",
109 | "contentVersion": "1.0.0.0"
110 | },
111 | "parameters": {
112 | "name":{
113 | "value": "[parameters('rgName')]"
114 | }
115 | }
116 | }
117 | },
118 | {
119 | "name": "imageGalleryDeploy",
120 | "type": "Microsoft.Resources/deployments",
121 | "apiVersion": "2019-10-01",
122 | "resourceGroup": "[parameters('rgName')]",
123 | "dependsOn": [
124 | "managedIdentityDeploy"
125 | ],
126 | "properties": {
127 | "mode": "Incremental",
128 | "templateLink": {
129 | "uri": "[variables('imageGalleryUrl')]",
130 | "contentVersion": "1.0.0.0"
131 | },
132 | "parameters": {
133 | "name": {
134 | "value": "[parameters('rgName')]"
135 | }
136 | }
137 | }
138 | },
139 | {
140 | "name": "imageDefinitionsDeploy",
141 | "type": "Microsoft.Resources/deployments",
142 | "apiVersion": "2019-10-01",
143 | "resourceGroup": "[parameters('rgName')]",
144 | "dependsOn": [
145 | "imageGalleryDeploy"
146 | ],
147 | "properties": {
148 | "mode": "Incremental",
149 | "templateLink": {
150 | "uri": "[variables('imageDefinitionUrl')]",
151 | "contentVersion": "1.0.0.0"
152 | },
153 | "parameters": {
154 | "galleryName":{
155 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
156 | }
157 | }
158 | }
159 | },
160 | /* {
161 | "name": "windows10STIGtemplate",
162 | "type": "Microsoft.Resources/deployments",
163 | "apiVersion": "2019-10-01",
164 | "resourceGroup": "[parameters('rgName')]",
165 | "dependsOn": [
166 | "imageDefinitionsDeploy"
167 | ],
168 | "properties": {
169 | "mode": "Incremental",
170 | "templateLink": {
171 | "uri": "[variables('win10mageTemplateUrl')]",
172 | "contentVersion": "1.0.0.0"
173 | },
174 | "parameters": {
175 | "identityId":{
176 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
177 | },
178 | "mofUrl":{
179 | "value": "[variables('win10MofUrl')]"
180 | },
181 | "galleryName":{
182 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
183 | },
184 | "workspaceName": {
185 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
186 | },
187 | "imageTemplateName": {
188 | "value" :"Win10WVDw365_STIG"
189 | },
190 | "powerStigVersion": {
191 | "value": "[parameters('powerStigVersion')]"
192 | },
193 | "stigVersion" : {
194 | "value": "2.1"
195 | },
196 | "osVersion" : {
197 | "value": "10"
198 | }
199 | }
200 | }
201 | }, */
202 | {
203 | "name": "windows2019smallSTIGtemplate",
204 | "type": "Microsoft.Resources/deployments",
205 | "apiVersion": "2019-10-01",
206 | "resourceGroup": "[parameters('rgName')]",
207 | "dependsOn": [
208 | "imageDefinitionsDeploy"
209 | ],
210 | "properties": {
211 | "mode": "Incremental",
212 | "templateLink": {
213 | "uri": "[variables('srv2019smallimageTemplateUrl')]",
214 | "contentVersion": "1.0.0.0"
215 | },
216 | "parameters": {
217 | "identityId":{
218 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
219 | },
220 | "mofUrl":{
221 | "value": "[variables('srv2019MofUrl')]"
222 | },
223 | "galleryName":{
224 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
225 | },
226 | "workspaceName": {
227 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
228 | },
229 | "imageTemplateName": {
230 | "value" :"Win2019_STIG_Small"
231 | },
232 | "powerStigVersion": {
233 | "value": "[parameters('powerStigVersion')]"
234 | },
235 | "stigVersion" : {
236 | "value": "2.4"
237 | },
238 | "osVersion" : {
239 | "value": "2019"
240 | },
241 | "osRole": {
242 | "value": "MS"
243 | }
244 | }
245 | }
246 | },
247 | {
248 | "name": "windows2019STIGtemplate",
249 | "type": "Microsoft.Resources/deployments",
250 | "apiVersion": "2019-10-01",
251 | "resourceGroup": "[parameters('rgName')]",
252 | "dependsOn": [
253 | "imageDefinitionsDeploy"
254 | ],
255 | "properties": {
256 | "mode": "Incremental",
257 | "templateLink": {
258 | "uri": "[variables('srv2019imageTemplateUrl')]",
259 | "contentVersion": "1.0.0.0"
260 | },
261 | "parameters": {
262 | "identityId":{
263 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
264 | },
265 | "mofUrl":{
266 | "value": "[variables('srv2019MofUrl')]"
267 | },
268 | "galleryName":{
269 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
270 | },
271 | "workspaceName": {
272 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
273 | },
274 | "imageTemplateName": {
275 | "value" :"Win2019_STIG"
276 | },
277 | "powerStigVersion": {
278 | "value": "[parameters('powerStigVersion')]"
279 | },
280 | "stigVersion" : {
281 | "value": "2.4"
282 | },
283 | "osVersion" : {
284 | "value": "2019"
285 | },
286 | "osRole": {
287 | "value": "MS"
288 | }
289 | }
290 | }
291 | }/* ,
292 | {
293 | "name": "windows2019DCSTIGtemplate",
294 | "type": "Microsoft.Resources/deployments",
295 | "apiVersion": "2019-10-01",
296 | "resourceGroup": "[parameters('rgName')]",
297 | "dependsOn": [
298 | "imageDefinitionsDeploy"
299 | ],
300 | "properties": {
301 | "mode": "Incremental",
302 | "templateLink": {
303 | "uri": "[variables('srv2019imageTemplateUrl')]",
304 | "contentVersion": "1.0.0.0"
305 | },
306 | "parameters": {
307 | "identityId":{
308 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
309 | },
310 | "mofUrl":{
311 | "value": "[variables('srv2019DCMofUrl')]"
312 | },
313 | "galleryName":{
314 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
315 | },
316 | "workspaceName": {
317 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
318 | },
319 | "imageTemplateName": {
320 | "value" :"Win2019DC_STIG"
321 | },
322 | "powerStigVersion": {
323 | "value": "[parameters('powerStigVersion')]"
324 | },
325 | "stigVersion" : {
326 | "value": "2.1"
327 | },
328 | "osVersion" : {
329 | "value": "2019"
330 | },
331 | "osRole": {
332 | "value": "DC"
333 | }
334 | }
335 | }
336 | },
337 | {
338 | "name": "windows2016STIGtemplate",
339 | "type": "Microsoft.Resources/deployments",
340 | "apiVersion": "2019-10-01",
341 | "resourceGroup": "[parameters('rgName')]",
342 | "dependsOn": [
343 | "imageDefinitionsDeploy"
344 | ],
345 | "properties": {
346 | "mode": "Incremental",
347 | "templateLink": {
348 | "uri": "[variables('srv2016imageTemplateUrl')]",
349 | "contentVersion": "1.0.0.0"
350 | },
351 | "parameters": {
352 | "identityId":{
353 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
354 | },
355 | "mofUrl":{
356 | "value": "[variables('srv2016MofUrl')]"
357 | },
358 | "galleryName":{
359 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
360 | },
361 | "workspaceName": {
362 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
363 | },
364 | "imageTemplateName": {
365 | "value" :"Win2016_STIG"
366 | },
367 | "powerStigVersion": {
368 | "value": "[parameters('powerStigVersion')]"
369 | },
370 | "stigVersion" : {
371 | "value": "2.1"
372 | },
373 | "osVersion" : {
374 | "value": "2016"
375 | },
376 | "osRole": {
377 | "value": "MS"
378 | }
379 | }
380 | }
381 | },
382 | {
383 | "name": "windows2016DCSTIGtemplate",
384 | "type": "Microsoft.Resources/deployments",
385 | "apiVersion": "2019-10-01",
386 | "resourceGroup": "[parameters('rgName')]",
387 | "dependsOn": [
388 | "imageDefinitionsDeploy"
389 | ],
390 | "properties": {
391 | "mode": "Incremental",
392 | "templateLink": {
393 | "uri": "[variables('srv2016imageTemplateUrl')]",
394 | "contentVersion": "1.0.0.0"
395 | },
396 | "parameters": {
397 | "identityId":{
398 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
399 | },
400 | "mofUrl":{
401 | "value": "[variables('srv2016DCMofUrl')]"
402 | },
403 | "galleryName":{
404 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
405 | },
406 | "workspaceName": {
407 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
408 | },
409 | "imageTemplateName": {
410 | "value" :"Win2016DC_STIG"
411 | },
412 | "powerStigVersion": {
413 | "value": "[parameters('powerStigVersion')]"
414 | },
415 | "stigVersion" : {
416 | "value": "2.1"
417 | },
418 | "osVersion" : {
419 | "value": "2016"
420 | },
421 | "osRole": {
422 | "value": "DC"
423 | }
424 | }
425 | }
426 | },
427 | {
428 | "name": "redhatlinux8STIGtemplate",
429 | "type": "Microsoft.Resources/deployments",
430 | "apiVersion": "2019-10-01",
431 | "resourceGroup": "[parameters('rgName')]",
432 | "dependsOn": [
433 | "imageDefinitionsDeploy"
434 | ],
435 | "properties": {
436 | "mode": "Incremental",
437 | "templateLink": {
438 | "uri": "[variables('rhel8imageTemplateUrl')]",
439 | "contentVersion": "1.0.0.0"
440 | },
441 | "parameters": {
442 | "identityId":{
443 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
444 | },
445 | "galleryName":{
446 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
447 | },
448 | "workspaceName": {
449 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
450 | },
451 | "imageTemplateName": {
452 | "value" :"RHEL8_STIG"
453 | },
454 | "powerStigVersion": {
455 | "value": "[parameters('powerStigVersion')]"
456 | },
457 | "stigVersion" : {
458 | "value": "2.1"
459 | },
460 | "osVersion" : {
461 | "value": "8"
462 | }
463 | }
464 | }
465 | },
466 | {
467 | "name": "redhatlinux7STIGtemplate",
468 | "type": "Microsoft.Resources/deployments",
469 | "apiVersion": "2019-10-01",
470 | "resourceGroup": "[parameters('rgName')]",
471 | "dependsOn": [
472 | "imageDefinitionsDeploy"
473 | ],
474 | "properties": {
475 | "mode": "Incremental",
476 | "templateLink": {
477 | "uri": "[variables('rhel7imageTemplateUrl')]",
478 | "contentVersion": "1.0.0.0"
479 | },
480 | "parameters": {
481 | "identityId":{
482 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
483 | },
484 | "galleryName":{
485 | "value": "[reference('imageGalleryDeploy').outputs.galleryName.value]"
486 | },
487 | "workspaceName": {
488 | "value": "[reference('workspaceDeploy').outputs.workspaceName.value]"
489 | },
490 | "imageTemplateName": {
491 | "value" :"RHEL7_STIG"
492 | },
493 | "powerStigVersion": {
494 | "value": "[parameters('powerStigVersion')]"
495 | },
496 | "stigVersion" : {
497 | "value": "2.1"
498 | },
499 | "osVersion" : {
500 | "value": "7"
501 | }
502 | }
503 | }
504 | } */
505 | ],
506 | "outputs": {}
507 | }
--------------------------------------------------------------------------------
/example/singleimagetemplate.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "rgName": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Name of the resourceGroup to create"
9 | }
10 | },
11 | "rgLocation": {
12 | "type": "string",
13 | "metadata": {
14 | "description": "Location for the resourceGroup"
15 | }
16 | },
17 | "powerStigVersion": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "Version of PowerSTIG to use. Previous default was 4.7.1"
21 | },
22 | "defaultValue": "4.13.1"
23 | },
24 | "galleryName": {
25 | "type": "string",
26 | "metadata": {
27 | "description": "Name of the gallery to use."
28 | }
29 | },
30 | "workspaceName": {
31 | "type": "string",
32 | "metadata": {
33 | "description": "Name of the log analytics workspace to use."
34 | }
35 | }
36 | },
37 | "functions": [],
38 | "variables": {
39 | "srv2019imageTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'imageTemplates/windows2019.json')]",
40 | "srv2019MofUrl": "[uri(deployment().properties.templateLink.uri, 'mof/WindowsServer2019v2r4/localhost.mof')]"
41 | },
42 | "resources": [
43 | {
44 | "name": "windows2019STIGtemplate",
45 | "type": "Microsoft.Resources/deployments",
46 | "apiVersion": "2019-10-01",
47 | "resourceGroup": "[parameters('rgName')]",
48 | "dependsOn": [
49 | ],
50 | "properties": {
51 | "mode": "Incremental",
52 | "templateLink": {
53 | "uri": "[variables('srv2019imageTemplateUrl')]",
54 | "contentVersion": "1.0.0.0"
55 | },
56 | "parameters": {
57 | "identityId":{
58 | "value": "[reference('managedIdentityDeploy').outputs.identityName.value]"
59 | },
60 | "mofUrl":{
61 | "value": "[variables('srv2019MofUrl')]"
62 | },
63 | "galleryName":{
64 | "value": "[parameters('galleryName')]"
65 | },
66 | "workspaceName": {
67 | "value": "[parameters('workspaceName')]"
68 | },
69 | "imageTemplateName": {
70 | "value" :"Win2019_STIG"
71 | },
72 | "powerStigVersion": {
73 | "value": "[parameters('powerStigVersion')]"
74 | },
75 | "stigVersion" : {
76 | "value": "2.4"
77 | },
78 | "osVersion" : {
79 | "value": "2019"
80 | },
81 | "osRole": {
82 | "value": "MS"
83 | }
84 | }
85 | }
86 | }
87 | ],
88 | "outputs": {}
89 | }
--------------------------------------------------------------------------------
/imageTemplates/centos7.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "mofUrl":{
6 | "type": "string"
7 | },
8 | "identityId": {
9 | "type": "string"
10 | },
11 | "galleryName": {
12 | "type": "string"
13 | },
14 | "workspaceName": {
15 | "type": "string"
16 | },
17 | "imageTemplateName": {
18 | "type": "string"
19 | },
20 | "powerStigVersion": {
21 | "type": "string"
22 | },
23 | "stigVersion" : {
24 | "type": "string"
25 | },
26 | "osVersion" : {
27 | "type": "string"
28 | },
29 | "hyperVGeneration": {
30 | "type": "string",
31 | "defaultValue": "V1"
32 | }
33 | },
34 | "variables": {
35 | "customizescriptpath": "https://raw.githubusercontent.com/shawngib/project-stig/linux-test/scripts/setPowerStigLinux.sh",
36 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
37 | },
38 | "resources": [
39 | {
40 | "type": "Microsoft.Compute/galleries/images",
41 | "name": "[concat(parameters('galleryName'), '/', parameters('imageTemplateName'))]",
42 | "apiVersion": "2019-07-01",
43 | "location": "[resourceGroup().location]",
44 | "properties": {
45 | "osType": "Linux",
46 | "osState": "Generalized",
47 | "identifier": {
48 | "publisher": "OpenLogic",
49 | "offer": "CentOS",
50 | "sku": "centos-7-stig",
51 | },
52 | "recommended": {
53 | "vCPUs": {
54 | "min": "2",
55 | "max": "8"
56 | },
57 | "memory": {
58 | "min": "32",
59 | "max": "48"
60 | }
61 | },
62 | "hyperVGeneration": "[parameters('hyperVGeneration')]"
63 | },
64 | "tags": {}
65 | },
66 | {
67 | "name": "[concat(parameters('imageTemplateName'),'1')]",
68 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
69 | "apiVersion": "2020-02-14",
70 | "location": "[resourceGroup().location]",
71 | "identity":{
72 | "type": "UserAssigned",
73 | "userAssignedIdentities": {
74 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {}
75 | }
76 | },
77 | "dependsOn": [
78 | "[resourceID('Microsoft.Compute/galleries/images/',parameters('galleryName'),parameters('imageTemplateName'))]"
79 | ],
80 | "tags": {
81 | "imagebuilderTemplate": "AzureImageBuilderSIG",
82 | "userIdentity": "enabled"
83 | },
84 | "properties": {
85 | "buildTimeoutInMinutes": 100,
86 | "vmProfile":
87 | {
88 | "vmSize": "Standard_D1_v2",
89 | "osDiskSizeGB": 100
90 | },
91 | "source": {
92 | "type": "PlatformImage",
93 | "publisher": "OpenLogic",
94 | "offer": "CentOS",
95 | "sku": "7_8",
96 | "version": "latest"
97 | },
98 | "customize": [
99 | {
100 | "type": "Shell",
101 | "name": "Update",
102 | "inline": [
103 | "sudo touch /etc/profile.d/imagebuilder.sh",
104 | "[concat('sudo echo ''export WORKSPACE_ID=',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''' >> /etc/profile.d/imagebuilder.sh')]",
105 | "[concat('sudo echo ''export WORKSPACE_KEY=',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''' >> /etc/profile.d/imagebuilder.sh')]",
106 | "[concat('sudo echo ''export POWERSTIG_VER=', parameters('powerStigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
107 | "[concat('sudo echo ''export STIG_OSVER=', parameters('osVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
108 | "[concat('sudo echo ''export STIG_VER=', parameters('stigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
109 | "sudo yum update"
110 | ]
111 | },
112 | {
113 | "type": "Shell",
114 | "name": "scriptRun",
115 | "scriptUri": "[variables('customizescriptpath')]"
116 | }
117 | ],
118 | "distribute": [
119 | {
120 | "type": "SharedImage",
121 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/', parameters('imageTemplateName'),'/versions/1.0.1')]",
122 | "runOutputName": "[parameters('imageTemplateName')]",
123 | "artifactTags": {
124 | "source": "azureVmImageBuilder",
125 | "baseosimg": "linux"
126 | },
127 | "replicationRegions": [
128 | "eastus",
129 | "eastus2",
130 | "southcentralus"
131 | ]
132 | }
133 | ]
134 | }
135 | }
136 | ]
137 | }
--------------------------------------------------------------------------------
/imageTemplates/redhat7.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "identityId": {
6 | "type": "string"
7 | },
8 | "galleryName": {
9 | "type": "string"
10 | },
11 | "workspaceName": {
12 | "type": "string"
13 | },
14 | "imageTemplateName": {
15 | "type": "string"
16 | },
17 | "powerStigVersion": {
18 | "type": "string"
19 | },
20 | "stigVersion" : {
21 | "type": "string"
22 | },
23 | "osVersion" : {
24 | "type": "string"
25 | },
26 | "hyperVGeneration": {
27 | "type": "string",
28 | "defaultValue": "V1"
29 | }
30 | },
31 | "variables": {
32 | "customizescriptpath": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/redhat7stig.sh",
33 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
34 | },
35 | "resources": [
36 | {
37 | "type": "Microsoft.Compute/galleries/images",
38 | "name": "[concat(parameters('galleryName'), '/', parameters('imageTemplateName'))]",
39 | "apiVersion": "2019-07-01",
40 | "location": "[resourceGroup().location]",
41 | "properties": {
42 | "osType": "Linux",
43 | "osState": "Generalized",
44 | "identifier": {
45 | "publisher": "RedHat",
46 | "offer": "RedHat",
47 | "sku": "redhat-7-stig"
48 | },
49 | "recommended": {
50 | "vCPUs": {
51 | "min": "2",
52 | "max": "8"
53 | },
54 | "memory": {
55 | "min": "32",
56 | "max": "48"
57 | }
58 | },
59 | "hyperVGeneration": "[parameters('hyperVGeneration')]"
60 | },
61 | "tags": {}
62 | },
63 | {
64 | "name": "[concat(parameters('imageTemplateName'),'1')]",
65 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
66 | "apiVersion": "2020-02-14",
67 | "location": "[resourceGroup().location]",
68 | "identity":{
69 | "type": "UserAssigned",
70 | "userAssignedIdentities": {
71 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {}
72 | }
73 | },
74 | "dependsOn": [
75 | "[resourceID('Microsoft.Compute/galleries/images/',parameters('galleryName'),parameters('imageTemplateName'))]"
76 | ],
77 | "tags": {
78 | "imagebuilderTemplate": "AzureImageBuilderSIG",
79 | "userIdentity": "enabled"
80 | },
81 | "properties": {
82 | "buildTimeoutInMinutes": 100,
83 | "vmProfile":
84 | {
85 | "vmSize": "Standard_D1_v2",
86 | "osDiskSizeGB": 100
87 | },
88 | "source": {
89 | "type": "PlatformImage",
90 | "publisher": "RedHat",
91 | "offer": "RHEL",
92 | "sku": "7_9",
93 | "version": "latest"
94 | },
95 | "customize": [
96 | {
97 | "type": "Shell",
98 | "name": "Update",
99 | "inline": [
100 | "sudo touch /etc/profile.d/imagebuilder.sh",
101 | "[concat('sudo echo ''export WORKSPACE_ID=',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''' >> /etc/profile.d/imagebuilder.sh')]",
102 | "[concat('sudo echo ''export WORKSPACE_KEY=',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''' >> /etc/profile.d/imagebuilder.sh')]",
103 | "[concat('sudo echo ''export POWERSTIG_VER=', parameters('powerStigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
104 | "[concat('sudo echo ''export STIG_OSVER=', parameters('osVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
105 | "[concat('sudo echo ''export STIG_VER=', parameters('stigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
106 | "sudo yum update"
107 | ]
108 | },
109 | {
110 | "type": "Shell",
111 | "name": "scriptRun",
112 | "scriptUri": "[variables('customizescriptpath')]"
113 | }
114 | ],
115 | "distribute": [
116 | {
117 | "type": "SharedImage",
118 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/', parameters('imageTemplateName'),'/versions/1.0.1')]",
119 | "runOutputName": "[parameters('imageTemplateName')]",
120 | "artifactTags": {
121 | "source": "azureVmImageBuilder",
122 | "baseosimg": "linux"
123 | },
124 | "replicationRegions": [
125 | "eastus",
126 | "eastus2",
127 | "southcentralus"
128 | ]
129 | },
130 | {
131 | "type": "VHD",
132 | "runOutputName": "Redhat7_STIG_V2R1"
133 | }
134 | ]
135 | }
136 | }
137 | ]
138 | }
--------------------------------------------------------------------------------
/imageTemplates/redhat8.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "identityId": {
6 | "type": "string"
7 | },
8 | "galleryName": {
9 | "type": "string"
10 | },
11 | "workspaceName": {
12 | "type": "string"
13 | },
14 | "imageTemplateName": {
15 | "type": "string"
16 | },
17 | "powerStigVersion": {
18 | "type": "string"
19 | },
20 | "stigVersion" : {
21 | "type": "string"
22 | },
23 | "osVersion" : {
24 | "type": "string"
25 | },
26 | "hyperVGeneration": {
27 | "type": "string",
28 | "defaultValue": "V1"
29 | }
30 | },
31 | "variables": {
32 | "customizescriptpath": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/redhat8stig.sh",
33 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
34 | },
35 | "resources": [
36 | {
37 | "type": "Microsoft.Compute/galleries/images",
38 | "name": "[concat(parameters('galleryName'), '/', parameters('imageTemplateName'))]",
39 | "apiVersion": "2019-07-01",
40 | "location": "[resourceGroup().location]",
41 | "properties": {
42 | "osType": "Linux",
43 | "osState": "Generalized",
44 | "identifier": {
45 | "publisher": "RedHat",
46 | "offer": "RedHat",
47 | "sku": "redhat-8-stig"
48 | },
49 | "recommended": {
50 | "vCPUs": {
51 | "min": "2",
52 | "max": "8"
53 | },
54 | "memory": {
55 | "min": "32",
56 | "max": "48"
57 | }
58 | },
59 | "hyperVGeneration": "[parameters('hyperVGeneration')]"
60 | },
61 | "tags": {}
62 | },
63 | {
64 | "name": "[concat(parameters('imageTemplateName'),'1')]",
65 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
66 | "apiVersion": "2020-02-14",
67 | "location": "[resourceGroup().location]",
68 | "identity":{
69 | "type": "UserAssigned",
70 | "userAssignedIdentities": {
71 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {}
72 | }
73 | },
74 | "dependsOn": [
75 | "[resourceID('Microsoft.Compute/galleries/images/',parameters('galleryName'),parameters('imageTemplateName'))]"
76 | ],
77 | "tags": {
78 | "imagebuilderTemplate": "AzureImageBuilderSIG",
79 | "userIdentity": "enabled"
80 | },
81 | "properties": {
82 | "buildTimeoutInMinutes": 100,
83 | "vmProfile":
84 | {
85 | "vmSize": "Standard_D1_v2",
86 | "osDiskSizeGB": 100
87 | },
88 | "source": {
89 | "type": "PlatformImage",
90 | "publisher": "RedHat",
91 | "offer": "RHEL",
92 | "sku": "8-LVM",
93 | "version": "8.0.20210422" // pinned image version; added to support the currently supported RHEL releases
94 | },
95 | "customize": [
96 | {
97 | "type": "Shell",
98 | "name": "Update",
99 | "inline": [
100 | "sudo touch /etc/profile.d/imagebuilder.sh",
101 | "[concat('sudo echo ''export WORKSPACE_ID=',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''' >> /etc/profile.d/imagebuilder.sh')]",
102 | "[concat('sudo echo ''export WORKSPACE_KEY=',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''' >> /etc/profile.d/imagebuilder.sh')]",
103 | "[concat('sudo echo ''export POWERSTIG_VER=', parameters('powerStigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
104 | "[concat('sudo echo ''export STIG_OSVER=', parameters('osVersion'),''' >> /etc/profile.d/imagebuilder.sh')]",
105 | "[concat('sudo echo ''export STIG_VER=', parameters('stigVersion'),''' >> /etc/profile.d/imagebuilder.sh')]"
106 | ]
107 | }
108 | ],
109 | "distribute": [
110 | {
111 | "type": "SharedImage",
112 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/', parameters('imageTemplateName'),'/versions/1.0.1')]",
113 | "runOutputName": "[parameters('imageTemplateName')]",
114 | "artifactTags": {
115 | "source": "azureVmImageBuilder",
116 | "baseosimg": "linux"
117 | },
118 | "replicationRegions": [
119 | "eastus",
120 | "eastus2",
121 | "southcentralus"
122 | ]
123 | },
124 | {
125 | "type": "VHD",
126 | "runOutputName": "Redhat8_STIG_V2R1"
127 | }
128 | ]
129 | }
130 | }
131 | ]
132 | }
--------------------------------------------------------------------------------
/imageTemplates/windows10Evd.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "mofUrl":{
6 | "type": "string"
7 | },
8 | "identityId": {
9 | "type": "string"
10 | },
11 | "galleryName": {
12 | "type": "string"
13 | },
14 | "workspaceName": {
15 | "type": "string"
16 | },
17 | "imageTemplateName": {
18 | "type": "string"
19 | },
20 | "powerStigVersion": {
21 | "type": "string"
22 | },
23 | "stigVersion" : {
24 | "type": "string"
25 | },
26 | "osVersion" : {
27 | "type": "string"
28 | }
29 | },
30 | "variables": {
31 | "setPowerStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/setPowerStig.ps1",
32 | "setAuditingStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/auditStig.ps1",
33 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
34 | },
35 | "resources": [
36 | {
37 | "name": "[parameters('imageTemplateName')]",
38 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
39 | "apiVersion": "2020-02-14",
40 | "location": "[resourceGroup().location]",
41 | "dependsOn": [],
42 | "tags": {
43 | "imagebuilderTemplate": "AzureImageBuilderSIG",
44 | "userIdentity": "enabled"
45 | },
46 | "identity": {
47 | "type": "UserAssigned",
48 | "userAssignedIdentities": {
49 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {
50 |
51 | }
52 | }
53 | },
54 | "properties": {
55 | "buildTimeoutInMinutes": 100,
56 | "vmProfile": {
57 | "vmSize": "Standard_D1_v2",
58 | "osDiskSizeGB": 127
59 | },
60 | "source": {
61 | "type": "PlatformImage",
62 | "publisher": "MicrosoftWindowsDesktop",
63 | "offer": "office-365",
64 | "sku": "20h1-evd-o365pp",
65 | "version": "latest"
66 | },
67 | "customize": [
68 | {
69 | "type": "PowerShell",
70 | "name": "setEnvVariables",
71 | "inline": [
72 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_ID'',''',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''',[System.EnvironmentVariableTarget]::Machine)')]",
73 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_KEY'',''',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''', [System.EnvironmentVariableTarget]::Machine)')]",
74 | "[concat('[System.Environment]::SetEnvironmentVariable(''POWERSTIG_VER'',''',parameters('powerStigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
75 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSVER'',''',parameters('osVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
76 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_VER'',''',parameters('stigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]"
77 | ]
78 | },
79 | {
80 | "type": "File",
81 | "name": "mofFileDownload",
82 | "sourceUri": "[parameters('mofUrl')]",
83 | "destination": "c:\\localhost.mof"
84 | },
85 | {
86 | "type": "File",
87 | "name": "AuditScriptDownload",
88 | "sourceUri": "[variables('setAuditingStigUrl')]",
89 | "destination": "c:\\auditStig.ps1"
90 | },
91 | {
92 | "type": "PowerShell",
93 | "name": "SetUpPowerStig",
94 | "runElevated": true,
95 | "scriptUri": "[variables('setPowerStigUrl')]"
96 | },
97 | {
98 | "type": "WindowsUpdate",
99 | "searchCriteria": "IsInstalled=0",
100 | "filters": [
101 | "exclude:$_.Title -like '*Preview*'",
102 | "include:$true"
103 | ],
104 | "updateLimit": 40
105 | }
106 | ],
107 | "distribute": [
108 | {
109 | "type": "SharedImage",
110 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/', parameters('imageTemplateName'),'/versions/',parameters('stigVersion'),'.0')]",
111 | "runOutputName": "[parameters('imageTemplateName')]",
112 | "artifactTags": {
113 | "source": "azureVmImageBuilder",
114 | "baseosimg": "windowsclient"
115 | },
116 | "replicationRegions": [
117 | "eastus",
118 | "eastus2",
119 | "southcentralus"
120 | ]
121 | }
122 | ]
123 | }
124 | }
125 | ]
126 | }
--------------------------------------------------------------------------------
/imageTemplates/windows2016.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "mofUrl":{
6 | "type": "string"
7 | },
8 | "identityId": {
9 | "type": "string"
10 | },
11 | "galleryName": {
12 | "type": "string"
13 | },
14 | "workspaceName": {
15 | "type": "string"
16 | },
17 | "imageTemplateName": {
18 | "type": "string"
19 | },
20 | "powerStigVersion": {
21 | "type": "string"
22 | },
23 | "stigVersion" : {
24 | "type": "string"
25 | },
26 | "osVersion" : {
27 | "type": "string"
28 | },
29 | "osRole": {
30 | "type": "string"
31 | }
32 | },
33 | "variables": {
34 | "setPowerStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/setPowerStig.ps1",
35 | "setAuditingStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/auditStig.ps1",
36 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
37 | },
38 | "resources": [
39 | {
40 | "name": "[parameters('imageTemplateName')]",
41 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
42 | "apiVersion": "2020-02-14",
43 | "location": "[resourceGroup().location]",
44 | "dependsOn": [
45 |
46 | ],
47 | "tags": {
48 | "imagebuilderTemplate": "AzureImageBuilderSIG",
49 | "userIdentity": "enabled"
50 | },
51 | "identity": {
52 | "type": "UserAssigned",
53 | "userAssignedIdentities": {
54 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {
55 |
56 | }
57 | }
58 | },
59 | "properties": {
60 | "buildTimeoutInMinutes": 100,
61 | "vmProfile": {
62 | "vmSize": "Standard_D1_v2",
63 | "osDiskSizeGB": 127
64 | },
65 | "source": {
66 | "type": "PlatformImage",
67 | "publisher": "MicrosoftWindowsServer",
68 | "offer": "WindowsServer",
69 | "sku": "2016-Datacenter",
70 | "version": "latest"
71 | },
72 | "customize": [
73 | {
74 | "type": "PowerShell",
75 | "name": "setEnvVariables",
76 | "inline": [
77 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_ID'',''',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''',[System.EnvironmentVariableTarget]::Machine)')]",
78 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_KEY'',''',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''', [System.EnvironmentVariableTarget]::Machine)')]",
79 | "[concat('[System.Environment]::SetEnvironmentVariable(''POWERSTIG_VER'',''',parameters('powerStigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
80 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSVER'',''',parameters('osVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
81 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSROLE'',''',parameters('osRole'),''', [System.EnvironmentVariableTarget]::Machine)')]",
82 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_VER'',''',parameters('stigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]"
83 | ]
84 | },
85 | {
86 | "type": "PowerShell",
87 | "name": "addFeatures",
88 | "inline": [
89 | "[if(contains(parameters('osRole'), 'DC'),'Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools','get-windowsfeature')]"
90 | ]
91 | },
92 | {
93 | "type": "File",
94 | "name": "mofFileDownload",
95 | "sourceUri": "[parameters('mofUrl')]",
96 | "destination": "c:\\localhost.mof"
97 | },
98 | {
99 | "type": "File",
100 | "name": "AuditScriptDownload",
101 | "sourceUri": "[variables('setAuditingStigUrl')]",
102 | "destination": "c:\\auditStig.ps1"
103 | },
104 | {
105 | "type": "PowerShell",
106 | "name": "SetUpPowerStig",
107 | "runElevated": true,
108 | "scriptUri": "[variables('setPowerStigUrl')]"
109 | }
110 | ],
111 | "distribute": [
112 | {
113 | "type": "SharedImage",
114 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/',parameters('imageTemplateName'),'/versions/',parameters('stigVersion'),'.0')]",
115 | "runOutputName": "[parameters('imageTemplateName')]",
116 | "artifactTags": {
117 | "source": "azureVmImageBuilder",
118 | "baseosimg": "WindowsServer"
119 | },
120 | "replicationRegions": [
121 | "eastus",
122 | "eastus2",
123 | "southcentralus"
124 | ]
125 | },
126 | {
127 | "type": "VHD",
128 | "runOutputName": "Win2016_STIG_V2R1"
129 | }
130 | ]
131 | }
132 | }
133 | ]
134 | }
--------------------------------------------------------------------------------
/imageTemplates/windows2019.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "mofUrl":{
6 | "type": "string"
7 | },
8 | "identityId": {
9 | "type": "string"
10 | },
11 | "galleryName": {
12 | "type": "string"
13 | },
14 | "workspaceName": {
15 | "type": "string"
16 | },
17 | "imageTemplateName": {
18 | "type": "string"
19 | },
20 | "powerStigVersion": {
21 | "type": "string"
22 | },
23 | "stigVersion" : {
24 | "type": "string"
25 | },
26 | "osVersion" : {
27 | "type": "string"
28 | },
29 | "osRole": {
30 | "type": "string"
31 | }
32 | },
33 | "variables": {
34 | "setPowerStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/setPowerStignoaudit.ps1",
35 | "setAuditingStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/auditStig.ps1",
36 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
37 | },
38 | "resources": [
39 | {
40 | "name": "[parameters('imageTemplateName')]",
41 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
42 | "apiVersion": "2020-02-14",
43 | "location": "[resourceGroup().location]",
44 | "dependsOn": [
45 |
46 | ],
47 | "tags": {
48 | "imagebuilderTemplate": "AzureImageBuilderSIG",
49 | "userIdentity": "enabled"
50 | },
51 | "identity": {
52 | "type": "UserAssigned",
53 | "userAssignedIdentities": {
54 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {
55 |
56 | }
57 | }
58 | },
59 | "properties": {
60 | "buildTimeoutInMinutes": 100,
61 | "vmProfile": {
62 | "vmSize": "Standard_D8_v5",
63 | "osDiskSizeGB": 127
64 | },
65 | "source": {
66 | "type": "PlatformImage",
67 | "publisher": "MicrosoftWindowsServer",
68 | "offer": "WindowsServer",
69 | "sku": "2019-datacenter-gensecond",
70 | "version": "latest"
71 | },
72 | "customize": [
73 | {
74 | "type": "PowerShell",
75 | "name": "setEnvVariables",
76 | "inline": [
77 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_ID'',''',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''',[System.EnvironmentVariableTarget]::Machine)')]",
78 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_KEY'',''',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''', [System.EnvironmentVariableTarget]::Machine)')]",
79 | "[concat('[System.Environment]::SetEnvironmentVariable(''POWERSTIG_VER'',''',parameters('powerStigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
80 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSVER'',''',parameters('osVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
81 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSROLE'',''',parameters('osRole'),''', [System.EnvironmentVariableTarget]::Machine)')]",
82 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_VER'',''',parameters('stigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]"
83 | ]
84 | },
85 | {
86 | "type": "PowerShell",
87 | "name": "addFeatures",
88 | "inline": [
89 | "[if(contains(parameters('osRole'), 'DC'),'Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools','get-windowsfeature')]"
90 | ]
91 | },
92 | {
93 | "type": "File",
94 | "name": "mofFileDownload",
95 | "sourceUri": "[parameters('mofUrl')]",
96 | "destination": "c:\\localhost.mof"
97 | },
98 | {
99 | "type": "File",
100 | "name": "AuditScriptDownload",
101 | "sourceUri": "[variables('setAuditingStigUrl')]",
102 | "destination": "c:\\auditStig.ps1"
103 | },
104 | {
105 | "type": "PowerShell",
106 | "name": "SetUpPowerStig",
107 | "runElevated": true,
108 | "scriptUri": "[variables('setPowerStigUrl')]"
109 | },
110 | {
111 | "type": "WindowsUpdate",
112 | "searchCriteria": "IsInstalled=0",
113 | "filters": [
114 | "exclude:$_.Title -like '*Preview*'",
115 | "include:$true"
116 | ],
117 | "updateLimit": 40
118 | },
119 | {
120 | "type": "WindowsRestart",
121 | "restartCommand": "shutdown /r /f /t 0",
122 | "restartCheckCommand": "echo Azure-Image-Builder-Restarted-the-VM > c:\\azureImageBuilderRestart.txt",
123 | "restartTimeout": "2h"
124 | }
125 | ],
126 | "distribute": [
127 | {
128 | "type": "SharedImage",
129 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/',parameters('imageTemplateName'),'/versions/',parameters('stigVersion'),'.1')]",
130 | "runOutputName": "[parameters('imageTemplateName')]",
131 | "artifactTags": {
132 | "source": "azureVmImageBuilder",
133 | "baseosimg": "WindowsServer"
134 | },
135 | "replicationRegions": [
136 | "eastus",
137 | "eastus2",
138 | "southcentralus"
139 | ]
140 | },
141 | {
142 | "type": "VHD",
143 | "runOutputName": "Win2019gen2_STIG_V2R4"
144 | }
145 | ]
146 | }
147 | }
148 | ]
149 | }
--------------------------------------------------------------------------------
/imageTemplates/windows2019small.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "mofUrl":{
6 | "type": "string"
7 | },
8 | "identityId": {
9 | "type": "string"
10 | },
11 | "galleryName": {
12 | "type": "string"
13 | },
14 | "workspaceName": {
15 | "type": "string"
16 | },
17 | "imageTemplateName": {
18 | "type": "string"
19 | },
20 | "powerStigVersion": {
21 | "type": "string"
22 | },
23 | "stigVersion" : {
24 | "type": "string"
25 | },
26 | "osVersion" : {
27 | "type": "string"
28 | },
29 | "osRole": {
30 | "type": "string"
31 | }
32 | },
33 | "variables": {
34 | "setPowerStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/setPowerStignoaudit.ps1",
35 | "setAuditingStigUrl": "https://raw.githubusercontent.com/shawngib/project-stig/main/scripts/auditStig.ps1",
36 | "wsResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/','Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
37 | },
38 | "resources": [
39 | {
40 | "name": "[parameters('imageTemplateName')]",
41 | "type": "Microsoft.VirtualMachineImages/imageTemplates",
42 | "apiVersion": "2020-02-14",
43 | "location": "[resourceGroup().location]",
44 | "dependsOn": [
45 |
46 | ],
47 | "tags": {
48 | "imagebuilderTemplate": "AzureImageBuilderSIG",
49 | "userIdentity": "enabled"
50 | },
51 | "identity": {
52 | "type": "UserAssigned",
53 | "userAssignedIdentities": {
54 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityId'))]": {
55 |
56 | }
57 | }
58 | },
59 | "properties": {
60 | "buildTimeoutInMinutes": 100,
61 | "vmProfile": {
62 | "vmSize": "Standard_D8_v5",
63 | "osDiskSizeGB": 30
64 | },
65 | "source": {
66 | "type": "PlatformImage",
67 | "publisher": "MicrosoftWindowsServer",
68 | "offer": "WindowsServer",
69 | "sku": "2019-datacenter-smalldisk-g2",
70 | "version": "latest"
71 | },
72 | "customize": [
73 | {
74 | "type": "PowerShell",
75 | "name": "setEnvVariables",
76 | "inline": [
77 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_ID'',''',reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')),'2017-03-15-preview').customerId,''',[System.EnvironmentVariableTarget]::Machine)')]",
78 | "[concat('[System.Environment]::SetEnvironmentVariable(''WORKSPACE_KEY'',''',listKeys(variables('wsResourceId'), '2015-11-01-preview').primarySharedKey,''', [System.EnvironmentVariableTarget]::Machine)')]",
79 | "[concat('[System.Environment]::SetEnvironmentVariable(''POWERSTIG_VER'',''',parameters('powerStigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
80 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSVER'',''',parameters('osVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]",
81 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_OSROLE'',''',parameters('osRole'),''', [System.EnvironmentVariableTarget]::Machine)')]",
82 | "[concat('[System.Environment]::SetEnvironmentVariable(''STIG_VER'',''',parameters('stigVersion'),''', [System.EnvironmentVariableTarget]::Machine)')]"
83 | ]
84 | },
85 | {
86 | "type": "PowerShell",
87 | "name": "addFeatures",
88 | "inline": [
89 | "[if(contains(parameters('osRole'), 'DC'),'Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools','get-windowsfeature')]"
90 | ]
91 | },
92 | {
93 | "type": "File",
94 | "name": "mofFileDownload",
95 | "sourceUri": "[parameters('mofUrl')]",
96 | "destination": "c:\\localhost.mof"
97 | },
98 | {
99 | "type": "File",
100 | "name": "AuditScriptDownload",
101 | "sourceUri": "[variables('setAuditingStigUrl')]",
102 | "destination": "c:\\auditStig.ps1"
103 | },
104 | {
105 | "type": "PowerShell",
106 | "name": "SetUpPowerStig",
107 | "runElevated": true,
108 | "scriptUri": "[variables('setPowerStigUrl')]"
109 | },
110 | {
111 | "type": "WindowsUpdate",
112 | "searchCriteria": "IsInstalled=0",
113 | "filters": [
114 | "exclude:$_.Title -like '*Preview*'",
115 | "include:$true"
116 | ],
117 | "updateLimit": 40
118 | },
119 | {
120 | "type": "WindowsRestart",
121 | "restartCommand": "shutdown /r /f /t 0",
122 | "restartCheckCommand": "echo Azure-Image-Builder-Restarted-the-VM > c:\\azureImageBuilderRestart.txt",
123 | "restartTimeout": "2h"
124 | }
125 | ],
126 | "distribute": [
127 | {
128 | "type": "SharedImage",
129 | "galleryImageId": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/galleries/',parameters('galleryName'),'/images/',parameters('imageTemplateName'),'/versions/',parameters('stigVersion'),'.1')]",
130 | "runOutputName": "[parameters('imageTemplateName')]",
131 | "artifactTags": {
132 | "source": "azureVmImageBuilder",
133 | "baseosimg": "WindowsServer"
134 | },
135 | "replicationRegions": [
136 | "eastus",
137 | "eastus2",
138 | "southcentralus"
139 | ]
140 | },
141 | {
142 | "type": "VHD",
143 | "runOutputName": "Win2019gen2_small_STIG_V2R4"
144 | }
145 | ]
146 | }
147 | }
148 | ]
149 | }
--------------------------------------------------------------------------------
/images/architecture.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/images/architecture.jpg
--------------------------------------------------------------------------------
/images/sentinelworkbook.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/images/sentinelworkbook.jpg
--------------------------------------------------------------------------------
/images/winser2019image.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/images/winser2019image.jpg
--------------------------------------------------------------------------------
/images/workbook.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/images/workbook.jpg
--------------------------------------------------------------------------------
/mof/CentOs7test/localhost.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/CentOs7test/localhost.mof
--------------------------------------------------------------------------------
/mof/Windows10v1r23/localhost.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/Windows10v1r23/localhost.mof
--------------------------------------------------------------------------------
/mof/Windows10v2r1/MOF_Creation_Output.txt:
--------------------------------------------------------------------------------
1 | Windows10v2r1 -Output c:\imagebuilder
2 | WARNING: Windows_10_STIG: V-220704/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
3 | WARNING: Windows_10_STIG: V-220903.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
4 | WARNING: Windows_10_STIG: V-220903.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
5 | WARNING: Windows_10_STIG: V-220903.c/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
6 | WARNING: Windows_10_STIG: V-220903.d/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
7 | WARNING: Windows_10_STIG: V-220905.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
8 | WARNING: Windows_10_STIG: V-220905.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
9 | WARNING: Windows_10_STIG: V-220906/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
10 | WARNING: Windows_10_STIG: V-220911/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
11 | WARNING: Windows_10_STIG: V-220912/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
12 | WARNING: Windows_10_STIG: V-220957/UserRightRule/medium will be Skipped as specified by the configuration
13 | WARNING: Windows_10_STIG: V-220972/UserRightRule/medium will be Skipped as specified by the configuration
14 | WARNING: Google_Chrome_Current_Windows: V-221564/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
15 | WARNING: Google_Chrome_Current_Windows: V-221565/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
16 | WARNING: Google_Chrome_Current_Windows: V-221585/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
17 | WARNING: Google_Chrome_Current_Windows: V-221596/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
--------------------------------------------------------------------------------
/mof/Windows10v2r1/localhost.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/Windows10v2r1/localhost.mof
--------------------------------------------------------------------------------
/mof/WindowsServer2019DCv2r1/MOF_Creation_Output.txt:
--------------------------------------------------------------------------------
1 | WARNING: Windows_Server_2019_DC_STIG: V-205737.b/PermissionRule/medium will be Skipped as specified by the configuration
2 | WARNING: Windows_Server_2019_DC_STIG: V-205810/RegistryRule/medium will be Skipped as specified by the configuration
3 | WARNING: Windows_Server_2019_DC_STIG: V-205648.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
4 | WARNING: Windows_Server_2019_DC_STIG: V-205648.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
5 | WARNING: Windows_Server_2019_DC_STIG: V-205648.c/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
6 | WARNING: Windows_Server_2019_DC_STIG: V-205648.d/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
7 | WARNING: Windows_Server_2019_DC_STIG: V-205649.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
8 | WARNING: Windows_Server_2019_DC_STIG: V-205649.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
9 | WARNING: Windows_Server_2019_DC_STIG: V-205650.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
10 | WARNING: Windows_Server_2019_DC_STIG: V-205650.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
11 | WARNING: Windows_Server_2019_DC_STIG: V-205909/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
12 | WARNING: Windows_Server_2019_DC_STIG: V-205910/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
13 | WARNING: Windows_Server_2019_DC_STIG: V-205850/ServiceRule/high will be Skipped as specified by the configuration
14 | WARNING: Windows_Server_2019_DC_STIG: V-214936/ServiceRule/medium will be Skipped as specified by the configuration
15 | WARNING: Google_Chrome_Current_Windows: V-221564/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
16 | WARNING: Google_Chrome_Current_Windows: V-221565/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
17 | WARNING: Google_Chrome_Current_Windows: V-221585/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
18 | WARNING: Google_Chrome_Current_Windows: V-221596/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
--------------------------------------------------------------------------------
/mof/WindowsServer2019DCv2r1/localhost.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/WindowsServer2019DCv2r1/localhost.mof
--------------------------------------------------------------------------------
/mof/WindowsServer2019v2r1/MOF_Creation_Output.txt:
--------------------------------------------------------------------------------
1 | WARNING: Windows_Server_2019_MS_STIG: V-205737.b/PermissionRule/medium will be Skipped as specified by the configuration
2 | WARNING: Windows_Server_2019_MS_STIG: V-205810/RegistryRule/medium will be Skipped as specified by the configuration
3 | WARNING: Windows_Server_2019_MS_STIG: V-205648.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
4 | WARNING: Windows_Server_2019_MS_STIG: V-205648.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
5 | WARNING: Windows_Server_2019_MS_STIG: V-205648.c/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
6 | WARNING: Windows_Server_2019_MS_STIG: V-205648.d/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
7 | WARNING: Windows_Server_2019_MS_STIG: V-205649.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
8 | WARNING: Windows_Server_2019_MS_STIG: V-205649.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
9 | WARNING: Windows_Server_2019_MS_STIG: V-205650.a/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
10 | WARNING: Windows_Server_2019_MS_STIG: V-205650.b/RootCertificateRule/medium contains an empty Organizational Value, setting rule as Skipped
11 | WARNING: Windows_Server_2019_MS_STIG: V-205909/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
12 | WARNING: Windows_Server_2019_MS_STIG: V-205910/SecurityOptionRule/medium contains an empty Organizational Value, setting rule as Skipped
13 | WARNING: Windows_Server_2019_MS_STIG: V-205850/ServiceRule/high will be Skipped as specified by the configuration
14 | WARNING: Windows_Server_2019_MS_STIG: V-214936/ServiceRule/medium will be Skipped as specified by the configuration
15 | WARNING: Google_Chrome_Current_Windows: V-221564/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
16 | WARNING: Google_Chrome_Current_Windows: V-221565/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
17 | WARNING: Google_Chrome_Current_Windows: V-221585/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
18 | WARNING: Google_Chrome_Current_Windows: V-221596/RegistryRule/medium contains an empty Organizational Value, setting rule as Skipped
--------------------------------------------------------------------------------
/mof/WindowsServer2019v2r1/localhost.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/WindowsServer2019v2r1/localhost.mof
--------------------------------------------------------------------------------
/mof/WindowsServer2019v2r4/localhost.meta.mof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/mof/WindowsServer2019v2r4/localhost.meta.mof
--------------------------------------------------------------------------------
/nested/dashboard.json:
--------------------------------------------------------------------------------
1 | {
2 | "contentVersion": "1.0.0.0",
3 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
4 | "parameters": {
5 | "workbookDisplayName": {
6 | "type": "string",
7 | "defaultValue": "STIG Compliance",
8 | "metadata": {
9 | "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group."
10 | }
11 | },
12 | "workbookType": {
13 | "type": "string",
14 | "defaultValue": "sentinel",
15 | "metadata": {
"description": "The gallery the workbook is shown under. Supported values include workbook, tsg, etc. Usually this is 'workbook'; this template defaults to 'sentinel' so the workbook appears in the Sentinel workbook gallery."
17 | }
18 | },
19 | "workspaceName": {
20 | "type": "string",
21 | "metadata": {
"description": "The name of the Log Analytics workspace the workbook is associated with; the workspace resource ID that the workbook is bound to is derived from this name."
23 | }
24 | },
25 | "workbookId": {
26 | "type": "string",
27 | "defaultValue": "[newGuid()]",
28 | "metadata": {
29 | "description": "The unique guid for this workbook instance"
30 | }
31 | }
32 | },
33 | "variables": {
34 | "workbookSourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
35 | },
36 | "resources": [
37 | {
38 | "name": "[parameters('workbookId')]",
39 | "type": "microsoft.insights/workbooks",
40 | "location": "[resourceGroup().location]",
41 | "apiVersion": "2018-06-17-preview",
42 | "dependsOn": [],
43 | "kind": "shared",
44 | "properties": {
45 | "displayName": "[parameters('workbookDisplayName')]",
46 | "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure DISA STIG Workbook\\n---\\n\\nWelcome to the Azure DISA STIG Compliance workbook. This workbook provides visualized compliance data generated by the Azure Image Builder STIG solution.\\n\\n\\n\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"STIG_Compliance_CL\\n| distinct FindingID_s, DesiredState_b\\n| summarize count() by tostring(DesiredState_b)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Overall STIG Status\",\"timeContext\":{\"durationMs\":1800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"False\",\"label\":\"Not Applied\",\"color\":\"redBright\"},{\"seriesName\":\"True\",\"label\":\"Applied\",\"color\":\"green\"},{\"seriesName\":\"\",\"label\":\"Manual\"}]}},\"customWidth\":\"40\",\"showPin\":true,\"name\":\"Computers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"STIG_Compliance_CL\\r\\n| where DesiredState_b == false\\r\\n| distinct FindingID_s, Computer\\r\\n| summarize count(FindingID_s) by Computer\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Open STIGs by Computer\",\"timeContext\":{\"durationMs\":1800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"showPin\":true,\"name\":\"Open STIGs by Computer\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"STIG_Compliance_CL\\r\\n| where DesiredState_b == false\\r\\n| distinct FindingID_s, Severity_s, DesiredState_b\\r\\n| summarize count(FindingID_s) by Severity_s \\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Open STIGs by 
Severity\",\"timeContext\":{\"durationMs\":1800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"STIG_Compliance_CL\",\"label\":\"STIG Compliance\"},{\"seriesName\":\"\",\"label\":\"informational\"}]}},\"customWidth\":\"30\",\"showPin\":true,\"name\":\"Open STIGs by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"STIG_Compliance_Computer_CL | distinct Computer, DesiredState_b, Domain_s\",\"size\":1,\"showAnalytics\":true,\"title\":\"Overall Compliance State by Computer\",\"timeContext\":{\"durationMs\":1800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"STIG_Compliance_CL \\r\\n| distinct Computer, FindingID_s, Severity_s, DesiredState_b \\r\\n| extend Success = case(DesiredState_b == true, \\\"Applied\\\",\\r\\n DesiredState_b == false, \\\"Not-Applied\\\",\\r\\n \\\"Question\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"STIG Status and Details by Computer\",\"timeContext\":{\"durationMs\":1800000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Computer\",\"Success\",\"Severity_s\"]}}},\"customWidth\":\"66\",\"showPin\":true,\"name\":\"STIG Status and Details by Computer\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"/subscriptions/bf031e99-23ef-4cc3-b5a9-b2761eb6126d/resourceGroups/STIG_DEMO/providers/Microsoft.OperationalInsights/workspaces/STIGDEMO-WS-eastus\"],\"styleSettings\":{\"paddingStyle\":\"narrow\",\"spacingStyle\":\"narrow\"}}",
47 | "version": "1.0",
48 | "sourceId": "[variables('workbookSourceId')]",
49 | "category": "[parameters('workbookType')]"
50 | }
51 | }
52 | ]
53 | }
--------------------------------------------------------------------------------
/nested/imageDefinition.json:
--------------------------------------------------------------------------------
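{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // One entry per Shared Image Gallery image definition to create. The entries that are
    // commented out are kept as ready-made templates for images this deployment does not
    // currently build; move an entry inside the array (with its comma) to enable it.
    "definitions": {
      "type": "array",
      "defaultValue": [
        // {
        //   "imageDefinitionName": "Win10WVDw365_STIG",
        //   "osType": "Windows",
        //   "osState": "Generalized",
        //   "publisher": "AzureGlobalDesktop",
        //   "offer": "office-365",
        //   "sku": "20h1-evd-o365pp-stig",
        //   "minRecommendedvCPUs": "2",
        //   "maxRecommendedvCPUs": "8",
        //   "minRecommendedMemory": "32",
        //   "maxRecommendedMemory": "48"
        // },
        {
          "imageDefinitionName": "Win2019_STIG",
          "osType": "Windows",
          "osState": "Generalized",
          "publisher": "MicrosoftWindowsServer",
          "offer": "WindowsServer",
          "sku": "2019-Datacenter-Stig",
          "minRecommendedvCPUs": "2",
          "maxRecommendedvCPUs": "8",
          "minRecommendedMemory": "32",
          "maxRecommendedMemory": "48"
        },
        {
          "imageDefinitionName": "Win2019_STIG_Small",
          "osType": "Windows",
          "osState": "Generalized",
          "publisher": "MicrosoftWindowsServer",
          "offer": "WindowsServer",
          "sku": "2019-Datacenter-Stig-Small",
          "minRecommendedvCPUs": "2",
          "maxRecommendedvCPUs": "8",
          "minRecommendedMemory": "32",
          "maxRecommendedMemory": "48"
        }
        // ,
        // {
        //   "imageDefinitionName": "Win2016_STIG",
        //   "osType": "Windows",
        //   "osState": "Generalized",
        //   "publisher": "MicrosoftWindowsServer",
        //   "offer": "WindowsServer",
        //   "sku": "2016-Datacenter-Stig",
        //   "minRecommendedvCPUs": "2",
        //   "maxRecommendedvCPUs": "8",
        //   "minRecommendedMemory": "32",
        //   "maxRecommendedMemory": "48"
        // },
        // {
        //   "imageDefinitionName": "Win2016DC_STIG",
        //   "osType": "Windows",
        //   "osState": "Generalized",
        //   "publisher": "MicrosoftWindowsServer",
        //   "offer": "WindowsServer",
        //   "sku": "2016-Datacenter-DC-Stig",
        //   "minRecommendedvCPUs": "2",
        //   "maxRecommendedvCPUs": "8",
        //   "minRecommendedMemory": "32",
        //   "maxRecommendedMemory": "48"
        // },
        // {
        //   "imageDefinitionName": "Redhat8_STIG",
        //   "osType": "Linux",
        //   "osState": "Generalized",
        //   "publisher": "Redhat",
        //   "offer": "RHEL",
        //   "sku": "8-RedHat-Stig",
        //   "minRecommendedvCPUs": "2",
        //   "maxRecommendedvCPUs": "8",
        //   "minRecommendedMemory": "32",
        //   "maxRecommendedMemory": "48"
        // }
      ]
    },
    // Name of the gallery created by nested/imageGallery.json that the definitions go into.
    "galleryName": {
      "type": "string"
    },
    // Hyper-V generation stamped on every definition. The source images built from these
    // definitions must be of the same generation. Previously this parameter was declared but
    // ignored (the resource hard-coded "V2"); it is now honoured, with "V2" still the default.
    "hyperVGeneration": {
      "type": "string",
      "defaultValue": "V2",
      "allowedValues": [
        "V1",
        "V2"
      ]
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Compute/galleries/images",
      "name": "[concat(parameters('galleryName'), '/', parameters('definitions')[copyIndex()].imageDefinitionName)]",
      "apiVersion": "2019-07-01",
      "location": "[resourceGroup().location]",
      // One gallery image definition per entry in the definitions parameter.
      "copy": {
        "name": "Image Definition Copy",
        "count": "[length(parameters('definitions'))]"
      },
      "properties": {
        "osType": "[parameters('definitions')[copyIndex()].osType]",
        "osState": "[parameters('definitions')[copyIndex()].osState]",
        "identifier": {
          "publisher": "[parameters('definitions')[copyIndex()].publisher]",
          "offer": "[parameters('definitions')[copyIndex()].offer]",
          "sku": "[parameters('definitions')[copyIndex()].sku]"
        },
        // Portal sizing hints only; they do not constrain which VM sizes can use the image.
        // Memory values are presumably GB as the gallery API expects — confirm if changed.
        "recommended": {
          "vCPUs": {
            "min": "[parameters('definitions')[copyIndex()].minRecommendedvCPUs]",
            "max": "[parameters('definitions')[copyIndex()].maxRecommendedvCPUs]"
          },
          "memory": {
            "min": "[parameters('definitions')[copyIndex()].minRecommendedMemory]",
            "max": "[parameters('definitions')[copyIndex()].maxRecommendedMemory]"
          }
        },
        "hyperVGeneration": "[parameters('hyperVGeneration')]"
      },
      "tags": {}
    }
  ],
  "outputs": {}
}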
--------------------------------------------------------------------------------
/nested/imageGallery.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | }
8 | },
9 | "variables": {
10 | "imageGalleryName":"[concat(replace(parameters('name'),'-',''), '_SIG')]"
11 | },
12 | "resources": [
13 | {
14 | "type": "Microsoft.Compute/galleries",
15 | "name": "[variables('imageGalleryName')]",
16 | "apiVersion": "2019-03-01",
17 | "location": "[resourceGroup().location]",
18 | "properties": {},
19 | "tags": {}
20 | }
21 | ],
22 | "outputs": {
23 | "galleryName" : {
24 | "type": "string",
25 | "value": "[variables('imageGalleryName')]"
26 | }
27 | }
28 | }
--------------------------------------------------------------------------------
/nested/managedIdentity.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string",
7 | "defaultValue" : "tempManagedIdentity"
8 | }
9 | },
10 | "functions": [],
11 | "variables": {
12 | "identityName": "[concat(parameters('name'), 'identity', uniqueString(resourceGroup().id))]",
13 | "bootstrapRoleAssignmentId": "[guid(concat(resourceGroup().id, 'contributor'))]"
14 | },
15 | "resources": [
16 | {
17 | "name": "[variables('identityName')]",
18 | "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
19 | "apiVersion": "2018-11-30",
20 | "location": "[resourceGroup().location]"
21 | },
22 | {
23 | "type": "Microsoft.Authorization/roleAssignments",
24 | "apiVersion": "2018-09-01-preview",
25 | "name": "[variables('bootstrapRoleAssignmentId')]",
26 | "dependsOn": [
27 | "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
28 | ],
29 | "properties": {
30 | "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
31 | "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30').principalId]",
32 | "scope": "[resourceGroup().id]",
33 | "principalType": "ServicePrincipal"
34 | }
35 | }
36 | ],
37 | "outputs": {
38 | "identityName" : {
39 | "type": "string",
40 | "value": "[variables('identityName')]"
41 | }
42 | }
43 | }
--------------------------------------------------------------------------------
/nested/workspace.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name" : {
6 | "type": "string"
7 | }
8 | },
9 | "functions": [],
10 | "variables": {
11 | "workspaceName": "[replace(concat(parameters('name'),'-WS-', resourceGroup().location),'_','')]",
12 | "automationAccountName": "[replace(concat(parameters('name'),'-AA'),'_','')]",
13 | "solutionArray": {
14 | "solutions" : [
15 | {
16 | "name": "[concat('SecurityInsights', '(', variables('workspaceName'), ')')]",
17 | "galleryName": "SecurityInsights"
18 | }
19 | ]
20 | }
21 | },
22 | "resources": [
23 | {
24 | "name": "[variables('workspaceName')]",
25 | "type": "Microsoft.OperationalInsights/workspaces",
26 | "apiVersion": "2015-11-01-preview",
27 | "location": "[resourceGroup().location]",
28 | "properties": {
29 | "sku": {
30 | "name": "PerGB2018"
31 | },
32 | "features": {
33 | "searchVersion": 1
34 | }
35 | }
36 | },
37 | {
38 | "name": "[variables('automationAccountName')]",
39 | "type": "Microsoft.Automation/automationAccounts",
40 | "apiVersion": "2015-10-31",
41 | "location": "[resourceGroup().location]",
42 | "tags": {
43 | },
44 | "properties": {
45 | "sku": {
46 | "name": "Free"
47 | }
48 | }
49 | },
50 | {
51 | "apiVersion": "2015-11-01-preview",
52 | "location": "[resourceGroup().location]",
53 | "name": "[concat(variables('solutionArray').solutions[copyIndex()].Name)]",
54 | "type": "Microsoft.OperationsManagement/solutions",
55 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('solutionArray').solutions[copyIndex()].Name)]",
56 | "dependsOn": [
57 | "[concat('Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
58 | ],
59 | "copy": {
60 | "name": "solutionCopy",
61 | "count": "[length(variables('solutionArray').solutions)]"
62 | },
63 | "properties": {
64 | "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
65 | },
66 | "plan": {
67 | "name": "[variables('solutionArray').solutions[copyIndex()].Name]",
68 | "publisher": "Microsoft",
69 | "promotionCode": "",
70 | "product": "[concat('OMSGallery/', variables('solutionArray').solutions[copyIndex()].galleryName)]"
71 | }
72 | }
73 | ],
74 | "outputs": {
75 | "workspaceName": {
76 | "type": "string",
77 | "value": "[variables('workspaceName')]"
78 | }
79 | }
80 | }
81 |
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
[Azure Boards project board](https://shawnstestdevops.visualstudio.com/fbaec535-ce2b-404c-b23e-62b303dfb0b8/_boards/board/t/7e54e29c-a555-4e0d-b74c-19912e166813/Microsoft.RequirementCategory)
2 | # Create Custom STIG Images
3 |
4 | UPDATE 2/1/2021:
5 | - Some bug fixes in setPowerStig script to reflect variance between server and client.
6 | - Updated to latest PowerSTIG and 4.7.1 and STIG versions 2.1
7 | - Also added IE and Chrome STIGs to MOF file for example. New MOF creation scripts added to /scripts/MOFcreation folder
8 |
9 | -------
10 |
11 | At Microsoft, our security and compliance story is one of our greatest differentiators. Microsoft recognizes the criticality of security compliance accreditations for Defense Industrial Base (DIB) and Department of Defense (DoD) customers. Maintaining Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) compliance is critical and often time consuming. Azure provides automation and compliance dashboarding capabilities at cloud speed and scale, allowing customers to shortcut the heavy costs of compliance when they choose Azure.
12 |
13 |
14 |
15 |
16 |
17 | The Azure Team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. The STIG
18 | Automation GitHub Repository, enables customers to:
19 |
20 |
21 | * Automate STIG implementation and baseline updates with Azure Image Builder
22 |
23 |
24 | * Visualize compliance with Azure Monitor Log Analytics or Sentinel
25 |
26 | ## STIG Automation POC Primary Goals
27 | - Microsoft Azure 1st party services
28 | - Some level of ongoing reporting
29 | - As hands free as possible
30 | - Some level of ongoing maintenance
31 |
32 | ### Current Architecture
33 | 
34 |
The overall architecture is a set of resources deployed via nested ARM templates from this repo. The result is automated VM image creation via Azure Image Builder, with the final STIG'd images stored in the resource group's Shared Image Gallery for use in that subscription. Logging uses the Log Analytics HTTPS ingestion API to send the PowerSTIG DSC audit results, so it does not interfere with any agents installed for other monitoring purposes.
36 |
37 | Basic resources used:
38 |
39 | 1. Shared Image Gallery
40 | 2. Image Definitions
41 | 3. Image Builder Templates
42 | 4. GitHub
43 | 5. Log Analytics Workspace
44 | 6. Azure Automation (for future use)
7. Managed Identity (nested/managedIdentity.json grants it the built-in Contributor role on the whole resource group; for production, scope it down to a least-privilege custom role carrying only the image and gallery permissions Image Builder needs)
8. Azure Workbook for Sentinel and Log Analytics (nested/dashboard.json still contains a `fallbackResourceIds` entry that points at the author's demo subscription and workspace; replace or remove it before deploying into your own tenant)
47 | 9. PowerShell during creation and for reporting audits.
48 | *Note: This is scheduled every 20 minutes and can be modified prior to deploying in the setPowerStig.ps1 script on the second to last line.*
49 |
50 | Resources used in the Image building and STIG process:
51 |
52 | 1. PowerSTIG DSC - STIG and Audit STIG
53 | 2. Custom scripts
54 | a. setPowerStig.ps1 = enables DSC and PowerSTIG requirements and creates scheduled task to audit for Windows.
b. auditStig.ps1 = Audits current state and parses state values to log for Windows.
56 | c. Desired state MOF files, one for each image required.
57 | d. Image Definition files, one for each.
58 |
59 | Resources used in the reporting and deployed as part of solution:
60 | 1. Log Analytics Workspace - logged telemetry varies per OS. See here for Azure Monitor Log Analytics pricing.
61 | 2. 2 x Log Analytics workbooks, one for use in Sentinel.
62 | 3. Sentinel Solution - connects workspace to Sentinel. See here for Sentinel pricing. This connector can be removed and the workbook used in Log Analytics if desired.
63 |
*Note: Logging goes over the public internet by default (HTTPS to the Log Analytics ingestion endpoint); for isolated systems, set up an Azure Monitor Private Link scope so the audit telemetry stays on your private network.*
65 |
66 |
67 | ### Current supported OSes
68 | See Azure Image Builder for more support information on locations and customization services.
69 | * Windows 10 RS5 Enterprise/Enterprise multi-session/Professional
70 | * Windows 2016
71 | * Windows 2019
72 |
73 | Not yet supported by this project are:
74 | * Ubuntu 18.04
75 | * Ubuntu 16.04
76 | * RHEL 7.6, 7.7, 8
77 | * CentOS 7.6, 7.7, 8
78 | * SLES 12 SP4
79 | * SLES 15, SLES 15 SP1
80 |
81 | ### Getting Started
82 |
To deploy the resources that enable a base set of STIG'd images to be created in your subscription, run the following:
84 |
85 | 1. Ensure you have the required resource registrations in your subscription:
86 |
87 | ```
88 | Register-AzProviderFeature -FeatureName VirtualMachineTemplatePreview -ProviderNamespace Microsoft.VirtualMachineImages
89 | Register-AzResourceProvider Microsoft.KeyVault
90 | Register-AzResourceProvider Microsoft.VirtualMachineImages
91 | Register-AzResourceProvider Microsoft.Compute
92 | Register-AzResourceProvider Microsoft.Storage
93 | ```
94 | 2. Deploy the solution to create the images:
95 | ```
96 | $url = "https://raw.githubusercontent.com/shawngib/project-stig/main/azuredeploy.json"
97 | $imageResourceGroup = ""
98 | $deploymentName = "" + (Get-Random)
99 | New-AzSubscriptionDeployment `
100 | -Name $deploymentName `
101 | -Location eastus `
102 | -TemplateUri $url `
103 | -rgName $imageResourceGroup `
104 | -rgLocation eastus `
105 | -DeploymentDebugLogLevel All
106 | ```
107 | 3. Create the images:
108 |
At this point you should have the resources needed to create STIG'd images. Run the following for each image template whose image you want created in the Shared Image Gallery. The templates come from the image template JSON files in the imageTemplates folder, which also define how and where images and/or VHDs are created. This automation includes these 5 images with the following names (note that nested/imageDefinition.json currently has only Win2019_STIG and Win2019_STIG_Small enabled; the other definitions are commented out there):
110 | - Windows 10 STIG v1r23 - 'Win10WVDw365_STIG'
111 | - Windows Server 2019 v1r5 - 'Win2019_STIG'
112 | - Windows Server 2019 Domain Controller v1r5 - 'Win2019DC_STIG'
113 | - Windows Server 2016 v1r12 - 'Win2016_STIG'
114 | - Windows Server 2016 Domain Controller v1r12 - 'Win2016DC_STIG'
115 |
116 | ```
117 | Invoke-AzResourceAction `
118 | -ResourceName '' ` # Example: Win2019_STIG
119 | -ResourceGroupName '' `
120 | -ResourceType Microsoft.VirtualMachineImages/imageTemplates `
121 | -ApiVersion "2020-02-14" `
122 | -Action Run `
123 | -Force
124 | ```
125 | UPDATE: The above invoke command will continue to work but new PowerShell commands will expedite this. For example, the following script will get all image templates in the resource group and run Start-AzImageBuilderTemplate as a job for each.
126 |
127 | ```
128 | $imageTemplates = Get-AzImageBuilderTemplate -ResourceGroupName ''
129 | foreach($template in $imageTemplates){
130 | Start-AzImageBuilderTemplate -ResourceGroupName '' -Name $template.Name -AsJob
131 | }
132 | ```
133 |
4. Confirm the images were created. In the resource group you can find the Shared Image Gallery, which nested/imageGallery.json names after your resource group (hyphens removed) with the suffix _SIG. Here you should see the image definitions enabled in nested/imageDefinition.json; by selecting one you should see the created images:
135 | 
136 |
*Note: A sysprepped VHD copy is also stored in the storage account of the Image Builder staging resource group. That resource group's name starts with IT_ and contains your RG name and the definition name followed by a random GUID, for example IT_STIG_DEMO_Win2019_STIG_de6b0de8-5766-4e3d-9488-66b510fedb79. The VHD is a copy of the hardened image, so restrict access to that storage account accordingly.*
138 |
139 | 5. Test the image by selecting 'Create VM' in the image gallery image view blade.
140 |
6. After a VM is created and running you can view the logs in the Log Analytics workspace that was created as part of the deployment. A scheduled task added to the images runs every 20 minutes, audits the PowerSTIG DSC resource and parses the response into the Log Analytics workspace's Data Collector (HTTPS ingestion) REST API. Because that API authenticates with the workspace ID and shared key, review how setPowerStig.ps1 places those values on the image before distributing it. Two custom logs are created: 'STIG_Compliance_Computer_CL', which has one record per VM with some additional telemetry about the VM, and 'STIG_Compliance_CL', which has one record per control and includes documentary and/or manual controls. More detail about the logs to come soon.
143 |
144 | ###
145 | Once virtual machines are deployed, they start to report in to the Log Analytics Workspace and the following workbook can be viewed:
146 | 
147 |
148 | ### Ongoing Maintenance
Ongoing work is limited mostly to monitoring and reporting. Updated STIGs, which DISA releases quarterly, can be adopted by creating a new MOF file as directed by the PowerSTIG documentation and uploading a new image template to Image Builder.
150 |
Specifically, when STIGs are released or updated, you'll need to do two things.
152 | - First create a MOF file which will be used by desired state configuration (DSC), one used for WS 2019 can be found here. It is a PowerStig DSC configuration script. Note: Pay close attention to naming convention of the configuration file since it will be the name of the output MOF file.
153 | - create a new image definition template. An example can be found here. Note: the example template is designed to operate as a nested template for the solution but can be adapted to run separately with some modifications.
154 |
155 |
156 | Sample PowerShell to upload the new image definition:
157 | ```
158 | # Image gallery name
159 | $sigGalleryName= "myIBSIG"
160 |
161 | # Image definition name
162 | $imageDefName ="winSvrimage"
163 |
164 | # additional replication region
165 | $replRegion2="eastus"
166 |
167 | # Create the gallery
168 | New-AzGallery `
169 | -GalleryName $sigGalleryName `
170 | -ResourceGroupName $imageResourceGroup `
171 | -Location $location
172 |
173 | # Create the image definition
174 | New-AzGalleryImageDefinition `
175 | -GalleryName $sigGalleryName `
176 | -ResourceGroupName $imageResourceGroup `
177 | -Location $location `
178 | -Name $imageDefName `
179 | -OsState generalized `
180 | -OsType Windows `
181 | -Publisher 'myCompany' `
182 | -Offer 'WindowsServer' `
183 | -Sku 'WinSrv2019'
184 | ```
185 | *Note: Naming is important since image templates are not idempotent. Also versioning is important, for example our deployment uses the STIG version to properly audit with PowerSTIG and to place the newly created images in the image gallery.*
186 |
187 | ### Current Roadmap
188 |
189 | As of 10/28/2020 this project is beta but in working order. You can find updates here as they are published.
190 |
191 | 12/16/2020 - Publish first release for consumption. To do items include full how-to wiki and additional image templates for broader coverage.
192 |
193 | Copyright
194 |
195 | Copyright (c) 2020 Microsoft Corporation. All rights reserved.
--------------------------------------------------------------------------------
/scripts/MOFcreation/CentOs7test.ps1:
--------------------------------------------------------------------------------
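# Placeholder DSC configuration used to exercise the Linux (nx) DSC path. It only writes a
# test file and applies no STIG settings; replace it with a real CentOS 7 baseline before
# building an image that is expected to be compliant.
Configuration ExampleConfiguration
{
    Import-DscResource -Module nx

    # DSC names the compiled MOF after the node. The checked-in artifact for this
    # configuration is mof/CentOs7test/localhost.mof, so compile for localhost (as every
    # other configuration in this folder does) instead of the sample FQDN from the nx docs.
    Node "localhost"
    {
        nxFile ExampleFile
        {
            DestinationPath = "/tmp/example"
            Contents = "hello world `n"
            Ensure = "Present"
            Type = "File"
        }
    }
}

# Compiles localhost.mof into .\ExampleConfiguration\ (no -Output folder is given here,
# unlike the Windows scripts which write to c:\imagebuilder).
ExampleConfiguration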
--------------------------------------------------------------------------------
/scripts/MOFcreation/Windows10v1r23.ps1:
--------------------------------------------------------------------------------
configuration Windows10v1r23
{
    # Compiles the PowerSTIG baseline for Windows 10 (DISA STIG v1r23) into
    # c:\imagebuilder\localhost.mof, which the image build applies via DSC.
    param()
    # Pinned to the PowerSTIG release carrying the v1r23 STIG data; bump the module
    # version and StigVersion together.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1
    Node localhost
    {
        WindowsClient BaseLine
        {
            OsVersion = '10'
            StigVersion = '1.23'
            # Rules excluded from the MOF entirely: DSC neither enforces nor audits them, so
            # each needs another control and a documented justification. Rule IDs are specific
            # to this STIG release (v2r1 renumbers them; compare Windows10v2r1.ps1).
            SkipRule = 'V-63879','V-63845','V-63403'
            # Rules kept in the MOF but with the STIG value overridden. Every override lowers
            # the baseline below the published STIG and should be recorded with its reason.
            Exception = @{
                'V-63597' = @{
                    ValueData = '1' # Required for using Azure Image Builder access to creation
                }
                'V-63871' = @{
                    Identity = 'Guests' # presumably a user-rights rule narrowed to Guests only — verify against the STIG check text
                }
            }
        }
    }
}
# Writes localhost.mof to c:\imagebuilder, the path shared by all MOF creation scripts here.
Windows10v1r23 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/Windows10v2r1.ps1:
--------------------------------------------------------------------------------
configuration Windows10v2r1
{
    # Compiles the PowerSTIG baseline for Windows 10 (DISA STIG v2r1) plus the Google Chrome
    # and Office 2016 System STIGs into c:\imagebuilder\localhost.mof.
    param()
    # PowerSTIG 4.7.1 carries the v2r1 STIG data; bump the module version and StigVersion together.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.7.1
    Node localhost
    {
        WindowsClient BaseLine
        {
            OsVersion = '10'
            StigVersion = '2.1'
            # Rules excluded from the MOF entirely: DSC neither enforces nor audits them, so
            # each needs another control and a documented justification. These appear to be
            # the v2r1 equivalents of the v1r23 IDs skipped in Windows10v1r23.ps1.
            SkipRule = 'V-220972','V-220957','V-220725'
            # Rules kept in the MOF but with the STIG value overridden. Every override lowers
            # the baseline below the published STIG and should be recorded with its reason.
            Exception = @{
                'V-220799' = @{
                    ValueData = '1' # Required for using Azure Image Builder access to creation
                }
                'V-220968' = @{
                    Identity = 'Guests' # presumably a user-rights rule narrowed to Guests only — verify against the STIG check text
                }
            }
        }
        # Google Chrome STIG v2r1. Chrome rules whose organisational value is left empty are
        # emitted as Skipped (the WindowsServer2019v2r1 MOF_Creation_Output.txt shows several);
        # supply OrgSettings if those rules must be enforced.
        Chrome ChromeSettings
        {
            StigVersion = '2.1'
        }
        # Microsoft Office 2016 System STIG v1r1.
        Office OfficeSystem
        {
            OfficeApp = 'System2016'
            Stigversion = '1.1'
        }
    }
}
# Writes localhost.mof to c:\imagebuilder, the path shared by all MOF creation scripts here.
Windows10v2r1 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2012R2v2r12.ps1:
--------------------------------------------------------------------------------
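configuration WindowsServer2012R2v2r12
{
    # WORK IN PROGRESS: compiles a PowerSTIG baseline for Windows Server 2012 R2 in the member
    # server role (DISA STIG v2r12) into c:\imagebuilder\localhost.mof.
    # The rule IDs below were copied from Windows10v1r23.ps1 and are Windows 10 v1r23 IDs,
    # not 2012 R2 ones; they must be replaced before this MOF is used for an image.
    param()
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1
    Node localhost
    {
        # Server baselines use the WindowsServer composite resource, as the 2016/2019 scripts
        # in this folder do. The WindowsClient resource used previously has no OsRole property
        # and only targets OsVersion '10', so the configuration did not compile.
        WindowsServer BaseLine
        {
            OsVersion = '2012R2'
            OsRole = 'MS'
            StigVersion = '2.12'
            # TODO: replace with the 2012 R2 v2r12 rule IDs. The other server configs skip the
            # anti-virus, host-based firewall and WinRM RunAs-credential rules (see the note in
            # WindowsServer2016v1r12.ps1); skipped rules are neither enforced nor audited.
            SkipRule = 'V-63879','V-63845','V-63403'
            # TODO: replace both keys with the 2012 R2 rule IDs. An earlier placeholder entry
            # with an empty rule ID ('V-') was removed. Each override lowers the baseline below
            # the published STIG and should be recorded with its reason.
            Exception = @{
                'V-63597' = @{
                    ValueData = '1' # Required for using Azure Image Builder access to creation
                }
                'V-63871' = @{
                    Identity = 'Guests' # presumably a user-rights rule narrowed to Guests only — verify against the STIG check text
                }
            }
        }
    }
}
# Writes localhost.mof to c:\imagebuilder, the path shared by all MOF creation scripts here.
WindowsServer2012R2v2r12 -Output c:\imagebuilder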
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2016v1r12.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2016v1r12
{
    # Compiles the PowerSTIG baseline for Windows Server 2016 in the member server role
    # (DISA STIG v1r12) into c:\imagebuilder\localhost.mof.
    param()
    # Pinned to the PowerSTIG release carrying the v1r12 STIG data; bump the module
    # version and StigVersion together.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1
    Node localhost
    {
        WindowsServer BaseLine
        {
            OsVersion = '2016'
            OsRole = 'MS'
            # Rules excluded from the MOF entirely: DSC neither enforces nor audits them, so each
            # needs another control (e.g. the platform AV/firewall) and a documented justification.
            # Per the author's original note these cover: must use an anti-virus program, a
            # host-based firewall, and WinRM must not store RunAs credentials. The 'V-93335'
            # (Exploit Protection for iexplore.exe) that note also mentioned is a Server 2019
            # rule ID and is not in this list; map each ID to its v1r12 finding before relying on it.
            SkipRule = 'V-73241', 'V-73279', 'V-73603'
            StigVersion = '1.12'
            # Rules kept in the MOF but with the STIG value overridden. Every override lowers
            # the baseline below the published STIG and should be recorded with its reason.
            Exception = @{
                'V-73495' = @{
                    ValueData = '1' # Required for using Azure Image Builder access to creation
                }
                # Four rules narrowed to the Guests identity only — presumably user-rights
                # assignments; verify against the STIG check text that nothing else is required.
                'V-73775' = @{
                    Identity = 'Guests'
                }
                'V-73759' = @{
                    Identity = 'Guests'
                }
                'V-73763' = @{
                    Identity = 'Guests'
                }
                'V-73771' = @{
                    Identity = 'Guests'
                }
            }
        }
    }
}
# Writes localhost.mof to c:\imagebuilder, the path shared by all MOF creation scripts here.
WindowsServer2016v1r12 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2016v1r12DC.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2016DCv1r12
{
    # Compiles the PowerSTIG baseline for Windows Server 2016 in the Domain Controller role
    # (DISA STIG v1r12) into c:\imagebuilder\localhost.mof. Identical to
    # WindowsServer2016v1r12.ps1 except for OsRole.
    param()
    # Pinned to the PowerSTIG release carrying the v1r12 STIG data; bump the module
    # version and StigVersion together.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1
    Node localhost
    {
        WindowsServer BaseLine
        {
            OsVersion = '2016'
            # DC-role rules are compiled into a generalized image before any promotion;
            # NOTE(review): confirm the audit task tolerates a not-yet-promoted server.
            OsRole = 'DC'
            # Rules excluded from the MOF entirely: DSC neither enforces nor audits them, so each
            # needs another control and a documented justification. Per the author's original
            # note these cover: must use an anti-virus program, a host-based firewall, and WinRM
            # must not store RunAs credentials. The 'V-93335' (Exploit Protection for
            # iexplore.exe) that note also mentioned is a Server 2019 rule ID and is not in this
            # list; map each ID to its v1r12 finding before relying on it.
            SkipRule = 'V-73241', 'V-73279', 'V-73603'
            StigVersion = '1.12'
            # Rules kept in the MOF but with the STIG value overridden. Every override lowers
            # the baseline below the published STIG and should be recorded with its reason.
            Exception = @{
                'V-73495' = @{
                    ValueData = '1' # Required for using Azure Image Builder access to creation
                }
                # Four rules narrowed to the Guests identity only — presumably user-rights
                # assignments; verify against the STIG check text that nothing else is required.
                'V-73775' = @{
                    Identity = 'Guests'
                }
                'V-73759' = @{
                    Identity = 'Guests'
                }
                'V-73763' = @{
                    Identity = 'Guests'
                }
                'V-73771' = @{
                    Identity = 'Guests'
                }
            }
        }
    }
}
# Writes localhost.mof to c:\imagebuilder, the path shared by all MOF creation scripts here.
WindowsServer2016DCv1r12 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019DCv1r5.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2019DCv1r5
{
    # Compiles the PowerSTIG baseline for Windows Server 2019, domain-controller role,
    # STIG v1.5, into a localhost MOF. Runs at authoring time when invoked below.
    param()

    # Pinned: rule ids below belong to this module version's STIG data.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1

    Node localhost
    {
        WindowsServer BaseLine
        {
            StigVersion = '1.5'
            OsVersion   = '2019'
            OsRole      = 'DC'

            # Rules deliberately left unenforced. No rationale is recorded in this file;
            # the 2016 scripts in this folder describe their skips as anti-virus,
            # host-based firewall, Exploit Protection for iexplore.exe and WinRM RunAs
            # credential storage — TODO record which of these each id below covers.
            # Skipped rules are still reported by auditStig.ps1 with Note = "Skip".
            SkipRule = @('V-93217', 'V-93571', 'V-93335', 'V-93429')

            # Per-rule overrides. 'V-93519' = '1' is required for Azure Image Builder to
            # finish image creation (original authors' note); the Identity = 'Guests'
            # entries presumably scope user-rights rules to the Guests group — confirm.
            Exception = @{
                'V-93519' = @{ ValueData = '1' }
                'V-92965' = @{ Identity = 'Guests' }
                'V-93009' = @{ Identity = 'Guests' }
                'V-93011' = @{ Identity = 'Guests' }
                'V-93015' = @{ Identity = 'Guests' }
            }
        }
    }
}

# Compile now; the MOF for node "localhost" is written under c:\imagebuilder.
WindowsServer2019DCv1r5 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019DCv2r1.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2019DCv2r1
{
    # Compiles the PowerSTIG baseline for Windows Server 2019, domain-controller role,
    # STIG v2.1, plus the Chrome STIG, into a localhost MOF. Runs at authoring time.
    param()

    # Pinned: rule ids below (including the 'V-205737.b' sub-rule form) belong to this
    # module version's STIG data.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.7.1

    Node localhost
    {
        WindowsServer BaseLine
        {
            StigVersion = '2.1'
            OsVersion   = '2019'
            OsRole      = 'DC'

            # Rules deliberately left unenforced. No rationale is recorded here — TODO
            # document why each id is skipped. Skipped rules are still reported by
            # auditStig.ps1 with Note = "Skip".
            SkipRule = @('V-205850', 'V-214936', 'V-205889', 'V-205810', 'V-205737.b')

            # Per-rule overrides. 'V-205715' = '1' is required for Azure Image Builder to
            # finish image creation (original authors' note); the Identity = 'Guests'
            # entries presumably scope user-rights rules to the Guests group — confirm.
            Exception = @{
                'V-205715' = @{ ValueData = '1' }
                'V-205733' = @{ Identity = 'Guests' }
                'V-205672' = @{ Identity = 'Guests' }
                'V-205673' = @{ Identity = 'Guests' }
                'V-205675' = @{ Identity = 'Guests' }
            }
        }

        # Google Chrome STIG, applied with no skips or exceptions.
        Chrome ChromeSettings
        {
            StigVersion = '2.1'
        }
    }
}

# Compile now; the MOF for node "localhost" is written under c:\imagebuilder.
WindowsServer2019DCv2r1 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019v1r5.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2019v1r5
{
    # Compiles the PowerSTIG baseline for Windows Server 2019, member-server role,
    # STIG v1.5, into a localhost MOF. Same content as WindowsServer2019DCv1r5.ps1
    # except for OsRole. Runs at authoring time when invoked below.
    param()

    # Pinned: rule ids below belong to this module version's STIG data.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.5.1

    Node localhost
    {
        WindowsServer BaseLine
        {
            StigVersion = '1.5'
            OsVersion   = '2019'
            OsRole      = 'MS'

            # Rules deliberately left unenforced. No rationale is recorded in this file —
            # TODO record it (the 2016 scripts describe their skips as anti-virus,
            # host-based firewall, Exploit Protection for iexplore.exe and WinRM RunAs
            # credential storage). Skipped rules are still reported by auditStig.ps1
            # with Note = "Skip".
            SkipRule = @('V-93217', 'V-93571', 'V-93335', 'V-93429')

            # Per-rule overrides. 'V-93519' = '1' is required for Azure Image Builder to
            # finish image creation (original authors' note); the Identity = 'Guests'
            # entries presumably scope user-rights rules to the Guests group — confirm.
            Exception = @{
                'V-93519' = @{ ValueData = '1' }
                'V-92965' = @{ Identity = 'Guests' }
                'V-93009' = @{ Identity = 'Guests' }
                'V-93011' = @{ Identity = 'Guests' }
                'V-93015' = @{ Identity = 'Guests' }
            }
        }
    }
}

# Compile now; the MOF for node "localhost" is written under c:\imagebuilder.
WindowsServer2019v1r5 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019v2r1.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2019v2r1
{
    # Compiles the PowerSTIG baseline for Windows Server 2019, member-server role,
    # STIG v2.1, plus the Chrome STIG, into a localhost MOF. Same content as
    # WindowsServer2019DCv2r1.ps1 except for OsRole. Runs at authoring time.
    param()

    # Pinned: rule ids below (including the 'V-205737.b' sub-rule form) belong to this
    # module version's STIG data.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.7.1

    Node localhost
    {
        WindowsServer BaseLine
        {
            StigVersion = '2.1'
            OsVersion   = '2019'
            OsRole      = 'MS'

            # Rules deliberately left unenforced. No rationale is recorded here — TODO
            # document why each id is skipped. Skipped rules are still reported by
            # auditStig.ps1 with Note = "Skip".
            SkipRule = @('V-205850', 'V-214936', 'V-205889', 'V-205810', 'V-205737.b')

            # Per-rule overrides. 'V-205715' = '1' is required for Azure Image Builder to
            # finish image creation (original authors' note); the Identity = 'Guests'
            # entries presumably scope user-rights rules to the Guests group — confirm.
            Exception = @{
                'V-205715' = @{ ValueData = '1' }
                'V-205733' = @{ Identity = 'Guests' }
                'V-205672' = @{ Identity = 'Guests' }
                'V-205673' = @{ Identity = 'Guests' }
                'V-205675' = @{ Identity = 'Guests' }
            }
        }

        # Google Chrome STIG, applied with no skips or exceptions.
        Chrome ChromeSettings
        {
            StigVersion = '2.1'
        }
    }
}

# Compile now; the MOF for node "localhost" is written under c:\imagebuilder.
WindowsServer2019v2r1 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019v2r3-nododca-required.ps1:
--------------------------------------------------------------------------------
configuration WindowsServer2019v12r3
{
    # Compiles the PowerSTIG baseline for Windows Server 2019, member-server role,
    # STIG v2.3, plus the Chrome STIG v2.4, into a localhost MOF. Runs at authoring time.
    # NOTE(review): the configuration is named WindowsServer2019v12r3 although the file
    # is WindowsServer2019v2r3-nododca-required.ps1 and StigVersion is '2.3'; this looks
    # like a typo for v2r3. It is kept as is because the name is recorded as
    # ConfigurationName in the MOF, which auditStig.ps1 reports per finding.

    # Pinned: rule ids below belong to this module version's STIG data.
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.11.0

    Node localhost
    {
        WindowsServer BaseLine
        {
            StigVersion = '2.3'
            OsVersion   = '2019'
            OsRole      = 'MS'

            # Rules deliberately left unenforced. Compared with the v2r1 scripts this list
            # adds the 'V-205648.*', 'V-205649.*' and 'V-205650.*' sub-rules and drops
            # 'V-205889'; the file name suggests these relate to DoD CA requirements, but no
            # rationale is recorded — TODO document each skip. Skipped rules are still
            # reported by auditStig.ps1 with Note = "Skip".
            SkipRule = @(
                'V-205850', 'V-214936', 'V-205810', 'V-205737.b',
                'V-205648.a', 'V-205648.b', 'V-205648.c', 'V-205648.d',
                'V-205649.a', 'V-205649.b',
                'V-205650.d', 'V-205650.b'
            )

            # Per-rule overrides. 'V-205715' = '1' is required for Azure Image Builder to
            # finish image creation (original authors' note); the Identity = 'Guests'
            # entries presumably scope user-rights rules to the Guests group — confirm.
            Exception = @{
                'V-205715' = @{ ValueData = '1' }
                'V-205733' = @{ Identity = 'Guests' }
                'V-205672' = @{ Identity = 'Guests' }
                'V-205673' = @{ Identity = 'Guests' }
                'V-205675' = @{ Identity = 'Guests' }
            }
        }

        # Google Chrome STIG (its own version line, independent of the OS STIG version).
        Chrome ChromeSettings
        {
            StigVersion = '2.4'
        }
    }
}

# Compile now; the MOF for node "localhost" is written under c:\imagebuilder.
WindowsServer2019v12r3 -Output c:\imagebuilder
39 |
--------------------------------------------------------------------------------
/scripts/MOFcreation/WindowsServer2019v2r4.ps1:
--------------------------------------------------------------------------------
# Compiles the "v2r4" baseline into a localhost MOF under c:\imagebuilder.
# Unlike the older scripts in this folder, one configuration covers Windows 10,
# Server 2016 and Server 2019: the OS is detected inside $windowsStig and only the
# matching resources are emitted. PowerSTIG supplies the STIG resources;
# SecurityPolicyDsc presumably supplies AccountPolicy (not otherwise visible here —
# confirm). Every scriptblock below executes when the configuration is invoked on the
# last line of this file, i.e. at authoring time, not on the target machine.
configuration WindowsServer2019v2r4
{
    Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.13.1
    Import-DscResource -ModuleName SecurityPolicyDsc -ModuleVersion 2.10.0.0

    # LCM settings for the meta MOF: continue the configuration after a reboot, reboot
    # when a resource requests it, and ConfigurationMode 'ApplyOnly' — per DSC's
    # documented mode semantics the LCM applies once and does not re-check or correct
    # drift afterwards, so ongoing compliance is only what auditStig.ps1 reports.
    [scriptblock]$localConfigurationManager = {
        LocalConfigurationManager {
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }
    }

    # Microsoft Edge STIG with no properties set: whatever the resource defaults to
    # (presumably the module's current STIG version — confirm) is applied, no skips.
    [scriptblock]$microsoftEdgeStig = {

        Edge STIG_MicrosoftEdge
        {

        }
    }

    # Internet Explorer 11 STIG. No rationale is recorded for skipping 'V-223016' — TODO
    # document it; the skip is reported by auditStig.ps1 with Note = "Skip".
    [scriptblock]$ie11Stig = {

        InternetExplorer STIG_IE11
        {
            BrowserVersion = '11'
            SkipRule = 'V-223016'
        }
    }

    # .NET Framework 4 STIG, applied in full.
    [scriptblock]$dotnetFrameworkStig = {

        DotNetFramework STIG_DotnetFramework
        {
            FrameworkVersion = '4'
        }
    }

    # Windows Firewall STIG. No rationale is recorded for the two skipped rules — TODO
    # document; the older 2016 scripts in this folder also skip a host-based-firewall rule.
    [scriptblock]$windowsFirewallStig = {

        WindowsFirewall STIG_WindowsFirewall
        {
            Skiprule = @('V-242005', 'V-242004')
        }
    }

    # Windows Defender STIG; 'V-213450' is given an organisational value of '1'.
    [scriptblock]$windowsDefenderStig = {

        WindowsDefender STIG_WindowsDefender
        {
            OrgSettings = @{
                'V-213450' = @{ValueData = '1' }
            }
        }
    }

    # OS baseline, chosen from the OS caption. NOTE(review): Get-WmiObject runs when the
    # configuration is compiled (the invocation at the bottom of this file), so the
    # generated MOF reflects the authoring host's OS, not the eventual target's — the
    # per-OS MOF folders under mof/ in this repo are presumably produced by running this
    # script on each OS. Confirm before compiling from a shared build agent.
    [scriptblock]$windowsStig = {

        $osVersion = (Get-WmiObject Win32_OperatingSystem).Caption

        if($osVersion -match "Windows 10")
        {
            # Windows 10 client STIG: four skips (no rationale recorded — TODO), four
            # Identity = 'Guests' exceptions (presumably user-rights rules — confirm) and
            # an organisational value 'xGuest' for 'V-220912'.
            WindowsClient STIG_WindowsClient
            {
                OsVersion = '10'
                SkipRule = @("V-220740","V-220739","V-220741", "V-220908")
                Exception = @{
                    'V-220972' = @{
                        Identity = 'Guests'
                    }
                    'V-220968' = @{
                        Identity = 'Guests'
                    }
                    'V-220969' = @{
                        Identity = 'Guests'
                    }
                    'V-220971' = @{
                        Identity = 'Guests'
                    }
                }
                OrgSettings = @{
                    'V-220912' = @{
                        OptionValue = 'xGuest'
                    }
                }
            }
            # Account lockout policy set explicitly (3 attempts, 15-minute lockout and
            # reset window). The same resource name BaseLine2 is reused in the 2016
            # branch below; only one branch can emit it because the captions are
            # mutually exclusive.
            AccountPolicy BaseLine2
            {
                Name = "Windows10fix"
                Account_lockout_threshold = 3
                Account_lockout_duration = 15
                Reset_account_lockout_counter_after = 15
            }
        }

        switch -Wildcard ($osVersion)
        {
            "*2016*"
            {
                # Server 2016 member server: three skips (no rationale recorded — TODO),
                # Guests exceptions and organisational values, then the same explicit
                # lockout policy as the Windows 10 branch.
                $osVersion = '2016'
                $skipRules = @('V-224866', 'V-224867', 'V-224868')
                $exceptions = @{
                    'V-225019' = @{Identity = 'Guests'}
                    'V-225016' = @{Identity = 'Guests'}
                    'V-225018' = @{Identity = 'Guests'}
                }
                $orgSettings = @{
                    'V-225015' = @{Identity = 'Guests'}
                    'V-225027' = @{OptionValue = 'xGuest'}
                    'V-225063' = @{ValueData = '2'}
                }

                WindowsServer STIG_WindowsServer
                {
                    OsVersion = $osVersion
                    OsRole = 'MS'
                    Exception = $exceptions
                    OrgSettings = $orgSettings
                    SkipRule = $skipRules
                }

                AccountPolicy BaseLine2
                {
                    Name = "2016fix"
                    Account_lockout_threshold = 3
                    Account_lockout_duration = 15
                    Reset_account_lockout_counter_after = 15
                }
                break
            }
            "*2019*"
            {
                # Server 2019 member server. NOTE(review): unlike the 2016 branch this one
                # sets no SkipRule and no AccountPolicy, and 'V-205715' = '1' is carried over
                # from the older 2019 scripts (needed by Azure Image Builder) — confirm the
                # asymmetry is intentional.
                $osVersion = '2019'
                $exceptions = @{
                    'V-205733' = @{Identity = 'Guests'}
                    'V-205672' = @{Identity = 'Guests'}
                    'V-205673' = @{Identity = 'Guests'}
                    'V-205675' = @{Identity = 'Guests'}
                    'V-205715' = @{
                        ValueData = '1' # Required for using Azure Image Builder access to creation
                    }
                }
                $orgSettings = @{
                    'V-205910' = @{OptionValue = 'xGuest'}
                    'V-205717' = @{ValueData = '2'}
                }

                WindowsServer STIG_WindowsServer
                {
                    OsVersion = $osVersion
                    OsRole = 'MS'
                    Exception = $exceptions
                    OrgSettings = $orgSettings
                }
                break
            }
        }
    }

    # Emit the resources for the single node. Order here only affects the order of the
    # resource declarations in the MOF.
    Node localhost
    {
        $localConfigurationManager.invoke()
        $windowsStig.invoke()
        $ie11Stig.invoke()
        $dotnetFrameworkStig.invoke()
        $windowsDefenderStig.invoke()
        $windowsFirewallStig.invoke()
        $microsoftEdgeStig.invoke()
    }
}

# Compile now; the MOF(s) for node "localhost" are written under c:\imagebuilder.
WindowsServer2019v2r4 -Output c:\imagebuilder
--------------------------------------------------------------------------------
/scripts/auditStig.ps1:
--------------------------------------------------------------------------------
1 | # Copyright (c) Microsoft Corporation.
2 | # Licensed under the MIT License.
3 |
# --- Environment and inputs -----------------------------------------------------------
# This script runs on the built VM: it waits for the DSC LCM to be idle, runs
# Test-DscConfiguration against c:\localhost.mof, and ships the results to a Log
# Analytics workspace (see the Post-LogAnalyticsData calls further down).

# Presumably raised so the (large) DSC test result fits in one WinRM response — confirm.
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 8192

# Sent as the "time-generated-field" header on every upload (read by Post-LogAnalyticsData).
$TimeStampField = (Get-Date).ToString()

$computerInfo = Get-ComputerInfo
# Azure Instance Metadata Service; the Metadata header is what IMDS requires. There is no
# error handling: if IMDS is unreachable $instanceData is $null and the tags, security
# profile and resourceId fields posted below are simply empty.
$instanceData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri http://169.254.169.254/metadata/instance?api-version=2020-06-01
# All of these are expected to be set by the image/VM pipeline; none is validated here,
# so a missing one surfaces later as a "file not found" on $xmlPathBuilder.
$powerStigVersion = $env:POWERSTIG_VER
$domainRole = $env:STIG_OSROLE
$windowsInstallationType = $computerInfo.WindowsInstallationType
$model = $env:STIG_OSVER
$stigVersion = $env:STIG_VER

# Locate PowerSTIG's processed STIG XML for this OS; client STIG data has no role segment.
If ($windowsInstallationType -eq 'Client')
{
    $xmlPathBuilder = "C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\$powerStigVersion\StigData\Processed\Windows$windowsInstallationType-$model-$stigVersion.xml"
    # NOTE(review): this persistently sets the CurrentUser execution policy to Bypass,
    # which outlives the audit; nothing visible here explains why the client path needs
    # it (the server path does not). If it is only needed for this run, -Scope Process
    # would leave no change behind — confirm with whoever owns the client pipeline.
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
}
Else
{
    $xmlPathBuilder = "C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\$powerStigVersion\StigData\Processed\Windows$windowsInstallationType-$model-$domainRole-$stigVersion.xml"
}
# Added this check for DSC current status to prevent from failing the audit and moving on only to report manual or document rules
### TODO: Needs a test for timing and break script and report failure
# Polls every 10 s with no upper bound: if the LCM never leaves "Busy" this script never
# finishes and no compliance record is posted (nothing downstream detects that).
if((Get-DscLocalConfigurationManager).LCMState -eq "Busy") {
    do {
        start-sleep -s 10
        $dscState = (Get-DscLocalConfigurationManager).LCMState
    }until($dscState -ne "Busy")
}

# Audit runtime
### TODO: Audit should test current DSC LCM state and puase if processing another request. ex: 'Get-DscLocalConfigurationManager'
# Compares the machine against the MOF applied at build time; every resource ends up in
# ResourcesInDesiredState or ResourcesNotInDesiredState on $audit.
$audit = Test-DscConfiguration -ComputerName localhost -ReferenceConfiguration "c:\localhost.mof"

# Flatten every <Rule> of every rule-type element under DISASTIG into $rules so findings
# can be enriched (severity, title, dscresource, PolicyName) by id further down.
# $rules += is O(n^2) on the rule count; fine for a STIG-sized list.
[xml] $STIGxml = Get-Content $xmlPathBuilder
$xmlRules = $STIGxml.DISASTIG | Get-Member -MemberType Property | where-object Definition -Like 'System.Xml.XmlElement*'
$rules = @()
foreach($ruleType in $xmlRules.Name)
{
    foreach($rule in $STIGxml.DISASTIG.$ruleType.Rule)
    {
        $rules += $rule
    }
}
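Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
    # Builds the 'SharedKey <customerId>:<base64 HMAC-SHA256>' Authorization header value
    # for the Log Analytics HTTP Data Collector API.
    #   $customerId    workspace id, placed verbatim in the header
    #   $sharedKey     base64-encoded workspace key; decoded and used as the HMAC key
    #   $date          RFC 1123 date string — must be the same value sent as x-ms-date
    #   $contentLength byte length of the request body (callers pass UTF-8 bytes; a
    #                  character count would break the signature for non-ASCII payloads)
    #   $method, $contentType, $resource  request method, Content-Type and path
    # Returns the header value as a string. The string-to-sign layout (method, length,
    # type, x-ms-date header, resource, LF-separated) is dictated by the service.
    $xHeaders = "x-ms-date:" + $date
    $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource

    $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $keyBytes = [Convert]::FromBase64String($sharedKey)

    # HMACSHA256 is IDisposable; the original left it to the garbage collector. Dispose it
    # deterministically so the instance and the key material it holds are released as
    # soon as the hash is computed. (Renamed from $sha256: it is an HMAC, not a plain hash.)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    try
    {
        $hmac.Key = $keyBytes
        $calculatedHash = $hmac.ComputeHash($bytesToHash)
    }
    finally
    {
        $hmac.Dispose()
    }

    $encodedHash = [Convert]::ToBase64String($calculatedHash)
    $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
    return $authorization
}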
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType, $resourceId)
{
    # Uploads one JSON batch to the Log Analytics HTTP Data Collector API and returns the
    # HTTP status code of the response.
    #   $customerId  workspace id; also becomes the host name of the ingestion endpoint
    #   $sharedKey   base64 workspace key, forwarded to Build-Signature
    #   $body        the UTF-8 byte array of the JSON payload (all callers in this file
    #                pass bytes); its .Length is the Content-Length that is signed
    #   $logType     custom log/record type name
    #   $resourceId  Azure resource id of the VM, sent as x-ms-AzureResourceId
    # Reads $TimeStampField from script scope for the time-generated-field header.
    # Invoke-WebRequest throws on a non-success status, so a failed upload surfaces as a
    # terminating error rather than a returned status code.
    $method      = 'POST'
    $contentType = 'application/json'
    $resource    = '/api/logs'
    $requestDate = [DateTime]::UtcNow.ToString('r')

    $signatureArgs = @{
        customerId    = $customerId
        sharedKey     = $sharedKey
        date          = $requestDate
        contentLength = $body.Length
        method        = $method
        contentType   = $contentType
        resource      = $resource
    }
    $authorization = Build-Signature @signatureArgs

    $endpoint = 'https://{0}.ods.opinsights.azure.com{1}?api-version=2016-04-01' -f $customerId, $resource

    $requestHeaders = @{
        'Authorization'        = $authorization
        'Log-Type'             = $logType
        'x-ms-date'            = $requestDate
        'time-generated-field' = $TimeStampField
        'x-ms-AzureResourceId' = $resourceId
    }

    $reply = Invoke-WebRequest -Uri $endpoint -Method $method -ContentType $contentType -Headers $requestHeaders -Body $body -UseBasicParsing
    return $reply.StatusCode
}
92 |
# --- Upload 1: one record describing the computer --------------------------------------

# Workspace ID - TestSubdeploy-eastusWS
# (stale environment-specific note; the value actually comes from the environment)
$customerId = $env:WORKSPACE_ID

# Primary Key
# NOTE(review): the workspace key is a long-lived ingestion credential and arrives as a
# plain environment variable, readable by anything that can inspect this process or the
# pipeline's logs. Scope it to a key dedicated to this purpose and rotate it; a secret
# store or identity-based ingestion would avoid placing it in the environment at all.
$sharedKey = $env:WORKSPACE_KEY

# Specify the name of the record type that you'll be creating
$LogType = "STIG_Compliance_Computer"

# One summary record per run. SecureBoot/TPM come from IMDS and are $null when the
# IMDS call above failed.
$computerJsonPayload = @{
    Computer = $computerInfo.CsName
    Manufacturer = $computerInfo.CsManufacturer
    Model = $computerInfo.CsModel
    PrimaryOwnerName = $computerInfo.CsPrimaryOwnerName
    DesiredState = $audit.InDesiredState
    Domain = $computerInfo.CsDomain
    Role = $computerInfo.CsDomainRole
    OS = $computerInfo.WindowsProductName
    OsVersion = $computerInfo.OsVersion
    PowerSTIG = $powerStigVersion
    STIGversion = $stigVersion
    STIGrole = $domainRole
    TagsList = $instanceData.compute.tags
    SecureBoot = $instanceData.compute.securityProfile.secureBootEnabled
    TPM = $instanceData.compute.securityProfile.virtualTpmEnabled
}

$json = $computerJsonPayload | ConvertTo-Json

# Body is passed as UTF-8 bytes so the signed Content-Length is a byte count.
# ($logType and $LogType are the same variable: PowerShell names are case-insensitive.)
# The returned status code is discarded.
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $logType -resourceId $instanceData.compute.resourceId
123 |
# --- Upload 2: one record per DSC resource tested -------------------------------------
# (this assignment is not used: the upload below passes $stiglogType instead)
$LogType = "STIG_Compliance"
$findings = @()
$jsonPayload = ""
$findingTypes = @("ResourcesInDesiredState", "ResourcesNotInDesiredState")
foreach($findingType in $findingTypes)
{
    foreach($record in $audit.($findingType))
    {
        $object = @()
        $type = ""
        $findingId = ""
        $severity = ""
        $version = ""
        $ResourceID = ""
        $application = ""
        $note = ""

        # Pull every "[...]" segment out of the DSC resource id. PowerSTIG resource ids
        # encode the rule id, severity, title and baseline in bracketed segments; the
        # exact layout is inferred from the index arithmetic below, not documented here.
        $ResourceID = [regex]::Matches($record.ResourceId,'(?<=\[).+?(?=\])')

        if($ResourceID.Count -le 2)
        {
            # Short form (two or fewer bracketed segments): recover the V-number by
            # splitting on '-' and ':'; any parse failure yields the literal "null".
            try{
                if($record.ResourceId.Split("-")[4].Split(":")[0] -eq 'V')
                {
                    $findingId = "V-"+ $record.ResourceId.Split("-")[5].Split(":")[0]
                } else {
                    $findingId = "V-"+ $record.ResourceId.Split("-")[4].Split(":")[0]
                }
            } catch {
                $findingId = "null"
            }
            $version = ""
            $baseline = $ResourceId[1].Value
            $application = $record.ResourceId.Split("]")[1].split("[")[0].Split("-")[0]
        } else {
            # Long form: segment 1 = rule id, 2 = severity, 3 = title, 4 = baseline.
            $findingId = $ResourceID[1].Value -replace ":",""
            $severity = $ResourceID[2].Value
            $version = $ResourceID[3].Value
            $baseline = $ResourceID[4].Value
            # Rules excluded via SkipRule / Exception in the MOF carry a "[Skip] " or
            # "[Exception] " prefix; strip it, re-parse, and keep the marker in Note so the
            # workbook can tell an unenforced rule from a compliant one.
            if($version -eq "[Skip")
            {
                $ResourceID = [regex]::Matches(($record.ResourceId -replace "\[Skip\] ",""),'(?<=\[).+?(?=\])')
                $note = "Skip"
                $version = $ResourceID[3].Value
                $baseline = $ResourceID[4].Value
            }
            if($version -eq "[Exception")
            {
                $ResourceID = [regex]::Matches(($record.ResourceId -replace "\[Exception\] ",""),'(?<=\[).+?(?=\])')
                $note = "Exception"
                $version = $ResourceID[3].Value
                $baseline = $ResourceID[4].Value
            }
        }

        # Type and Description are filled in from the STIG XML in the enrichment loop below.
        $object = @{
            Computer = $computerInfo.CsName
            DesiredState = $record.InDesiredState
            ResourceName = $record.ResourceName
            Type = $type
            FindingID = $findingId
            Severity = $severity
            Version = $version
            StartDate = $record.StartDate
            ModuleName = $record.ModuleName
            ModuleVersion = $record.ModuleVersion
            ConfigurationName = $record.ConfigurationName
            Error = $record.Error
            FinalState = $record.FinalState
            SourceInfo = $record.SourceInfo
            SetBy = "PowerSTIG"
            Baseline = $baseline
            Application = $application
            Description = ""
            Note = $note
            STIGversion = $stigVersion
        }
        $findings+= $object
    }

}
# Enrich each finding from the STIG XML and keep only those whose id is found there:
# a finding with an unparseable id ("null") or one not present in this STIG is dropped
# silently, so it never reaches the workspace.
$allFindings = @()
foreach($trueFinding in $findings)
{
    $ruleFinding = $rules | where-object id -eq $trueFinding.FindingID
    if($ruleFinding)
    {
        $trueFinding.Severity = $ruleFinding.severity
        $trueFinding.Version = $ruleFinding.title
        $trueFinding.Type = $ruleFinding.dscresource
        $trueFinding.Description = $ruleFinding.PolicyName
        $allFindings += $trueFinding
    }
}
$stiglogType = "STIG_Compliance"
$jsonPayload = $allFindings | ConvertTo-Json
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($jsonPayload)) -logType $stiglogType -resourceId $instanceData.compute.resourceId
221 |
222 |
# --- Upload 3: ManualRule / DocumentRule entries ---------------------------------------
# These rules cannot be tested by DSC, so they are posted with DesiredState = $null
# (a typed nullable so JSON carries null rather than false) and empty DSC fields; they
# show in the workbook as items needing manual review. Reuses $stiglogType from above.
$object = $null
[nullable[bool]]$desiredState = $null
$manual = @()
$jsonPayload = ""
$findingRules = @("ManualRule", "DocumentRule")
foreach($findingRule in $findingRules)
{
    foreach($manualRule in $STIGxml.DISASTIG.($findingRule).Rule)
    {
        # Same field set as the DSC findings so both record types share one schema.
        $object = @{
            Computer = $computerInfo.CsName
            DesiredState = $desiredState
            ResourceName = ""
            Type = $findingRule
            FindingID = $manualRule.id
            Severity = $manualRule.severity
            Version = $manualRule.title
            StartDate = ""
            ModuleName = ""
            ModuleVersion = ""
            ConfigurationName = ""
            Error = ""
            FinalState = ""
            SourceInfo = ""
            SetBy = "PowerSTIG"
            Baseline = ""
            Application = ""
            Description = ""
            Note = ""
            STIGversion = $stigVersion
        }
        $manual += $object
    }
}
$jsonPayload = $manual | ConvertTo-Json
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($jsonPayload)) -logType $stiglogType -resourceId $instanceData.compute.resourceId
259 |
260 |
--------------------------------------------------------------------------------
/scripts/redhat7stig.sh:
--------------------------------------------------------------------------------
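# Post-DSC STIG remediation for RHEL 7 / CentOS 7 images; run as root during the image build.
# Usage: redhat7stig.sh <admin-account>
#   $1 is the local admin account whose password-age limits are set below.
# The script is meant to run exactly once: ./azAutomationComplete marks completion, and it
# is only written at the very end. A run that fails part-way and is retried therefore
# re-applies every sed/echo edit (duplicate PAM lines, a second /dev/shm fstab entry);
# restore the backup.* files under /etc/pam.d before retrying.
set -e

# only run once during deployment
if [ -f ./azAutomationComplete ]; then
  echo "STIG Automation completed, exiting..."
  exit 0
fi

# Fail before touching anything if the admin account was not supplied. Previously an
# empty $1 only surfaced at the chage calls, after the PAM files had been rewritten.
if [ -z "$1" ]; then
  echo "Usage: $0 <admin-account>" >&2
  exit 1
fi
adminUser="$1"

# https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/redhat/redhat-rhui
id=$(. /etc/os-release && echo $ID)
if [ "${id}" = 'rhel' ]; then
  echo "Executing yum update to disable all repos and enable all microsoft repos..."
  yum update -y --disablerepo='*' --enablerepo='*microsoft*' > ./yumupdateresults.log
fi

# dsc deployment automation
# The OS-specific MOF is expected to sit next to this script; mv fails (and set -e aborts)
# if there is more than one .mof here.
echo "Move (OS Specific) .mof to configuration store as Pending.mof..."
mv ./*.mof /etc/opt/omi/conf/dsc/configuration/Pending.mof
echo "Execute Register.py --RefreshMode Push --ConfigurationMode ApplyOnly..."
/opt/microsoft/dsc/Scripts/Register.py --RefreshMode Push --ConfigurationMode ApplyOnly > ./dscresults.log
echo "Execute PerformRequiredConfigurationChecks.py to apply the Pending.mof configuration..."
/opt/microsoft/dsc/Scripts/PerformRequiredConfigurationChecks.py >> ./dscresults.log
# The DSC scripts do not signal failure via exit status here, so the log is grepped instead.
if grep -q "MI_RESULT_FAILED" ./dscresults.log; then
  echo "Failed to apply Desired State Configuration successfully, check dscresults.log for more details..."
  exit 1
else
  echo "Applied Desired State Configuration successfully..."
fi

# authentication/password/session automation
echo "Backing up password-auth, postlogin and system-auth files..."
cp --force /etc/pam.d/system-auth /etc/pam.d/backup.system-auth
cp --force /etc/pam.d/password-auth /etc/pam.d/backup.password-auth
cp --force /etc/pam.d/postlogin /etc/pam.d/backup.postlogin
echo "Removing 'nullok' from password-auth and system-auth files..."
sed -i 's/nullok //g' /etc/pam.d/system-auth /etc/pam.d/password-auth
echo "Updating auth pam_faillock.so module in password-auth and system-auth files..."
authRequiredFailDelay='auth required pam_faildelay.so delay=2000000'
authRequiredFaillock='auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900'
authDefaultFaillock='auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900'
# The faildelay line replaces the pam_fprintd line in system-auth only; the preauth
# faillock line is then inserted after any "delay...2000000" line in both files.
# NOTE(review): password-auth only receives the preauth line if it already contained a
# matching delay line — verify the resulting password-auth against the STIG check.
sed -i "s/\(auth.*sufficient.*pam_fprintd.so\)/${authRequiredFailDelay}/g" /etc/pam.d/system-auth
sed -i "s/\(auth.*delay.*2000000\)/\1\n${authRequiredFaillock}/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
sed -i "s/\(auth.*pam_unix.so.*\)/\1\n${authDefaultFaillock}/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
echo "Updating account pam_faillock.so module in password-auth and system-auth files..."
acctReqPamFaillock='account required pam_faillock.so'
sed -i "s/\(account.*pam_unix\.so\)/${acctReqPamFaillock}\n\1/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
echo "Updating password pam_pwhistory.so module in password-auth and system-auth files..."
passReqPamPwHistory='password requisite pam_pwhistory.so use_authtok remember=5 retry=3'
sed -i "s/\(password.*requisite.*pam_pwquality\.so.*\)/\1\n${passReqPamPwHistory}/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
echo "Updating session pam_lastlog.so module in /etc/pam.d/postlogin"
sessReqPamLastlog='session required pam_lastlog.so showfailed'
sed -i "s/\(session.*quiet\)/${sessReqPamLastlog}\n\1/g" /etc/pam.d/postlogin
echo "Removing 'NOPASSWD' tag from all files in /etc/sudoers.d/* /etc/sudoers"
# xargs -r: when grep finds nothing, GNU xargs would otherwise still run "sed -i" with no
# files, which fails and — under set -e — aborted the script here on clean images.
grep -r -l -i nopasswd /etc/sudoers.d/* /etc/sudoers | xargs -r sed -i 's/\s*NOPASSWD://g'
echo "Setting minimum number of days before password change for user specified admin account to 1"
chage -m 1 "${adminUser}"
echo "Setting maximum number of days before password change for user specified admin account to 60"
chage -M 60 "${adminUser}"

# file system automation
echo "Setting /home mount to use nosuid in /etc/fstab..."
sed -i "s/\(.*\/home.*defaults\)/\1,nosuid/g" /etc/fstab
echo "Setting tmpfs /dev/shm to mount using nodev, nosuid and noexec in /etc/fstab"
echo 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0' >> /etc/fstab

# fips automation
if rpm -q --quiet "dracut-fips"; then
  echo "Recreating initramfs with dracut to support FIPS..."
  dracut --force --verbose 2> ./fipsresults.log
  echo "Modifying grub to support FIPS..."
  BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\".*[^\"]\+\)/\1 fips=1 boot=UUID=${BOOT_UUID}/g" /etc/default/grub
  if [ -f /boot/grub2/grub.cfg ]; then
    echo "Regenerating /boot/grub2/grub.cfg (BIOS)..."
    grub2-mkconfig -o /boot/grub2/grub.cfg 2>> ./fipsresults.log
  fi
  if [ -f /boot/efi/EFI/centos/grub.cfg ]; then
    echo "Regenerating /boot/efi/EFI/centos/grub.cfg (UEFI)..."
    grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg 2>> ./fipsresults.log
  elif [ -f /boot/efi/EFI/redhat/grub.cfg ]; then
    echo "Regenerating /boot/efi/EFI/redhat/grub.cfg (UEFI)..."
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg 2>> ./fipsresults.log
  else
    echo "Skipping grub2-mkconfig for UEFI, no EFI grub.cfg file found..."
  fi
else
  echo "Skipping fips automation due to dracut-fips package installation absence..."
fi

# aide configuration automation
if rpm -q --quiet "aide"; then
  echo "Modifying /etc/aide.conf to use sha512..."
  sed -i 's/CONTENT_EX = sha256/CONTENT_EX = sha512/g' /etc/aide.conf
  echo "Executing /usr/sbin/aide --init..."
  /usr/sbin/aide --init > aideresults.log
  echo "Moving /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz..."
  mv --verbose --force /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  echo "Adding aide daily check cron job..."
  # A crontab-format line (minute hour ... user command) belongs in /etc/cron.d; the
  # original wrote it to /etc/cron.daily, where run-parts treats files as executable
  # scripts, so the integrity check was never actually scheduled. $(hostname) is kept
  # literal here on purpose: cron's shell expands it when the job runs.
  echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' > /etc/cron.d/aide
  chmod 0644 /etc/cron.d/aide
else
  echo "Skipping aide automation due to aide package installation absence..."
fi

# system reboot
# No reboot is issued here; the marker is written and the caller (presumably the image
# build pipeline) is expected to reboot so the PAM, fstab and grub changes take effect.
echo "Rebooting to apply STIG settings..."
touch ./azAutomationComplete
exit 0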
--------------------------------------------------------------------------------
/scripts/redhat8stig.sh:
--------------------------------------------------------------------------------
1 | # only run once during deployment
2 | if [ -f ./azAutomationComplete ]; then
3 | echo "STIG Automation completed, exiting..."
4 | exit 0
5 | fi
6 |
7 | ###############################################################################
8 | echo "Setting script variables"
9 | ###############################################################################
10 | version=$(. /etc/os-release && echo $VERSION_ID)
11 |
12 | ###############################################################################
13 | echo "Automating Rule Id V-230233"
14 | ###############################################################################
15 | sed -i "s/\(password\s*sufficient.*\)/\1 rounds=5000/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
16 | # END V-230233
17 |
18 | ###############################################################################
19 | echo "Automating Rule Id V-230234"
20 | # SCAP fails if /boot/efi/EFI/redhat/grub.cfg exists on Gen 1 Azure VM
21 | ###############################################################################
22 | firmwarecheck=$([ -d /sys/firmware/efi ] && echo UEFI || echo BIOS)
23 | if [ $firmwarecheck = 'BIOS' ]; then
24 | mv /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/redhat/grub.bak
25 | fi
26 | # END V-230234
27 |
28 | ###############################################################################
29 | echo "Automating Rule Id V-230253"
30 | ###############################################################################
31 | sed -i "s/^SSH_USE_STRONG_RNG=.*/SSH_USE_STRONG_RNG=32/g" /etc/sysconfig/sshd
32 | # END V-230253
33 |
34 | ###############################################################################
35 | echo "Automating Rule Id V-230257"
36 | ###############################################################################
37 | find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -type f -exec chmod 0755 {} \;
38 | # END V-230257
39 |
40 | ###############################################################################
41 | echo "Automating Rule Id V-230271"
42 | ###############################################################################
43 | grep -r -l -i nopasswd /etc/sudoers.d/* /etc/sudoers | xargs sed -i 's/\s*NOPASSWD://g' 2>&1
44 | # END V-230271
45 |
46 | ###############################################################################
47 | echo "Automating Rule Id V-230287"
48 | ###############################################################################
49 | chmod 0600 /etc/ssh/ssh_host*key
50 | # END V-230287
51 |
52 | ###############################################################################
53 | echo "Automating Rule Id V-230301"
54 | ###############################################################################
55 | sed -i "s/\(.*[[:space:]]\/[[:alpha:]].*defaults\)/\1,nodev/g" /etc/fstab
56 | # END V-230301
57 |
58 | ###############################################################################
59 | echo "Automating Rule Id V-230311"
60 | ###############################################################################
61 | rm -f /usr/lib/sysctl.d/50-coredump.conf
62 | echo "kernel.core_pattern = |/bin/false" > /etc/sysctl.d/90-azurestig-v230311.conf
63 | # END V-230311
64 |
65 | ###############################################################################
66 | echo "Automating Rule Ids V-230332, V-230334, V-230336, V-230338, V-230340, V-230342, V-230344"
67 | ###############################################################################
68 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
69 | authRequired='auth required'
70 | acctRequired='account required'
71 | spacing=' '
72 | authFaillockPreAuth='pam_faillock.so preauth dir=\/var\/log\/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0'
73 | authFaillockAuthFail='pam_faillock.so authfail dir=\/var\/log\/faillock unlock_time=0'
74 | sed -i "s/\(auth.*pam_unix.so.*\)/${authRequired}${spacing}${authFaillockPreAuth}\n\1/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
75 | sed -i "s/\(auth.*pam_unix.so.*\)/\1\n${authRequired}${spacing}${authFaillockAuthFail}/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
76 | sed -i "s/\(account.*pam_unix.so\)/${acctRequired}${spacing}pam_faillock.so\n\1/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
77 | else
78 | echo " Automation intended for 8.0 and 8.1; '$version' detected, skipping..."
79 | fi
80 | # END V-230332, V-230334, V-230336, V-230338, V-230340, V-230342, V-230344
81 |
82 | ###############################################################################
83 | echo "Automating Rule Id V-230333"
84 | ###############################################################################
85 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
86 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
87 | else
88 | authRequiredFaillock='auth required pam_faillock.so'
89 | acctRequiredFaillock='account required pam_faillock.so'
90 | sed -i "s/\(auth.*required.*pam_env.so\)/\1\n${authRequiredFaillock} preauth/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
91 | sed -i "s/\(auth.*required.*pam_deny.so\)/${authRequiredFaillock} authfail\n\1/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
92 | sed -i "s/\(account.*required.*pam_unix.so\)/${acctRequiredFaillock}\n\1/g" /etc/pam.d/password-auth /etc/pam.d/system-auth
93 | sed -i "s/.*deny\s*=.*/deny = 3/g" /etc/security/faillock.conf
94 | fi
95 | # END V-230333
96 |
97 | ###############################################################################
98 | echo "Automating Rule Id V-230335"
99 | ###############################################################################
100 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
101 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
102 | else
103 | sed -i "s/.*fail_interval\s*=.*/fail_interval = 900/g" /etc/security/faillock.conf
104 | fi
105 | # END V-230335
106 |
107 | ###############################################################################
108 | echo "Automating Rule Id V-230337"
109 | ###############################################################################
110 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
111 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
112 | else
113 | sed -i "s/^\(#\|\)[[:space:]]*unlock_time\s*=.*/unlock_time = 0/g" /etc/security/faillock.conf
114 | fi
115 | # END V-230337
116 |
117 | ###############################################################################
118 | echo "Automating Rule Id V-230341"
119 | ###############################################################################
120 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
121 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
122 | else
123 | if grep -q -i silent /etc/security/faillock.conf; then
124 | sed -i "s/.*silent.*/silent/g" /etc/security/faillock.conf
125 | else
126 | echo "silent" >> /etc/security/faillock.conf
127 | fi
128 | fi
129 | # END V-230341
130 |
131 | ###############################################################################
132 | echo "Automating Rule Id V-230343"
133 | ###############################################################################
134 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
135 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
136 | else
137 | if grep -q -i audit /etc/security/faillock.conf; then
138 | sed -i "s/.*audit.*/audit/g" /etc/security/faillock.conf
139 | else
140 | echo "audit" >> /etc/security/faillock.conf
141 | fi
142 | fi
143 | # END V-230343
144 |
145 | ###############################################################################
146 | echo "Automating Rule Id V-230345"
147 | ###############################################################################
148 | if [ ${version} == '8.0' ] || [ ${version} == '8.1' ]; then
149 | echo " Automation intended for 8.2 and newer, '$version' detected, skipping..."
150 | else
151 | sed -i "s/^\(#\|\)[[:space:]]*even_deny_root.*/even_deny_root/g" /etc/security/faillock.conf
152 | fi
153 | # END V-230345
154 |
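155 | ###############################################################################
156 | echo "Automating Rule Id V-230349"
157 | ###############################################################################
158 | # Write the profile.d snippet in one shot with '>' so a re-run replaces it rather
159 | # than appending a second copy (the previous per-line '>>' echoes duplicated the
160 | # whole block).  The quoted heredoc keeps $PS1, $$ and $name literal, exactly as
161 | # the single-quoted echo strings did; the content itself is unchanged.
162 | cat > /etc/profile.d/230348-customshell.sh <<'EOF'
163 | if [ "$PS1" ]; then
164 | parent=$(ps -o ppid= -p $$)
165 | name=$(ps -o comm= -p $parent)
166 | case "$name" in (sshd|login) exec tmux ;; esac
167 | fi
168 | EOF
169 | # END V-230349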
164 |
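165 | ###############################################################################
166 | echo "Automating Rule Id V-230367"
167 | ###############################################################################
168 | # $1 is the script's first argument (presumably the admin account created during
169 | # the image build - confirm against the caller).  When it is missing, chage would
170 | # error on an empty name, so report it and only update root.
171 | if [ -n "$1" ]; then
172 |     chage -M 60 "$1"
173 | else
174 |     echo " No user name supplied as the first argument, only root updated"
175 | fi
176 | chage -M 60 root
177 | # END V-230367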
171 |
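172 | ###############################################################################
173 | echo "Automating Rule Id V-230368"
174 | ###############################################################################
175 | passwordRequired='password required'
176 | spacing=' '
177 | passwordReqPwHist='pam_pwhistory.so use_authtok remember=5 retry=3'
178 | # Insert the pwhistory line once per file; re-running the unconditional sed
179 | # stacks duplicate entries in front of pam_unix.so.
180 | for pamFile in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
181 |     if ! grep -q 'pam_pwhistory.so' "${pamFile}"; then
182 |         sed -i "s/\(password.*pam_unix.so.*\)/${passwordRequired}${spacing}${passwordReqPwHist}\n\1/g" "${pamFile}"
183 |     fi
184 | done
185 | # END V-230368
186 |
187 | ###############################################################################
188 | echo "Automating Rule Id V-230373"
189 | ###############################################################################
190 | # Default for new accounts: disable 35 days after the password expires.
191 | useradd -D -f 35
192 | # END V-230373
193 |
194 | ###############################################################################
195 | echo "Automating Rule Id V-230380"
196 | ###############################################################################
197 | sed -i 's/\s*nullok\s*/ /g' /etc/pam.d/system-auth /etc/pam.d/password-auth
198 | # Rewrite an existing (possibly commented) PermitEmptyPasswords line, otherwise
199 | # append one: the sed alone left sshd_config untouched when the keyword was
200 | # absent, so the explicit "no" the rule asks for was never written.
201 | if grep -qi 'PermitEmptyPasswords' /etc/ssh/sshd_config; then
202 |     sed -i "s/.*PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
203 | else
204 |     echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config
205 | fi
206 | # END V-230380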
193 |
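194 | ###############################################################################
195 | echo "Automating Rule Id V-230439"
196 | ###############################################################################
197 | # One delete-family rule per syscall ABI.  Each is appended only when not already
198 | # present, so a re-run does not leave duplicate rules for auditctl to complain
199 | # about when the rule set is loaded.
200 | for arch in b32 b64; do
201 |     auditRule="-a always,exit -F arch=${arch} -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
202 |     if ! grep -qF -- "${auditRule}" /etc/audit/rules.d/audit.rules; then
203 |         echo "${auditRule}" >> /etc/audit/rules.d/audit.rules
204 |     fi
205 | done
206 | # END V-230439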
200 |
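201 | ###############################################################################
202 | # Rule Ids V-230485 / V-230486: chrony must not serve time (port 0, cmdport 0)
203 | ###############################################################################
204 | # $1: directive name, $2: value.  Rewrites an active or commented-out directive
205 | # in place, otherwise appends it.  The match is anchored at the start of the
206 | # line: the previous 'grep -w port' also matched the word inside a comment, and
207 | # when that was the only match the sed had nothing to rewrite, so the directive
208 | # was never added.
209 | set_chrony_directive() {
210 |     if grep -Eq "^#?${1}([[:space:]]|$)" /etc/chrony.conf; then
211 |         sed -i -E "s/^#?${1}([[:space:]].*)?$/${1} ${2}/" /etc/chrony.conf
212 |     else
213 |         echo "${1} ${2}" >> /etc/chrony.conf
214 |     fi
215 | }
216 |
217 | echo "Automating Rule Id V-230485"
218 | set_chrony_directive port 0
219 | # END V-230485
220 |
221 | echo "Automating Rule Id V-230486"
222 | set_chrony_directive cmdport 0
223 | # END V-230486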
220 |
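221 | ###############################################################################
222 | # Rule Ids V-230494 .. V-230503: disable unused kernel modules
223 | ###############################################################################
224 | # Write the per-module install stub (overwritten on every run, as before) and
225 | # add the blacklist entry only once, so repeated runs do not keep growing
226 | # blacklist.conf.  $1: kernel module name.
227 | disable_kernel_module() {
228 |     echo "install ${1} /bin/true" > "/etc/modprobe.d/${1}.conf"
229 |     if ! grep -qx "blacklist ${1}" /etc/modprobe.d/blacklist.conf 2>/dev/null; then
230 |         echo "blacklist ${1}" >> /etc/modprobe.d/blacklist.conf
231 |     fi
232 | }
233 |
234 | # Rule id and module name per line; the same echo is emitted as the original
235 | # per-rule sections printed.
236 | while read -r ruleId module; do
237 |     echo "Automating Rule Id ${ruleId}"
238 |     disable_kernel_module "${module}"
239 | done <<'EOF'
240 | V-230494 atm
241 | V-230495 can
242 | V-230496 sctp
243 | V-230497 tipc
244 | V-230498 cramfs
245 | V-230499 firewire-core
246 | V-230503 usb-storage
247 | EOF
248 | # END V-230494, V-230495, V-230496, V-230497, V-230498, V-230499, V-230503
249 |
250 | ###############################################################################
251 | echo "Automating Rule Id V-230507"
252 | ###############################################################################
253 | # Unlike the modules above, only the install stub is written for bluetooth (no
254 | # blacklist entry); that matches the original behaviour and is kept as-is.
255 | echo 'install bluetooth /bin/true' > /etc/modprobe.d/bluetooth.conf
256 | # END V-230507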
275 |
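276 | ###############################################################################
277 | echo "Automating Rule Ids V-230508, V-230509, V-230510"
278 | ###############################################################################
279 | # Append the hardened /dev/shm entry only when fstab has no active one; if an
280 | # entry already exists its options field is replaced instead, so a re-run (or
281 | # an image that already mounts /dev/shm via fstab) does not end up with two
282 | # competing lines.
283 | if grep -Eq '^[^#]*[[:space:]]/dev/shm[[:space:]]' /etc/fstab; then
284 |     sed -i -E 's#^([^#]*[[:space:]]/dev/shm[[:space:]]+[^[:space:]]+[[:space:]]+)[^[:space:]]+#\1defaults,nodev,nosuid,noexec#' /etc/fstab
285 | else
286 |     echo 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0' >> /etc/fstab
287 | fi
288 | # END V-230508, V-230509, V-230510
289 |
290 | ###############################################################################
291 | echo "Automating Rule Id V-230511, V-230512, V-230513"
292 | ###############################################################################
293 | # Only /tmp lines that carry "defaults" are rewritten; a /tmp entry with other
294 | # options is left alone (unchanged from the original).
295 | sed -i 's/\(\/tmp.*\)defaults.*/\1defaults,nodev,nosuid,noexec 0 0/g' /etc/fstab
296 | # END V-230511, V-230512, V-230513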
287 |
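288 | ###############################################################################
289 | echo "Automating Rule Id V-230546"
290 | ###############################################################################
291 | # The vendor drop-in sets the default ptrace scope; it is removed and replaced by
292 | # a drop-in under /etc/sysctl.d so the setting survives reboots.  NOTE(review):
293 | # the removed file is package-owned and may return on a package update - the
294 | # /etc/sysctl.d entry should still take precedence then; confirm.
295 | rm -f /usr/lib/sysctl.d/10-default-yama-scope.conf
296 | sysctl -w kernel.yama.ptrace_scope=1
297 | echo "kernel.yama.ptrace_scope = 1" > /etc/sysctl.d/90-azurestig-v230546.conf
298 | # END V-230546
299 |
300 | ###############################################################################
301 | echo "Automating Rule Id V-237642"
302 | ###############################################################################
303 | # Write the drop-in with '>' rather than appending three lines per run, restrict
304 | # it to the mode sudo expects, and validate it: a syntactically bad file under
305 | # /etc/sudoers.d disables sudo for everyone.
306 | sudoersDropIn=/etc/sudoers.d/237642
307 | printf '%s\n' 'Defaults !targetpw' 'Defaults !rootpw' 'Defaults !runaspw' > "${sudoersDropIn}"
308 | chmod 0440 "${sudoersDropIn}"
309 | if ! visudo -cf "${sudoersDropIn}"; then
310 |     echo " ${sudoersDropIn} failed visudo validation, removing it..."
311 |     rm -f "${sudoersDropIn}"
312 | fi
313 | # END V-237642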
303 |
304 | ###############################################################################
305 | echo "Installing Ansible for STIG automation..."
306 | ###############################################################################
307 | yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
308 | # replacing releasever in epel repo files; issue in 8.1/8.2 where the $releasever returns "8.1" / "8.2" instead of "8"
309 | sed -i 's/$releasever/8/g' /etc/yum.repos.d/epel*.repo
310 | yum -y install ansible
311 |
312 | ###############################################################################
313 | echo "Unzipping rhel8STIG-ansible.zip to ./rhel8STIG"
314 | ###############################################################################
315 | unzip rhel8STIG-ansible.zip -d ./rhel8STIG
316 | chmod +x ./rhel8STIG/enforce.sh
317 | # due to enforce.sh content pathing, changing to expanded directory for script execution
318 | cd ./rhel8STIG
319 | sh ./enforce.sh
320 |
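321 | ###############################################################################
322 | # "Automating Rule Id V-230483" 8.0 auditd.conf does not recogn. percent sign
323 | ###############################################################################
324 | # ${version} is quoted so an unset value does not break the test expression.
325 | if [ "${version}" = '8.0' ]; then
326 |     echo "Automating Rule Id V-230483"
327 |     sed -i 's/25%/2048/g' /etc/audit/auditd.conf
328 | fi
329 | # END V-230483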
329 |
330 | ###############################################################################
331 | echo "Automating Rule Id V-230350"
332 | ###############################################################################
333 | sed -i 's/.*tmux.*//g' /etc/shells
334 | echo '---------- /etc/shells content begin ----------'
335 | cat /etc/shells
336 | echo '---------- /etc/shells content end ----------'
337 | # END V-230350
338 |
339 | ###############################################################################
340 | echo "Automating Rule Id V-230223"
341 | ###############################################################################
342 | fips-mode-setup --enable
343 | # END V-230223
344 |
345 | ###############################################################################
346 | echo "Restarting system to apply STIG settings..."
347 | ###############################################################################
348 | touch ./../azAutomationComplete
349 | shutdown -r +1 2>&1
--------------------------------------------------------------------------------
/scripts/setPowerStig.ps1:
--------------------------------------------------------------------------------
1 | # Copyright (c) Microsoft Corporation.
2 | # Licensed under the MIT License.
3 |
4 | $path = 'c:\imageBuilder'
5 | $logFile = '{0}\setupLog.txt' -f $path # setup log every step below appends to
6 | function LogMessage
7 | {
8 |     # Append one timestamped line ("<local time> - <message>") to $logFile, the
9 |     # script-level setup log.  Out-File -Append writes the same way '>>' does.
10 |     param([string]$message)
11 |
12 |     $entry = '{0} - {1}' -f (Get-Date).ToString(), $message
13 |     $entry | Out-File -FilePath $logFile -Append
14 | }
12 |
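13 | # Working directory for everything this script produces; -Force makes the call
14 | # idempotent (plain mkdir errors when the directory already exists).
15 | New-Item -ItemType Directory -Path $path -Force | Out-Null
16 | Set-Location -Path $path
17 |
18 | LogMessage -message "Starting setPowerStig.ps1"
19 | Get-ExecutionPolicy -List >> $logFile
20 |
21 | LogMessage -message "**** Retrieving computer info and env variables"
22 | $computerInfo = Get-ComputerInfo
23 | # Build parameters arrive through environment variables set by the caller.
24 | $powerStigVersion = $env:POWERSTIG_VER   # exact PowerStig module version to install
25 | $domainRole = $env:STIG_OSROLE
26 | $windowsInstallationType = $computerInfo.WindowsInstallationType
27 | $model = $env:STIG_OSVER                 # not used further in this script
28 | $stigVersion = $env:STIG_VER
29 | # Fail early and visibly: Install-Module -RequiredVersion '' only logs an error,
30 | # and the DSC run below would then proceed without PowerStig.
31 | if ([string]::IsNullOrWhiteSpace($powerStigVersion))
32 | {
33 |     LogMessage -message "**** POWERSTIG_VER is not set; cannot install PowerStig"
34 |     throw "POWERSTIG_VER environment variable is required"
35 | }
36 |
37 | LogMessage -message "**** Setting TLS"
38 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
39 | if($windowsInstallationType -eq 'Client')
40 | {
41 |     LogMessage -message "**** Setting execution policy for client type"
42 |     ### TODO: Potentially set to signed scripts only and sign scripts
43 |     # Unrestricted leaves the image able to run any script; RemoteSigned may be
44 |     # enough for scripts created locally on the image - confirm before tightening.
45 |     Set-ExecutionPolicy Unrestricted -Force 2>>$logFile # Windows 10 only
46 |     Get-ExecutionPolicy -List >> $logFile
47 | }
48 |
49 | LogMessage -message "**** Installing NuGet"
50 | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force 2>>$logFile
51 | # Install/Import PowerStig at the pinned version from the configured repository.
52 | LogMessage -message "**** Installing PowerStig Module"
53 | Install-Module PowerStig -RequiredVersion $powerStigVersion 2>>$logFile -Force
54 |
55 | LogMessage -message "**** Installing additional PowerStig Module requirements"
56 | # PowerStig's manifest lists the modules it depends on; install each of them.
57 | (Get-Module PowerStig -ListAvailable).RequiredModules | % {
58 |     $PSItem | Install-Module -Force 2>>$logFile
59 | }
60 | LogMessage -message "**** Importing PowerStig Module"
61 | Import-Module PowerStig -Force 2>>$logFile
62 |
63 | # Enable WSMan / WinRm (the DSC push below goes through it)
64 | LogMessage -message "**** Installing WSMAN, setting MaxEvelopeSize and disabling PSremoting"
65 | Set-WSManQuickConfig -Force
66 | Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 8192 # PowerSTIG DSC requires larger envelope size.
67 | #Disable-PSRemoting # PowerShell remoting required so disable it.
68 |
69 | # Apply the MOF(s) under c:\; the verbose stream (4>&1) carries the per-resource
70 | # progress, so it is merged and appended to verbose.txt.
71 | LogMessage -message "**** Running DscConfiguration and logging to verbose.txt"
72 | $null = Start-DscConfiguration -Path "c:\" -Force -Wait -Verbose 4>&1 >> c:\imagebuilder\verbose.txt
73 |
74 | LogMessage -message "**** Setting up logging to LA Workspace sender"
75 | $TimeStampField = (Get-Date).ToString()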
61 |
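62 | # Build the Log Analytics Data Collector API "SharedKey" authorization value:
63 | # HMAC-SHA256 over the canonical string (method, content length, content type,
64 | # x-ms-date header and resource joined by newlines), keyed with the base64-decoded
65 | # workspace key.  Returns 'SharedKey <customerId>:<base64 signature>'.  The HMAC
66 | # object is disposed so the key material it holds is released promptly.
67 | Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
68 | {
69 |     $xHeaders = "x-ms-date:" + $date
70 |     $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
71 |
72 |     $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
73 |     $keyBytes = [Convert]::FromBase64String($sharedKey)
74 |
75 |     $sha256 = New-Object System.Security.Cryptography.HMACSHA256
76 |     try
77 |     {
78 |         $sha256.Key = $keyBytes
79 |         $calculatedHash = $sha256.ComputeHash($bytesToHash)
80 |     }
81 |     finally
82 |     {
83 |         $sha256.Dispose()
84 |     }
85 |     $encodedHash = [Convert]::ToBase64String($calculatedHash)
86 |     $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
87 |     return $authorization
88 | }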
77 | # Create the function to create and post the request
78 | # POST one JSON document (passed as UTF-8 bytes) to the workspace's Data
79 | # Collector API, signed with Build-Signature, and return the HTTP status code.
80 | # $TimeStampField is read from the script scope.
81 | # NOTE(review): the API's 'time-generated-field' header is meant to name a field
82 | # in the payload that holds the record time; here it carries a timestamp value,
83 | # which the service will not find as a field - confirm the intended behaviour.
84 | Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
85 | {
86 |     $method = "POST"
87 |     $contentType = "application/json"
88 |     $resource = "/api/logs"
89 |     $rfc1123date = [DateTime]::UtcNow.ToString("r")
90 |     $contentLength = $body.Length
91 |     $signatureArgs = @{
92 |         customerId    = $customerId
93 |         sharedKey     = $sharedKey
94 |         date          = $rfc1123date
95 |         contentLength = $contentLength
96 |         method        = $method
97 |         contentType   = $contentType
98 |         resource      = $resource
99 |     }
100 |     $signature = Build-Signature @signatureArgs
101 |     $uri = "https://{0}.ods.opinsights.azure.com{1}?api-version=2016-04-01" -f $customerId, $resource
102 |
103 |     $headers = @{
104 |         "Authorization"        = $signature;
105 |         "Log-Type"             = $logType;
106 |         "x-ms-date"            = $rfc1123date;
107 |         "time-generated-field" = $TimeStampField;
108 |     }
109 |
110 |     $requestArgs = @{
111 |         Uri             = $uri
112 |         Method          = $method
113 |         ContentType     = $contentType
114 |         Headers         = $headers
115 |         Body            = $body
116 |         UseBasicParsing = $true
117 |     }
118 |     $response = Invoke-WebRequest @requestArgs
119 |     return $response.StatusCode
120 | }
105 |
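106 | #$audit = Test-DscConfiguration -ComputerName localhost -ReferenceConfiguration "c:\localhost.mof" -ErrorAction SilentlyContinue
107 |
108 |
109 | # Workspace ID - TestSubdeploy-eastusWS
110 | $customerId = $env:WORKSPACE_ID
111 |
112 | # Primary Key (workspace shared key; it is never written to the log files)
113 | $sharedKey = $env:WORKSPACE_KEY
114 |
115 | $LogType = "STIG_Compliance_Computer"
116 |
117 | # Inventory record sent to the workspace.  DesiredState stays $null while the
118 | # Test-DscConfiguration call above is commented out.
119 | $computerJsonPayload = @{
120 |     Computer = $computerInfo.CsName
121 |     Manufacturer = $computerInfo.CsManufacturer
122 |     Model = $computerInfo.CsModel
123 |     PrimaryOwnerName = $computerInfo.CsPrimaryOwnerName
124 |     DesiredState = $audit.InDesiredState
125 |     Domain = $computerInfo.CsDomain
126 |     Role = $computerInfo.CsDomainRole
127 |     OS = $computerInfo.WindowsProductName
128 |     OsVersion = $computerInfo.OsVersion
129 |     PowerSTIG = $powerStigVersion
130 |     STIGversion = $stigVersion
131 |     STIGrole = $domainRole
132 | }
133 | $json = $computerJsonPayload | ConvertTo-Json
134 | $json 4>&1 >> c:\imagebuilder\verbose.txt
135 | # Record the outcome of the post instead of letting the status code fall through
136 | # to the pipeline, where nothing reads it.
137 | $postStatus = Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $logType
138 | LogMessage -message "**** Log Analytics post returned HTTP status $postStatus"
139 |
140 | # Setup scheduled task to run auditing script that reports to LA workspace
141 | ### TODO: Consider frequency requirements set here for every 20 minutes for testing but possibly should be simply daily. This also changes dashboard queries which limit to last 30 minutes.
142 | $STName = "PowerSTIG Audit Task"
143 | $STPath = "\PowerSTIG"
144 | $scheduleObject = New-Object -ComObject schedule.service
145 | $scheduleObject.connect()
146 | $taskRootFolder = $scheduleObject.GetFolder("\")
147 | # GetFolder throws when the folder is missing and CreateFolder throws when it
148 | # already exists, so probe first to keep a re-run from failing here.
149 | try
150 | {
151 |     $null = $taskRootFolder.GetFolder($STPath)
152 | }
153 | catch
154 | {
155 |     $null = $taskRootFolder.CreateFolder($STPath)
156 | }
157 |
158 | $STDescription = "A task that will audit PowerSTIG DSC settings and report to Log Analytics."
159 | $STAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\auditStig.ps1"
160 | $STTrigger = New-ScheduledTaskTrigger -Daily -At 12am
161 | $STSettings = New-ScheduledTaskSettingsSet
162 | $STUserName = "NT AUTHORITY\SYSTEM" # Try other well known NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCALSERVICE, NT AUTHORITY\NETWORKSERVICE,
163 | # -Force replaces a task of the same name left by a previous run instead of erroring.
164 | Register-ScheduledTask -TaskPath $STPath -TaskName $STName -Description $STDescription -Action $STAction -Trigger $STTrigger -RunLevel Highest -Settings $STSettings -User $STUserName -Force
165 | Start-Sleep -Seconds 3
166 |
167 | # Re-read the task and add a 20-minute repetition lasting one day on top of the daily trigger.
168 | $STModify = Get-ScheduledTask -TaskName $STName
169 | $STModify.Triggers.repetition.Duration = 'P1D'
170 | $STModify.Triggers.repetition.Interval = 'PT20M'
171 | $STModify | Set-ScheduledTask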
--------------------------------------------------------------------------------
/scripts/setPowerStigLinux.sh:
--------------------------------------------------------------------------------
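1 | #!/bin/bash
2 | # Install PowerShell, OMI and DSC for Linux on RHEL 7, then the nx DSC module.
3 | # Stop on the first failure so a broken download is never installed silently.
4 | set -euo pipefail
5 |
6 | # Register the Microsoft RedHat repository
7 | # -f makes curl fail on an HTTP error instead of piping an error page into the
8 | # repo file; -sSL keeps it quiet, still reports errors and follows redirects.
9 | curl -fsSL https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
10 |
11 | # Install PowerShell
12 | sudo yum install -y powershell
13 |
14 | # Optional installation method
15 | # sudo yum install https://github.com/PowerShell/PowerShell/releases/download/v7.0.3/powershell-lts-7.0.3-1.rhel.7.x86_64.rpm
16 |
17 | # Install OMI
18 | # NOTE(review): these release RPMs are fetched over HTTPS but their signatures
19 | # are not verified here; 'rpm --checksig' against the Microsoft package-signing
20 | # key (the gpgkey named in the repo file, if present) would close that gap -
21 | # confirm the packages are signed.
22 | wget https://github.com/Microsoft/omi/releases/download/v1.1.0-0/omi-1.1.0.ssl_100.x64.rpm
23 | wget https://github.com/Microsoft/PowerShell-DSC-for-Linux/releases/download/v1.1.1-294/dsc-1.1.1-294.ssl_100.x64.rpm
24 |
25 | sudo rpm -Uvh omi-1.1.0.ssl_100.x64.rpm dsc-1.1.1-294.ssl_100.x64.rpm
26 |
27 | # Install the nx DSC module from within PowerShell.  A bare 'pwsh' starts an
28 | # interactive shell reading from the terminal, so the 'install-module nx' that
29 | # followed it was never executed inside PowerShell; run it non-interactively,
30 | # for all users since DSC for Linux runs as root.
31 | sudo pwsh -NoProfile -Command 'Install-Module nx -Force -Scope AllUsers'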
20 |
21 |
--------------------------------------------------------------------------------
/scripts/setPowerStignoaudit.ps1:
--------------------------------------------------------------------------------
1 | # Copyright (c) Microsoft Corporation.
2 | # Licensed under the MIT License.
3 |
4 | $path = 'c:\imageBuilder'
5 | $logFile = '{0}\setupLog.txt' -f $path # setup log every step below appends to
6 | function LogMessage
7 | {
8 |     # Append one timestamped line ("<local time> - <message>") to $logFile, the
9 |     # script-level setup log.  Out-File -Append writes the same way '>>' does.
10 |     param([string]$message)
11 |
12 |     $entry = '{0} - {1}' -f (Get-Date).ToString(), $message
13 |     $entry | Out-File -FilePath $logFile -Append
14 | }
12 |
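13 | # Working directory for everything this script produces; -Force makes the call
14 | # idempotent (plain mkdir errors when the directory already exists).
15 | New-Item -ItemType Directory -Path $path -Force | Out-Null
16 | Set-Location -Path $path
17 |
18 | LogMessage -message "Starting setPowerStig.ps1"
19 | Get-ExecutionPolicy -List >> $logFile
20 |
21 | LogMessage -message "**** Retrieving computer info and env variables"
22 | $computerInfo = Get-ComputerInfo
23 | # Build parameters arrive through environment variables set by the caller.
24 | $powerStigVersion = $env:POWERSTIG_VER   # exact PowerStig module version to install
25 | $domainRole = $env:STIG_OSROLE           # not used further in this script
26 | $windowsInstallationType = $computerInfo.WindowsInstallationType
27 | $model = $env:STIG_OSVER                 # not used further in this script
28 | $stigVersion = $env:STIG_VER             # not used further in this script
29 | # Fail early and visibly: Install-Module -RequiredVersion '' only logs an error,
30 | # and the DSC run below would then proceed without PowerStig.
31 | if ([string]::IsNullOrWhiteSpace($powerStigVersion))
32 | {
33 |     LogMessage -message "**** POWERSTIG_VER is not set; cannot install PowerStig"
34 |     throw "POWERSTIG_VER environment variable is required"
35 | }
36 |
37 | LogMessage -message "**** Setting TLS"
38 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
39 | if($windowsInstallationType -eq 'Client')
40 | {
41 |     LogMessage -message "**** Setting execution policy for client type"
42 |     ### TODO: Potentially set to signed scripts only and sign scripts
43 |     # Unrestricted leaves the image able to run any script; RemoteSigned may be
44 |     # enough for scripts created locally on the image - confirm before tightening.
45 |     Set-ExecutionPolicy Unrestricted -Force 2>>$logFile # Windows 10 only
46 |     Get-ExecutionPolicy -List >> $logFile
47 | }
48 |
49 | LogMessage -message "**** Installing NuGet"
50 | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force 2>>$logFile
51 | # Install/Import PowerStig at the pinned version from the configured repository.
52 | LogMessage -message "**** Installing PowerStig Module"
53 | Install-Module PowerStig -RequiredVersion $powerStigVersion 2>>$logFile -Force
54 |
55 | LogMessage -message "**** Installing additional PowerStig Module requirements"
56 | # PowerStig's manifest lists the modules it depends on; install each of them.
57 | (Get-Module PowerStig -ListAvailable).RequiredModules | % {
58 |     $PSItem | Install-Module -Force 2>>$logFile
59 | }
60 | LogMessage -message "**** Importing PowerStig Module"
61 | Import-Module PowerStig -Force 2>>$logFile
62 |
63 | # Enable WSMan / WinRm (the DSC push below goes through it)
64 | LogMessage -message "**** Installing WSMAN, setting MaxEvelopeSize and disabling PSremoting"
65 | Set-WSManQuickConfig -Force
66 | Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 8192 # PowerSTIG DSC requires larger envelope size.
67 | #Disable-PSRemoting # PowerShell remoting required so disable it.
68 |
69 | # Apply the MOF(s) under c:\; the verbose stream (4>&1) carries the per-resource
70 | # progress, so it is merged and appended to verbose.txt.
71 | LogMessage -message "**** Running DscConfiguration and logging to verbose.txt"
72 | $null = Start-DscConfiguration -Path "c:\" -Force -Wait -Verbose 4>&1 >> c:\imagebuilder\verbose.txt
73 |
74 | LogMessage -message "**** Setting up logging to LA Workspace sender"
75 |
76 | LogMessage -message "**** Starting download and install of EDGE and SCAP tooling."
77 |
78 | # Scratch directory for the installers; removed again at the end.
79 | $localDownloadPath = join-path $path download
80 | New-Item -ItemType Directory -Path $localDownloadPath -Force -ErrorAction SilentlyContinue | Out-Null
81 |
82 | # Download and install Edge.  The enterprise MSI is Authenticode-signed, so refuse
83 | # to install a file whose signature does not validate: a truncated or tampered
84 | # download would otherwise be executed during the image build.
85 | $edgeDownloadUrl = 'https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/dba89b53-9614-4a7c-b1f3-85e5dd724930/MicrosoftEdgeEnterpriseX64.msi'
86 | $edgeFilePath = join-path $localDownloadPath MicrosoftEdgeEnterpriseX64.msi
87 | Invoke-RestMethod -Uri $edgeDownloadUrl -OutFile $edgeFilePath
88 | $edgeSignature = Get-AuthenticodeSignature -FilePath $edgeFilePath
89 | if ($edgeSignature.Status -ne 'Valid')
90 | {
91 |     LogMessage -message "**** Edge installer signature check failed: $($edgeSignature.Status)"
92 |     throw "Authenticode signature of $edgeFilePath is not valid"
93 | }
94 | # Install through msiexec explicitly instead of relying on the .msi file association;
95 | # /norestart keeps the installer from rebooting in the middle of the build.
96 | Start-Process -Wait -FilePath "msiexec.exe" -ArgumentList "/i `"$edgeFilePath`" /quiet /norestart"
97 |
98 | # Download, unzip and install SCAP
99 | $windowsSCAPUrl = "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/scc-5.5_Windows_bundle.zip"
100 | # Pin the bundle's SHA-256 here (taken from the publisher's download page); while
101 | # the placeholder is still in place the comparison is skipped, as in the original.
102 | $expectedScapSha256 = '<SHA256-OF-scc-5.5_Windows_bundle.zip>'
103 | $scapFilePath = join-path $localDownloadPath scc-5.5_Windows_bundle.zip
104 | Invoke-RestMethod -Uri $windowsSCAPUrl -OutFile $scapFilePath
105 | if ($expectedScapSha256 -notlike '<*')
106 | {
107 |     $actualScapSha256 = (Get-FileHash -Path $scapFilePath -Algorithm SHA256).Hash
108 |     if ($actualScapSha256 -ne $expectedScapSha256)
109 |     {
110 |         LogMessage -message "**** SCAP bundle hash mismatch: $actualScapSha256"
111 |         throw "SHA-256 of $scapFilePath does not match the pinned value"
112 |     }
113 | }
114 |
115 | # Silently unzip install SCAP (-Force overwrites leftovers from an earlier run)
116 | Expand-Archive -LiteralPath $scapFilePath -DestinationPath $localDownloadPath -Force
117 | $sccPath = Join-Path $localDownloadPath scc-5.5_Windows\SCC_5.5_Windows_Setup.exe
118 | Start-Process -Wait -FilePath $sccPath -ArgumentList "/VERYSILENT /DIR=`"C:\SCC`" /TYPE=custom /COMPONENTS=`"Content\NIST_USGCB_SCAP_Content,Content\DISA_STIG_SCAP_Content,Other\SCC_Service`""
119 |
120 | Remove-Item -Path $localDownloadPath -Confirm:$false -Force -Recurse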
--------------------------------------------------------------------------------
/stig.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/shawngib/project-stig/dbf6d3aca410e0a9d751f844857f777cb970b152/stig.zip
--------------------------------------------------------------------------------