-
Notifications
You must be signed in to change notification settings - Fork 128
Overview
Adam Haynes edited this page Feb 26, 2019
·
1 revision
STIG as a DevOps tool
- The STIG rules are in plain english inaccessible to automation
- Admin can read and manually configure a computer
- A GPO requires a host to be domain joined
- Current tools are disconnected
- Audit rules, but doesn't configure them
- Configure rules, but doesn't audit them
- Generally used in a silo with little input from IA \ cyber \ system owner
- They are all external to the computers themselves
- What if we could give a host a document to read auto-configure \ audit
- A collection of PowerShell modules dedicated to STIG automation
- PowerStig – The base module contains the following items:
- Composite DSC resources for each STIG (Windows Server, IIS, etc.)
- PowerShell classes to support STIG compliance business logic
- Serialized STIG rules extracted from the xccdf
- PowerStig.Convert – Extracts rule objects from xccdf
- PowerStig.Checklist * – Creates STIG ckl files prepopulated with DSC results.
- Ex. 85% of Windows Server checklist is auto completed by PowerSTIG in real time.
- Manages the PowerShell module dependencies in the manifest
- Install-Module -Name PowerSTIG will auto install all the dependent modules
- Provides access the STIG data in a standard way
- Implements the concept of organizational settings
- Enables rule values that allow a range of values to be defined for the enterprise
- Settings are validated to ensure they comply with allowed range
- Implements the concept of exceptions to a rule
- Override a rule with a value required by host application
- Tags the rule as an exception to policy to auto-detect and report exceptions
- Implements the concept of Skipped Rule
- Not all rules are applicable, so they are tracked but not applied
- Reduces 100’s of rule checks to a few lines of PowerShell
- This reduces technical debt a STIG creates
- Provides all the benefits of PowerShell DSC
- Apply and Monitor or Auto-Correct if a setting is manually changed
- Conflict detection (If you try to set a STIG value outside of PowerSTIG)
- Aligned to each STIG to ease readability in the configuration
- Once you have the data from DSC, you can report and visualize it anyway you want:
- Excel
- Power BI
- SQL Server
- Data warehouse
- DSC-EA
- Configurations are designed to be easily read, stored, and updated.
- Configurations declare the state target devices should be in.
- Repeated deployments are much less error-prone.
- Making deployments faster and more reliable
- Deploy your configuration in a Test\Dev lab to validate planned changes
- Configurations are shareable
- Common scenarios and best practices for the work that needs to be done.
- DSC has monitoring and reporting built in.
- Developers and Operations
- Merging the TTP's from both disciplines
- People, Process, Technology
- Everyone needs to be involved (IA, Cyber, Engineering, Operations, etc.)
- Everyone needs to provide input and receive output
- It's not about the technology, but it’s about the technology
- Every tool MUST talk to every other tool
- Manual tasks MUST be defined and implemented through automation
- Editors must integrate into change workflow
- PowerShell ISE
- Windows Only \ Closed source
- No longer being developed
- Visual Studio Code
- Cross platform \ Open source
- Integrates with Git, PowerShell, PSScriptAnalyzer
- Provides a task engine to execute workflow and automatic formatting
- Version Control (VC)
- Git is it
- Enables peer review
- Manages your copies of copies of files
- Removes direct access to production code
- Manages the merging of changes
- Testing
- Technical Debt - the eventual consequences of any system design
- Testing - Eliminates Technical debt
- Tests should add value not overhead
-
Pester is the PowerShell Test framework
- Unit testing tests code in isolation
- Integration testing tests everything when it is put together.
- Releasing to Production
- The code system is the only thing that should have R/W access to production
- Your release process should automatically run all of your tests
- You should have a Master code branch that is highly restricted
- You should have multiple branches that merge into Master for release
-
Stig Coverage
- Stig Coverage Summary
- Adobe-AcrobatPro-2.1
- Adobe-AcrobatReader-1.6
- Adobe-AcrobatReader-2.1
- DotNetFramework-4-2.6
- DotNetFramework-4-2.7
- FireFox-All-6.6
- FireFox-All-6.7
- Google-Chrome-2.10
- Google-Chrome-2.11
- IISServer-10.0-3.5
- IISServer-10.0-3.6
- IISSite-10.0-2.13
- IISSite-10.0-2.14
- InternetExplorer-11-2.5
- InternetExplorer-11-2.6
- MS-Edge-2.3
- MS-Edge-2.4
- Office-365ProPlus-3.3
- Office-365ProPlus-3.4
- Office-Access2016-1.1
- Office-Access2016-2.1
- Office-Excel2016-1.2
- Office-Excel2016-2.2
- Office-OneNote2016-1.2
- Office-OneNote2016-2.1
- Office-Outlook2016-2.3
- Office-Outlook2016-2.4
- Office-PowerPoint2016-1.1
- Office-PowerPoint2016-2.1
- Office-Publisher2016-1.3
- Office-Publisher2016-2.1
- Office-Skype2016-1.1
- Office-Skype2016-2.1
- Office-System2016-2.4
- Office-System2016-2.5
- Office-Word2016-1.1
- Office-Word2016-2.1
- OracleLinux-8-2.3
- OracleLinux-8-2.4
- OracleLinux-9-1.1
- RHEL-7-3.14
- RHEL-7-3.15
- RHEL-9-2.3
- RHEL-9-2.7
- SqlServer-2016-Instance-3.5
- SqlServer-2016-Instance-3.6
- SqlServer-2022-Instance-1.2
- SqlServer-2022-Instance-1.3
- Ubuntu-18.04-2.14
- Ubuntu-18.04-2.15
- WindowsClient-10-3.5
- WindowsClient-10-3.6
- WindowsClient-11-2.5
- WindowsClient-11-2.6
- WindowsDefender-All-2.6
- WindowsDefender-All-2.7
- WindowsDnsServer-2012R2-2.5
- WindowsDnsServer-2012R2-2.7
- WindowsFirewall-All-2.1
- WindowsFirewall-All-2.2
- WindowsServer-2016-DC-2.10
- WindowsServer-2016-DC-2.9
- WindowsServer-2016-MS-2.10
- WindowsServer-2016-MS-2.9
- WindowsServer-2019-DC-3.6
- WindowsServer-2019-DC-3.7
- WindowsServer-2019-MS-3.6
- WindowsServer-2019-MS-3.7
- WindowsServer-2022-DC-2.6
- WindowsServer-2022-DC-2.7
- WindowsServer-2022-MS-2.6
- WindowsServer-2022-MS-2.7