grolston / PowerStig

A module for parsing DISA XCCDF.XML Files for Windows Compliance with PowerShell DSC

Invalid Registry Resources #1

Open matt2005 opened 6 years ago

matt2005 commented 6 years ago

Doesn't appear to generate the registry resources correctly for some rules

    Registry SV-52838r1_rule {
        Ensure = 'Present'
        PolicyType = 'Machine'
        KeyValueName = 'PolicyPath'
        Type = 'DWord'
        Data = "0"
        CheckLines = "Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding."
        FixText = "Ensure servers are located in secure, access-controlled areas."
    }

clcaldwell commented 6 years ago

@matt2005 Issue has been fixed

athaynes commented 6 years ago

@matt2005 @cobycode I saw this project and wanted to reach out to you to let you know about a project that I recently moved over to GitHub. https://github.com/Microsoft/PowerStig A few of us have been working on this for a while now, so if you're interested, we'd love to have some more help and ideas.

clcaldwell commented 6 years ago

@athaynes Very cool! I had temporarily run out of time to work on this, but I should have some more time now. Briefly poking around your project, I wasn't able to see exactly what it is doing. This project was taking the STIG files and automatically generating DSC files for Remediation/Auditing - it appears that Microsoft/PowerSTIG is for the same purpose? I will definitely be taking a comprehensive look at your project over the next few days.

Making sure @grolston gets mentioned.

athaynes commented 6 years ago

We do the conversion with PowerStig but don't put out a DSC configuration, we create a new XML file that contains the setting from the STIG. Our PowerStig stores all of the parsed STIGs as part of the module we publish to the PowerShell gallery. You can query our PowerStig module using the PowerShell classes we provide, so it is like a mini database. The classes provide an option to override STIG settings in the form of exceptions or skip rules or types of rules entirely. The PowerStigDsc composite resource is currently the main consumer of our PowerStig module, but we have a few more prototype modules in the works to handle additional scenarios.

So after typing this "quick" note, I realize that I need to add some documentation and examples to PowerSTIG :)

grolston commented 5 years ago

@athaynes

Sorry for the delay in the response, it has been busy. This is great to see the concept being moved forward. I have not had time to go into this due to some priorities; however, the intent was to apply STIGs in a fashion similar to how Red Hat provides them via Ansible. My issue has been the limited demand for PowerShell DSC in the cloud environment I am working in (we mainly use Linux and Ansible). As more systems are moving to the cloud, we are seeing an increase in Windows OS as well as Windows OSs that require efficient auto-scaling. I will need to take a look and see. I love using PowerShell so if I can get some time I will try to help out.

athaynes commented 5 years ago

@grolston NP at all. I am focused on Azure Automation DSC to drive STIG automation in a Hybrid cloud environment. With PowerShell 6, we are focusing on Linux as well, we just don't have anyone on the project that is familiar with the Linux OS or the nx resources yet. We are looking forward to any feedback and ideas you have when you get some time.

grolston commented 5 years ago

@athaynes Really Linux with DSC using the nx module should not be a challenge depending on the implementation. Overall the big issue I had to overcome with creating general Linux STIGs in Ansible was the fact that not every OS works the same and not all Ansible modules are platform agnostic. In my case I had to support CentOS 6/7, RHEL 6/7, Ubuntu 14-18, AWS Linux and AWS Linux 2 so I had to factor the changes made when the OS leveraged systemd (that was a big one). Most times when people write Ansible Playbooks they target one OS, so knowing it had to work across so many OSs made developing and testing a bit more than what people would expect. In the end we got it all to work with an Ansible-Pull solution for bootstrapping, but I imagine PowerShell DSC would be done in a very similar fashion.

I do find both PowerShell DSC and Ansible to be very similar in design which made it easy for me to move from DSC to Ansible and vice versa. PowerShell DSC did have the nice pull server setup, but when we looked at compliance reporting tools we needed some features in Azure that weren't available (work all being done on AWS).

Looking at some of the nx documentation, a lot of the built-in resources for the Linux in DSC are extremely similar to how it would be done in Ansible so really it should be hard at all.