With multiple DSC configurations applied, invoking New-StigCheckList results with not updating the STATUS for each rule correctly i.e., the status always remains as Not_Reviewed even though the rule is in the desired state. This is because $script:allResources may be initialized with the incorrect resource/configuration and therefore never initializes to the DSCResults from Test-DscConfiguration. This is true to every call to New-StigCheckList after the first call in which a different DSC configuration is tested.
In line 394 of Functions.Checklist.ps1 we see that $setting is always null in this use case (after the first call to New-StigCheckLit.
From the function Get-SettingsFromResult on line 643, we see that $script:allResources is already initialized, but not to the correct resource. So the results from Test-DscConfiguration is always ignored.
which leads to (line 424); and the status is never really evaulated.
$status = $statusMap['NotReviewed']
To Reproduce
1) Create DSC configurations for multiple composite resources. This example shows Chrome, Windows Defender AV, and Windows Client 11.
2) Compile and apply said configurations.
3) Run the below script. Checklists are made, but the status for each rule is in a Not_Reviewed state.
# Workaround for https://github.com/microsoft/PowerStig/issues/443; source the missing cmdlet.
# Get-StigXccdfBenchmarkContent : The term 'Get-StigXccdfBenchmarkContent' is not recognized as the name of a cmdlet
. 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\Module\Common\Function.Xccdf'
function Generate-StigReport {
param (
[string]$ReferenceConfigurationPath,
[string]$XccdfPath,
[string]$OutputFileName
)
# Resolve paths
$ReferenceConfiguration = Resolve-Path -Path $ReferenceConfigurationPath
$XccdfPathResolved = Resolve-Path -Path $XccdfPath
$OutputPath = Join-Path -Path (Get-Location).Path -ChildPath $OutputFileName
# Test DSC Configuration
$audit = Test-DscConfiguration -ReferenceConfiguration $ReferenceConfiguration.Path
# Generate STIG Checklist
New-StigCheckList -DscResults $audit -XccdfPath $XccdfPathResolved -OutputPath $OutputPath
# Output path of the generated report for confirmation
Write-Output "Report generated at: $OutputPath"
}
Generate-StigReport `
-ReferenceConfigurationPath '.\dsc\Chrome\localhost.mof' `
-XccdfPath "C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\StigData\Archive\Chrome\U_Google_Chrome_STIG_V2R9_Manual-xccdf.xml" `
-OutputFileName 'dsc\_ckl\chrome_mof.ckl'
Generate-StigReport `
-ReferenceConfigurationPath '.\dsc\WindowsDefender\localhost.mof' `
-XccdfPath "C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\StigData\Archive\Windows.Defender\U_MS_Windows_Defender_Antivirus_STIG_V2R4_Manual-xccdf.xml" `
-OutputFileName 'dsc\_ckl\windows_defender_av_mof.ckl'
Generate-StigReport `
-ReferenceConfigurationPath '.\dsc\WindowsClient\localhost.mof' `
-XccdfPath "C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\StigData\Archive\Windows.Client\U_MS_Windows_11_STIG_V1R6_Manual-xccdf.xml" `
-OutputFileName 'dsc\_ckl\windows_client_mof.ckl'
Expected behavior
The results from DscResults are evaluated and reflected in the checklists.
Screenshots
Demonstrating that $script:allResources here is inconsistent to what is expected. Here we see that this variable is a collection of the CimInstance for Chrome rather than WindowsDefender.
DscResults are for WindowsDefender
$script:allResources are for Chrome
Additional context
Note that multiple DSC configurations must be applied and using a single file for each resource.
Describe the bug
With multiple DSC configurations applied, invoking
New-StigCheckListresults with not updating theSTATUSfor each rule correctly i.e., the status always remains asNot_Reviewedeven though the rule is in the desired state. This is because$script:allResourcesmay be initialized with the incorrect resource/configuration and therefore never initializes to theDSCResultsfromTest-DscConfiguration. This is true to every call toNew-StigCheckListafter the first call in which a different DSC configuration is tested.In line 394 of
Functions.Checklist.ps1we see that$settingis always null in this use case (after the first call toNew-StigCheckLit.$setting = Get-SettingsFromResult -DscResults $DscResults -Id $vidFrom the function
Get-SettingsFromResulton line 643, we see that$script:allResourcesis already initialized, but not to the correct resource. So the results fromTest-DscConfigurationis always ignored.which leads to (line 424); and the status is never really evaulated.
$status = $statusMap['NotReviewed']To Reproduce
1) Create DSC configurations for multiple composite resources. This example shows Chrome, Windows Defender AV, and Windows Client 11. 2) Compile and apply said configurations. 3) Run the below script. Checklists are made, but the status for each rule is in a
Not_Reviewedstate.Expected behavior The results from DscResults are evaluated and reflected in the checklists.
Screenshots Demonstrating that
$script:allResourceshere is inconsistent to what is expected. Here we see that this variable is a collection of the CimInstance forChromerather thanWindowsDefender.DscResults are for
WindowsDefender$script:allResources are for
ChromeAdditional context Note that multiple DSC configurations must be applied and using a single file for each resource.