microsoft / StigRepo

Automated PowerSTIG Repository for Active Directory environments

Overview

The StigRepo module accelerates cloud readiness and system hardening by building a repository that automates and customizes configurations compliant with the Security Technical Implementation Guides (STIGs) owned and released by the Defense Information Systems Agency (DISA). StigRepo identifies the systems in your Active Directory and/or Azure environment, identifies which software on them must be secured according to STIG requirements and recommendations, and builds a customizable Infrastructure as Code (IaC) repository that leverages PowerSTIG to automate the enforcement, auditing, and documentation of STIG requirements through Desired State Configuration (DSC). The STIG repository can be imported into and driven through Azure DevOps or GitHub Enterprise for continuous STIG enforcement, auditing, monitoring, and compliance documentation.

The StigRepo Module empowers system integrators to:

Problem Statement

United States Government organizations must adhere to STIG requirements established by the Defense Information Systems Agency (DISA). Periodic inspections for STIG compliance are conducted in which government organizations must enforce, audit, and provide documentation showing that their environment(s) are secured to DISA's standards. This is a massive undertaking that requires a large amount of manpower, especially in large enterprise environments: auditing, enforcing, and documenting STIG compliance on a single Windows Server can take 4-8 hours depending on the complexity of the system. In an environment containing 100 servers, that means 400-800 man-hours are required just to meet STIG requirements. With the StigRepo module, that time is reduced to roughly 10 hours. STIG compliance can be enforced, maintained, and documented across the entire environment on demand, ensuring the organization is in an always-ready state for cyber inspections and that its systems are hardened to prevent cyber-attacks.

Solution

The StigRepo module scans an existing Active Directory/Azure environment and builds a repository for managing, enforcing, and documenting STIG compliance. System data is generated per system based on operating system, installed software, and installed roles/features, and can be further customized by customers that require exceptions to STIG requirements and/or custom configurations. The StigRepo module is a repeatable solution that can be implemented universally to quickly harden system security and establish STIG compliance. The repository built by the StigRepo module can easily be placed into an Azure DevOps or GitHub Enterprise project to provide continuous enforcement, auditing, and documentation of STIG compliance across the environment.

Benefits

Get Started with STIG Repo

On-Prem Active Directory Environments

Prerequisites

Execute the commands below to install the StigRepo module, build the STIG repository, and generate STIG checklists for on-prem Active Directory environments:

| Cmdlet | Description |
| --- | --- |
| Install-Module StigRepo | Installs the StigRepo module from the PowerShell Gallery |
| Initialize-StigRepo | Builds the STIG compliance automation repository and installs dependencies on the local system |
| New-SystemData | Scans the Active Directory environment for targeted systems, determines applicable STIGs, and generates DSC configuration data |
| Start-DscBuild | Generates DSC configuration scripts and MOF files for all DSC nodes |
| Sync-DscModules | Syncs DSC module dependencies across all DSC nodes |
| Set-WinRMConfig | Expands the WinRM MaxEnvelopeSizekb setting on all DSC nodes so that the large STIG MOFs can be delivered |
| Get-StigChecklists | Generates STIG checklists for all applicable STIGs for each DSC node |
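The on-prem sequence above as a runnable script, with one step the table does not show: an audit-only pass that evaluates every generated MOF against its node with Test-DscConfiguration -ReferenceConfiguration before anything is enforced, so a mis-scoped configuration is caught before Start-DscConfiguration changes a production server. This is an added example, not code from the StigRepo project. The repository path, the OU search base, the -RootPath/-SearchBase parameter names on the StigRepo cmdlets, and the Artifacts\Mofs folder layout (one MOF named after each DSC node) are assumptions; the DSC and WinRM cmdlets are standard PowerShell 5.1.

```powershell
# Added example (not StigRepo project code). Assumed: repository root, AD search base,
# the -RootPath / -SearchBase parameter names, and <RootPath>\Artifacts\Mofs as the
# MOF output folder. Run from an elevated PowerShell 5.1 session with WinRM rights
# on the target nodes.

$RootPath   = 'C:\StigRepo'                      # assumed repository location
$SearchBase = 'OU=Servers,DC=contoso,DC=com'     # assumed AD scope to scan

# 1. Install the module and build the repository skeleton plus its dependencies.
Install-Module -Name StigRepo -Scope CurrentUser
Initialize-StigRepo -RootPath $RootPath

# 2. Scan AD, determine the applicable STIGs per system, write DSC configuration data.
New-SystemData -RootPath $RootPath -SearchBase $SearchBase

# 3. Compile configuration scripts and MOFs, then stage the DSC modules on every node.
Start-DscBuild -RootPath $RootPath
Sync-DscModules -RootPath $RootPath

# 4. STIG MOFs exceed WinRM's default envelope size; raise MaxEnvelopeSizekb on all nodes.
Set-WinRMConfig -RootPath $RootPath

# 5. Audit before enforcing. Test-DscConfiguration -ReferenceConfiguration evaluates a
#    MOF against a node without applying it, returning InDesiredState plus the list of
#    resources that are out of compliance.
function Test-StigRepoNodes {
    param(
        [Parameter(Mandatory)] [string] $MofFolder,     # assumed: <RootPath>\Artifacts\Mofs
        [pscredential] $Credential                      # optional alternate credential
    )
    Get-ChildItem -Path $MofFolder -Filter '*.mof' -Recurse | ForEach-Object {
        $nodeName = $_.BaseName                         # assumption: MOF named after the node
        $splat = @{
            ComputerName           = $nodeName
            ReferenceConfiguration = $_.FullName
            ErrorAction            = 'Stop'
        }
        if ($Credential) { $splat.Credential = $Credential }
        try {
            $result = Test-DscConfiguration @splat
            [pscustomobject]@{
                Node           = $nodeName
                InDesiredState = $result.InDesiredState
                Drifted        = ($result.ResourcesNotInDesiredState |
                                  Select-Object -ExpandProperty ResourceId) -join ';'
            }
        }
        catch {
            # Unreachable node or WinRM failure: record it rather than abort the sweep.
            [pscustomobject]@{
                Node           = $nodeName
                InDesiredState = $null
                Drifted        = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

$mofFolder = Join-Path $RootPath 'Artifacts\Mofs'
$audit = Test-StigRepoNodes -MofFolder $mofFolder
$audit | Format-Table -AutoSize
$audit | Export-Csv -Path (Join-Path $RootPath 'Artifacts\pre-enforcement-audit.csv') -NoTypeInformation

# 6. Only after reviewing the audit: enforce, then generate checklists for the inspection.
#    Start-DscConfiguration -Path applies each MOF in the folder to the node it is named for.
# Start-DscConfiguration -Path $mofFolder -Wait -Verbose
Get-StigChecklists -RootPath $RootPath
```

Keep the pre-enforcement CSV with the checklists: it is the evidence of what state each node was in before STIG enforcement, which inspectors and incident responders both ask for when a setting change later breaks an application.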

Azure Environments

Prerequisites

Execute the commands below to install the StigRepo module, build your STIG repository, and prepare an Azure Automation account to enforce and report STIG compliance for Azure infrastructure:

| Cmdlet | Description |
| --- | --- |
| Install-Module StigRepo | Installs the StigRepo module from the PowerShell Gallery |
| Initialize-StigRepo | Builds the STIG compliance automation repository and installs dependencies on the local system |
| New-AzSystemData | Builds system data for Azure VMs |
| Publish-AzAutomationModules | Uploads modules to an Azure Automation account |
| Export-AzDscConfigurations | Generates DSC configuration scripts for each system data file, constructed for Azure Automation, in the "Artifacts\AzDscConfigs" folder |
| Import-AzDscConfigurations | Imports the generated STIG configurations into the Azure Automation account |
| Register-AzAutomationNodes | Registers the systems that have system data with the Azure Automation account |
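The Azure sequence above as a script, followed by a compliance query against Azure Automation State Configuration that the table stops short of: once nodes are registered, Get-AzAutomationDscNode and Get-AzAutomationDscNodeReport return each VM's status and latest report, so non-compliant, failed, or unresponsive nodes surface in one table. This is an added example, not code from the StigRepo project. The resource group and automation account names, and the -RootPath/-ResourceGroupName/-AutomationAccountName parameter names on the StigRepo Az* cmdlets, are assumptions; the Az.Automation cmdlets and their parameters are the real ones from the Az module.

```powershell
# Added example (not StigRepo project code). Assumed: resource group and automation
# account names, and the parameter names passed to the StigRepo Az* cmdlets.
# Requires the Az.Accounts and Az.Automation modules and a signed-in context.

$RootPath          = 'C:\StigRepo'   # assumed
$ResourceGroupName = 'rg-stig'       # assumed
$AutomationAccount = 'aa-stig'       # assumed

Connect-AzAccount | Out-Null

# 1. Install the module and build the repository.
Install-Module -Name StigRepo -Scope CurrentUser
Initialize-StigRepo -RootPath $RootPath

# 2. Build system data for the Azure VMs and push PowerSTIG's module dependencies
#    into the automation account (parameter names assumed).
New-AzSystemData -RootPath $RootPath
Publish-AzAutomationModules -RootPath $RootPath -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount

# 3. Generate Azure-Automation-style configurations, import them, register the nodes.
Export-AzDscConfigurations -RootPath $RootPath
Import-AzDscConfigurations  -RootPath $RootPath -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount
Register-AzAutomationNodes  -RootPath $RootPath -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount

# 4. Verify: pull every registered node and its latest report from State Configuration.
#    Node Status is one of Compliant, NotCompliant, Pending, Failed, Unresponsive.
function Get-StigNodeCompliance {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName
    )
    Get-AzAutomationDscNode -ResourceGroupName $ResourceGroupName `
                            -AutomationAccountName $AutomationAccountName |
        ForEach-Object {
            # A freshly registered node may have no report yet; tolerate that.
            $report = Get-AzAutomationDscNodeReport -ResourceGroupName $ResourceGroupName `
                                                    -AutomationAccountName $AutomationAccountName `
                                                    -NodeId $_.Id -Latest -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Node          = $_.Name
                Configuration = $_.NodeConfigurationName
                Status        = $_.Status
                LastSeen      = $_.LastSeen
                ReportStatus  = $report.Status
                ReportEnd     = $report.EndTime
            }
        }
}

$nodes = Get-StigNodeCompliance -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount
$nodes | Format-Table -AutoSize

# Anything that is not Compliant needs attention before an inspection; an Unresponsive
# node usually means the DSC extension or outbound HTTPS to the pull server is broken.
$nodes | Where-Object { $_.Status -ne 'Compliant' } |
    Export-Csv -Path (Join-Path $RootPath 'Artifacts\az-noncompliant-nodes.csv') -NoTypeInformation
```

Schedule the verification function from a pipeline or runbook rather than running it once: a node that drifts after enforcement shows up as NotCompliant on its next consistency check, and the exported CSV is the running record that the continuous-monitoring promise in the overview depends on.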

STIG Repository Structure

StigRepo organizes the repository to deploy and document STIGs using the folders listed below:

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributor's list

Additional Resources

  1. PowerShell Gallery
  2. GitHub
  3. PowerSTIG
  4. Stig Coverage Summary
  5. DISA Website
  6. STIG Website