Get-Started.ps1
<#
Overview
The STIG Compliance Automation Repository (SCAR) is a platform that automates STIG compliance through Desired State Configuration (DSC).
SCAR scans Active Directory to determine STIG applicability for each server in the domain, then builds DSC configdata, DSC scripts,
MOFs, STIG checklists, and data consumable via PowerBI for visual reporting.

Problem Statement
Government organizations are required to adhere to and document STIG compliance. This places a massive workload on technical teams to
enforce, monitor, and document STIG compliance during Command Cyber Readiness Inspections (CCRI) and Authority to Operate (ATO) renewals.
SCAR solves this problem by providing a source-controlled environment that automates the initial building of data that can be used to
automate the enforcement, monitoring, and documentation of STIG compliance via Desired State Configuration.

Requirements
- WinRM must be enabled on target systems
- Account must have WinRM access to target systems
- PowerShell version 5 at minimum
- Active Directory module must be installed on the host system
#>

# STIG Compliance Automation Repository Workflow
# Follow the steps below to execute the SCAR build process

# Step 1 - Build SCAR Repository
# Install the DSCSM module and build the SCAR repository
Install-Module DSCSM -Force
Build-ScarRepo

# Step 2 - Generate DSC Configuration Data
# SCAR leverages Active Directory and the PowerSTIG module to determine STIG applicability for each server in the domain
# and builds a DSC configuration data file for each server, sorted by the Organizational Unit it belongs to.
# Output - .psd1 files are created under the Nodedata folder for every server in an Active Directory domain
New-ConfigData

# Step 3 - Sync DSC resource modules on all target systems
# The Copy-DscModules cmdlet ensures that every targeted server has the correct modules/versions based on what is in the Resources\Modules folder.
# If the module exists on a target system but is not the correct version, SCAR will remove the old version and replace it with the new one.
Copy-DscModules

# Step 4 - Increase the MaxEnvelopeSize WinRM setting on target systems
# The Set-WinRM cmdlet increases the MaxEnvelopeSize WinRM setting from 500kb to 10000kb on all target systems to ensure that they can handle
# large configurations containing PowerSTIG resources.
Set-WinRM

# Step 5 - Build DSC Configuration Scripts and MOFs
# SCAR uses the DSC configdata it generated to build individualized DSC configuration scripts for each system based on provided parameter values
# within the nodedata file(s) for each system. SCAR builds managed object files (MOFs) from the DSC configuration scripts.
# Output - .ps1 files are created under Artifacts\DscConfigs\ and MOFs are created under Artifacts\MOFs
Start-DscBuild

# Step 6 - Deploy/Enforce STIG Configurations
# Deploy the STIG configurations generated by SCAR.
# Warning: If STIG exceptions are required for a given system, a "SkipRule" parameter must be added within that system's nodedata.
# View the "How to Add STIG Exceptions" wiki for detailed instructions on how to do this.
# The path is the Artifacts\MOFs output folder from Step 5.
Set-DscLocalConfigurationManager -Path ".\Artifacts\MOFs"
Start-DscConfiguration -Path ".\Artifacts\MOFs" -Force -Verbose -Wait

# Step 7 - Generate STIG Checklists and PowerBI Data
# STIG checklists are required documentation for Command Cyber Readiness Inspections (CCRI) and Authority to Operate (ATO) renewals.
# This documentation can be automated using the data built into SCAR.
# STIG checklists are populated based on DSC compliance for all configurable settings.
# Manual check files (Resources\Stig Data\Manual Checks) are used to fill in the STIG checklist data for all non-configurable STIG requirements.
# Providing the GenerateReports switch outputs all DSC results for PowerBI consumption/reporting.
# Output - Artifacts\STIG Checklists and Artifacts\Reports
Get-StigChecklists
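
A pre-flight check for the Requirements list and the Step 4 envelope size, meant to run after Step 4 and before the Step 6 deployment. This is an added example, not part of Get-Started.ps1 or the DSCSM module; `Test-ScarPrerequisite`, its parameters and the sample server names are hypothetical.

```powershell
# Added example: verifies the script's stated requirements before deploying MOFs.
# Test-ScarPrerequisite and its parameters are hypothetical names, not DSCSM cmdlets.
function Test-ScarPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,  # target systems to check
        [int]$MinEnvelopeKb = 10000                     # value Step 4 says Set-WinRM applies
    )

    # Host-side requirements: PowerShell 5+ and the Active Directory module.
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        throw "PowerShell 5 or later is required (found $($PSVersionTable.PSVersion))."
    }
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'The ActiveDirectory module is not installed on this host.'
    }

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            WinRMEnabled = $false
            WinRMAccess  = $false
            EnvelopeKb   = $null
            Ready        = $false
        }
        # Test-WSMan without credentials only confirms that the listener answers.
        if (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue) {
            $result.WinRMEnabled = $true
            try {
                # An authenticated remote call proves the account has WinRM access
                # and reads the current MaxEnvelopeSizekb value from the target.
                $result.EnvelopeKb = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                    [int](Get-Item -Path WSMan:\localhost\MaxEnvelopeSizekb).Value
                }
                $result.WinRMAccess = $true
            }
            catch {
                Write-Warning "$computer : WinRM answered but the remote call failed: $($_.Exception.Message)"
            }
        }
        # Ready only when the account can connect and the envelope size is large enough.
        $result.Ready = $result.WinRMAccess -and ($result.EnvelopeKb -ge $MinEnvelopeKb)
        [pscustomobject]$result
    }
}

# Constructed sample target names; replace with servers from your own domain.
Test-ScarPrerequisite -ComputerName 'SERVER01', 'SERVER02' | Format-Table -AutoSize
```

Targets reported with `Ready` set to false are the ones to fix or exclude before running `Start-DscConfiguration -Force` against the MOF folder.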