-
Notifications
You must be signed in to change notification settings - Fork 117
GettingStarted
All you have to do to start using PowerStig, it to run the following command from PowerShell 5.0 or higher.
Install-Module PowerStig -Scope CurrentUserPowershell will take it from there and automatically install all of the dependent modules for you. You don't need to run as an admin to install the PowerShell modules, so the -Scope CurrentUser is used to install into your profile module path. Once PowerShell has installed everything, you are ready to go. You can grab one of the examples from the composite resource links to the right and run it to compile your first STIG'd MOF. From there you have a few options, depending on if you have any DSC infrastructure already in place.
- No existing DSC infrastructure
- Existing DSC infrastructure
- Azure Automation Account
- Azure Virtual Machine
As we release updates to PowerStig with new STIG's, you shouldn't need to update PowerStig you will need to update the PowerStig module. PowerShell will take care of that for you as well.
Integrating PowerStig into your environment is not too difficult once you establish a workflow. This section is intended to help you with your initial integration. If you run into any issues that are not outlined here, please request an update to the Wiki.
With no existing configurations in your environment, things are a little easier and harder. If you don't have any existing DSC infrastructure in place take a look at what you need to do in our PowerSitDsc Getting Started Guide. That will get all of the pieces in place for you to start auditing your servers with a default configuration, but what happens when you audit a server that has been running forever and is not showing compliant? The good news is that you now know what settings are not compliant, but now you need to decide how you want to resolve the non-compliant settings.
- Generate a list of non-complaint settings for each server
- Review any documentation that you have relating to policy exceptions
- Review the non-compliant settings with your IA team to make sure they are tracking them
- Review the non-compliant settings with your cyber team to make sure they are tracking them
- For each approved exceptions to policy, update your configuration with an exception
To do the initial audit on your server(s), you can follow the PowerSitDsc Getting Started Guide. The Test-DscConfiguration outputs its results to the $audit variable that we can look at closer here.
If you have existing configurations that you would like to apply the STIG to, then you will need to take a few additional steps to ensure that you don't step on any of your existing work. This will vary based on how you have your LCM configured.