PowerSTIG with Azure Automation
PowerSTIG paired with Azure Automation gives better insight into the DSC status of nodes, and enables reporting and visualization of that data when the logs are forwarded to Log Analytics.
PowerSTIG (3.3.0) has several module dependencies that need to be imported into an Azure Automation environment before the PowerSTIG module itself can be imported.
Note: Currently there is a known issue with Azure Automation when importing the PowerSTIG module directly from the Azure Portal. To work around this limitation, the required dependencies must be imported using PowerShell or an ARM template.
- Manage Modules in Azure Automation: https://docs.microsoft.com/en-us/azure/automation/shared-resources/modules
- Example ARM template that can be used to import the PowerSTIG module and its required dependencies: https://github.com/mikedzikowski/azure-import-powerstig-azureautomation
- UserVoice feedback and votes can be added here: https://feedback.azure.com/forums/246290-automation/suggestions/38561443-powerstig-module-import-in-azure-automation
Dependencies:
- AuditPolicyDsc RequiredVersion: 1.2.0
- AuditSystemDsc RequiredVersion: 1.0.0
- AccessControlDsc RequiredVersion: 1.4.0
- ComputerManagementDsc RequiredVersion: 6.2.0
- FileContentDsc RequiredVersion: 1.1.0.108
- PolicyFileEditor RequiredVersion: 3.0.1
- PSDscResources RequiredVersion: 2.10.0.0
- SecurityPolicyDsc RequiredVersion: 2.4.0.0
- SqlServerDsc RequiredVersion: 12.1.0.0
- WindowsDefenderDsc RequiredVersion: 1.0.0.0
- xWebAdministration RequiredVersion: 2.5.0.0
- xDnsServer RequiredVersion: 1.11.0.0
The following PowerShell script imports the PowerSTIG dependencies, followed by PowerSTIG itself, into an existing Azure Automation environment.
```powershell
[CmdletBinding()]
param
(
    [parameter(mandatory=$true)]
    [string]$resourceGroupName,
    [parameter(mandatory=$true)]
    [string]$automationAccountName
)

#region Login to Azure
try
{
    Write-Output "Logging in to Azure..."
    $env = Read-Host "Please select an Azure Environment 1: Azure Government or 2: Azure Commercial"
    if ($env -eq 1)
    {
        Add-AzAccount -EnvironmentName "AzureUSGovernment" | Out-Null
    }
    elseif ($env -eq 2)
    {
        Add-AzAccount | Out-Null
    }
    else
    {
        throw "Please enter 1 for Azure Government and 2 for Azure Commercial"
    }
}
catch
{
    Write-Error -Message $_.Exception
    throw $_.Exception
}
#endregion

#region Import PowerSTIG dependencies and PowerSTIG version 3.3.0
# Module names and exact versions required by PowerSTIG 3.3.0; PowerSTIG is listed last
# because it depends on every module above it.
$Dependencies = @(
    @{ModuleName = "AuditPolicyDsc"; RequiredVersion = "1.2.0"; },
    @{ModuleName = "AuditSystemDsc"; RequiredVersion = "1.0.0"; },
    @{ModuleName = "AccessControlDsc"; RequiredVersion = "1.4.0"; },
    @{ModuleName = "ComputerManagementDsc"; RequiredVersion = "6.2.0"; },
    @{ModuleName = "FileContentDsc"; RequiredVersion = "1.1.0.108"; },
    @{ModuleName = "PolicyFileEditor"; RequiredVersion = "3.0.1"; },
    @{ModuleName = "PSDscResources"; RequiredVersion = "2.10.0.0"; },
    @{ModuleName = "SecurityPolicyDsc"; RequiredVersion = "2.4.0.0"; },
    @{ModuleName = "SqlServerDsc"; RequiredVersion = "12.1.0.0"; },
    @{ModuleName = "WindowsDefenderDsc"; RequiredVersion = "1.0.0.0"; },
    @{ModuleName = "xWebAdministration"; RequiredVersion = "2.5.0.0"; },
    @{ModuleName = "xDnsServer"; RequiredVersion = "1.11.0.0"; },
    @{ModuleName = "PowerSTIG"; RequiredVersion = "3.3.0"}
)

foreach ($dep in $Dependencies)
{
    # Azure Automation pulls the module package directly from the PowerShell Gallery
    # using the versioned NuGet package URI as the content link.
    $galleryRepoUri = "https://www.powershellgallery.com/api/v2/package/" + $dep.ModuleName + "/" + $dep.RequiredVersion
    $galleryRepoUri
    New-AzAutomationModule -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName -Name $dep.ModuleName -ContentLink $galleryRepoUri
}
#endregion
```
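New-AzAutomationModule only queues the import and returns immediately, so a module can be submitted before the dependency it needs has finished provisioning. The following is an added example (not code from the PowerSTIG project or from this page) that imports the same module list but waits for each module to report a terminal provisioning state before submitting the next one; it assumes an already authenticated Az session and treats the ProvisioningState values Succeeded and Failed as terminal.

```powershell
# Added example, not code from the PowerSTIG project or this page. New-AzAutomationModule only
# queues the import; this script waits for each module to reach a terminal provisioning state
# before queueing the next one so that PowerSTIG is never imported ahead of its dependencies.
# Assumes an authenticated Az session (Add-AzAccount) and the Az.Automation module.
[CmdletBinding()]
param
(
    [parameter(Mandatory = $true)] [string]$resourceGroupName,
    [parameter(Mandatory = $true)] [string]$automationAccountName,
    [int]$timeoutMinutes = 20
)

function Wait-AutomationModuleImport
{
    param([string]$Name, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do
    {
        Start-Sleep -Seconds 20
        $module = Get-AzAutomationModule -ResourceGroupName $resourceGroupName `
            -AutomationAccountName $automationAccountName -Name $Name
        Write-Verbose ("{0}: {1}" -f $Name, $module.ProvisioningState)
        # 'Succeeded' and 'Failed' are treated as the terminal states (assumption); anything else is still in progress.
        if ($module.ProvisioningState -eq 'Failed') { throw "Import of $Name failed in Azure Automation." }
    }
    while ($module.ProvisioningState -ne 'Succeeded' -and (Get-Date) -lt $deadline)
    if ($module.ProvisioningState -ne 'Succeeded') { throw "Import of $Name timed out after $TimeoutMinutes minutes." }
}

# Same module versions the page lists; PowerSTIG stays last because it depends on all of the others.
$modules = [ordered]@{
    'AuditPolicyDsc' = '1.2.0'; 'AuditSystemDsc' = '1.0.0'; 'AccessControlDsc' = '1.4.0'
    'ComputerManagementDsc' = '6.2.0'; 'FileContentDsc' = '1.1.0.108'; 'PolicyFileEditor' = '3.0.1'
    'PSDscResources' = '2.10.0.0'; 'SecurityPolicyDsc' = '2.4.0.0'; 'SqlServerDsc' = '12.1.0.0'
    'WindowsDefenderDsc' = '1.0.0.0'; 'xWebAdministration' = '2.5.0.0'; 'xDnsServer' = '1.11.0.0'
    'PowerSTIG' = '3.3.0'
}

foreach ($entry in $modules.GetEnumerator())
{
    $uri = "https://www.powershellgallery.com/api/v2/package/$($entry.Key)/$($entry.Value)"
    New-AzAutomationModule -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName `
        -Name $entry.Key -ContentLink $uri | Out-Null
    Wait-AutomationModuleImport -Name $entry.Key -TimeoutMinutes $timeoutMinutes
}
```

Run it with -Verbose to see each module's provisioning state as it is polled; a module that ends in Failed stops the script before anything that depends on it is submitted.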
The following PowerShell script imports a DSC configuration file (for example, a configuration that calls the PowerSTIG composite resources) into an existing Azure Automation account.

```powershell
[CmdletBinding()]
param
(
    [parameter(mandatory=$true)]
    [string]$resourceGroupName,
    [parameter(mandatory=$true)]
    [string]$automationAccountName,
    # Local path to the .ps1 file containing the DSC configuration to import
    [parameter(mandatory=$true)]
    [string]$sourcePath
)

try
{
    # -Force overwrites an existing configuration of the same name in the automation account
    Import-AzAutomationDscConfiguration -AutomationAccountName $automationAccountName -ResourceGroupName $resourceGroupName -SourcePath $sourcePath -Force
}
catch
{
    Write-Error -Message $_.Exception
    throw $_.Exception
}
```
For additional details on the Import-AzAutomationDscConfiguration cmdlet, please reference the following link: https://docs.microsoft.com/en-us/powershell/module/az.automation/import-azautomationdscconfiguration?view=azps-2.6.0
To onboard a machine for management by Azure Automation State Configuration, please reference the following documentation: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding
Data from Azure State Configuration can be forwarded to Log Analytics. The following documentation provides the steps required to configure log forwarding for DSC configurations: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-diagnostics
Once the data is in Log Analytics, the following queries can be used to find non-compliant resources (replace the bracketed placeholders with your own configuration and node names):
- Find all resources that are not compliant

```kusto
AzureDiagnostics
| where DscResourceStatus_s != "Compliant"
| summarize count() by tostring(DscResourceId_s), DscModuleName_s, bin(TimeGenerated, 4h)
```

- Find all DSC resources that are not compliant for a given node

```kusto
AzureDiagnostics
| where DscResourceStatus_s == "NotCompliant"
| where DscConfigurationName_s == "<DSC CONFIGURATION NAME>"
| where NodeName_s == "<NODE NAME>"
| distinct NodeName_s, DscResourceId_s, DscResourceStatus_s
```