@liveaverage
Created September 27, 2019 18:40
Quick & Dirty Windows PowerStig based on: https://github.com/Microsoft/PowerStig/wiki/DscGettingStarted
---
- name: Windows PowerSTIG
  hosts: all
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: basic
  gather_facts: no
  become: yes
  become_method: runas
  become_user: Administrator
  tasks:
    - name: Install PowerSTIG Modules
      win_psmodule:
        name: "{{ item }}"
        state: present
      loop:
        - NuGet
        - PowerShellGet
        - PowerStig
      tags:
        - psmodules

    - name: Install PowerSTIG prerequisites with specific versions
      win_shell: |
        # Install every module listed in the PowerStig manifest at the version it pins,
        # rather than piping the ModuleSpecification objects straight into Install-Module
        (Get-Module PowerStig -ListAvailable).RequiredModules |
          ForEach-Object { Install-Module -Name $_.Name -RequiredVersion $_.Version -Force }
      tags:
        - psmodules

    - name: PowerSTIG prereqs not necessarily covered in previous task
      win_psmodule:
        name: "{{ item.name }}"
        required_version: "{{ item.version }}"
        state: present
        allow_clobber: yes
      loop:
        - name: AuditPolicyDsc
          version: 1.2.0.0
        - name: SecurityPolicyDsc
          version: 2.4.0.0
        - name: PSDscResources
          version: 2.10.0.0
      tags:
        - psmodules

    - name: Generate PowerSTIG DSC MOF
      win_shell: |
        {{ lookup('template', 'templates/win_stig_dsc.ps.j2') }}
      tags:
        - dsc

    - name: Apply generated PowerSTIG MOF
      win_shell: |
        Start-DscConfiguration -Path C:\Windows\Example -Force -Wait -Verbose
      tags:
        - dsc

liveaverage commented Sep 27, 2019

Accompanying DSC template [win_stig_dsc.ps.j2]

<#
    Use the embedded STIG data with default range values to apply the selected STIG settings.
    In this example, the composite resource loads the 2016 member server STIG at the pinned
    StigVersion (1.9) and applies it to the server; omit StigVersion to use the most recent
    version found locally. The composite resource merges in the default values for any
    settings that have a valid range.
#>
configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2016'
            OsRole      = 'MS'
            StigVersion = '1.9'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
        }
    }
}

# Compile the MOF into the path the playbook applies it from (Start-DscConfiguration -Path C:\Windows\Example)
Example -OutputPath 'C:\Windows\Example'

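Applying a STIG baseline is only half of the job; a host can drift back out of compliance. The play below is an added example that is not part of the gist: it reuses the same WinRM connection variables as the playbook above, runs `Test-DscConfiguration -Detailed` (which reports without changing anything), and fails the run while listing the resources that are no longer in the desired state. The JSON field names `InDesiredState` and `NotInDesiredState` and the fact name `stig_report` are my own choices.

```yaml
---
- name: Verify PowerSTIG baseline compliance
  hosts: all
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: basic
  gather_facts: no
  become: yes
  become_method: runas
  become_user: Administrator
  tasks:
    - name: Test the applied DSC configuration without changing anything
      win_shell: |
        # -Detailed returns per-resource results instead of a single boolean
        $r = Test-DscConfiguration -Detailed -ErrorAction Stop
        [pscustomobject]@{
          InDesiredState    = $r.InDesiredState
          NotInDesiredState = @($r.ResourcesNotInDesiredState | ForEach-Object {
            [pscustomobject]@{ ResourceId = $_.ResourceId; InstanceName = $_.InstanceName }
          })
        } | ConvertTo-Json -Depth 4 -Compress
      register: dsc_test
      changed_when: false
      tags:
        - verify

    - name: Parse the compliance report emitted by the previous task
      set_fact:
        stig_report: "{{ dsc_test.stdout | from_json }}"
      tags:
        - verify

    - name: Show resources that drifted from the STIG baseline
      debug:
        var: stig_report.NotInDesiredState
      when: not stig_report.InDesiredState
      tags:
        - verify

    - name: Fail the run when the host is not in the desired state
      fail:
        msg: "{{ inventory_hostname }} has {{ stig_report.NotInDesiredState | length }} non-compliant STIG resource(s)"
      when: not stig_report.InDesiredState
      tags:
        - verify
```

Run it on a schedule (or right after the `dsc`-tagged tasks) so drift shows up as a failed play rather than at the next audit; `changed_when: false` keeps the check idempotent in reports.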