The purpose of this post is to walk through the available automated options to deploy VM’s that are compliant with DISA Stig standards.
General knowledge of Azure Virtual Machines, DISA Stigs, and automation will be very helpful.
Many organizations and US Government agencies are well aware of DISA Stigs and the process they have used to apply those settings in order to be compliant with the Stig standards. For many years many tools have been used to deploy, audit, and enforce the settings/compliance. Most, if not all, of those tools can still be used for the same reasons on Azure Virtual Machines. With all of the growing capabilities of the Azure Cloud, we will be focusing on the options available more specifically for Azure.
PowerStig (PowerStig GitHub Project)
One of the first things that you need to know about on this subject is PowerStig. PowerStig is a GitHub project that by its own definition: “PowerStig is a PowerShell module that contains several components to automate different DISA Security Technical Implementation Guides (STIGs) where possible.”. PowerStig heavily uses Desired State Configuration (Desired State Configuration for Azure overview - Azure Virtual Machines | Microsoft Docs) as its underlying technology to carry out the measurement/enforcement of the Stig settings. A little more context on PowerStig is that it can help you automate many things with Stigs, including: deploy VM Image with Stig settings, apply Stig settings to an existing VM, apply Stig settings one-time or long-term enforcement, documenting Stig checklists, and many other helpful things. For the full detail on PowerStig, see the project on Github here: https://github.com/microsoft/PowerStig/wiki.
Now that we know about PowerStig, the next piece of technology you need to know is the GitHub Project called the Azure ATO Toolkit, found here: https://github.com/Azure/ato-toolkit. The ATO Toolkit has a lot of great tools that will help you more easily achieve ATO attainment, but this post will focus more directly on the Stig part of the ATO Toolkit called the Azure Stig Solution Templates, found here: https://github.com/Azure/ato-toolkit/tree/master/stig. The Stig component of the ATO Toolkit focuses on the Azure Stig Solution Templates for Azure VM’s. Simply put, this set of source code will help you to deploy Azure VM’s with DISA Stigs applied to them at build time. This set of source code will show you how to deploy a new VM with Stigs or apply the Stigs to an existing VM, among other useful things. DISA Stig Templates are updated quarterly. The Azure Stig Solution Templates in this Github project will help you deploy these Stig templates that will be kept updated to within 60 days of the DISA quarterly release. So within 60 days of Stig settings being released by DISA (quarterly), the Azure Stig Solution Templates will be updated as well.
Azure Stig Templates for Windows (Azure Portal)
The last method that we will be talking about here is the “Azure Stig Templates for Windows” feature that is now available for Preview in the Azure Portal in Commercial and Azure Government. This solution is used directly in the Azure Portal. It works the same as the Azure Stig Solution Templates solution from GitHub (part of the ATO Toolkit). The reason it works the same is because it is the same solution. The Azure Portal uses the same code base from the Azure Stig Solution Templates in GitHub. Whether you build your VM from the Portal Stig option or from that GitHub project, the result should be the same. The GitHub project does currently offer more customization options and features, but the VM build is the same.
Now it is very normal to wonder how this all works. The fact is that both the Azure Stig Solution Templates GitHub Project AND the preview feature “Azure Stig Templates for Windows” in the Azure Portal both rely on the PowerStig GitHub Project to apply the settings. These two solutions provide a more streamlined, simple solution as opposed to using PowerStig directly, but they leverage PowerStig to make it happen. PowerStig can do many more powerful things on its own, but both of the other solutions do make it extremely easy for users to deploy VM’s with Stig settings “out of the box”. Below is a brief breakdown of some features/functionality of the three described solutions:
Measuring and reporting compliance of Stigs is a well-known component of managing an environment. As mentioned in this post, all existing tools should have no issue working for resources in Azure. With all of these cloud-based solutions for deployment, here are some cloud-based options for doing the same.
PowerStig with Azure Automation is a separate GitHub project that provides a process to provide reporting/visualization of the DSC data, which can show Stig compliance status. This project shows how to configure your environment to use Azure Automation with PowerStig/DSC, send compliance data to Log Analytics, and how to report on that compliance data. This project can be found here: PowerSTIG with Azure Automation · microsoft/PowerStig Wiki (github.com).