Merge pull request #21 from xoap-io/dev
Feat: added STIG August 2023 configurations
ssokolic committed Oct 13, 2023
2 parents 96e3d44 + c33b120 commit e403844
Showing 183 changed files with 31,822 additions and 6,378 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/commit-message-validator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ jobs:
commitlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@v5
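Review bot: Both `uses:` lines in this job reference mutable tags (`actions/checkout@v4`, `wagoid/commitlint-github-action@v5`), so whoever can move those tags changes the code this workflow runs. Consider pinning each action to a full commit SHA with the version in a trailing comment and letting Dependabot raise the bumps; the same applies to the `actions/checkout@v4` bumps in the other workflow files of this commit.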
2 changes: 1 addition & 1 deletion .github/workflows/dependabot.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1.4.0
uses: dependabot/fetch-metadata@v1.6.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Approve a PR
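Review bot: `dependabot/fetch-metadata@v1.6.0` feeds the `Approve a PR` step that follows, so this tag bump changes code that sits in front of an approval made with `secrets.GITHUB_TOKEN`. The visible lines do not show what the approval is conditioned on; please confirm it is gated on the metadata output (for example the update type) and on the PR author being Dependabot, and pin the action to a commit SHA.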
18 changes: 1 addition & 17 deletions .github/workflows/megalinter.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,23 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: MegaLinter
id: ml
uses: megalinter/megalinter/flavors/terraform@v6
env:
VALIDATE_ALL_CODEBASE: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DISABLE: COPYPASTE,SPELL
DISABLE_LINTERS: TERRAFORM_TERRASCAN
- name: Archive production artifacts
if: ${{ success() }} || ${{ failure() }}
uses: actions/upload-artifact@v3
with:
name: MegaLinter reports
path: |
report
mega-linter.log
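Review bot: Going by the file summary (1 addition, 17 deletions), the `MegaLinter` and `Archive production artifacts` steps are dropped and only `Checkout Code` remains, which leaves a job that checks out the full history with `secrets.PAT || secrets.GITHUB_TOKEN` and then does nothing. If linting is being retired, delete the workflow file rather than keeping a token-bearing no-op. If it is not, keep the steps and replace `if: ${{ success() }} || ${{ failure() }}` with `if: success() || failure()`, because the original form evaluates to a non-empty string and is therefore always true.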
2 changes: 1 addition & 1 deletion .github/workflows/tagging.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
fetch-depth: 0
1 change: 0 additions & 1 deletion .idea/misc.xml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

38 changes: 22 additions & 16 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,15 @@ Please check the links for more info, including usage information and full docum
- [Twitter](https://twitter.com/xoap_io)
- [LinkedIn](https://www.linkedin.com/company/xoap_io)

This repository hosts some of the most common DSC configurations that we use in our projects.

You will find the following DSC configurations in this repository:

- Citrix infrastructure and Citrix optimizer configurations
- DoD STIG configurations
- general Windows configurations
- Microsoft security baseline configurations

---

## Disclaimer
Expand All @@ -36,7 +45,7 @@ Please check the links for more info, including usage information and full docum

Be sure to always test any of those configurations in separated test environment and test clients and servers.

>Some of the available DSC configurations make severe changes to security-related configurations and could leave your Windows operating system in an unusable state.
> Some of the available DSC configurations make severe changes to security-related configurations and could leave your Windows operating system in an unusable state.
So please test once, twice or trice.
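Review bot: The context line after the reworked blockquote still reads `So please test once, twice or trice.`; `trice` should be `thrice`, and because it directly follows the `>` line without a blank line, Markdown folds it into the quote as a lazy continuation. Since this hunk already touches the quote, fix the spelling here and either prefix the line with `>` or separate it with a blank line, and change `in separated test environment` to `in a separate test environment` while at it.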

Expand Down Expand Up @@ -116,15 +125,13 @@ You can download it [here](https://www.microsoft.com/en-us/download/details.aspx

A typical DSC configuration looks like this:

```
Configuration MSTF_SecurityBaseline_Edge_v107_Computer
```PowerShell
Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'
Import-DSCResource -ModuleName 'AuditPolicyDSC' -ModuleVersion '1.4.0.0'
Import-DSCResource -ModuleName 'SecurityPolicyDSC' -ModuleVersion '2.10.0.0'
Node MSTF_SecurityBaseline_Edge_v107_Computer
Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
{
Expand All @@ -136,19 +143,20 @@ Configuration MSTF_SecurityBaseline_Edge_v107_Computer
}
}
}
MSTF_SecurityBaseline_Edge_v107_Computer -OutputPath 'C:\MSTF_SecurityBaseline_Edge_v107_Computer'
```

In order to compile this example, you need to take care that all the referenced DSC modules are available locally.

You can check availability with:

```
```PowerShell
Get-DcsResource
```

If DSC modules are missing, you can install them simply by e.g. running:

```
```PowerShell
Install-Module SecurityPolicyDSC
```
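Review bot: The fence this hunk retags as `PowerShell` still wraps `Get-DcsResource`, which is a typo for `Get-DscResource`, so the documented availability check fails as written. Please fix it in this change, and consider showing `Install-Module SecurityPolicyDSC` with `-RequiredVersion` so the installed module matches the `-ModuleVersion` that the configurations import.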

Expand All @@ -160,15 +168,13 @@ and that you have to trust the PSGallery to be able to install the DSC modules.
Defining the versions of the modules could look like this:

```
Configuration MSTF_SecurityBaseline_Edge_v107_Computer
```PowerShell
Configuration 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0' -ModuleVersion '1.2.0'
Import-DSCResource -ModuleName 'AuditPolicyDSC' -ModuleVersion '1.4.0.0' -ModuleVersion '1.4.0.0'
Import-DSCResource -ModuleName 'SecurityPolicyDSC' -ModuleVersion '2.10.0.0' -ModuleVersion '2.1.0.0'
Node MSTF_SecurityBaseline_Edge_v107_Computer
Node 'MSTF_SecurityBaseline_Edge_v107_Computer'
{
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\Edge\SitePerProcess'
{
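Review bot: The three `Import-DSCResource` context lines in this example pass `-ModuleVersion` twice, which PowerShell does not accept for a single parameter, and the `SecurityPolicyDSC` line gives two different versions (`'2.10.0.0'` and `'2.1.0.0'`). Since the hunk is already editing this block, drop the duplicate parameter and keep one version per module so the README states unambiguously which module version the baseline was built against.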
Expand All @@ -185,7 +191,7 @@ Configuration MSTF_SecurityBaseline_Edge_v107_Computer
So now that all DSC modules are available and the module versions are defined,
you need to run the following command in your Powershell to compile it locally:

```
```PowerShell
. PATHTOYOURSCRIPT\MSTF_SecurityBaseline_Edge_v107_Computer.ps1
MSTF_SecurityBaseline_Edge_v107_Computer
```
Expand All @@ -194,7 +200,7 @@ You should now have a localhost.mof file in this location.

The last step is to apply this configuration to your local host:

```
```PowerShell
Start-DscConfiguration -Path PATHTOYOURCONFIGURATION\MSTF_SecurityBaseline_Edge_v107_Computer -Verbose -Wait
```

Expand All @@ -204,4 +210,4 @@ Start-DscConfiguration -Path PATHTOYOURCONFIGURATION\MSTF_SecurityBaseline_Edge_

### Usage in XOAP and config.XO

Refer to our documentation [here](https://docs.xoap.io/configuration-management/quickstarts/add-configurations/)
Refer to our documentation [here](https://docs.xoap.io/configuration-management/)
Original file line number Diff line number Diff line change
@@ -0,0 +1,222 @@
Configuration 'DoD_Adobe_Acrobat_Pro_DC_Continuous_STIG_Computer_V2R1'
{
Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
Import-DSCResource -ModuleName 'GPRegistryPolicyDsc' -ModuleVersion '1.2.0'
Import-DSCResource -ModuleName 'AuditPolicyDSC' -ModuleVersion '1.4.0.0'
Import-DSCResource -ModuleName 'SecurityPolicyDSC' -ModuleVersion '2.10.0.0'

Node 'DoD_Adobe_Acrobat_Pro_DC_Continuous_STIG_Computer_V2R1'
{
RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Adobe\Adobe Acrobat\DC\Installer\DisableMaintenance'
{
ValueName = 'DisableMaintenance'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Adobe\Adobe Acrobat\DC\Installer'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bEnhancedSecurityStandalone'
{
ValueName = 'bEnhancedSecurityStandalone'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bEnhancedSecurityInBrowser'
{
ValueName = 'bEnhancedSecurityInBrowser'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\iFileAttachmentPerms'
{
ValueName = 'iFileAttachmentPerms'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bEnableFlash'
{
ValueName = 'bEnableFlash'
ValueData = 0
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bDisableTrustedFolders'
{
ValueName = 'bDisableTrustedFolders'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bProtectedMode'
{
ValueName = 'bProtectedMode'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\iProtectedView'
{
ValueName = 'iProtectedView'
ValueData = 2
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bDisablePDFHandlerSwitching'
{
ValueName = 'bDisablePDFHandlerSwitching'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\bDisableTrustedSites'
{
ValueName = 'bDisableTrustedSites'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cCloud\bAdobeSendPluginToggle'
{
ValueName = 'bAdobeSendPluginToggle'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cCloud'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cCloud\bDisableADCFileStore'
{
ValueName = 'bDisableADCFileStore'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cCloud'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms\iUnknownURLPerms'
{
ValueName = 'iUnknownURLPerms'
ValueData = 3
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms\iURLPerms'
{
ValueName = 'iURLPerms'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cServices\bTogglePrefsSync'
{
ValueName = 'bTogglePrefsSync'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cServices'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cServices\bToggleWebConnectors'
{
ValueName = 'bToggleWebConnectors'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cServices'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cSharePoint\bDisableSharePointFeatures'
{
ValueName = 'bDisableSharePointFeatures'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cSharePoint'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cWebmailProfiles\bDisableWebmail'
{
ValueName = 'bDisableWebmail'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cWebmailProfiles'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cWelcomeScreen\bShowWelcomeScreen'
{
ValueName = 'bShowWelcomeScreen'
ValueData = 0
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cWelcomeScreen'
}

RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\DC\Installer\DisableMaintenance'
{
ValueName = 'DisableMaintenance'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\DC\Installer'
}

<#RegistryPolicyFile 'Registry(POL): HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\bFIPSMode'
{
ValueName = 'bFIPSMode'
ValueData = 1
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral'
}#>

<#RegistryPolicyFile 'Registry(POL): HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\Security\cDigSig\cAdobeDownload\bLoadSettingsFromURL'
{
ValueName = 'bLoadSettingsFromURL'
ValueData = 0
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\Security\cDigSig\cAdobeDownload'
}#>

<#RegistryPolicyFile 'Registry(POL): HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\Security\cDigSig\cEUTLDownload\bLoadSettingsFromURL'
{
ValueName = 'bLoadSettingsFromURL'
ValueData = 0
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\Security\cDigSig\cEUTLDownload'
}#>

RefreshRegistryPolicy 'ActivateClientSideExtension'
{
IsSingleInstance = 'Yes'
}
}
}
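Review bot: The three commented-out `HKCU` blocks (`bFIPSMode` and the two `bLoadSettingsFromURL` entries) carry `TargetType = 'ComputerConfiguration'` and a `Key` that starts with `HKCU:\`, unlike the active entries, whose `Key` has no hive prefix. Uncommenting them as written would target the machine policy rather than the user hive, so either correct them to `TargetType = 'UserConfiguration'` with the prefix removed from `Key`, or delete them and document that these user-scope STIG settings are not enforced by this configuration. Separately, `AuditPolicyDSC` and `SecurityPolicyDSC` are imported at the top but no resource from either module is used in this file; dropping the unused imports removes two module dependencies from compilation.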
