STIG Automation using Chef on AWS and Azure

Introduction

The Defense Information Systems Agency (DISA) provides a standard for maintaining the security posture of Department of Defense (DoD) IT infrastructure. DISA accomplishes this task by developing and using Security Technical Implementation Guides, or “STIGs.”

DISA Security Technical Implementation Guides (STIGs) for Windows OS:

https://iase.disa.mil/stigs/os/windows/Pages/index.aspx

STIGs are nothing more than alternate configurations that make commonly used applications more secure. All DoD IT assets must meet STIG compliance in some fashion before they are allowed to operate on DoD networks. The purpose of STIGs is obvious: the default configurations of many applications are inadequate in terms of security, so DISA developed a security standard for these applications that lets the various DoD agencies apply the same standard – or STIG – across every instance of an application.

Solution

The STIG automation solution in this repo is implemented with Chef. It mainly uses Chef templates together with dynamically generated attributes (derived from the STIG rules provided in a .yml file) to generate the desired configuration files from those rules. Finally, the desired security configuration is applied to the Windows OS.
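As an added example (not the repository's own cookbook code), here is the rules-to-attributes-to-template flow described above in plain Ruby, so it runs without a Chef client. The YAML rule file, the rule IDs and the secedit-style policy template are constructed for illustration, and build_attributes and render_policy are hypothetical names.

```ruby
require 'yaml'
require 'erb'

# Constructed sample of the kind of STIG rule file the cookbook would read.
# Each rule names a section of a secedit-style policy file, a key and a value.
STIG_RULES_YAML = <<~'YAML'
  rules:
    - id: EXAMPLE-0001
      section: "System Access"
      key: MinimumPasswordLength
      value: 14
    - id: EXAMPLE-0002
      section: "System Access"
      key: LockoutBadCount
      value: 3
    - id: EXAMPLE-0003
      section: "Registry Values"
      key: 'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse'
      value: "4,1"
YAML

# Stand-in for a Chef template resource: an ERB template driven by attributes.
POLICY_TEMPLATE = <<~'ERB'
  [Unicode]
  Unicode=yes
  <% sections.each do |name, settings| -%>
  [<%= name %>]
  <% settings.each do |key, value| -%>
  <%= key %> = <%= value %>
  <% end -%>
  <% end -%>
  [Version]
  signature="$CHICAGO$"
  Revision=1
ERB

# Turns the rule list into the nested attribute hash the template consumes,
# mirroring what a recipe would assign under node.default[...]. Duplicate
# keys are rejected so two rules cannot silently fight over one setting.
def build_attributes(rules_yaml)
  rules = YAML.safe_load(rules_yaml).fetch('rules')
  rules.each_with_object(Hash.new { |h, k| h[k] = {} }) do |rule, sections|
    section = sections[rule.fetch('section')]
    key = rule.fetch('key')
    raise "duplicate setting #{key} (rule #{rule['id']})" if section.key?(key)
    section[key] = rule.fetch('value')
  end
end

# Renders the policy file text from the attributes, as the template would.
def render_policy(sections)
  ERB.new(POLICY_TEMPLATE, trim_mode: '-').result_with_hash(sections: sections)
end

puts render_policy(build_attributes(STIG_RULES_YAML)) if $PROGRAM_NAME == __FILE__
```

In the real cookbook the rendered text would be written by a template resource and then applied with the platform's policy tooling; here it is only returned so the mapping from rules to configuration is visible.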

Development Environment Setup

  • Install ChefDK
  • For AWS:
    • Install the AWS command line tools.
    • Run aws configure. This sets up your AWS credentials for both the AWS CLI tools and kitchen-ec2.
    • Create the entries required by kitchen.yml in the AWS portal to create/converge an EC2 instance, and update the kitchen.yml file for AWS below.
  • For Azure:
    • Install the kitchen-azurerm driver on your workstation manually, and update the kitchen.yml file for Azure below.

kitchen.yml for AWS

kitchen.yml for Azure

Apply cookbook on AWS or Azure using Test Kitchen

Test Kitchen enables us to run cookbooks in a temporary environment that resembles production. With Test Kitchen, we confirm that things are working before we deploy code to a test, preproduction, or production environment.

  • Below is the Test Kitchen workflow for testing cookbooks:
    • kitchen create – creates an instance of the virtual environment, for example a Windows Server virtual machine.
    • kitchen converge – applies the cookbook to the virtual environment.
    • kitchen login – connects to the virtual environment, typically over Remote Desktop or WinRM.
    • kitchen verify – manually verify that the virtual environment is configured as expected.
    • kitchen destroy – shuts down and destroys the virtual environment.