# CustomizingRules

PowerSTIG provides two common ways to customize behavior in a baseline:

- `SkipRule`: mark specific STIG rules as skipped (not enforced).
- `OrgSettings`: override organization-specific values while keeping the rules enforced.
Use `SkipRule` only when a rule is intentionally not enforced in your environment (for example, an approved risk acceptance, a technical exception, or an out-of-scope requirement).

At compile time, PowerSTIG marks the listed rule IDs as skipped in the generated MOF. These rules still appear in the MOF (typically with a `[Skip]` marker in the `ResourceID`) but are represented as non-enforcing resources.

In practice, skipped entries are commonly emitted as script-based resources that always pass (`TestScript` returns `$true`), so no setting is applied for that rule.
```powershell
Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.29.0

    Node localhost
    {
        WindowsClient Win11-Baseline
        {
            StigVersion = '2.6'
            OsVersion   = '11'
            SkipRule    = 'V-253261', 'V-253445'
        }
    }
}

PowerStig -OutputPath 'c:\temp\mof'
```

Use `OrgSettings` when a STIG rule allows more than one valid value (for example, ranges, allowed options, or organization-defined values) and your organization requires a specific approved setting.
At compile time, PowerSTIG:

- Loads the selected STIG data (`Technology`, `TechnologyVersion`, `StigVersion`).
- Applies the values from `OrgSettings` over the default STIG values.
- Compiles the final configuration into a MOF.
```powershell
$WindowsClientOrgSettings = @{
    'V-253261' = @{ ValueData = '900' }
    'V-253445' = @{ ValueData = '1' }
}

Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.29.0

    Node localhost
    {
        WindowsClient Win11-Baseline
        {
            StigVersion = '2.6'
            OsVersion   = '11'
            OrgSettings = $WindowsClientOrgSettings
        }
    }
}

PowerStig -OutputPath 'c:\temp\mof'
```

- Start from a known-good baseline configuration.
- Use `SkipRule` only for explicitly approved exceptions.
- Add `OrgSettings` entries for rules that need organization-specific values.
- Compile to MOF and review the output.
- Test in a non-production environment before broad deployment.
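The "compile and review" step above is where drift between the approved exception list and what actually got compiled is caught. The following script is an added example, not code from the PowerSTIG wiki or module: it compiles the Windows 11 baseline from this page with one approved skip and one `OrgSettings` value, then audits the generated MOF. It assumes PowerSTIG 4.29.0 is installed, that skipped rules carry a `[Skip]` marker in their `ResourceID` as described above, and that DSC writes the node to `<OutputPath>\localhost.mof`; the output path is a placeholder and the two regular expressions are heuristics over the MOF text rather than a PowerSTIG API.

```powershell
# Added example, not part of the PowerSTIG wiki or module. Compiles the Windows 11
# baseline from this page, then audits the generated MOF against the approved
# exception list and the OrgSettings values. Assumptions: PowerSTIG 4.29.0 is
# installed, skipped rules carry a [Skip] marker in their ResourceID, and DSC
# writes the node to '<OutputPath>\localhost.mof'. Rule IDs and values come from
# the page's examples; the output path is a placeholder.

# Only rules with a documented risk acceptance belong here.
$ApprovedSkips = @('V-253261')

# Organization-defined values for rules that stay enforced.
$Win11OrgSettings = @{
    'V-253445' = @{ ValueData = '1' }
}

# Caveat: a skipped rule is emitted as a non-enforcing resource, so an OrgSettings
# entry for the same rule is silently never applied. Flag that before compiling.
foreach ($id in $ApprovedSkips) {
    if ($Win11OrgSettings.ContainsKey($id)) {
        Write-Warning "$id is both skipped and given an OrgSettings value; the value will not be enforced."
    }
}

Configuration Win11Baseline
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.29.0

    Node localhost
    {
        WindowsClient Win11
        {
            StigVersion = '2.6'
            OsVersion   = '11'
            SkipRule    = $ApprovedSkips
            OrgSettings = $Win11OrgSettings
        }
    }
}

$MofDir = 'c:\temp\mof'   # placeholder output path
Win11Baseline -OutputPath $MofDir | Out-Null
$mof = Get-Content -Path (Join-Path $MofDir 'localhost.mof') -Raw

# Audit 1: which rules did the compiler actually mark as skipped?
# Pull every ResourceID that carries the [Skip] marker and extract its V-number.
$skippedInMof = [regex]::Matches($mof, 'ResourceID\s*=\s*"([^"]*\[Skip\][^"]*)"') |
    ForEach-Object { [regex]::Match($_.Groups[1].Value, 'V-\d+').Value } |
    Sort-Object -Unique

$unexpected = @($skippedInMof | Where-Object { $_ -notin $ApprovedSkips })
$missing    = @($ApprovedSkips | Where-Object { $_ -notin $skippedInMof })
if ($unexpected) { Write-Warning "Skipped in MOF without approval: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Approved skip not found in MOF (wrong ID, or not in this STIG version?): $($missing -join ', ')" }

# Audit 2: did each OrgSettings value land in the enforcing resource for its rule?
# MOF instances start with 'instance of'; a value may be written as "1" or { "1" }.
$instances = $mof -split '(?=instance of )'
foreach ($id in $Win11OrgSettings.Keys) {
    $expectedValue = $Win11OrgSettings[$id].ValueData
    $idPattern     = 'ResourceID\s*=\s*"[^"]*' + [regex]::Escape($id) + '\b'
    $valuePattern  = 'ValueData\s*=\s*\{?\s*"' + [regex]::Escape($expectedValue) + '"'

    $block = $instances |
        Where-Object { $_ -match $idPattern -and $_ -notmatch '\[Skip\]' } |
        Select-Object -First 1

    if (-not $block) {
        Write-Warning "${id}: no enforcing resource found in the MOF"
    }
    elseif ($block -notmatch $valuePattern) {
        Write-Warning "${id}: ValueData does not contain the expected '$expectedValue'"
    }
    else {
        Write-Host "${id}: OrgSettings value verified in the MOF"
    }
}
```

Run it from an elevated PowerShell session on a workstation with the module installed. Treat any "skipped without approval" warning as a finding in its own right: it means the compiled baseline enforces less than the approved exception list allows, which is exactly the gap a post-compile review exists to catch.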