
Too many warnings!

Open General-Fault opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

Warnings were recently added for 'skipped' rules. And another pair of warnings were added to inform the user that DISA IDs had changed. Both of these generate unwanted noise when generating configuration documents.

In our case (and I suspect in many cases), the user generating the configuration document is not the developer. The new warnings scare and confuse them and cause unwanted support requests and headache for the developer.

The 'skipped' rules are skipped intentionally - in our case because many conflict with other configuration such as those between IIS and SqlServer (see V-213967 and V-218821). The warnings may be useful while developing the configuration. But after that, they are a nuisance.

The warning about the new DISA IDs was likewise useful during development until all of the IDs in the configuration had been updated. Now it is simply a nuisance.

Describe the solution you'd like

Ideally a variable would be set or passed to the configuration that would enable warnings that could be used during the development phase.

Describe alternatives you've considered

I've attempted to set the $WarningPreference variable and pass -WarningAction SilentlyContinue to the configuration. This does not have any effect. I don't know if this is because our configuration is broken up into 'fragments' that are included in a master configuration document. But putting it all in one file is not feasible due to configuration size.

Additional context

Skipped rule warning:

WARNING: IIS_10-0_Site_STIG: V-218762/WebAppPoolRule/medium will be Skipped as specified by the configuration

DISA Id change warning:

WARNING: With DISA's Quarterly Release (October 2020), rule Ids have changed.
WARNING: For more information, please visit https://aka.ms/PowerStigDisaChanges

General-Fault, Mar 19 '21 00:03

The DISA warning will eventually go away, once there are no longer STIGs with legacy Ids present in PowerSTIG. The warnings for Skip rules are necessary due to the fact that empty org settings will cause a rule to be skipped and notifying the user of the skip is needed.

bcwilhite, Mar 22 '21 19:03

Also, for what it's worth, if you don't care to capture any output, you could do the following:

DscConfigurationName 3>&1 | Out-Null

bcwilhite, Mar 22 '21 19:03

There is a warning for empty org settings. But I wasn't referring to that. The warning in question is for rules that are added to the "Skip" parameter. These are intentionally skipped, and presumably a warning is unnecessary.

Thank you for the suggestion about using redirection to hide the warnings. It hadn't occurred to me to try cmd-style stream redirection. I'll give it a shot.

General-Fault, Mar 25 '21 16:03

I agree that warnings should be able to be suppressed for rules that are intentionally skipped. For example, I'm currently working through setting up a valid configuration for Server 2019 Core. 2019 Core doesn't have the MitigationConfiguration.dll so all the rules with a ProcessMitigationRule type fail to run. Skipping that rule type obviously generates a ton of warnings so suppressing those while still keeping the necessary warnings would be nice.

camusicjunkie, Apr 07 '21 23:04
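An added example, not part of the thread and not PowerSTIG code: one way to drop only the intentional-skip warnings while keeping every other warning and the normal output, by merging stream 3 into the pipeline and filtering the WarningRecord objects. Invoke-SampleConfiguration and Remove-SkipWarning are hypothetical names, the second warning and the output string are constructed, and the approach assumes the warnings reach the caller's warning stream as the redirection suggested above implies.

```powershell
# Hypothetical stand-in for the call that compiles the DSC configuration.
function Invoke-SampleConfiguration {
    [CmdletBinding()]
    param()
    # Warning text copied from the issue above.
    Write-Warning 'IIS_10-0_Site_STIG: V-218762/WebAppPoolRule/medium will be Skipped as specified by the configuration'
    # Constructed warning standing in for any message that must stay visible.
    Write-Warning 'Constructed example: a warning the operator still needs to see'
    # Constructed success-stream output.
    'localhost.mof'
}

# Hypothetical filter: swallows warnings matching $Pattern, re-emits all other
# warnings on the warning stream, and passes non-warning objects through untouched.
function Remove-SkipWarning {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        $InputObject,

        [string] $Pattern = 'will be Skipped as specified by the configuration$'
    )
    process {
        if ($InputObject -is [System.Management.Automation.WarningRecord]) {
            if ($InputObject.Message -notmatch $Pattern) {
                Write-Warning $InputObject.Message
            }
        }
        else {
            $InputObject
        }
    }
}

# 3>&1 turns each warning into a WarningRecord in the pipeline, so it can be
# inspected instead of being discarded wholesale with Out-Null.
$result = Invoke-SampleConfiguration 3>&1 | Remove-SkipWarning
$result
```

Because the suppressed rules no longer appear in the operator's console, the Skip list itself should stay reviewable in the configuration source so that an unintended skip is still caught.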