Skip to content

Commit

Permalink
Merge pull request #20 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Linting and Issue fixes
  • Loading branch information
uk-bolly authored May 26, 2021
2 parents eeb1222 + a773697 commit 7f75b72
Show file tree
Hide file tree
Showing 15 changed files with 4,111 additions and 3,869 deletions.
11 changes: 11 additions & 0 deletions .ansible-lint
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
parseable: true
quiet: true
skip_list:
- '204'
- '305'
- '303'
- '403'
- '306'
- '602'
use_default_rules: true
verbosity: 0
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
Expand Down
20 changes: 20 additions & 0 deletions .yamllint
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
ignore: |
tests/
molecule/
.gitlab-ci.yml
*molecule.yml

extends: default

rules:
indentation:
spaces: 4
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
15 changes: 15 additions & 0 deletions CONTRIBUTING.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,21 @@
Contributing to MindPoint Group Projects
========================================

Rules
-----
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
3) All work is done in your own branch or own fork
4) Pull requests
a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
5) Be open and nice to each other

Workflow
--------
- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
- All community Pull Requests are into the devel branch (from forked repos they go to staging before devel). There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
Signing your contribution
-------------------------

Expand Down
60 changes: 57 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,65 @@
Windows Server 2016 CIS
=========
![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2016-CIS?style=plastic)

Configure a Windows Server 2016 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) v1.2.0 compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix

Caution(s)
-------
This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.

To use release version please point to main branch
Based on [CIS Windows Server 2016 Benchmark ](https://community.cisecurity.org/collab/public/index.php).

Documentation
-------------
[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
[Wiki](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki)<br>
[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2016-CIS/)<br>

Configure a Windows Server 2016 system to be CIS compliant.

This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v).

Requirements
------------

Windows Server 2016 - Other versions are not supported.
**General:**
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables).

**Technical Dependencies:**
- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
- Python3 Ansible run environment

Role Variables
--------------

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.

Branches
--------

- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
- **main** - This is the release branch
- **reports** - This is a protected branch for our scoring reports, no code should ever go here
- **gh-pages** - This is the github pages branch
- **all other branches** - Individual community member branches

Community Contribution
----------------------

We encourage you (the community) to contribute to this role. Please read the rules below.

- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
25 changes: 0 additions & 25 deletions Vagrantfile

This file was deleted.

30 changes: 19 additions & 11 deletions defaults/main.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
---
section01_patch: yes
section02_patch: yes
section09_patch: yes
section17_patch: yes
section18_patch: yes
section19_patch: yes
section01_patch: true
section02_patch: true
section09_patch: true
section17_patch: true
section18_patch: true
section19_patch: true

min_ansible_version: "2.6"

Expand Down Expand Up @@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true
# tweak role to run in a non-privileged container
system_is_container: no

#set to false to skip tasks that either have not been developed or cannot be automated
# set to false to skip tasks that either have not been developed or cannot be automated
is_implemented: false

#set to false to skip long running tasks
# set to false to skip long running tasks
long_running: false

win_skip_for_test: false
Expand Down Expand Up @@ -89,8 +89,8 @@ rule_2_2_27: true
rule_2_2_28: true
rule_2_2_29: true
rule_2_2_30: true
rule_2_2_31: true
rule_2_2_32: true
rule_2_2_31: true
rule_2_2_32: true
rule_2_2_33: true
rule_2_2_34: true
rule_2_2_35: true
Expand Down Expand Up @@ -439,6 +439,14 @@ rule_19_7_26_1: true
rule_19_7_41_1: true
rule_19_7_45_2_1: true

# Section 2 Variables
# Control 2.3.1.5
# win16cis_admin_username is the name the administrator account will be renamed to
win16cis_admin_username: ChangeThis

# Control 2.3.1.6
# win16cis_guest_username is the name the guest account will be renamed to
win16cis_guest_username: GuestChangeThis

# This SID is the same for standalone, member, domain controller for 'Administrators' group
sedebugprivilege: "*S-1-5-32-544"
Expand Down Expand Up @@ -506,4 +514,4 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
# 9.3.8
# public_firewall_log_size is the size of the log file
# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
public_firewall_log_size: 16,384
public_firewall_log_size: 16,384
3 changes: 2 additions & 1 deletion meta/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,11 @@ galaxy_info:
description: "Ansible role to apply Windows Server 2016 CIS Benchmark"
company: "MindPoint Group"
license: MIT
role_name: windows_2016_cis
min_ansible_version: 2.6

platforms:
- name: Windows Server
- name: Windows
versions:
- 2016

Expand Down
1 change: 0 additions & 1 deletion site.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,3 @@

roles:
- role: "{{ playbook_dir }}"
system_is_container: "{{ is_container | default(false) }}"
91 changes: 46 additions & 45 deletions tasks/section01.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,10 @@
value: "{{ passwordhistorysize }}"
when: rule_1_1_1
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.1
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.1
- patch

- name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
block:
Expand All @@ -38,10 +38,10 @@
value: "{{ maximumpasswordage }}"
when: rule_1_1_2
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.2
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.2
- patch

- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
block:
Expand All @@ -60,10 +60,10 @@
value: "{{ minimumpasswordage }}"
when: rule_1_1_3
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.3
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.3
- patch

- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
block:
Expand All @@ -82,10 +82,10 @@
value: "{{ minimumpasswordlength }}"
when: rule_1_1_4
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.4
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.4
- patch

- name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
win_security_policy:
Expand All @@ -94,35 +94,35 @@
value: 1
when: rule_1_1_5
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.5
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.5
- patch

- name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
win_security_policy:
section: System Access
key: ClearTextPassword
value: "0"
section: System Access
key: ClearTextPassword
value: "0"
when: rule_1_1_6
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.1.6
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.1.6
- patch

#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
- name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
win_security_policy:
section: System Access
key: LockoutBadCount
value: "{{ lockoutbadcount }}"
when: rule_1_2_2
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.2.2
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.2.2
- patch

- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
block:
Expand All @@ -136,17 +136,18 @@

- name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ lockoutduration }}"
section: System Access
key: LockoutDuration
value: "{{ lockoutduration }}"
when:
- rule_1_2_1
- is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- rule_1_2_1
# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- is_implemented
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.2.1
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.2.1
- patch

- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
block:
Expand All @@ -165,7 +166,7 @@
value: "{{ resetlockoutcount }}"
when: rule_1_2_3
tags:
- level1-domaincontroller
- level1-memberserver
- rule_1.2.3
- patch
- level1-domaincontroller
- level1-memberserver
- rule_1.2.3
- patch
Loading

0 comments on commit 7f75b72

Please sign in to comment.