From b65ca3afaea24da2893dd4d8dc759b07b73b6282 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 19 Mar 2024 13:11:33 -0400 Subject: [PATCH 1/5] From Sep_2023 branch Signed-off-by: Frederick Witty --- .ansible-lint | 4 +++ CONTRIBUTING.rst | 4 +-- ChangeLog.md | 65 +++++++++++++++++++++--------------- LICENSE | 2 +- README.md | 36 +++++++++++--------- collections/requirements.yml | 6 ++++ defaults/main.yml | 23 +++++++------ meta/main.yml | 9 ++--- 8 files changed, 87 insertions(+), 62 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 47f63b5..6d72a4a 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,16 @@ skip_list: - 'schema' - 'no-changed-when' - 'experimental' + - 'fqcn-builtins' + - 'fqcn[action]' - 'name[casing]' - 'name[template]' + - 'name[play]' - 'jinja[spacing]' - 'yaml[line-length]' - 'key-order[task]' - 'var-naming' # Older playbook no new release + - 'var-spacing' - '204' - '208' - '305' diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 23ce2fb..75f4469 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -7,7 +7,7 @@ Rules 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +5) Be open and nice to each other Workflow -------- @@ -64,4 +64,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` -option to `git commit` to automatically include the signoff message. +option to `git commit` to automatically include the sign-off message. diff --git a/ChangeLog.md b/ChangeLog.md index 6554982..1eee229 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
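Review bot: Adding `fqcn-builtins` and `fqcn[action]` to `skip_list` switches off the lint check that guards the fully-qualified module names this role was migrated to (ChangeLog in the same commit: "All modules fit FQCN standard"), so a short module name reintroduced later will pass CI unnoticed. If these two entries are not needed to get a clean run today, drop them; if they are, a comment beside them such as `# fqcn rules skipped because <reason>` records why. The other additions (`name[play]`, `var-spacing`) are style suppressions and are harmless.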
@@ -1,40 +1,51 @@ # Changelog +## Release 1.3.1 + +- March 2024 Update + - Typo Fixes + ## Release 1.3.0 -- August 2023 +- September 2023 Updates + - Bug Fixes + - Added Updated Discord Links + - Updated Galaxy Score Links + - Updated Readme + - Control 18.2.6 - Fixed Spelling For Member server + - Control 18.3.1 - Adjusted when statement for Member server only. + - PR'S Closed
+ [#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - 9.2.1/9.3.1 Fixed Module Parameters in win_firewall - Thanks @gberginc
+ [#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - Section 18 Fixed Module Parameters in win_regedit - Thanks @gberginc
+ - Reviewed all DC Only and MS Only Controls to verify when statements are valid. + - Updated win_skip_for_test controls + +- August 2023 Updates - Updated to Central org based workflow. - Updated Linting files and ran against playbook - All modules fit FQCN standard. - Updated Readme.md -## Possible Future Plans For Repo -- Warning System Added -- More of the defalt main variables will be user defined. -- Update To 2.0.0 once released by CIS, currently in draft status. - ## Release 1.2.0 - May 2023 Updates - Updated pipelines for testing in Azure -- Issues Closed - [#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value - [#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value - [#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value - [#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type - [#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type - [#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value - [#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value - [#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value - [#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value - [#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value - [#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable -- Updated Galaxy Workflow -- Updated module names to new standard. -- Major Update: All task rule names updated to add win16cis to them in default main - and in appropriate taks files. -- Updated Ansible_vars_goss file to match new default main. 
-- Ansible Lockdown Banner In Playbook (Testing) -- Full Linting Check - - + - Issues Closed
+ [#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value
+ [#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value
+ [#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value
+ [#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type
+ [#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type
+ [#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value
+ [#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value
+ [#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value
+ [#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value
+ [#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value
+ [#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable
+ - Updated Galaxy Workflow + - Updated module names to new standard. + - Major Update: All task rule names updated to add win16cis to them in default main + and in appropriate taks files. + - Updated Ansible_vars_goss file to match new default main. + - Ansible Lockdown Banner In Playbook (Testing) + - Full Linting Check diff --git a/LICENSE b/LICENSE index 39810af..afe32b3 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise +Copyright (c) 2024 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 4f90159..442e4e0 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Windows 2016 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ Microsoft Windows Server 2019 Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [ Microsoft Windows Server 2016 RTM Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/) --- @@ -12,7 +12,6 @@ ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) 
@@ -36,11 +35,11 @@ [Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2016_cis) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis) +[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis) ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- @@ -50,15 +49,15 @@ This role **will make changes to the system** which may have unintended conseque Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. -This role was developed against a clean install of the Windows 2016 Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Windows 2016 Operating System. If you are implementing this role on an existing system, please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use release version please point to main branch and relevant release for the CIS benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-domaincontroller 
@@ -66,12 +65,12 @@ This is managed using tags: - level2-domaincontroller - level2-memberserver -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS releases routinely contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) 
@@ -98,7 +97,7 @@ Currently this release does not have a auditing tool that is up to date. - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** @@ -119,12 +118,12 @@ This role is designed that the end user should not have to edit the tasks themse ## Tags -There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control has its own set of tags noting what level, what OS element it relates to if it's a patch or audit, and the rule number. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb. ```sh - tags: + tags: - level1-domaincontroller - level1-memberserver - win16cis_rule_18.3.3 
@@ -136,9 +135,16 @@ Below is an example of the tag section from a control within this role. Using th We encourage you (the community) to contribute to this role. Please read the rules below. -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge. - All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release ## Pipeline Testing + +uses: + +- ansible-core 2.12 +- ansible collections - pulls in the latest version based on the requirements file +- runs the audit using the devel branch +- This is an automated test that occurs on pull requests into devel \ No newline at end of file diff --git a/collections/requirements.yml b/collections/requirements.yml index 97aad6f..3bbac16 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,7 +2,13 @@ collections: - name: ansible.windows + type: git + source: https://github.com/ansible-collections/ansible.windows - name: community.windows + type: git + source: https://github.com/ansible-collections/community.windows - name: community.general + type: git + source: https://github.com/ansible-collections/community.general diff --git a/defaults/main.yml b/defaults/main.yml index ce0611b..2a3865b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,5 @@ --- + os_distribution: Windows-2016 benchmark: CIS benchmark_version: 1.2 
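Review bot: The three collections in collections/requirements.yml are switched to `type: git` sources with no `version:`, so every `ansible-galaxy collection install -r` now pulls whatever the default branch of each GitHub repository holds at install time instead of a released, versioned artifact; the README hunk above even describes the pipeline as pulling "the latest version based on the requirements file", which makes the test non-reproducible and lets an upstream change land without a review step. Pin each entry, e.g. add `version: <tag-or-commit>` under each `source:`, or keep the Galaxy names and pin a version there. If a git checkout is needed for an unreleased fix, a comment next to the entry should say which one.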
@@ -29,7 +30,7 @@ win16cis_section18: true # 19.1.x Control Panel, 19.5.x Start Menu and Taskbar, 19.6.x System, 19.7.x Windows Components win16cis_section19: true -min_ansible_version: "2.9" +min_ansible_version: "2.10" # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation @@ -59,14 +60,14 @@ long_running: false # win_skip_for_test is used in the playbook to skip over certain controls that # may cause breaking changes when running it for testing purposes. # Controls that will be skipped: -# 2.3.1.5 -# 9.3.5 -# 18.9.97.1.1 -# 18.9.97.1.2 -# 18.9.97.2.1 -# 18.9.97.2.2 -# 18.9.97.2.3 -# 18.9.98.1 +# 2.3.1.5 - Renames Administrator Account +# 9.3.5 - Enables Firewall Public Rules *Breaks Reboot* +# 18.9.97.1.1 - Disables WinRM Allow Client Basic Auth +# 18.9.97.1.2 - Disables unencrypted traffic through WinRM Client +# 18.9.97.2.1 - Disables WinRM Allow Service Basic Auth +# 18.9.97.2.2 - Disables Remote Server Management through WinRM +# 18.9.97.2.3 - Disables unencrypted traffic through WinRM Service +# 18.9.98.1 - Disables Remote Shell Access win_skip_for_test: false #### Basic external audit enablement settings #### @@ -499,11 +500,11 @@ is_hyperv_installed: false # Section 2 Variables # Control 2.3.1.5 # win16cis_admin_username is the name the administrator account will be renamed to -win16cis_admin_username: ChangeThis +win16cis_admin_username: adminchangethis # Control 2.3.1.6 # win16cis_guest_username is the name the guest account will be renamed to -win16cis_guest_username: GuestChangeThis +win16cis_guest_username: guestchangethis # This SID is the same for standalone, member, domain controller for 'Administrators' group sedebugprivilege: "*S-1-5-32-544" diff --git a/meta/main.yml b/meta/main.yml index 9000c2c..9664956 100644 --- a/meta/main.yml +++ b/meta/main.yml 
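Review bot: `win16cis_admin_username: adminchangethis` and `win16cis_guest_username: guestchangethis` remain published placeholders that control 2.3.1.5/2.3.1.6 will apply verbatim when a user does not override them, so the built-in accounts end up renamed to values anyone reading this repository knows; lower-casing the old `ChangeThis` does not change that. The comment should state the requirement, e.g. `# win16cis_admin_username is the name the administrator account will be renamed to - override this, the shipped default is a public placeholder`, and the rename task should ideally assert the variable differs from the default before acting. The rename tasks themselves are outside this diff.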
@@ -1,16 +1,13 @@ --- + galaxy_info: - author: "Ryan Speelman" + author: "Ansible-Lockdown" description: "Ansible role to apply Windows Server 2016 CIS Benchmark" company: "MindPoint Group" license: MIT role_name: windows_2016_cis namespace: mindpointgroup - min_ansible_version: 2.6 - -# The galaxy api currently supports only Win 2008R2, 2008x64, 2008x86, -# 2012, 2012R2, 2016, and 2019 versions. And using anything else will lower -# galaxy score. + min_ansible_version: 2.10.0 platforms: - name: Windows versions: From 9b3ee6ae6ad2b01625ee841b5ff9adbd33f43dcd Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 19 Mar 2024 16:57:08 -0400 Subject: [PATCH 2/5] Update .github Signed-off-by: Frederick Witty --- .github/workflows/devel_pipeline_validation.yml | 16 ++++++++-------- .github/workflows/main_pipeline_validation.yml | 12 ++++++------ 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 0aae7a5..44fbd8c 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -20,9 +20,9 @@ on: # yamllint disable-line rule:truthy - '**.cfg' # A workflow run is made up of one or more jobs that can run sequentially or in parallel -# This setion contains all the jobs below that are running in the workflow. +# This section contains all the jobs below that are running in the workflow. jobs: - # This will create messages for first time contributers and direct them to the Discord server + # This will create messages for the first time contributors and direct them to the Discord server welcome: # The type of runner that the job will run on. runs-on: ubuntu-latest 
@@ -32,9 +32,9 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance. + # This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance. playbook-test: # The type of runner that the job will run on. runs-on: ubuntu-latest @@ -84,7 +84,7 @@ jobs: pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -93,7 +93,7 @@ jobs: id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -102,7 +102,7 @@ jobs: id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -110,7 +110,7 @@ jobs: - name: Terraform_Apply id: apply env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file WIN_USERNAME: ${{ secrets.WIN_USERNAME }} WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} OSVAR: ${{ vars.OSVAR }} 
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 438dd55..ae9e500 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -20,9 +20,9 @@ on: # yamllint disable-line rule:truthy - '**.cfg' # A workflow run is made up of one or more jobs that can run sequentially or in parallel -# This setion contains all the jobs below that are running in the workflow. +# This section contains all the jobs below that are running in the workflow. jobs: - # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance. + # This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance. playbook-test: # The type of runner that the job will run on. runs-on: ubuntu-latest @@ -72,7 +72,7 @@ jobs: pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -81,7 +81,7 @@ jobs: id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ jobs: id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -98,7 +98,7 @@ jobs: - name: Terraform_Apply id: apply env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file WIN_USERNAME: ${{ secrets.WIN_USERNAME }} WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} OSVAR: ${{ vars.OSVAR }} From 3d736f8459c05d3969e9d40f0582746247403468 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 19 Mar 2024 17:22:32 -0400 Subject: [PATCH 3/5] Task Fixes Signed-off-by: Frederick Witty --- tasks/main.yml | 2 +- tasks/section01.yml | 3 ++- tasks/section02.yml | 10 +++++++--- tasks/section09.yml | 5 +++-- tasks/section17.yml | 1 + tasks/section18.yml | 32 ++++++++++++++++---------------- tasks/section19.yml | 1 + 7 files changed, 31 insertions(+), 23 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index f338cda..599363b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -27,7 +27,7 @@ - name: Check ansible version ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') - msg: You must use Ansible {{ min_ansible_version }} or greater + fail_msg: You must use Ansible {{ min_ansible_version }} or greater tags: - always diff --git a/tasks/section01.yml b/tasks/section01.yml index 0edf924..61e5a29 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -1,4 +1,5 @@ --- + - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" block: - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" @@ -106,7 +107,7 @@ community.windows.win_security_policy: section: System Access key: ClearTextPassword - value: "0" + value: 0 when: win16cis_rule_1_1_6 tags: - level1-domaincontroller diff --git a/tasks/section02.yml b/tasks/section02.yml index 4469e7c..0523f43 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
@@ -1,4 +1,5 @@ --- + - name: "SCORED | 2.2.1 | PATCH | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" ansible.windows.win_user_right: name: SeTrustedCredManAccessPrivilege @@ -1135,7 +1136,7 @@ type: dword when: - win16cis_rule_2_3_9_5 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level1-memberserver - rule_2.3.9.5 @@ -1281,7 +1282,7 @@ data: "O:BAG:BAD:(A;;RC;;;BA)" type: string when: - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" - win16cis_rule_2_3_10_11 tags: - level1-memberserver @@ -1582,4 +1583,7 @@ type: dword when: win16cis_rule_2_3_17_8 tags: - - level1s + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.8 + - patch diff --git a/tasks/section09.yml b/tasks/section09.yml index 0dd5595..ea455c9 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -1,4 +1,5 @@ --- + - name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile @@ -115,7 +116,7 @@ - name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" community.windows.win_firewall: state: enabled - profile: Private + profiles: Private when: - win16cis_rule_9_2_1 tags: @@ -226,7 +227,7 @@ - name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" community.windows.win_firewall: state: enabled - profile: Public + profiles: Public when: - win16cis_rule_9_3_1 tags: diff --git a/tasks/section17.yml b/tasks/section17.yml index 3519171..1b644f7 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
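Review bot: Replacing `not ansible_windows_domain_role == "Primary domain controller"` with `ansible_windows_domain_role == "Member server"` in the 2.3.9.5 and 2.3.10.11 hunks narrows the scope rather than only simplifying it: a host whose role fact reports a stand-alone (non-domain-joined) server matched the old condition and no longer matches, so both controls are silently skipped there. The old negation also matched non-PDC domain controllers, so tightening may well be intended; the stand-alone case is the one to confirm. If only domain-joined member servers are meant, a one-line comment such as `# MS profile: stand-alone servers intentionally excluded` above the `when:` would make that explicit. The same substitution is made for 18.3.1 in tasks/section18.yml.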
@@ -1,4 +1,5 @@
 ---
+
 - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure"
 block:
 - name: "SCORED | 17.1.1 | AUDIT | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 83d92d7..84478e1 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1,4 +1,5 @@
 ---
+
 # one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server"
 - name: "SCORED | 18.1.1.1 | PATCH | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 ansible.windows.win_regedit:
@@ -64,7 +65,7 @@
 type: string
 when:
 - win16cis_rule_18_2_1
- - ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role == "Member server"
 tags:
 - level1-memberserver
 - rule_18.2.1
@@ -78,7 +79,7 @@
 type: dword
 when:
 - win16cis_rule_18_2_2
- - ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role == "Member server"
 tags:
 - level1-memberserver
 - rule_18.2.2
@@ -92,7 +93,7 @@
 type: dword
 when:
 - win16cis_rule_18_2_3
- - ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role == "Member server"
 tags:
 - level1-memberserver
 - rule_18.2.3
@@ -106,7 +107,7 @@
 type: dword
 when:
 - win16cis_rule_18_2_4
- - ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role == "Member server"
 tags:
 - level1-memberserver
 - rule_18.2.4
@@ -120,7 +121,6 @@
 type: dword
 when:
 - win16cis_rule_18_2_5
- - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.5
@@ -134,7 +134,7 @@
 type: dword
 when:
 - win16cis_rule_18_2_6
- - ansible_windows_domain_role == "Memmber Server"
+ - ansible_windows_domain_role == "Memmber server"
 tags:
 - level1-memberserver
 - rule_18.2.6
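Review bot: The 18.2.5 hunk (`@@ -120,7 +121,6 @@`) drops the `ansible_windows_domain_role == "Member Server"` condition outright while the neighbouring 18.2.1–18.2.4 and 18.2.6 hunks keep a corrected form of it and the task stays tagged `level1-memberserver` only, so as written 18.2.5 now also runs on domain controllers. If that is intended the tag list should gain `- level1-domaincontroller`; if not, the line should return as `- ansible_windows_domain_role == "Member server"`. The task's name line is outside the hunk, so the control's intended profile cannot be confirmed from here.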
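Review bot: The 18.2.6 hunk (`@@ -134,7 +134,7 @@`) still compares against `"Memmber server"` — only the case of "server" changed and the doubled-m typo survives — so this `when` can never be true and control 18.2.6 is never applied on any host, even though the ChangeLog in patch 1/5 records "Control 18.2.6 - Fixed Spelling For Member server". The line should read `- ansible_windows_domain_role == "Member server"`, matching 18.2.1–18.2.4 above. A quick grep for `Memmber` across tasks/ would confirm there are no other copies.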
@@ -148,7 +148,7 @@ type: dword when: - win16cis_rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level1-memberserver - rule_18.3.1 @@ -216,10 +216,10 @@ - name: "SCORED | 18.3.6 | PATCH | (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters - state: present value: NodeType data: 2 datatype: dword + state: present when: - win16cis_rule_18_3_6 tags: @@ -231,10 +231,10 @@ - name: "SCORED | 18.3.7 | PATCH | (L1) Ensure 'WDigest Authentication' is set to 'Disabled'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest - state: present value: UseLogonCredential data: 0 datatype: dword + state: present when: - win16cis_rule_18_3_7 tags: @@ -246,10 +246,10 @@ - name: "SCORED | 18.4.1 | PATCH | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - state: present value: AutoAdminLogon data: 0 datatype: string + state: present when: - win16cis_rule_18_4_1 tags: @@ -261,10 +261,10 @@ - name: "SCORED | 18.4.2 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters - state: present value: DisableIPSourceRouting data: 2 datatype: dword + state: present when: - win16cis_rule_18_4_2 tags: 
@@ -276,10 +276,10 @@ - name: "SCORED | 18.4.3 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present value: DisableIPSourceRouting data: 2 datatype: dword + state: present when: - win16cis_rule_18_4_3 tags: @@ -291,10 +291,10 @@ - name: "SCORED | 18.4.4 | PATCH | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present value: EnableICMPRedirect data: 0 datatype: dword + state: present when: - win16cis_rule_18_4_4 tags: @@ -306,10 +306,10 @@ - name: "SCORED | 18.4.5 | PATCH | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present value: KeepAliveTime data: 300000 datatype: dword + state: present when: - win16cis_rule_18_4_5 tags: @@ -321,10 +321,10 @@ - name: "SCORED | 18.4.6 | PATCH | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present name: NoNameReleaseOnDemand data: 1 type: dword + state: present when: - win16cis_rule_18_4_6 tags: 
@@ -336,10 +336,10 @@
 - name: "SCORED | 18.4.7 | PATCH | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 ansible.windows.win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
- state: present
 name: PerformRouterDiscovery
 data: 0
 type: dword
+ state: present
 when:
 - win16cis_rule_18_4_7
 tags:
diff --git a/tasks/section19.yml b/tasks/section19.yml
index 17645bd..3635a83 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'"
 block:
 - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'"
From 8762afd4a5ab3b81d2374de540bf9f1ffa1d47bb Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Wed, 20 Mar 2024 11:52:54 -0400
Subject: [PATCH 4/5] Update reboot notify
Signed-off-by: Frederick Witty
---
 defaults/main.yml | 5 +++++
 handlers/main.yml | 9 ++++++---
 tasks/main.yml | 7 +++++++
 tasks/post.yml | 36 ++++++++++++++++++++++++++++++++++++
 tasks/section18.yml | 2 +-
 tasks/warning_facts.yml | 20 ++++++++++++++++++++
 vars/main.yml | 10 +++++++++-
 7 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100644 tasks/post.yml
 create mode 100644 tasks/warning_facts.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 2a3865b..46e0551 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -70,6 +70,11 @@ long_running: false
 # 18.9.98.1 - Disables Remote Shell Access
 win_skip_for_test: false
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 #### Basic external audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
diff --git a/handlers/main.yml b/handlers/main.yml
index 93f0066..80d01dc 100644
--- a/handlers/main.yml
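Review bot: `skip_reboot: true` makes deferring the reboot the default, but the comment above it does not say what the role does instead, and "will allow whether or not to skip the reboot" reads awkwardly for an operator deciding which value to set. A comment that states the consequence is more useful, e.g. `# Several controls only take effect after a reboot. true = do not reboot, only warn at the end of the run (changes stay pending, which can affect compliance check results); false = reboot the host automatically.` The `long_running` / `win_skip_for_test` lines are context from outside this hunk.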
+++ b/handlers/main.yml
@@ -1,4 +1,7 @@
 ---
-- name: reboot_windows
- ansible.windows.win_reboot:
- reboot_timeout: 3600
+
+- name: change_requires_reboot
+ ansible.builtin.set_fact:
+ reboot_host: true
+ tags:
+ - always
diff --git a/tasks/main.yml b/tasks/main.yml
index 599363b..a3a5e03 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -103,3 +103,10 @@
 - run_audit
 tags:
 - run_audit
+
+- name: If Warnings found Output count and control IDs affected
+ ansible.builtin.debug:
+ msg:
+ - "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:"
+ - "{{ warn_control_list }}"
+ when: warn_count != 0
diff --git a/tasks/post.yml b/tasks/post.yml
new file mode 100644
index 0000000..4aa3351
--- /dev/null
+++ b/tasks/post.yml
@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+ ansible.builtin.meta: flush_handlers
+ tags:
+ - always
+
+- name: "POST | Reboot System Options"
+ block:
+ - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+ ansible.windows.win_reboot:
+ reboot_timeout: 3600
+ when:
+ - reboot_host
+ - not skip_reboot
+
+ - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+ - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+ changed_when: true
+ when:
+ - reboot_host
+ - skip_reboot
+
+ - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+ when:
+ - reboot_host
+ - skip_reboot
+ vars:
+ warn_control_id: Reboot_Required
+ tags:
+ - always
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 84478e1..6105b2c 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -175,7 +175,7 @@
 data: 0
 type: dword
 state: present
- notify: reboot_windows
+ notify: change_requires_reboot
 when:
 - win16cis_rule_18_3_3
 tags:
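Review bot: Renaming the handler from `reboot_windows` to `change_requires_reboot` is matched by exactly one `notify:` update, the tasks/section18.yml hunk at line 175; if any other task in the role still notifies `reboot_windows`, the play fails at runtime with an unknown-handler error, so the old name should be grepped for across every task file before merging. The handler now only records `reboot_host: true` and leaves the actual reboot to tasks/post.yml, which is sound given the `meta: flush_handlers` there, but nothing in handlers/main.yml says so; a comment such as `# Only marks that a reboot is pending; tasks/post.yml performs it or warns, depending on skip_reboot.` would spare the next reader the search.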
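Review bot: `when: warn_count != 0` in the tasks/main.yml hunk compares against an integer, but after tasks/warning_facts.yml has run `warn_count` is the rendered result of `"{{ warn_count | int + 1 }}"`, which Ansible stores as a string unless native Jinja is enabled, so the fact changes type part-way through the run. `when: warn_count | int != 0` is robust to either representation and matches the coercion warning_facts.yml already applies on the other side. The task list this hunk appends to continues above it.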
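Review bot: Nothing in this commit imports the new tasks/post.yml: the tasks/main.yml hunk accounts for all seven lines of that file's diffstat and adds only the warning summary, so unless main.yml already includes post.yml outside the visible hunk, `reboot_host` is set by the handler but never acted on and the `Reboot_Required` warning is never raised. Wiring it in needs an entry like `- name: "POST | Run post tasks"` / `ansible.builtin.import_tasks: post.yml` / `tags: [always]` in tasks/main.yml, and it has to sit before the "If Warnings found" debug task, otherwise the Reboot_Required entry is added after the count has already been printed. Within post.yml itself the structure is fine: `flush_handlers` runs first so `reboot_host` is final before the block evaluates its `when:` conditions.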
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
new file mode 100644
index 0000000..a98e642
--- /dev/null
+++ b/tasks/warning_facts.yml
@@ -0,0 +1,20 @@
+---
+
+# This task is used to create variables used in giving a warning summary for manual tasks
+# that need attention
+#
+# The warn_control_list and warn_count vars start life in vars/main.yml but get updated
+# as the tasks that have a warning complete
+#
+# Those two variables are used in the tasks/main.yml to display a list of warnings
+#
+# warn_control_id is set within the task itself and has the control ID as the value
+#
+# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s
+#
+# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
+# the count increases by a value of 1
+- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning."
+ ansible.builtin.set_fact:
+ warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
+ warn_count: "{{ warn_count | int + 1 }}"
diff --git a/vars/main.yml b/vars/main.yml
index 0d4424f..6cf99ca 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,10 @@
 ---
-# vars file for .
+# vars file for Windows-2016-CIS
+
+# Used to control warning summary
+warn_control_list: ""
+warn_count: 0
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
@@ -10,3 +14,7 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
 win2016cis_is_standalone: false
 win2016cis_is_domain_controller: false
 win2016cis_is_domain_member: false
+
+# Default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+reboot_host: false
From 26baa570dbd3a7c30abcea238b9a6e74c0a713d3 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Wed, 20 Mar 2024 14:29:15 -0400
Subject: [PATCH 5/5] Update .github actionsv3 to v4
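Review bot: The header comment says `warn_control_list` "is a list made up of the warn_control_id's", but the set_fact builds a space-separated string (`"{{ warn_control_list }} [{{ warn_control_id }}]"`) on top of the `warn_control_list: ""` seed added in the vars/main.yml hunk further down this line, so nothing downstream can iterate or count it. Either reword the comment to say it is a string of bracketed control IDs, or keep a real list by seeding `warn_control_list: []` in vars/main.yml and setting `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"` here; the debug task in tasks/main.yml prints either form. The `warn_control_id’s` in the comment also uses a typographic apostrophe, which is worth replacing with a plain one so the file stays ASCII-clean.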
Signed-off-by: Frederick Witty
---
 .github/workflows/devel_pipeline_validation.yml | 4 ++--
 .github/workflows/main_pipeline_validation.yml | 4 ++--
 .github/workflows/update_galaxy.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 44fbd8c..e4ff876 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -59,13 +59,13 @@ jobs:
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
 - name: Clone ${{ github.event.repository.name }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 # Pull In Terraform Code For Windows Azure
 - name: Clone github IaC plan
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 repository: ansible-lockdown/github_windows_IaC
 path: .github/workflows/github_windows_IaC
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index ae9e500..33221dc 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -47,13 +47,13 @@ jobs:
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
 - name: Clone ${{ github.event.repository.name }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 # Pull In Terraform Code For Windows Azure
 - name: Clone github IaC plan
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 repository: ansible-lockdown/github_windows_IaC
 path: .github/workflows/github_windows_IaC
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
index 14ea5bf..f510ceb 100644
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -14,8 +14,8 @@ jobs:
 update_role:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout V3
- uses: actions/checkout@v3
+ - name: Checkout V4
+ uses: actions/checkout@v4
 - name: Update Galaxy
 uses: robertdebock/galaxy-action@master