From e3fa70c644da5e9c7c3f9cd31b899a5cfa4ae297 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 30 Mar 2021 09:28:49 -0400 Subject: [PATCH 01/12] Fixes for win_user_module settings issue #10 Signed-off-by: George Nalen --- tasks/section02.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index 3983503..104ba9c 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -2,7 +2,7 @@ - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: name: SeTrustedCredManAccessPrivilege - users: + users: [] action: set when: rule_2_2_1 tags: @@ -28,7 +28,7 @@ - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" win_user_right: name: SeTcbPrivilege - users: + users: [] action: set when: rule_2_2_4 tags: @@ -148,7 +148,7 @@ - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" win_user_right: name: SeCreateTokenPrivilege - users: + users: [] action: set when: rule_2_2_14 tags: @@ -176,7 +176,7 @@ - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" win_user_right: name: SeCreatePermanentPrivilege - users: + users: [] action: set when: rule_2_2_16 tags: @@ -342,7 +342,7 @@ - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: name: SeEnableDelegationPrivilege - users: + users: [] action: set when: - rule_2_2_28 @@ -445,7 +445,7 @@ - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" win_user_right: name: SeLockMemoryPrivilege - users: + users: [] action: set when: rule_2_2_35 tags: @@ -482,7 +482,7 @@ - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" win_user_right: name: SeReLabelPrivilege - users: + users: [] action: set when: rule_2_2_39 tags: 
From 038965b73e1d8b850386a85dd466ac17ea81cb32 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 30 Mar 2021 13:41:32 -0400 Subject: [PATCH 02/12] Added control 18.3.6 from issue #2 Signed-off-by: George Nalen --- defaults/main.yml | 8 +++++++- tasks/section18.yml | 20 +++++++++++++++++--- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 63d36ca..a0035c6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -257,6 +257,7 @@ rule_18_3_3: true rule_18_3_4: true rule_18_3_5: true rule_18_3_6: true +rule_18_3_7: true rule_18_4_1: true rule_18_4_2: true rule_18_4_3: true @@ -509,4 +510,9 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # public_firewall_log_size is the size of the log file # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB -public_firewall_log_size: 16,384 \ No newline at end of file +public_firewall_log_size: 16,384 + +# 18.3.6 +# netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType +# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS +netbt_nodetype: 2 \ No newline at end of file diff --git a/tasks/section18.yml b/tasks/section18.yml index 8f7d12b..6130ec4 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
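Review bot: `public_firewall_log_size: 16,384` is re-added on the new side with the comma intact, and YAML reads `16,384` as the string `"16,384"`, not the integer 16384, so whatever consumes it (the 9.3.8 task, not visible here) does not get a numeric KB value; it should be `public_firewall_log_size: 16384`. The comment above it also misspells "standards" as "stadnards". The new `netbt_nodetype: 2` default and its comment are consistent with each other.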
@@ -343,20 +343,34 @@ - rule_18.3.5 - patch -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" +- name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters + state: present + name: NodeType + value: "{{ netbt_nodetype }}" + datatype: dword + when: rule_18_3_6 + tags: + - level1 + - rule_18.3.6 + - patch + +- name: "SCORED | 18.3.7 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present value: UseLogonCredential data: 0 datatype: dword - when: rule_18_3_6 + when: rule_18_3_7 tags: - level1 - level2 - - rule_18.3.6 + - rule_18.3.7 - patch + - name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon From 957a093c742de4d71e6e8715e0f05a96d04c41f9 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 30 Mar 2021 14:01:37 -0400 Subject: [PATCH 03/12] updated section 1 tags and formatting Signed-off-by: George Nalen --- tasks/section01.yml | 216 ++++++++++++++++++++------------------------ 1 file changed, 96 insertions(+), 120 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index ea51705..74c21e8 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
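Review bot: The new 18.3.6 task never sets the registry data: in `win_regedit`, `value` is an alias of `name` (the value *name*) and the contents go in `data`, which is exactly how the 18.3.7 WDigest task directly below is written (`value: UseLogonCredential` / `data: 0`). As written, `name: NodeType` and `value: "{{ netbt_nodetype }}"` both target the same parameter and no data is supplied, so NodeType is not forced to P-node. Change the task to `name: NodeType`, `data: "{{ netbt_nodetype }}"`, `type: dword` (or keep `datatype:`, which is the `type` alias).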
@@ -1,105 +1,89 @@ --- - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" - assert: - that: passwordhistorysize | int is version('24', '>=') - fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_1 - tags: - - level1 - - level2 - - rule_1.1.1 - - audit + block: + - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" + assert: + that: passwordhistorysize | int is version('24', '>=') + fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" - win_security_policy: - section: System Access - key: PasswordHistorySize - value: "{{ passwordhistorysize }}" + - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" + win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ passwordhistorysize }}" when: rule_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.1 - patch - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_2 - tags: - - level1 - - level2 - - rule_1.1.2 - - audit + block: + - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + assert: + that: maximumpasswordage | int 
is version('60', '<=') + fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" + - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" when: rule_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.2 - patch - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" - assert: - that: minimumpasswordage is version('1', '>=') - fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_3 - tags: - - level1 - - level2 - - rule_1.1.3 - - audit + block: + - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" + assert: + that: minimumpasswordage is version('1', '>=') + fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" - win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ minimumpasswordage }}" + - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" + win_security_policy: + section: System Access + key: MinimumPasswordAge + value: "{{ minimumpasswordage }}" when: rule_1_1_3 tags: - - level1 - - 
level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.3 - patch - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" - assert: - that: minimumpasswordlength is version('14', '>=') - fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_4 - tags: - - level1 - - level2 - - rule_1.1.4 - - audit + block: + - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" + assert: + that: minimumpasswordlength is version('14', '>=') + fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" - win_security_policy: - section: System Access - key: MinimumPasswordLength - value: "{{ minimumpasswordlength }}" + - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" + win_security_policy: + section: System Access + key: MinimumPasswordLength + value: "{{ minimumpasswordlength }}" when: rule_1_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.4 - patch @@ -110,8 +94,8 @@ value: 1 when: rule_1_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.5 - patch 
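Review bot: The 1.1.2 assertion only checks the upper bound (`maximumpasswordage | int is version('60', '<=')`), so a value of 0, which the task title explicitly excludes, passes the audit and is then written by the patch task in the same block. Make the check a list covering both halves: `that: ["maximumpasswordage | int > 0", "maximumpasswordage | int <= 60"]`. Plain numeric comparison (`| int >= 24`, `| int >= 14`) would also read more clearly than the `version` test used by the 1.1.1, 1.1.3 and 1.1.4 asserts in this hunk. Note that the `audit` tag was dropped from every assert task when it moved into the block, so `--tags audit` no longer selects them.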
@@ -122,36 +106,32 @@ value: "0" when: rule_1_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.6 - patch - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" - assert: - that: lockoutduration | int is version('15', '<=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_1 - tags: - - level1 - - level2 - - rule_1.2.1 - - audit + block: + - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" + assert: + that: lockoutduration | int is version('15', '<=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" - win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" + - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" + win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" when: - rule_1_2_1 - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.1 - patch 
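Review bot: The 1.2.1 assertion is inverted: `lockoutduration | int is version('15', '<=')` passes for a lockout duration of 5 minutes and fails for 30, while the task title requires 15 or more; it should be `that: lockoutduration | int >= 15`. The `fail_msg` on the same task is the 1.2.3 "bad logon counter is reset" text; use `fail_msg: "Account lockout duration must be configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"`. The `is_implemented` guard and its comment are carried over unchanged by this hunk.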
@@ -163,33 +143,29 @@ value: "{{ lockoutbadcount }}" when: rule_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.2 - patch - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - assert: - that: resetlockoutcount | int is version('15', '>=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_3 - tags: - - level1 - - level2 - - rule_1.2.3 - - audit + block: + - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + assert: + that: resetlockoutcount | int is version('15', '>=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ resetlockoutcount }}" + - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ resetlockoutcount }}" when: rule_1_2_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.3 - patch From 4d4829f55af9e5d53610cec4b86c38242b57ea5d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 30 Mar 2021 14:30:17 -0400 Subject: [PATCH 04/12] updated section 2 tags Signed-off-by: George Nalen --- tasks/section02.yml | 402 ++++++++++++++++++++++---------------------- 1 file changed, 204 insertions(+), 198 deletions(-) 
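Review bot: In the 1.2.3 block (and the other blocks restructured in this commit) the audit task runs with `ignore_errors: yes`, so a `resetlockoutcount` below 15 only prints a failed assert and the patch task then writes the non-compliant value anyway. If the block is meant to refuse to weaken the policy, drop `ignore_errors: yes` so the failed assert ends the block, or gate the patch task with `when: not result.failed`. Registering under a per-rule name such as `rule_1_2_3_audit` would also match the `rule_17_1_1_audit` convention used in section17.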
diff --git a/tasks/section02.yml b/tasks/section02.yml index 104ba9c..ce1289f 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -6,8 +6,8 @@ action: set when: rule_2_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.1 - patch @@ -21,6 +21,8 @@ when: - rule_2_2_2 or rule_2_2_3 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.2 - rule_2.2.3 - patch @@ -32,8 +34,8 @@ action: set when: rule_2_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.4 - patch @@ -46,6 +48,7 @@ - rule_2_2_5 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.5 - patch @@ -59,8 +62,8 @@ action: set when: rule_2_2_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.6 - patch @@ -72,8 +75,8 @@ action: set when: rule_2_2_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.7 - patch @@ -87,6 +90,8 @@ when: - rule_2_2_8 or rule_2_2_9 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.8 - rule_2.2.9 - patch @@ -99,8 +104,8 @@ action: set when: rule_2_2_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.10 - patch @@ -113,8 +118,8 @@ action: set when: rule_2_2_11 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.11 - patch @@ -127,8 +132,8 @@ action: set when: rule_2_2_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.12 - patch @@ -140,8 +145,8 @@ action: set when: rule_2_2_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.13 - patch @@ -152,8 +157,8 @@ action: set when: rule_2_2_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.14 - patch 
@@ -168,8 +173,8 @@ action: set when: rule_2_2_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.15 - patch @@ -180,8 +185,8 @@ action: set when: rule_2_2_16 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.16 - patch @@ -195,6 +200,7 @@ - rule_2_2_17 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.17 - patch @@ -209,8 +215,7 @@ - rule_2_2_18 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.18 - patch @@ -222,8 +227,8 @@ action: set when: rule_2_2_19 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.19 - patch @@ -238,6 +243,7 @@ - rule_2_2_20 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.20 - patch @@ -253,8 +259,7 @@ - rule_2_2_21 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.21 - patch @@ -266,8 +271,8 @@ action: set when: rule_2_2_22 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.22 - patch @@ -279,8 +284,8 @@ action: set when: rule_2_2_23 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.23 - patch @@ -292,8 +297,8 @@ action: set when: rule_2_2_24 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.24 - patch @@ -308,6 +313,7 @@ - rule_2_2_25 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.25 - patch @@ -322,8 +328,7 @@ - rule_2_2_26 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.26 - patch @@ -336,6 +341,7 @@ - rule_2_2_27 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.27 - patch 
@@ -348,8 +354,7 @@ - rule_2_2_28 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.28 - patch @@ -361,8 +366,8 @@ action: set when: rule_2_2_29 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.29 - patch @@ -375,8 +380,8 @@ action: set when: rule_2_2_30 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.30 - patch @@ -393,6 +398,7 @@ - rule_2_2_31 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.31 - patch @@ -410,8 +416,7 @@ - rule_2_2_32 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.32 - patch @@ -424,8 +429,8 @@ action: set when: rule_2_2_33 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.33 - patch @@ -437,8 +442,8 @@ action: set when: rule_2_2_34 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.34 - patch @@ -449,8 +454,8 @@ action: set when: rule_2_2_35 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.35 - patch @@ -463,6 +468,7 @@ - rule_2_2_36 - ansible_windows_domain_role == "Primary domain controller" tags: + - level2-domaincontroller - rule_2.2.36 - patch @@ -475,6 +481,8 @@ when: - rule_2_2_37 or rule_2_2_38 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.37 - rule_2.2.38 - patch @@ -486,8 +494,8 @@ action: set when: rule_2_2_39 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.39 - patch @@ -499,8 +507,8 @@ action: set when: rule_2_2_40 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.40 - patch @@ -512,8 +520,8 @@ action: set when: rule_2_2_41 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.41 - patch 
@@ -525,8 +533,8 @@ action: set when: rule_2_2_42 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.42 - patch @@ -539,8 +547,8 @@ action: set when: rule_2_2_43 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.43 - patch @@ -553,8 +561,8 @@ action: set when: rule_2_2_44 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.44 - patch @@ -566,8 +574,8 @@ action: set when: rule_2_2_45 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.45 - patch @@ -579,8 +587,8 @@ action: set when: rule_2_2_46 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.46 - patch @@ -593,6 +601,7 @@ - rule_2_2_47 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.47 - patch @@ -604,8 +613,8 @@ action: set when: rule_2_2_48 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.48 - patch @@ -618,8 +627,7 @@ - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.1 - patch @@ -631,8 +639,8 @@ type: dword when: rule_2_3_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.2 - patch @@ -643,8 +651,7 @@ value: 0 when: rule_2_3_1_3 tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.3 - patch @@ -656,8 +663,8 @@ type: dword when: rule_2_3_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.4 - patch @@ -670,8 +677,8 @@ - rule_2_3_1_5 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.5 - patch @@ -682,8 +689,8 @@ value: BobCooper when: rule_2_3_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberservers - rule_2.3.1.6 - patch 
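Review bot: The 2.3.1.6 task is tagged `level1-memberservers` (trailing "s") while every other task in this file uses `level1-memberserver`, so a run with `--tags level1-memberserver` silently skips the Guest account rename. Change it to `- level1-memberserver`. The context lines show the new Guest name hard-coded as `value: BobCooper`; moving it to a default variable like the other settings would be a follow-up rather than part of this tag change.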
@@ -695,8 +702,8 @@ type: dword when: rule_2_3_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.1 - patch @@ -708,8 +715,8 @@ type: dword when: rule_2_3_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.2 - patch @@ -721,8 +728,8 @@ type: string when: rule_2_3_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.1 - patch @@ -734,8 +741,8 @@ type: dword when: rule_2_3_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.2 - patch @@ -749,6 +756,7 @@ - rule_2_3_5_1 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.1 - patch @@ -762,6 +770,7 @@ - rule_2_3_5_2 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.2 - patch @@ -775,6 +784,7 @@ - rule_2_3_5_3 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.3 - patch @@ -788,8 +798,8 @@ - rule_2_3_6_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.1 - patch @@ -803,8 +813,8 @@ - rule_2_3_6_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.2 - patch @@ -818,8 +828,8 @@ - rule_2_3_6_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.3 - patch @@ -833,8 +843,8 @@ - rule_2_3_6_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.4 - patch 
@@ -848,8 +858,8 @@ - rule_2_3_6_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.5 - patch @@ -863,8 +873,8 @@ - rule_2_3_6_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.6 - patch @@ -876,8 +886,8 @@ type: dword when: rule_2_3_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.1 - patch @@ -889,8 +899,8 @@ type: dword when: rule_2_3_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.2 - patch @@ -902,8 +912,8 @@ type: dword when: rule_2_3_7_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.3 - patch @@ -915,8 +925,8 @@ type: string when: rule_2_3_7_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.4 - patch @@ -928,8 +938,8 @@ type: string when: rule_2_3_7_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.5 - patch @@ -941,7 +951,7 @@ type: string when: rule_2_3_7_6 tags: - - level2 + - level2-memberserver - rule_2.3.7.6 - patch @@ -953,8 +963,8 @@ type: dword when: rule_2_3_7_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.7 - patch @@ -968,8 +978,7 @@ - rule_2_3_7_8 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.7.8 - patch @@ -981,8 +990,8 @@ type: string when: rule_2_3_7_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.9 - patch @@ -994,8 +1003,8 @@ type: dword when: rule_2_3_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.1 - patch 
@@ -1007,8 +1016,8 @@ type: dword when: rule_2_3_8_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.2 - patch @@ -1020,8 +1029,8 @@ type: dword when: rule_2_3_8_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.3 - patch @@ -1033,8 +1042,8 @@ type: dword when: rule_2_3_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.1 - patch @@ -1046,8 +1055,8 @@ type: dword when: rule_2_3_9_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.2 - patch @@ -1059,8 +1068,8 @@ type: dword when: rule_2_3_9_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.3 - patch @@ -1072,8 +1081,8 @@ type: dword when: rule_2_3_9_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.4 - patch @@ -1087,8 +1096,7 @@ - rule_2_3_9_5 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.9.5 - patch @@ -1099,8 +1107,8 @@ value: 0 when: rule_2_3_10_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.1 - patch @@ -1114,8 +1122,7 @@ - rule_2_3_10_2 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.2 - patch @@ -1129,8 +1136,7 @@ - rule_2_3_10_3 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.3 - patch @@ -1142,7 +1148,8 @@ type: dword when: rule_2_3_10_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_2.3.10.4 - patch @@ -1154,8 +1161,8 @@ type: dword when: rule_2_3_10_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.5 - patch 
@@ -1169,6 +1176,7 @@ - rule_2_3_10_6 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.10.6 - patch @@ -1182,8 +1190,7 @@ - rule_2_3_10_7 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.7 - patch @@ -1195,8 +1202,8 @@ type: multistring when: rule_2_3_10_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.8 - patch @@ -1208,8 +1215,8 @@ type: multistring when: rule_2_3_10_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.9 - patch @@ -1221,8 +1228,8 @@ type: dword when: rule_2_3_10_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.10 - patch @@ -1234,8 +1241,7 @@ type: string when: rule_2_3_10_11 tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.11 - patch @@ -1247,8 +1253,8 @@ type: multistring when: rule_2_3_10_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.12 - patch @@ -1260,8 +1266,8 @@ type: dword when: rule_2_3_10_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.13 - patch @@ -1273,8 +1279,8 @@ type: dword when: rule_2_3_11_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.1 - patch @@ -1286,8 +1292,8 @@ type: dword when: rule_2_3_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.2 - patch @@ -1299,8 +1305,8 @@ type: dword when: rule_2_3_11_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.3 - patch @@ -1312,8 +1318,8 @@ type: dword when: rule_2_3_11_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.4 - patch 
@@ -1325,8 +1331,8 @@ type: dword when: rule_2_3_11_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.5 - patch @@ -1338,8 +1344,8 @@ type: dword when: rule_2_3_11_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.6 - patch @@ -1351,8 +1357,8 @@ type: dword when: rule_2_3_11_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.7 - patch @@ -1364,8 +1370,8 @@ type: dword when: rule_2_3_11_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.8 - patch @@ -1377,8 +1383,8 @@ type: dword when: rule_2_3_11_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.9 - patch @@ -1390,8 +1396,8 @@ type: dword when: rule_2_3_11_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.10 - patch @@ -1403,8 +1409,8 @@ type: dword when: rule_2_3_13_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.13.1 - patch @@ -1416,8 +1422,8 @@ type: dword when: rule_2_3_15_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.1 - patch @@ -1429,8 +1435,8 @@ type: dword when: rule_2_3_15_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.2 - patch @@ -1442,8 +1448,8 @@ type: dword when: rule_2_3_17_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.1 - patch @@ -1455,8 +1461,8 @@ type: dword when: rule_2_3_17_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.2 - patch @@ -1468,8 +1474,8 @@ type: dword when: rule_2_3_17_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.3 - patch 
@@ -1481,8 +1487,8 @@ type: dword when: rule_2_3_17_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.4 - patch @@ -1494,8 +1500,8 @@ type: dword when: rule_2_3_17_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.5 - patch @@ -1507,8 +1513,8 @@ type: dword when: rule_2_3_17_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.6 - patch @@ -1520,8 +1526,8 @@ type: dword when: rule_2_3_17_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.7 - patch @@ -1533,8 +1539,8 @@ type: dword when: rule_2_3_17_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.8 - patch From a12d0fe0f529d1ab82d571ba5e7ea71dc5fd2b34 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 30 Mar 2021 15:59:14 -0400 Subject: [PATCH 05/12] finished half of section 17 tags and formatting Signed-off-by: George Nalen --- defaults/main.yml | 2 + tasks/section17.yml | 727 +++++++++++++++++++------------------------- 2 files changed, 316 insertions(+), 413 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0035c6..b1a505b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -208,6 +208,8 @@ rule_9_3_10: true # section17 rule_17_1_1: true +rule_17_1_2: true +rule_17_1_3: true rule_17_2_1: true rule_17_2_2: true rule_17_2_3: true diff --git a/tasks/section17.yml b/tasks/section17.yml index da38c82..fda21a4 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
@@ -1,518 +1,431 @@ --- -- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_1_1 - tags: - - level1 - - level2 - - rule_17.1.1 - - audit - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" block: - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable - when: "'Success' not in rule_17_1_1_audit.stdout" - changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable - when: "'Failure' not in rule_17_1_1_audit.stdout" - changed_when: "'Failure' not in rule_17_1_1_audit.stdout" + - name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_1_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable + when: "'Success' not in rule_17_1_1_audit.stdout" + changed_when: "'Success' not in rule_17_1_1_audit.stdout" + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable + when: "'Failure' not in 
rule_17_1_1_audit.stdout" + changed_when: "'Failure' not in rule_17_1_1_audit.stdout" when: - rule_17_1_1 - - rule_17_1_1_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_1_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.1.1 - patch -- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_1 +- name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + block: + - name: "SCORED | 17.1.2 | AUDIT | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_2_audit + + - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" + when: + - rule_17_1_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.1 - - audit + - level1-domaincontroller + - rule_17.1.2 + - patch -- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success 
and Failure" +- name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in rule_17_2_1_audit.stdout" - changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable - when: "'Failure' not in rule_17_2_1_audit.stdout" - changed_when: "'Failure' not in rule_17_2_1_audit.stdout" + - name: "SCORED | 17.1.3 | AUDIT | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_3_audit + + - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" when: - - rule_17_2_1 - - rule_17_2_1_audit is defined + - rule_17_1_3 - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_1_audit.stdout" tags: - - level1 - - level2 - - rule_17.2.1 + - level1-domaincontroller + - rule_17.1.2 - patch -- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer 
Account Management is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - ignore_errors: yes +- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" + block: + - name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_1_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_1_audit.stdout" + + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + when: "'Failure' not in rule_17_2_1_audit.stdout" when: - - rule_17_2_2 + - rule_17_2_1 - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.2 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.2.1 + - patch - name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + block: + - name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_2_audit + changed_when: false + failed_when: false + + - name: 
"SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + changed_when: "'Success' not in rule_17_2_2_audit.stdout" + when: "'Success' not in rule_17_2_2_audit.stdout" when: - rule_17_2_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_2_audit is defined - - "'Success' not in rule_17_2_2_audit.stdout" - changed_when: "'Success' not in rule_17_2_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.2 - patch -- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - ignore_errors: yes - when: - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - tags: - - rule_17.2.3 - - audit - - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + block: + - name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_3_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - ansible_windows_domain_role == "Primary domain controller" - rule_17_2_3 - - rule_17_2_3_audit is defined - - "'Success' not in 
rule_17_2_3_audit.stdout" - changed_when: "'Success' not in rule_17_2_3_audit.stdout" + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_17.2.3 - patch -- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_4 - tags: - - level1 - - level2 - - rule_17.2.4 - - audit - - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + block: + - name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_4_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: "'Success' not in rule_17_2_4_audit.stdout" when: - rule_17_2_4 - - rule_17_2_4_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_4_audit.stdout" - changed_when: "'Success' not in rule_17_2_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.4 - patch - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - 
changed_when: no - ignore_errors: yes - when: rule_17_2_5 - tags: - - level1 - - level2 - - rule_17.2.5 - - audit - -- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to include Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + block: + - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_5_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to include Success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_5_audit.stdout" when: - rule_17_2_5 - rule_17_2_5_audit is defined - "'Success' not in rule_17_2_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.5 - patch -- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_6 - tags: - - level1 - - level2 - - rule_17.2.6 - - audit - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" block: - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable - when: "'Success' not in rule_17_2_6_audit.stdout" - changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" 
- win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable - when: "'Failure' not in rule_17_2_6_audit.stdout" - changed_when: "'Failure' not in rule_17_2_6_audit.stdout" + - name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_6_audit + + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + when: "'Success' not in rule_17_2_6_audit.stdout" + + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable + when: "'Failure' not in rule_17_2_6_audit.stdout" when: - rule_17_2_6 - - rule_17_2_6_audit is defined tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.6 - patch -- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to include Success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_1 - tags: - - level1 - - level2 - - rule_17.3.1 - - audit - - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success" - win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" + block: + - name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to include Success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + 
changed_when: false + failed_when: false + register: rule_17_3_1_audit + + - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success" + win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable + when: "'Success' not in rule_17_3_1_audit.stdout" when: - rule_17_3_1 - - rule_17_3_1_audit is defined - - "'Success' not in rule_17_3_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.1 - patch -- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to include Success" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_2 - tags: - - level1 - - level2 - - rule_17.3.2 - - audit - - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" + block: + - name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to include Success" + win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_3_2_audit + + - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + when: "'Success' not in rule_17_3_2_audit.stdout" when: - rule_17_3_2 - - rule_17_3_2_audit is defined - - "'Success' not in rule_17_3_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.2 - patch -- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to include Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory 
Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_4_1 - tags: - - rule_17.4.1 - - audit - - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" + block: + - name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to include Failure DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_1_audit + + - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable + when: "'Success' not in rule_17_4_1_audit.stdout" when: - rule_17_4_1 - - rule_17_4_1_audit is defined - - "'Success' not in rule_17_4_1_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.1 - patch -- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_17.4.2 - - audit - - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" + block: + - name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to include 
Success DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_2_audit + + - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + when: "'Success' not in rule_17_4_2_audit.stdout" when: - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_4_2_audit is defined - - "'Success' not in rule_17_4_2_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.2 - patch -- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to include Failure" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_1 - tags: - - level1 - - level2 - - rule_17.5.1 - - audit - - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + block: + - name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to include Failure" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_1_audit + + - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - rule_17_5_1 - - rule_17_5_1_audit is defined - - "'Failure' not in rule_17_5_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - 
rule_17.5.1 - patch -- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to include Success" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_2 - tags: - - level1 - - level2 - - rule_17.5.2 - - audit - - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in wn19_au_000170_audit.stdout" + block: + - name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to include Success" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_2_audit + + - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + when: "'Success' not in wn19_au_000170_audit.stdout" when: - rule_17_5_2 - - wn19_au_000170_audit is defined - - "'Success' not in wn19_au_000170_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.2 - patch - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_3 - tags: - - level1 - - level2 - - rule_17.5.3 - - audit - -- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to include Success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" + block: + - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to 
include Success" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_3_audit + + - name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to include Success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + when: "'Success' not in rule_17_5_3_audit.stdout" when: - rule_17_5_3 - - rule_17_5_3_audit is defined - - "'Success' not in rule_17_5_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.3 - patch -- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - audit - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" block: - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - when: rule_17_5_4 + - name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_4_audit + + - name: 
"SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Logon" /success:enable + when: "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + when: "'Failure' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.4 - patch -- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_5_5 - tags: - - level1 - - level2 - - rule_17.5.5 - - audit - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" block: - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable - changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Success' not in rule_17_5_5_audit.stdout" - - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable - changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Failure' not in rule_17_5_5_audit.stdout" + - name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion 
Setting" + changed_when: false + failed_when: false + register: rule_17_5_5_audit + + - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable + when: "'Success' not in rule_17_5_5_audit.stdout" + + - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable + when: "'Failure' not in rule_17_5_5_audit.stdout" when: - rule_17_5_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.5 - patch -- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to include Success" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_6 - tags: - - level1 - - level2 - - rule_17.5.6 - - audit - - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" + block: + - name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to include Success" + win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_6_audit + + - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success" + win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable + when: "'Success' not in rule_17_5_6_audit.stdout" when: - rule_17_5_6 - - rule_17_5_6_audit is defined - - "'Success' not in rule_17_5_6_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - 
level1-memberserver - rule_17.5.6 - patch -- name: "SCORED | 17.6.1 | AUDIT | L1 Ensure Audit Detailed File Share is set to include Failure" - win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_1 - tags: - - level1 - - level2 - - rule_17.6.1 - - audit - - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure" - win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable - changed_when: "'Failure' not in rule_17_6_1_audit.stdout" + block: + - name: "SCORED | 17.6.1 | AUDIT | L1 Ensure Audit Detailed File Share is set to include Failure" + win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_1_audit + + - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure" + win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable + when: "'Failure' not in rule_17_6_1_audit.stdout" when: - rule_17_6_1 - - rule_17_6_1_audit is defined - - "'Failure' not in rule_17_6_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.1 - patch -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit File Share is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 - tags: - - level1 - - level2 - - rule_17.6.2 - - audit - - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"File Share" /failure:enable - changed_when: "'Failure' not in rule_17_6_2_audit.stdout" - when: - - 
rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Failure' not in rule_17_6_2_audit.stdout" - tags: - - level1 - - level2 + block: + - name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit File Share is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_2_audit + + - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"File Share" /failure:enable + when: "'Failure' not in rule_17_6_2_audit.stdout" + tags: + - level1-domaincontroller + - level1-memberserver - rule_17.6.2 - patch 
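Review bot: The 17.2.5 block still carries `rule_17_2_5_audit is defined` and `'Success' not in rule_17_2_5_audit.stdout` in its block-level `when`, but the audit task that registers that variable now lives inside the block, so the condition is evaluated before anything runs and the whole block is always skipped; drop those two conditions as the other blocks do. 17.5.2 reads `wn19_au_000170_audit` instead of the `rule_17_5_2_audit` it registers, which is now an undefined-variable failure rather than a silent skip because the `is defined` guard was removed. Several set tasks do not match the rule they implement and the commit leaves them as-is: 17.2.1 targets subcategory "Security Group Management" (CIS 17.2.1 is "Application Group Management"), 17.4.1 and 17.5.1 enable `/success` although their titles ask for Failure, the 17.5.4 Success task is gated on `'Failure' not in`, and 17.6.2 enables only `/failure` for a "Success and Failure" rule. The 17.1.3 tags carry `rule_17.1.2`, and the 17.6.2 block lost its `when: - rule_17_6_2` toggle so it now runs regardless of the defaults. Gating DC-only controls on exactly `"Primary domain controller"` also appears to skip additional domain controllers, which the `ansible_windows_domain_role` fact reports as "Backup domain controller".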
@@ -522,58 +435,46 @@ audit_type: success, failure when: rule_17_6_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.3 - patch -- name: "SCORED | 17.6.4 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_4 - tags: - - level1 - - level2 - - rule_17.6.4 - - audit - - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_4_audit.stdout" + block: + - name: "SCORED | 17.6.4 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_4_audit + + - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + when: "'Success' not in rule_17_6_4_audit.stdout" when: - rule_17_6_4 - - rule_17_6_4_audit is defined - - "'Success' not in rule_17_6_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.4 - patch - name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 - tags: - - level1 - - level2 - - rule_17.7.1 - - audit - -- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" - 
win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" + block: + - name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_1_audit + + - name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable + when: "'Success' not in rule_17_7_1_audit.stdout" when: - rule_17_7_1 - - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.1 - patch From 5d71e76aaca4427fef52f62cd1ea2e7fae22a003 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 31 Mar 2021 11:11:37 -0400 Subject: [PATCH 06/12] Finished section 17 tags and formatting Signed-off-by: George Nalen --- tasks/section17.yml | 368 +++++++++++++++++--------------------------- 1 file changed, 142 insertions(+), 226 deletions(-) diff --git a/tasks/section17.yml b/tasks/section17.yml index fda21a4..d95e21b 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -459,7 +459,7 @@ - rule_17.6.4 - patch -- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" +- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" block: - name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" 
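Review bot: 17.6.4 is titled "Removable Storage is set to Success and Failure", but its patch task only runs `AuditPol /set /subcategory:"Removable Storage" /success:enable` and is gated on `'Success' not in rule_17_6_4_audit.stdout`, so a host that audits Success only is reported compliant and failed removable-media access is never logged. The 17.6.3 context just above already uses `win_audit_policy_system` with `audit_type: success, failure`; switching 17.6.4 to the same module (`win_audit_policy_system:`, `subcategory: Removable Storage`, `audit_type: success, failure`) enforces both halves idempotently and drops the AuditPol/CSV parsing altogether. If the shell form is kept, note that `failed_when: false` on the audit task turns an AuditPol error into an empty stdout, which silently forces the set task to run — a comment such as `# empty stdout (AuditPol failed) deliberately forces the set task` would make that intent clear.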
@@ -478,298 +478,214 @@ - rule_17.7.1 - patch -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" + block: + - name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: fa + failed_when: false + register: rule_17_7_2_audit + + - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable + when: "'Success' not in rule_17_7_2_audit.stdout" when: - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.2 - patch -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 - tags: - - level1 - - level2 - - rule_17.7.3 - - audit - - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" - win_shell: AuditPol /set 
/subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" + block: + - name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_3_audit + + - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable + when: "'Success' not in rule_17_7_3_audit.stdout" when: - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.3 - patch -- name: "SCORED | 17.7.4 | AUDIT | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_4 - tags: - - level1 - - level2 - - rule_17.7.4 - - audit - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" block: - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_4_audit.stdout" - when: - - rule_17_7_4_audit is defined - - "'Success' not in rule_17_7_4_audit.stdout" - - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" 
/failure:enable - changed_when: "'Failure' not in rule_17_7_4_audit.stdout" - when: - - rule_17_7_4_audit is defined - - "'Failure' not in rule_17_7_4_audit.stdout" - when: rule_17_7_4 - tags: - - level1 - - level2 - - rule_17.7.4 - - patch + - name: "SCORED | 17.7.4 | AUDIT | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_4_audit -- name: "SCORED | 17.7.5 | AUDIT | L1 Ensure Audit Other Policy Change Events is set to include Failure" - win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_5 + - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable + when: "'Success' not in rule_17_7_4_audit.stdout" + + - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable + when: "'Failure' not in rule_17_7_4_audit.stdout" + when: + - rule_17_7_4 tags: - - level1 - - level2 - - rule_17.7.5 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 + - patch - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" - win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable - changed_when: "'Success' not in rule_17_7_5_audit.stdout" + block: + - name: "SCORED | 17.7.5 | AUDIT | L1 Ensure Audit Other Policy Change Events is set to include Failure" + win_shell: AuditPol /get 
/subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_5_audit + + - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + when: "'Success' not in rule_17_7_5_audit.stdout" when: - rule_17_7_5 - - rule_17_7_5_audit is defined - - "'Success' not in rule_17_7_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.5 - patch -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - audit - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" + - name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_8_1_audit - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - 
changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" + - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable + when: "'Success' not in rule_17_8_1_audit.stdout" - when: rule_17_8_1 + - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable + when: "'Failure' not in rule_17_8_1_audit.stdout" + when: + - rule_17_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.8.1 - patch -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" - - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - patch + - 
name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_1_audit + + - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable + when: "'Success' not in rule_17_9_1_audit.stdout" -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 + - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable + when: "'Failure' not in rule_17_9_1_audit.stdout" + when: + - rule_17_9_1 tags: - - level1 - - level2 - - rule_17.9.2 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.9.1 + - patch - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in 
rule_17_9_2_audit.stdout" - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - patch + - name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_2_audit -- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_3 + - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable + when: "'Success' not in rule_17_9_2_audit.stdout" + + - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable + when: "'Failure' not in rule_17_9_2_audit.stdout" + when: + - rule_17_9_2 tags: - - level1 - - level2 - - rule_17.9.3 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.9.2 + - patch - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" + block: + - name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_3_audit + + - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State 
Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable + when: "'Success' not in rule_17_9_3_audit.stdout" when: - rule_17_9_3 - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.3 - patch -- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to include Success" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_4 - tags: - - level1 - - level2 - - rule_17.9.4 - - audit - - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" + block: + - name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to include Success" + win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_4_audit + + - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" + win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable + when: "'Success' not in rule_17_9_4_audit.stdout" when: - rule_17_9_4 - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.4 - patch -- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - 
register: rule_17_9_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - audit - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" block: + - name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_5_audit + - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" + when: "'Success' not in rule_17_9_5_audit.stdout" - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in rule_17_9_5_audit.stdout" - when: rule_17_9_5 + when: "'Failure' not in rule_17_9_5_audit.stdout" + when: + - rule_17_9_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.5 - patch - From 4e930c535dcdc86558009fc796264db4dd4e31b3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 31 Mar 2021 13:52:42 -0400 Subject: [PATCH 07/12] Finished section 18 tags, formatting, and control adjustments Signed-off-by: George Nalen --- defaults/main.yml | 11 +- tasks/section18.yml | 1435 +++++++++++++++++++++++-------------------- 2 files changed, 786 insertions(+), 660 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b1a505b..a7203c5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
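Review bot: `changed_when: fa` on the 17.7.2 audit task is a typo for `false`; Ansible evaluates it as a Jinja conditional and, with `fa` undefined, the task should fail with a conditional-evaluation error on every run, aborting the block and the rest of the play. Further down, 17.7.5 is titled "Other Policy Change Events is set to include Failure" but the patch task runs `AuditPol /set /subcategory:"Other Policy Change Events" /success:enable` gated on `'Success' not in rule_17_7_5_audit.stdout`, so the Failure auditing the control asks for is never enabled while the role reports it applied; the two lines should read `/failure:enable` and `when: "'Failure' not in rule_17_7_5_audit.stdout"`. Also, 17.9.5 is the only block in this hunk that kept its `changed_when:` lines on the set tasks, so changed-status reporting now differs between controls; either drop them there too or restore them everywhere.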
@@ -291,7 +291,6 @@ rule_18_5_21_2: true rule_18_7_1_1: true rule_18_8_3_1: true rule_18_8_4_1: true -rule_18_8_4_2: true rule_18_8_5_1: true rule_18_8_5_2: true rule_18_8_5_3: true @@ -337,12 +336,12 @@ rule_18_8_36_1: true rule_18_8_36_2: true rule_18_8_37_1: true rule_18_8_37_2: true -rule_18_8_45_1: true rule_18_8_45_5_1: true -rule_18_8_45_11_1: true -rule_18_8_47_1: true -rule_18_8_50_1_1: true -rule_18_8_50_1_2: true +rule_18_8_47_5_1: true +rule_18_8_47_11_1: true +rule_18_8_49_1: true +rule_18_8_52_1_1: true +rule_18_8_52_1_2: true rule_18_9_4_1: true rule_18_9_6_1: true rule_18_9_8_1: true diff --git a/tasks/section18.yml b/tasks/section18.yml index 6130ec4..736cb8f 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -5,10 +5,11 @@ name: NoLockScreenCamera data: 1 type: dword - when: rule_18_1_1_1 + when: + - rule_18_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.1 - patch 
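Review bot: `rule_18_8_4_2` is deleted from defaults and the `rule_18_8_45_11_1` / `rule_18_8_47_1` / `rule_18_8_50_1_*` toggles are renamed, but any task in tasks/section18.yml that still gates on an old name will error with an undefined variable in its `when:` rather than being skipped, and the section18 hunks visible in this commit do not touch those controls — please confirm the references were updated in the same change. A short comment above the renumbered block, e.g. `# 18.8.45 / 18.8.47 / 18.8.50 renumbered to 18.8.47 / 18.8.49 / 18.8.52 (benchmark renumbering, presumably)`, would explain the apparent gap in the sequence to the next reader.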
@@ -18,276 +19,205 @@ name: NoLockScreenSlideshow data: 1 type: dword - when: rule_18_1_1_2 + when: + - rule_18_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.2 - patch -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" + block: + - name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_1_2_2_audit + + - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" + command: "echo true" when: - is_implemented - rule_18_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.2.2 - patch -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" + block: + - name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_1_2_2_audit + + - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" when: - is_implemented - rule_18_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.1.3 - patch 
-- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - audit - - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_1_audit + + - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" when: - is_implemented - rule_18_2_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.1 - patch -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - audit - - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_2_audit + + - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_2_2 - not 
ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.2 - patch -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - audit - - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_3_audit + + - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_2_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.3 - patch -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - audit - - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" + changed_when: false + 
failed_when: false + register: rule_18_2_4_audit + + - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" when: - is_implemented - rule_18_2_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.4 - patch -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - audit - - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_5_audit + + - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" when: - is_implemented - rule_18_2_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.5 - patch -- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - audit - - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" + block: + - 
name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_6_audit + + - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" when: - is_implemented - rule_18_2_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.6 - patch -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - audit - - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_1_audit + + - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_3_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.3.1 - patch -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - audit - - name: "SCORED | 18.3.2 | PATCH | L1 Ensure 
Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" + block: + - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_2_audit + + - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" + command: "echo true" when: - is_implemented - rule_18_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.2 - patch -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" +- name: "SCORED | 18.3.3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 
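Review bot: Two of the new audit tasks register the wrong variable: 18.1.3 stores its result in `rule_18_1_2_2_audit` (the 18.1.2.2 name) and 18.2.6 in `rule_18_3_6_audit`; they should be `register: rule_18_1_3_audit` and `register: rule_18_2_6_audit`, otherwise whoever implements the patch half later reads another control's output. More broadly, every control from 18.1.2.2 through 18.3.2 remains an `echo true` placeholder behind `is_implemented`, yet now carries `level1-*` and `patch` tags, so a `--tags level1-memberserver` run lists the LAPS, UAC-remote-restriction and SMBv1-client controls as executed when nothing was enforced; a `debug` message stating the control is not implemented, or a dedicated `not_implemented` tag, would keep that visible. If these are later implemented with `win_regedit` as 18.3.3 is, 18.3.2 is normally the `mrxsmb10` service `Start` value set to 4 and 18.3.1 `LocalAccountTokenFilterPolicy` set to 0 under `Policies\System` — verify against the benchmark text. Note also that these placeholders use the `command` module rather than `win_command`, which would not run on a Windows target if `is_implemented` were ever set.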
@@ -295,51 +225,45 @@ type: dword state: present notify: reboot_windows - when: rule_18_3_3 + when: + - rule_18_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.3 - patch -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation data: 1 type: dword state: present - when: rule_18_3_4 + when: + - rule_18_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.4 - patch -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_5 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.5 - - audit - - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - command: "echo true" + block: + - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_5_audit + + - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" + command: "echo true" when: - is_implemented - rule_18_3_5 - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - 
level1-domaincontroller
- rule_18.3.5
- patch
@@ -350,9 +274,11 @@
name: NodeType
value: "{{ netbt_nodetype }}"
datatype: dword
- when: rule_18_3_6
+ when:
+ - rule_18_3_6
tags:
- - level1
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.3.6
- patch
@@ -363,10 +289,11 @@
value: UseLogonCredential
data: 0
datatype: dword
- when: rule_18_3_7
+ when:
+ - rule_18_3_7
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.3.7
- patch
@@ -378,10 +305,11 @@
value: AutoAdminLogon
data: 0
datatype: dword
- when: rule_18_4_1
+ when:
+ - rule_18_4_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.1
- patch
@@ -392,10 +320,11 @@
value: DisableIPSourceRouting
data: 2
datatype: dword
- when: rule_18_4_2
+ when:
+ - rule_18_4_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.2
- patch
@@ -406,10 +335,11 @@
value: DisableIPSourceRouting
data: 2
datatype: dword
- when: rule_18_4_3
+ when:
+ - rule_18_4_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.3
- patch
@@ -420,10 +350,11 @@
value: EnableICMPRedirect
data: 0
datatype: dword
- when: rule_18_4_4
+ when:
+ - rule_18_4_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.4
- patch
@@ -434,9 +365,11 @@
value: KeepAliveTime
data: 300000
datatype: dword
- when: rule_18_4_5
+ when:
+ - rule_18_4_5
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.4.5
- patch
@@ -447,10 +380,11 @@
name: NoNameReleaseOnDemand
data: 1
type: dword
- when: rule_18_4_6
+ when:
+ - rule_18_4_6
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.6
- patch
@@ -461,9 +395,11 @@
name: PerformRouterDiscovery
data: 0
type: dword
- when: rule_18_4_7
+ when:
+ - rule_18_4_7
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.4.7
- patch
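Review bot: The 18.3.4 SEHOP task in this hunk writes `DisableExceptionChainValidation` with `data: 1`, which turns exception chain validation off; the control's "Enabled" state corresponds to the value 0, so as written the task disables SEHOP on every host where rule_18_3_4 applies. Change the line to `data: 0`. The line is context rather than part of this commit's change, but the commit already touches this task's `when`/`tags`, so it is the right place to fix it.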
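Review bot: The 18.3.6 NodeType task passes both `name: NodeType` and `value: "{{ netbt_nodetype }}"`, but in win_regedit `value` is documented as an alias of `name` (the entry name), not of `data`, so the entry name is supplied twice and no data is given for the write. Use `data: "{{ netbt_nodetype }}"` and `type: dword` in place of `value:`/`datatype:`, which also matches the `name:`/`data:`/`type:` keys the rest of the file uses. The neighbouring 18.3.7 and 18.4.1–18.4.5 tasks use `value:` for the entry name, which works through the alias but reads as if it were the data next to a `data:` line; renaming those to `name:` would remove the ambiguity. The top of this task (`win_regedit:`/`path:`) is outside the hunk.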
@@ -474,10 +410,11 @@
data: 1
type: dword
state: present
- when: rule_18_4_8
+ when:
+ - rule_18_4_8
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.8
- patch
@@ -488,10 +425,11 @@
data: 5
type: string
state: present
- when: rule_18_4_9
+ when:
+ - rule_18_4_9
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.9
- patch
@@ -501,9 +439,11 @@
name: TcpMaxDataRetransmissions
data: 3
type: dword
- when: rule_18_4_10
+ when:
+ - rule_18_4_10
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.4.10
- patch
@@ -513,9 +453,11 @@
name: TcpMaxDataRetransmissions
data: 3
type: dword
- when: rule_18_4_11
+ when:
+ - rule_18_4_11
tags:
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.4.11
- patch
@@ -525,42 +467,27 @@ name: WarningLevel data: 90 type: dword - when: rule_18_4_12 - tags: - - level1 - - level2 - - rule_18.4.12 - - patch - - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_4_12 tags: - - level1 - - level2 - - rule_18.5.4.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 - patch -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" +- name: "SCORED | 18.5.4.1 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast data: 0 type: dword when: - - rule_18_5_4_2 + - rule_18_5_4_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_18.5.4.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.5.4.1 - patch - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" @@ -569,9 +496,11 @@ name: EnableFontProviders data: 0 type: dword - when: rule_18_5_5_1 + when: + - rule_18_5_5_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.5.1 - patch @@ -583,8 +512,8 @@ type: dword when: rule_18_5_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.8.1 - patch @@ -617,9 +546,11 @@ name: ProhibitLLTDIOOnPrivateNet data: 0 type: dword - when: rule_18_5_9_1 + when: + - rule_18_5_9_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.9.1 - patch 
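Review bot: The renumbered 18.5.4.1 multicast name resolution task is tagged `level2-domaincontroller` and `level2-memberserver`, but its own name says "L1" and its `when` excludes the "Primary domain controller" role, so the level does not match the control and the domaincontroller tag selects a task that can never run on a DC. Replace the two tags with a single `- level1-memberserver`, as the commit already does for the other MS-only tasks (18.2.6, 18.3.1, 18.5.21.2). The 18.4.12 task in the same hunk is unaffected.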
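Review bot: The 18.5.8.1 hunk retags the task but leaves `when: rule_18_5_8_1` as a scalar, while every other task touched by this commit is converted to the list form; the inconsistency is harmless today but will trip the next person who adds a second condition. Change it to `when:` followed by `- rule_18_5_8_1` so the file is uniform. The start of that task is outside the hunk.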
@@ -652,9 +583,11 @@
name: ProhibitRspndrOnPrivateNet
data: 0
type: dword
- when: rule_18_5_9_2
+ when:
+ - rule_18_5_9_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.5.9.2
- patch
@@ -664,9 +597,11 @@
name: Disabled
data: 1
type: dword
- when: rule_18_5_10_2
+ when:
+ - rule_18_5_10_2
tags:
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.10.2
- patch
@@ -676,10 +611,11 @@
name: NC_AllowNetBridge_NLA
data: 0
type: dword
- when: rule_18_5_11_2
+ when:
+ - rule_18_5_11_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.11.2
- patch
@@ -689,10 +625,11 @@
name: NC_ShowSharedAccessUI
data: 0
type: dword
- when: rule_18_5_11_3
+ when:
+ - rule_18_5_11_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.11.3
- patch
@@ -702,10 +639,11 @@
name: NC_StdDomainUserSetLocation
data: 1
type: dword
- when: rule_18_5_11_4
+ when:
+ - rule_18_5_11_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.11.4
- patch
@@ -723,10 +661,11 @@
name: "\\\\*\\SYSVOL"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
type: string
- when: rule_18_5_14_1
+ when:
+ - rule_18_5_14_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.14.1
- patch
@@ -736,9 +675,11 @@
name: DisabledComponents
data: 255
type: dword
- when: rule_18_5_19_2_1
+ when:
+ - rule_18_5_19_2_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.5.19.2.1
- patch
@@ -778,9 +719,11 @@
name: DisableWPDRegistrar
data: 0
type: dword
- when: rule_18_5_20_1
+ when:
+ - rule_18_5_20_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.5.20.1
- patch
@@ -790,9 +733,11 @@
name: DisableWcnUi
data: 1
type: dword
- when: rule_18_5_20_2
+ when:
+ - rule_18_5_20_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.5.20.2
- patch
@@ -802,10 +747,11 @@
name: fMinimizeConnections
data: 1
type: dword
- when: rule_18_5_21_1
+ when:
+ - rule_18_5_21_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.21.1
- patch
@@ -819,7 +765,7 @@
- rule_18_5_21_2
- not ansible_windows_domain_role == "Primary domain controller"
tags:
- - level2
+ - level2-memberserver
- rule_18.5.21.2
- patch
@@ -829,9 +775,11 @@
name: NoCloudApplicationNotification
data: 1
type: dword
- when: rule_18_7_1_1
+ when:
+ - rule_18_7_1_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.7.1.1
- patch
@@ -841,10 +789,11 @@
name: ProcessCreationIncludeCmdLine_Enabled
data: 0
type: dword
- when: rule_18_8_3_1
+ when:
+ - rule_18_8_3_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.3.1
- patch
@@ -854,10 +803,11 @@
name: AllowEncryptionOracle
data: 0
type: dword
- when: rule_18_8_4_1
+ when:
+ - rule_18_8_4_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.4.1
- patch
@@ -867,10 +817,11 @@
name: AllowProtectedCreds
data: 1
type: dword
- when: rule_18_8_4_2
+ when:
+ - rule_18_8_4_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.4.2
- patch
@@ -880,8 +831,11 @@
name: EnableVirtualizationBasedSecurity
data: 1
type: dword
- when: rule_18_8_5_1
+ when:
+ - rule_18_8_5_1
tags:
+ - ngws-domaincontroller
+ - ngws-memberserver
- rule_18.8.5.1
- patch
@@ -891,8 +845,11 @@
name: RequirePlatformSecurityFeatures
data: 3
type: dword
- when: rule_18_8_5_2
+ when:
+ - rule_18_8_5_2
tags:
+ - ngws-domaincontroller
+ - ngws-memberserver
- rule_18.8.5.2
- patch
@@ -902,8 +859,11 @@
name: HypervisorEnforcedCodeIntegrity
data: 1
type: dword
- when: rule_18_8_5_3
+ when:
+ - rule_18_8_5_3
tags:
+ - ngws-domaincontroller
+ - ngws-memberserver
- rule_18.8.5.3
- patch
@@ -913,8 +873,11 @@
name: HVCIMATRequired
data: 1
type: dword
- when: rule_18_8_5_4
+ when:
+ - rule_18_8_5_4
tags:
+ - ngws-domaincontroller
+ - ngws-memberserver
- rule_18.8.5.4
- patch
@@ -928,6 +891,7 @@
- rule_18_8_5_5
- not ansible_windows_domain_role == "Primary domain controller"
tags:
+ - ngws-memberserver
- rule_18.8.5.5
- patch
@@ -941,6 +905,7 @@
- rule_18_8_5_6
- ansible_windows_domain_role == "Primary domain controller"
tags:
+ - ngws-domaincontroller
- rule_18.8.5.6
- patch
@@ -950,8 +915,11 @@
name: ConfigureSystemGuardLaunch
data: 1
type: dword
- when: rule_18_8_5_7
+ when:
+ - rule_18_8_5_7
tags:
+ - ngws-domaincontroller
+ - ngws-memberserver
- rule_18.8.5.7
- patch
@@ -961,10 +929,11 @@
name: DriverLoadPolicy
data: 3
type: dword
- when: rule_18_8_14_1
+ when:
+ - rule_18_8_14_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.14.1
- patch
@@ -974,10 +943,11 @@
name: NoBackgroundPolicy
data: 0
type: dword
- when: rule_18_8_21_2
+ when:
+ - rule_18_8_21_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.21.2
- patch
@@ -987,10 +957,11 @@
name: NoGPOListChanges
data: 0
type: dword
- when: rule_18_8_21_3
+ when:
+ - rule_18_8_21_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.21.3
- patch
@@ -1000,10 +971,11 @@
name: EnableCdp
data: 0
type: dword
- when: rule_18_8_21_4
+ when:
+ - rule_18_8_21_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.21.4
- patch
@@ -1012,10 +984,11 @@
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
state: absent
delete_key: yes
- when: rule_18_8_21_5
+ when:
+ - rule_18_8_21_5
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.21.5
- patch
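Review bot: In the 18.8.21.5 hunk the `path:` ends in `\DisableBkGndGroupPolicy`, so with `state: absent` and `delete_key: yes` the task deletes a registry key of that name rather than the `DisableBkGndGroupPolicy` value under `...\Policies\System`, which is what the "background refresh of Group Policy" setting is stored as; unless a `name:` line above the hunk changes this, the value is never removed and the control is silently unmet. The likely fix is `path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System` with `name: DisableBkGndGroupPolicy` and `state: absent`, dropping `delete_key`. While here, write the boolean as `true` rather than `yes` to match the `true`/`false` style used elsewhere in this commit. The start of the task is outside the hunk.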
@@ -1025,10 +998,11 @@
name: DisableWebPnPDownload
data: 1
type: dword
- when: rule_18_8_22_1_1
+ when:
+ - rule_18_8_22_1_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.22.1.1
- patch
@@ -1038,9 +1012,11 @@
name: PreventHandwritingDataSharing
data: 1
type: dword
- when: rule_18_8_22_1_2
+ when:
+ - rule_18_8_22_1_2
tags:
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.22.1.2
- patch
@@ -1050,9 +1026,11 @@
name: PreventHandwritingErrorReports
data: 1
type: dword
- when: rule_18_8_22_1_3
+ when:
+ - rule_18_8_22_1_3
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.3
- patch
@@ -1062,9 +1040,11 @@
name: ExitOnMSICW
data: 1
type: dword
- when: rule_18_8_22_1_4
+ when:
+ - rule_18_8_22_1_4
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.4
- patch
@@ -1074,10 +1054,11 @@
name: NoWebServices
data: 1
type: dword
- when: rule_18_8_22_1_5
+ when:
+ - rule_18_8_22_1_5
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.22.1.5
- patch
@@ -1087,10 +1068,11 @@
name: DisableHTTPPrinting
data: 1
type: dword
- when: rule_18_8_22_1_6
+ when:
+ - rule_18_8_22_1_6
tags:
- - level1
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.6
- patch
@@ -1100,9 +1082,11 @@
name: NoRegistration
data: 1
type: dword
- when: rule_18_8_22_1_7
+ when:
+ - rule_18_8_22_1_7
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.7
- patch
@@ -1112,9 +1096,11 @@
name: DisableContentFileUpdates
data: 1
type: dword
- when: rule_18_8_22_1_8
+ when:
+ - rule_18_8_22_1_8
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.8
- patch
@@ -1124,9 +1110,11 @@
name: NoOnlinePrintsWizard
data: 1
type: dword
- when: rule_18_8_22_1_9
+ when:
+ - rule_18_8_22_1_9
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.9
- patch
@@ -1136,9 +1124,11 @@
name: NoPublishingWizard
data: 1
type: dword
- when: rule_18_8_22_1_10
+ when:
+ - rule_18_8_22_1_10
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.10
- patch
@@ -1148,9 +1138,11 @@
name: CEIP
data: 2
type: dword
- when: rule_18_8_22_1_11
+ when:
+ - rule_18_8_22_1_11
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.11
- patch
@@ -1160,9 +1152,11 @@
name: CEIPEnable
data: 0
type: dword
- when: rule_18_8_22_1_12
+ when:
+ - rule_18_8_22_1_12
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.12
- patch
@@ -1180,9 +1174,11 @@
name: DoReport
data: 0
type: dword
- when: rule_18_8_22_1_13
+ when:
+ - rule_18_8_22_1_13
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.13
- patch
@@ -1200,9 +1196,11 @@
name: DevicePKInitEnabled
data: 1
type: dword
- when: rule_18_8_25_1
+ when:
+ - rule_18_8_25_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.25.1
- patch
@@ -1212,10 +1210,11 @@
name: DeviceEnumerationPolicy
data: 0
type: dword
- when: rule_18_8_26_1
+ when:
+ - rule_18_8_26_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.26.1
- patch
@@ -1225,9 +1224,11 @@
name: BlockUserInputMethodsForSignIn
data: 1
type: dword
- when: rule_18_8_27_1
+ when:
+ - rule_18_8_27_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.27.1
- patch
@@ -1237,10 +1238,11 @@
name: BlockUserFromShowingAccountDetailsOnSignin
data: 1
type: dword
- when: rule_18_8_28_1
+ when:
+ - rule_18_8_28_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.1
- patch
@@ -1250,10 +1252,11 @@
name: DontDisplayNetworkSelectionUI
data: 1
type: dword
- when: rule_18_8_28_2
+ when:
+ - rule_18_8_28_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.2
- patch
@@ -1263,10 +1266,11 @@
name: DontEnumerateConnectedUsers
data: 1
type: dword
- when: rule_18_8_28_3
+ when:
+ - rule_18_8_28_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.3
- patch
@@ -1276,10 +1280,10 @@
name: EnumerateLocalUsers
data: 0
type: dword
- when: rule_18_8_28_4
+ when:
+ - rule_18_8_28_4
tags:
- - level1
- - level2
+ - level1-memberserver
- rule_18.8.28.4
- patch
@@ -1289,10 +1293,11 @@
name: DisableLockScreenAppNotifications
data: 1
type: dword
- when: rule_18_8_28_5
+ when:
+ - rule_18_8_28_5
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.5
- patch
@@ -1302,10 +1307,11 @@
name: BlockDomainPicturePassword
data: 1
type: dword
- when: rule_18_8_28_6
+ when:
+ - rule_18_8_28_6
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.6
- patch
@@ -1315,10 +1321,11 @@
name: AllowDomainPINLogon
data: 0
type: dword
- when: rule_18_8_28_7
+ when:
+ - rule_18_8_28_7
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.28.7
- patch
@@ -1328,9 +1335,11 @@
name: AllowCrossDeviceClipboard
data: 0
type: dword
- when: rule_18_8_31_1
+ when:
+ - rule_18_8_31_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.31.1
- patch
@@ -1340,9 +1349,11 @@
name: UploadUserActivities
data: 0
type: dword
- when: rule_18_8_31_2
+ when:
+ - rule_18_8_31_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.31.2
- patch
@@ -1352,9 +1363,11 @@
name: DCSettingIndex
data: 0
type: dword
- when: rule_18_8_34_6_1
+ when:
+ - rule_18_8_34_6_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.34.6.1
- patch
@@ -1364,9 +1377,11 @@
name: ACSettingIndex
data: 0
type: dword
- when: rule_18_8_34_6_2
+ when:
+ - rule_18_8_34_6_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.34.6.2
- patch
@@ -1376,10 +1391,11 @@
name: DCSettingIndex
data: 1
type: dword
- when: rule_18_8_34_6_3
+ when:
+ - rule_18_8_34_6_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.34.6.3
- patch
@@ -1389,10 +1405,11 @@
name: ACSettingIndex
data: 1
type: dword
- when: rule_18_8_34_6_4
+ when:
+ - rule_18_8_34_6_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.34.6.4
- patch
@@ -1402,10 +1419,11 @@
name: fAllowUnsolicited
data: 0
type: dword
- when: rule_18_8_36_1
+ when:
+ - rule_18_8_36_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.36.1
- patch
@@ -1415,10 +1433,11 @@
name: fAllowToGetHelp
data: 0
type: dword
- when: rule_18_8_36_2
+ when:
+ - rule_18_8_36_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.8.36.2
- patch
@@ -1432,8 +1451,7 @@
- rule_18_8_37_1
- not ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1
- - level2
+ - level1-memberserver
- rule_18.8.37.1
- patch
@@ -1447,70 +1465,78 @@
- rule_18_8_37_2
- not ansible_windows_domain_role == "Primary domain controller"
tags:
- - level2
+ - level2-memberserver
- rule_18.8.37.2
- patch
-- name: "SCORED | 18.8.45.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
+- name: "SCORED | 18.8.47.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
name: DisableQueryRemoteServer
data: 0
type: dword
- when: rule_18_8_45_5_1
+ when:
+ - rule_18_8_47_5_1
tags:
- - level2
- - rule_18.8.45.5.1
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.5.1
- patch
-- name: "SCORED | 18.8.45.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
+- name: "SCORED | 18.8.47.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
name: ScenarioExecutionEnabled
data: 0
type: dword
- when: rule_18_8_45_11_1
+ when:
+ - rule_18_8_47_11_1
tags:
- - level2
- - rule_18.8.45.11.1
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.11.1
- patch
-- name: "SCORED | 18.8.47.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
+- name: "SCORED | 18.8.49.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
name: DisabledByGroupPolicy
data: 1
type: dword
- when: rule_18_8_47_1
+ when:
+ - rule_18_8_49_1
tags:
- - level2
- - rule_18.8.47.1
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.49.1
- patch
-- name: "SCORED | 18.8.50.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
+- name: "SCORED | 18.8.52.1.1 | PATCH | L2 Ensure Enable Windows NTP
Client is set to Enabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
name: Enabled
data: 1
type: dword
- when: rule_18_8_50_1_1
+ when:
+ - rule_18_8_52_1_1
tags:
- - level2
- - rule_18.8.50.1.1
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.52.1.1
- patch
-- name: "SCORED | 18.8.50.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
+- name: "SCORED | 18.8.52.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
name: Enabled
data: 1
type: dword
when:
- - rule_18_8_50_1_2
+ - rule_18_8_52_1_2
- not ansible_windows_domain_role == "Primary domain controller"
tags:
- - level2
- - rule_18.8.50.1.2
+ - level2-memberserver
+ - rule_18.8.52.1.2
- patch
- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
@@ -1519,9 +1545,11 @@
name: AllowSharedLocalAppData
data: 0
type: dword
- when: rule_18_9_4_1
+ when:
+ - rule_18_9_4_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.4.1
- patch
@@ -1531,10 +1559,11 @@
name: MSAOptional
data: 1
type: dword
- when: rule_18_9_6_1
+ when:
+ - rule_18_9_6_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.6.1
- patch
@@ -1544,10 +1573,11 @@
name: NoAutoplayfornonVolume
data: 1
type: dword
- when: rule_18_9_8_1
+ when:
+ - rule_18_9_8_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.8.1
- patch
@@ -1557,10 +1587,11 @@
name: NoAutorun
data: 1
type: dword
- when: rule_18_9_8_2
+ when:
+ - rule_18_9_8_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.8.2
- patch
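Review bot: The renumbered 18.8.52.1.2 task is named "Ensure Enable Windows NTP Server is set to Disabled MS only" but writes `name: Enabled` with `data: 1` under `...\W32Time\Timeproviders\Ntpserver`, which enables the NTP server rather than disabling it; the value appears to have been copied from the 18.8.52.1.1 client task just above, where 1 is correct. Change the server task's line to `data: 0`. The line is context in this hunk, but the commit renames and retags the task, so this is the natural place to correct it.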
@@ -1570,10 +1601,11 @@
name: NoDriveTypeAutoRun
data: 255
type: dword
- when: rule_18_9_8_3
+ when:
+ - rule_18_9_8_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.8.3
- patch
@@ -1583,10 +1615,11 @@
name: EnhancedAntiSpoofing
data: 1
type: dword
- when: rule_18_9_10_1_1
+ when:
+ - rule_18_9_10_1_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.10.1.1
- patch
@@ -1596,9 +1629,11 @@
name: AllowCamera
data: 1
type: dword
- when: rule_18_9_12_1
+ when:
+ - rule_18_9_12_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.12.1
- patch
@@ -1608,10 +1643,11 @@
name: DisableWindowsConsumerFeatures
data: 1
type: dword
- when: rule_18_9_13_1
+ when:
+ - rule_18_9_13_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.13.1
- patch
@@ -1621,10 +1657,11 @@
name: RequirePinForPairing
data: 1
type: dword
- when: rule_18_9_14_1
+ when:
+ - rule_18_9_14_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.14.1
- patch
@@ -1634,10 +1671,11 @@
name: DisablePasswordReveal
data: 1
type: dword
- when: rule_18_9_15_1
+ when:
+ - rule_18_9_15_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.15.1
- patch
@@ -1647,10 +1685,11 @@
name: EnumerateAdministrators
data: 0
type: dword
- when: rule_18_9_15_2
+ when:
+ - rule_18_9_15_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.15.2
- patch
@@ -1660,10 +1699,11 @@
name: AllowTelemetry
data: 0
type: dword
- when: rule_18_9_16_1
+ when:
+ - rule_18_9_16_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.16.1
- patch
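Review bot: The 18.9.12.1 hunk keeps `name: AllowCamera` with `data: 1`; if this task implements the CIS "Allow Camera is set to Disabled" control that the rule number suggests, the expected value is 0 and the task as written permits the camera instead of blocking it. Change the line to `data: 0` (the task name and `path:` are outside the hunk, so confirm against them first). The 18.9.13.1–18.9.16.1 hunks on this line look consistent with their controls.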
@@ -1673,9 +1713,11 @@
name: DisableEnterpriseAuthProxy
data: 0
type: dword
- when: rule_18_9_16_2
+ when:
+ - rule_18_9_16_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.16.2
- patch
@@ -1685,10 +1727,11 @@
name: DoNotShowFeedbackNotifications
data: 1
type: dword
- when: rule_18_9_16_3
+ when:
+ - rule_18_9_16_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.16.3
- patch
@@ -1698,10 +1741,11 @@
name: AllowBuildPreview
data: 0
type: dword
- when: rule_18_9_16_4
+ when:
+ - rule_18_9_16_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.16.4
- patch
@@ -1711,10 +1755,11 @@
name: Retention
data: 0
type: dword
- when: rule_18_9_26_1_1
+ when:
+ - rule_18_9_26_1_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.1.1
- patch
@@ -1724,10 +1769,11 @@
name: MaxSize
data: 65538
type: dword
- when: rule_18_9_26_1_2
+ when:
+ - rule_18_9_26_1_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.1.2
- patch
@@ -1737,10 +1783,11 @@
name: Retention
data: 0
type: string
- when: rule_18_9_26_2_1
+ when:
+ - rule_18_9_26_2_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.2.1
- patch
@@ -1750,10 +1797,11 @@
name: MaxSize
data: 196608
type: dword
- when: rule_18_9_26_2_2
+ when:
+ - rule_18_9_26_2_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.2.2
- patch
@@ -1763,10 +1811,11 @@
name: Retention
data: 0
type: string
- when: rule_18_9_26_3_1
+ when:
+ - rule_18_9_26_3_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.3.1
- patch
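Review bot: The 18.9.16.2 hunk keeps `name: DisableEnterpriseAuthProxy` with `data: 0`; the CIS control this rule number maps to ("Configure Authenticated Proxy usage ... set to Enabled: Disable Authenticated Proxy usage") expects the value 1, and 0 leaves authenticated proxy usage allowed. Change the line to `data: 1`, after checking the task name and `path:` above the hunk. The 18.9.16.3 and 18.9.16.4 values on this line match their controls.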
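Review bot: The 18.9.26.1.1 hunk writes the Application log `Retention` value with `type: dword`, while the sibling 18.9.26.2.1, 18.9.26.3.1 and 18.9.26.4.1 tasks write the same `Retention` value with `type: string`; the Group Policy engine stores this setting as a string, so the Application task is the outlier and will show as a type mismatch against a GPO-managed host. Change it to `type: string` so all four log tasks agree.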
@@ -1776,10 +1825,11 @@
name: MaxSize
data: 32768
type: dword
- when: rule_18_9_26_3_2
+ when:
+ - rule_18_9_26_3_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.3.2
- patch
@@ -1789,10 +1839,11 @@
name: Retention
data: 0
type: string
- when: rule_18_9_26_4_1
+ when:
+ - rule_18_9_26_4_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.4.1
- patch
@@ -1802,10 +1853,11 @@
name: MaxSize
data: 65538
type: dword
- when: rule_18_9_26_4_2
+ when:
+ - rule_18_9_26_4_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.26.4.2
- patch
@@ -1815,10 +1867,11 @@
name: NoDataExecutionPrevention
data: 0
type: dword
- when: rule_18_9_30_2
+ when:
+ - rule_18_9_30_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.30.2
- patch
@@ -1828,10 +1881,11 @@
name: NoHeapTerminationOnCorruption
data: 0
type: dword
- when: rule_18_9_30_3
+ when:
+ - rule_18_9_30_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.30.3
- patch
@@ -1841,10 +1895,11 @@
name: PreXPSP2ShellProtocolBehavior
data: 0
type: dword
- when: rule_18_9_30_4
+ when:
+ - rule_18_9_30_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.30.4
- patch
@@ -1854,9 +1909,11 @@
name: DisableLocation
data: 1
type: dword
- when: rule_18_9_39_2
+ when:
+ - rule_18_9_39_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.39.2
- patch
@@ -1866,9 +1923,11 @@
name: AllowMessageSync
data: 0
type: dword
- when: rule_18_9_43_1
+ when:
+ - rule_18_9_43_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.43.1
- patch
@@ -1878,10 +1937,11 @@
name: DisableUserAuth
data: 1
type: dword
- when: rule_18_9_44_1
+ when:
+ - rule_18_9_44_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.44.1
- patch
@@ -1891,10 +1951,11 @@
name: DisableFileSyncNGSC
data: 1
type: dword
- when: rule_18_9_52_1
+ when:
+ - rule_18_9_52_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.52.1
- patch
@@ -1904,10 +1965,11 @@
name: DisablePasswordSaving
data: 1
type: dword
- when: rule_18_9_59_2_2
+ when:
+ - rule_18_9_59_2_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.2.2
- patch
@@ -1917,9 +1979,11 @@
name: fSingleSessionPerUser
data: 1
type: dword
- when: rule_18_9_59_3_2_1
+ when:
+ - rule_18_9_59_3_2_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.2.1
- patch
@@ -1929,9 +1993,11 @@
name: fDisableCcm
data: 1
type: dword
- when: rule_18_9_59_3_3_1
+ when:
+ - rule_18_9_59_3_3_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.3.1
- patch
@@ -1941,10 +2007,11 @@
name: fDisableCdm
data: 1
type: dword
- when: rule_18_9_59_3_3_2
+ when:
+ - rule_18_9_59_3_3_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.3.2
- patch
@@ -1954,9 +2021,11 @@
name: fDisableLPT
data: 1
type: dword
- when: rule_18_9_59_3_3_3
+ when:
+ - rule_18_9_59_3_3_3
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.3.3
- patch
@@ -1966,9 +2035,11 @@
name: fDisablePNPRedir
data: 1
type: dword
- when: rule_18_9_59_3_3_4
+ when:
+ - rule_18_9_59_3_3_4
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.3.4
- patch
@@ -1978,10 +2049,11 @@
name: fPromptForPassword
data: 1
type: dword
- when: rule_18_9_59_3_9_1
+ when:
+ - rule_18_9_59_3_9_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.9.1
- patch
@@ -1991,10 +2063,11 @@
name: fEncryptRPCTraffic
data: 1
type: dword
- when: rule_18_9_59_3_9_2
+ when:
+ - rule_18_9_59_3_9_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.9.2
- patch
@@ -2004,10 +2077,11 @@
name: SecurityLayer
data: 2
type: dword
- when: rule_18_9_59_3_9_3
+ when:
+ - rule_18_9_59_3_9_3
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.9.3
- patch
@@ -2017,10 +2091,11 @@
name: UserAuthentication
data: 1
type: dword
- when: rule_18_9_59_3_9_4
+ when:
+ - rule_18_9_59_3_9_4
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.9.4
- patch
@@ -2030,10 +2105,11 @@
name: MinEncryptionLevel
data: 3
type: dword
- when: rule_18_9_59_3_9_5
+ when:
+ - rule_18_9_59_3_9_5
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.9.5
- patch
@@ -2043,9 +2119,11 @@
name: MaxIdleTime
data: 3600000
type: dword
- when: rule_18_9_59_3_10_1
+ when:
+ - rule_18_9_59_3_10_1
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.10.1
- patch
@@ -2055,9 +2133,11 @@
name: MaxDisconnectionTime
data: 28800000
type: dword
- when: rule_18_9_59_3_10_2
+ when:
+ - rule_18_9_59_3_10_2
tags:
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.10.2
- patch
@@ -2067,10 +2147,11 @@
name: DeleteTempDirsOnExit
data: 1
type: dword
- when: rule_18_9_59_3_11_1
+ when:
+ - rule_18_9_59_3_11_1
tags:
- - level1
- - level2
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.9.59.3.11.1
- patch
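Review bot: The 18.9.59.3.10.1 hunk sets `MaxIdleTime` to 3600000 (60 minutes) and the following 18.9.59.3.10.2 hunk sets `MaxDisconnectionTime` to 28800000 (8 hours); the CIS controls these rule numbers map to ask for idle sessions to be ended after 15 minutes or less and disconnected sessions after 1 minute, so both values appear to exceed the benchmark's limits. If the role is meant to be benchmark-exact, the lines become `data: 900000` and `data: 60000` respectively; if these are deliberate site relaxations, a comment above each line stating that would save the next reviewer the same question. The task names and `path:` are outside both hunks.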
@@ -2080,10 +2161,11 @@ name: PerSessionTempDir data: 1 type: dword - when: rule_18_9_59_3_11_2 + when: + - rule_18_9_59_3_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.11.2 - patch @@ -2093,10 +2175,11 @@ name: DisableEnclosureDownload data: 1 type: dword - when: rule_18_9_60_1 + when: + - rule_18_9_60_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.60.1 - patch @@ -2106,9 +2189,11 @@ name: AllowCloudSearch data: 0 type: dword - when: rule_18_9_61_2 + when: + - rule_18_9_61_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.61.2 - patch @@ -2118,10 +2203,11 @@ name: AllowIndexingEncryptedStoresOrItems data: 0 type: dword - when: rule_18_9_61_3 + when: + - rule_18_9_61_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.61.3 - patch @@ -2131,9 +2217,11 @@ name: NoGenTicket data: 1 type: dword - when: rule_18_9_66_1 + when: + - rule_18_9_66_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.66.1 - patch @@ -2143,10 +2231,11 @@ name: LocalSettingOverrideSpynetReporting data: 0 type: dword - when: rule_18_9_77_3_1 + when: + - rule_18_9_77_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.3.1 - patch @@ -2156,9 +2245,11 @@ name: SpynetReporting data: 0 type: dword - when: rule_18_9_77_3_2 + when: + - rule_18_9_77_3_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.77.3.2 - patch @@ -2168,10 +2259,11 @@ name: DisableBehaviorMonitoring data: 0 type: dword - when: rule_18_9_77_7_1 + when: + - rule_18_9_77_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.7.1 - patch 
@@ -2181,9 +2273,11 @@ name: DisableGenericRePorts data: 1 type: dword - when: rule_18_9_77_9_1 + when: + - rule_18_9_77_9_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.77.9.1 - patch @@ -2193,10 +2287,11 @@ name: DisableRemovableDriveScanning data: 0 type: dword - when: rule_18_9_77_10_1 + when: + - rule_18_9_77_10_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.10.1 - patch @@ -2206,10 +2301,11 @@ name: DisableEmailScanning data: 0 type: dword - when: rule_18_9_77_10_2 + when: + - rule_18_9_77_10_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.10.2 - patch @@ -2219,10 +2315,11 @@ name: ExploitGuard_ASR_Rules data: 1 type: dword - when: rule_18_9_77_13_1_1 + when: + - rule_18_9_77_13_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.1.1 - patch @@ -2244,10 +2341,11 @@ - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - d3e037e1-3eb8-44c8-a917-57927947596d - d4f940ab-401b-4efc-aadc-ad5f3c50688a - when: rule_18_9_77_13_1_2 + when: + - rule_18_9_77_13_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.1.2 - patch @@ -2257,10 +2355,11 @@ name: ExploitGuard_ASR_Rules data: 1 type: dword - when: rule_18_9_77_13_3_1 + when: + - rule_18_9_77_13_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.3.1 - patch @@ -2270,10 +2369,11 @@ name: PUAProtection data: 1 type: dword - when: rule_18_9_77_14 + when: + - rule_18_9_77_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.14 - patch @@ -2283,10 +2383,11 @@ name: DisableAntiSpyware data: 0 type: dword - when: rule_18_9_77_15 + when: + - rule_18_9_77_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.15 - patch 
@@ -2298,16 +2399,18 @@ name: EnableSmartScreen data: 1 type: dword + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel data: Block type: string - when: rule_18_9_80_1_1 + when: + - rule_18_9_80_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.80.1.1 - patch @@ -2317,9 +2420,11 @@ name: AllowSuggestedAppsInWindowsInkWorkspace data: 0 type: dword - when: rule_18_9_84_1 + when: + - rule_18_9_84_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.84.1 - patch @@ -2329,10 +2434,11 @@ name: AllowWindowsInkWorkspace data: 1 type: dword - when: rule_18_9_84_2 + when: + - rule_18_9_84_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.84.2 - patch @@ -2342,10 +2448,11 @@ name: EnableUserControl data: 0 type: dword - when: rule_18_9_85_1 + when: + - rule_18_9_85_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.1 - patch @@ -2355,10 +2462,11 @@ name: AlwaysInstallElevated data: 0 type: dword - when: rule_18_9_85_2 + when: + - rule_18_9_85_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.2 - patch @@ -2368,9 +2476,11 @@ name: SafeForScripting data: 0 type: dword - when: rule_18_9_85_3 + when: + - rule_18_9_85_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.85.3 - patch @@ -2380,10 +2490,11 @@ name: DisableAutomaticRestartSignOn data: 1 type: dword - when: rule_18_9_86_1 + when: + - rule_18_9_86_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.86.1 - patch 
@@ -2393,10 +2504,11 @@ name: EnableScriptBlockLogging data: 1 type: dword - when: rule_18_9_95_1 + when: + - rule_18_9_95_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.1 - patch @@ -2406,10 +2518,11 @@ name: EnableTranscripting data: 1 type: dword - when: rule_18_9_95_2 + when: + - rule_18_9_95_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.2 - patch @@ -2423,8 +2536,8 @@ - rule_18_9_97_1_1 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.1 - patch @@ -2438,8 +2551,8 @@ - rule_18_9_97_1_2 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.2 - patch @@ -2451,8 +2564,8 @@ type: dword when: rule_18_9_97_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.3 - patch @@ -2466,8 +2579,8 @@ - rule_18_9_97_2_1 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.1 - patch @@ -2482,7 +2595,8 @@ - rule_18_9_97_2_2 - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.97.2.2 - patch @@ -2496,8 +2610,8 @@ - rule_18_9_97_2_3 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.3 - patch @@ -2507,10 +2621,11 @@ name: DisableRunAs data: 1 type: dword - when: rule_18_9_97_2_4 + when: + - rule_18_9_97_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.4 - patch @@ -2525,7 +2640,8 @@ - rule_18_9_98_1 - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.98.1 - patch 
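Review bot: The rule_18_9_97_1_3 hunk (`@@ -2451,8 +2564,8 @@`) leaves `when: rule_18_9_97_1_3` as a bare scalar while the commit converts every other `when:` in the file to list form, so the file ends up with mixed styles. The neighbouring 18.9.97.x tasks in this commit also carry `- not win_skip_for_test` in their conditions and this one does not; if that omission is unintentional it should be added at the same time. Suggested form: `when:` / `  - rule_18_9_97_1_3` (plus `  - not win_skip_for_test` if it applies). The task header is outside the hunk.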
@@ -2535,10 +2651,11 @@ name: DisallowExploitProtectionOverride data: 1 type: dword - when: rule_18_9_99_2_1 + when: + - rule_18_9_99_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.99.2.1 - patch @@ -2550,16 +2667,18 @@ name: ManagePreviewBuilds data: 1 type: dword + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword - when: rule_18_9_102_1_1 + when: + - rule_18_9_102_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.1 - patch @@ -2571,22 +2690,25 @@ name: DeferFeatureUpdates data: 1 type: dword + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel data: 16 type: dword - when: rule_18_9_102_1_2 + when: + - rule_18_9_102_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.2 - patch 
@@ -2598,16 +2720,18 @@ name: DeferQualityUpdates data: 1 type: dword + - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword - when: rule_18_9_102_1_3 + when: + - rule_18_9_102_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.3 - patch @@ -2617,10 +2741,11 @@ name: NoAutoUpdate data: 0 type: dword - when: rule_18_9_102_2 + when: + - rule_18_9_102_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.2 - patch @@ -2630,10 +2755,11 @@ name: ScheduledInstallDay data: 0 type: dword - when: rule_18_9_102_3 + when: + - rule_18_9_102_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.3 - patch @@ -2643,10 +2769,11 @@ name: NoAutoRebootWithLoggedOnUsers data: 0 type: dword - when: rule_18_9_102_4 + when: + - rule_18_9_102_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.4 - patch From ca90fb11a8776b2f9195eee1eab4335f8e63b47d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 31 Mar 2021 13:59:29 -0400 Subject: [PATCH 08/12] Finished section 18 tags and formatting Signed-off-by: George Nalen --- tasks/section19.yml | 117 ++++++++++++++++++++++++++++---------------- 1 file changed, 75 insertions(+), 42 deletions(-) diff --git a/tasks/section19.yml b/tasks/section19.yml index ca42ed1..e564c5d 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
@@ -7,16 +7,18 @@ name: ScreenSaveActive data: 1 type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - when: rule_19_1_3_1 + when: + - rule_19_1_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.1 - patch @@ -28,16 +30,18 @@ name: SCRNSAVE.EXE data: scrnsave.scr type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE data: scrnsave.scr type: string - when: rule_19_1_3_2 + when: + - rule_19_1_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.2 - patch @@ -49,16 +53,18 @@ name: ScreenSaverIsSecure data: 1 type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - when: rule_19_1_3_3 + when: + - rule_19_1_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.3 - patch @@ -70,16 +76,18 @@ name: ScreenSaveTimeOut data: 900 type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - when: rule_19_1_3_4 + when: + - rule_19_1_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.4 - patch 
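Review bot: The second task in each 19.x block writes under `HKCU:\...` with win_regedit (visible in the `@@ -7,16 +7,18 @@` hunk and the three that follow on this line); HKCU is the hive of the account the task runs as, so the value only lands for that connecting user unless the block's first task — whose `path:` is outside the hunk — writes it to the default user hive or each loaded profile. Worth a comment on the block, e.g. `# HKCU write covers only the connecting account; the task above handles other profiles`, or a check that this is the intent. The same shape repeats in every section19 hunk on the following lines.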
@@ -91,16 +99,18 @@ name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - when: rule_19_5_1_1 + when: + - rule_19_5_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.5.1.1 - patch @@ -112,15 +122,18 @@ name: NoImplicitFeedback data: 1 type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - when: rule_19_6_6_1_1 + when: + - rule_19_6_6_1_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.6.6.1.1 - patch @@ -132,16 +145,18 @@ name: SaveZoneInformation data: 3 type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 3 type: dword - when: rule_19_7_4_1 + when: + - rule_19_7_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.1 - patch @@ -153,16 +168,18 @@ name: ScanWithAntiVirus data: 3 type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - when: rule_19_7_4_2 + when: + - rule_19_7_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.2 - patch 
@@ -174,16 +191,18 @@ name: ConfigureWindowsSpotlight data: 2 type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - when: rule_19_7_7_1 + when: + - rule_19_7_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.1 - patch @@ -195,16 +214,18 @@ name: DisableThirdPartySuggestions data: 1 type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - when: rule_19_7_7_2 + when: + - rule_19_7_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.2 - patch @@ -216,15 +237,18 @@ name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - when: rule_19_7_7_3 + when: + - rule_19_7_7_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.3 - patch @@ -236,15 +260,18 @@ name: DisableWindowsSpotlightFeatures data: 1 type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - when: rule_19_7_7_4 + when: + - rule_19_7_7_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.4 - patch 
@@ -256,16 +283,18 @@ name: NoInplaceSharing data: 1 type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - when: rule_19_7_26_1 + when: + - rule_19_7_26_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.26.1 - patch @@ -277,16 +306,18 @@ name: AlwaysInstallElevated data: 0 type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - when: rule_19_7_41_1 + when: + - rule_19_7_41_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.41.1 - patch @@ -298,15 +329,17 @@ name: PreventCodecDownload data: 1 type: dword + - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - when: rule_19_7_45_2_1 + when: + - rule_19_7_45_2_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.45.2.1 - patch - From 27778041ceefa70d563d0496e910e9b659546a43 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 31 Mar 2021 14:14:05 -0400 Subject: [PATCH 09/12] Updated some more minor formatting in section 01 and 02 Signed-off-by: George Nalen --- tasks/section01.yml | 55 +++++----- tasks/section02.yml | 246 +++++++++++++++++++++++++++++--------------- 2 files changed, 195 insertions(+), 106 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index 74c21e8..8ea7d90 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
@@ -1,79 +1,82 @@ --- -- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" +- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" block: - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" assert: that: passwordhistorysize | int is version('24', '>=') fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" win_security_policy: section: System Access key: PasswordHistorySize value: "{{ passwordhistorysize }}" - when: rule_1_1_1 + when: + - rule_1_1_1 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.1 - patch -- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" +- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" block: - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" assert: that: maximumpasswordage | int is version('60', '<=') fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" win_security_policy: section: System Access key: MaximumPasswordAge value: "{{ maximumpasswordage }}" - when: rule_1_1_2 + when: + - rule_1_1_2 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.2 - patch -- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" +- 
name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" block: - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" assert: that: minimumpasswordage is version('1', '>=') fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" win_security_policy: section: System Access key: MinimumPasswordAge value: "{{ minimumpasswordage }}" - when: rule_1_1_3 + when: + - rule_1_1_3 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.3 - patch -- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" +- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" block: - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" assert: that: minimumpasswordlength is version('14', '>=') fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" win_security_policy: @@ -92,7 +95,8 @@ section: System Access key: PasswordComplexity value: 1 - when: rule_1_1_5 + when: + - rule_1_1_5 tags: - level1-domaincontroller - level1-memberserver @@ -104,7 +108,8 @@ section: System Access key: ClearTextPassword value: "0" - when: rule_1_1_6 + when: + - rule_1_1_6 tags: - level1-domaincontroller - level1-memberserver 
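Review bot: In the 1.1.x blocks the `assert` task still carries `ignore_errors: true` (re-ordered but kept by this hunk), so when a supplied value fails the check — say `passwordhistorysize` below 24 — the following `win_security_policy` task applies the out-of-policy value anyway and the play reports success. If the assert is meant to guard the change, gate the patch task on it, e.g. `when: result is succeeded`; if it is meant as a warning only, a comment saying so would keep the next reader from relying on it. Separately, 1.1.3's check `minimumpasswordage is version('1', '>=')` lacks the `| int` filter its siblings use, and 1.1.2's check does not enforce the "but not 0" part of its title. Both remain context lines here, but the commit touches the surrounding lines.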
@@ -117,9 +122,9 @@ assert: that: lockoutduration | int is version('15', '<=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: @@ -141,29 +146,31 @@ section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" - when: rule_1_2_2 + when: + - rule_1_2_2 tags: - level1-domaincontroller - level1-memberserver - rule_1.2.2 - patch -- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" +- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" block: - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" assert: that: resetlockoutcount | int is version('15', '>=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" + changed_when: false + ignore_errors: true register: result - changed_when: no - ignore_errors: yes - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" win_security_policy: section: System Access key: ResetLockoutCount value: "{{ resetlockoutcount }}" - when: rule_1_2_3 + when: + - rule_1_2_3 tags: - level1-domaincontroller - level1-memberserver diff --git a/tasks/section02.yml b/tasks/section02.yml index ce1289f..66f112e 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -4,7 +4,8 @@ name: SeTrustedCredManAccessPrivilege users: [] action: set - when: rule_2_2_1 + when: + - rule_2_2_1 tags: - level1-domaincontroller - level1-memberserver 
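Review bot: The 1.2.1 assert in `@@ -117,9 +122,9 @@` checks `lockoutduration | int is version('15', '<=')`, but the patch task immediately below is titled "Ensure Account lockout duration is set to 15 or more minutes", so the operator appears inverted — a value of 5 passes and a compliant 30 fails. Its `fail_msg` also repeats the 1.2.3 wording about the bad logon counter being reset rather than describing lockout duration. Suggested lines: `that: lockoutduration | int is version('15', '>=')` and a fail_msg along the lines of "Account lockout duration must be 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}". These are context lines the commit reorders around; the block's name is outside the hunk.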
@@ -32,7 +33,8 @@ name: SeTcbPrivilege users: [] action: set - when: rule_2_2_4 + when: + - rule_2_2_4 tags: - level1-domaincontroller - level1-memberserver @@ -60,7 +62,8 @@ - Local Service - Network Service action: set - when: rule_2_2_6 + when: + - rule_2_2_6 tags: - level1-domaincontroller - level1-memberserver @@ -73,7 +76,8 @@ users: - Administrators action: set - when: rule_2_2_7 + when: + - rule_2_2_7 tags: - level1-domaincontroller - level1-memberserver @@ -102,7 +106,8 @@ users: - Administrators action: set - when: rule_2_2_10 + when: + - rule_2_2_10 tags: - level1-domaincontroller - level1-memberserver @@ -116,7 +121,8 @@ - Administrators - Local Service action: set - when: rule_2_2_11 + when: + - rule_2_2_11 tags: - level1-domaincontroller - level1-memberserver @@ -130,7 +136,8 @@ - Administrators - Local Service action: set - when: rule_2_2_12 + when: + - rule_2_2_12 tags: - level1-domaincontroller - level1-memberserver @@ -143,7 +150,8 @@ users: - Administrators action: set - when: rule_2_2_13 + when: + - rule_2_2_13 tags: - level1-domaincontroller - level1-memberserver @@ -155,7 +163,8 @@ name: SeCreateTokenPrivilege users: [] action: set - when: rule_2_2_14 + when: + - rule_2_2_14 tags: - level1-domaincontroller - level1-memberserver @@ -171,7 +180,8 @@ - Network Service - Service action: set - when: rule_2_2_15 + when: + - rule_2_2_15 tags: - level1-domaincontroller - level1-memberserver @@ -183,7 +193,8 @@ name: SeCreatePermanentPrivilege users: [] action: set - when: rule_2_2_16 + when: + - rule_2_2_16 tags: - level1-domaincontroller - level1-memberserver @@ -225,7 +236,8 @@ users: - Administrators action: set - when: rule_2_2_19 + when: + - rule_2_2_19 tags: - level1-domaincontroller - level1-memberserver @@ -269,7 +281,8 @@ users: - Guests action: set - when: rule_2_2_22 + when: + - rule_2_2_22 tags: - level1-domaincontroller - level1-memberserver 
@@ -282,7 +295,8 @@ users: - Guests action: set - when: rule_2_2_23 + when: + - rule_2_2_23 tags: - level1-domaincontroller - level1-memberserver @@ -295,7 +309,8 @@ users: - Guests action: set - when: rule_2_2_24 + when: + - srule_2_2_24 tags: - level1-domaincontroller - level1-memberserver @@ -364,7 +379,8 @@ users: - Administrators action: set - when: rule_2_2_29 + when: + - rule_2_2_29 tags: - level1-domaincontroller - level1-memberserver @@ -378,7 +394,8 @@ - Local Service - Network Service action: set - when: rule_2_2_30 + when: + - rule_2_2_30 tags: - level1-domaincontroller - level1-memberserver @@ -427,7 +444,8 @@ - Administrators - Window Manager\Window Manager Group action: set - when: rule_2_2_33 + when: + - rule_2_2_33 tags: - level1-domaincontroller - level1-memberserver @@ -440,7 +458,8 @@ users: - Administrators action: set - when: rule_2_2_34 + when: + - rule_2_2_34 tags: - level1-domaincontroller - level1-memberserver @@ -452,7 +471,8 @@ name: SeLockMemoryPrivilege users: [] action: set - when: rule_2_2_35 + when: + - rule_2_2_35 tags: - level1-domaincontroller - level1-memberserver @@ -492,7 +512,8 @@ name: SeReLabelPrivilege users: [] action: set - when: rule_2_2_39 + when: + - rule_2_2_39 tags: - level1-domaincontroller - level1-memberserver @@ -505,7 +526,8 @@ users: - Administrators action: set - when: rule_2_2_40 + when: + - rule_2_2_40 tags: - level1-domaincontroller - level1-memberserver @@ -518,7 +540,8 @@ users: - Administrators action: set - when: rule_2_2_41 + when: + - rule_2_2_41 tags: - level1-domaincontroller - level1-memberserver @@ -531,7 +554,8 @@ users: - Administrators action: set - when: rule_2_2_42 + when: + - rule_2_2_42 tags: - level1-domaincontroller - level1-memberserver @@ -545,7 +569,8 @@ - Administrators - NT SERVICE\WdiServiceHost action: set - when: rule_2_2_43 + when: + - rule_2_2_43 tags: - level1-domaincontroller - level1-memberserver 
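Review bot: The new condition for the 2.2.24 task reads `- srule_2_2_24` instead of `- rule_2_2_24` (hunk `@@ -295,7 +309,8 @@`); `srule_2_2_24` is not a defined variable, so Ansible will fail the task with an undefined-conditional error rather than applying the `Guests` assignment, and the control is never enforced. The fix is the one-character change `- rule_2_2_24`. Since this commit rewrites every `when:` in the file by hand, cross-checking the new `rule_*` names against the keys in defaults/main.yml would catch similar slips before merge.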
@@ -559,7 +584,8 @@ - LOCAL SERVICE - NETWORK SERVICE action: set - when: rule_2_2_44 + when: + - rule_2_2_44 tags: - level1-domaincontroller - level1-memberserver @@ -572,7 +598,8 @@ users: - Administrators action: set - when: rule_2_2_45 + when: + - rule_2_2_45 tags: - level1-domaincontroller - level1-memberserver @@ -585,7 +612,8 @@ users: - Administrators action: set - when: rule_2_2_46 + when: + - rule_2_2_46 tags: - level1-domaincontroller - level1-memberserver @@ -611,7 +639,8 @@ users: - Administrators action: set - when: rule_2_2_48 + when: + - rule_2_2_48 tags: - level1-domaincontroller - level1-memberserver @@ -637,7 +666,8 @@ name: NoConnectedUser data: 3 type: dword - when: rule_2_3_1_2 + when: + - rule_2_3_1_2 tags: - level1-domaincontroller - level1-memberserver @@ -649,7 +679,8 @@ section: System Access key: EnableGuestAccount value: 0 - when: rule_2_3_1_3 + when: + - rule_2_3_1_3 tags: - level1-memberserver - rule_2.3.1.3 @@ -661,7 +692,8 @@ name: LimitBlankPasswordUse data: 1 type: dword - when: rule_2_3_1_4 + when: + - rule_2_3_1_4 tags: - level1-domaincontroller - level1-memberserver @@ -687,7 +719,8 @@ section: System Access key: NewGuestName value: BobCooper - when: rule_2_3_1_6 + when: + - rule_2_3_1_6 tags: - level1-domaincontroller - level1-memberservers @@ -700,7 +733,8 @@ name: SCENoApplyLegacyAuditPolicy data: 1 type: dword - when: rule_2_3_2_1 + when: + - rule_2_3_2_1 tags: - level1-domaincontroller - level1-memberserver @@ -713,7 +747,8 @@ name: CrashOnAuditFail data: 0 type: dword - when: rule_2_3_2_2 + when: + - rule_2_3_2_2 tags: - level1-domaincontroller - level1-memberserver @@ -726,7 +761,8 @@ name: AllocateDASD data: 0 type: string - when: rule_2_3_4_1 + when: + - rule_2_3_4_1 tags: - level1-domaincontroller - level1-memberserver @@ -739,7 +775,8 @@ name: AddPrinterDrivers data: 1 type: dword - when: rule_2_3_4_2 + when: + - rule_2_3_4_2 tags: - level1-domaincontroller - level1-memberserver 
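Review bot: The rule_2_3_1_6 task (`@@ -687,7 +719,8 @@`) is tagged `level1-memberservers` (trailing s), so a run filtered with `--tags level1-memberserver` skips the guest-account rename while every other task in the file matches; the line is context here, but the commit touches the `when:` right above it. It should read `- level1-memberserver`. The same hunk also shows the new guest name hard-coded as `value: BobCooper` where nearby tasks such as 2.3.7.4 and 2.3.7.5 take their values from variables; exposing it as a variable would let deployments choose their own name, if that is not already handled elsewhere in the role.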
@@ -884,7 +921,8 @@ name: DisableCAD data: 0 type: dword - when: rule_2_3_7_1 + when: + - rule_2_3_7_1 tags: - level1-domaincontroller - level1-memberserver @@ -897,7 +935,8 @@ name: DontDisplayLastUserName data: 1 type: dword - when: rule_2_3_7_2 + when: + - rule_2_3_7_2 tags: - level1-domaincontroller - level1-memberserver @@ -910,7 +949,8 @@ name: InactivityTimeoutSecs data: 900 type: dword - when: rule_2_3_7_3 + when: + - rule_2_3_7_3 tags: - level1-domaincontroller - level1-memberserver @@ -923,7 +963,8 @@ name: LegalNoticeText data: "{{ legalnoticetext }}" type: string - when: rule_2_3_7_4 + when: + - rule_2_3_7_4 tags: - level1-domaincontroller - level1-memberserver @@ -936,7 +977,8 @@ name: LegalNoticeCaption data: "{{ legalnoticecaption }}" type: string - when: rule_2_3_7_5 + when: + - rule_2_3_7_5 tags: - level1-domaincontroller - level1-memberserver @@ -949,7 +991,8 @@ name: cachedlogonscount data: 1 type: string - when: rule_2_3_7_6 + when: + - rule_2_3_7_6 tags: - level2-memberserver - rule_2.3.7.6 @@ -961,7 +1004,8 @@ name: PasswordExpiryWarning data: 14 type: dword - when: rule_2_3_7_7 + when: + - rule_2_3_7_7 tags: - level1-domaincontroller - level1-memberserver @@ -988,7 +1032,8 @@ name: scremoveoption data: 1 type: string - when: rule_2_3_7_9 + when: + - rule_2_3_7_9 tags: - level1-domaincontroller - level1-memberserver @@ -1001,7 +1046,8 @@ name: RequireSecuritySignature data: 1 type: dword - when: rule_2_3_8_1 + when: + - rule_2_3_8_1 tags: - level1-domaincontroller - level1-memberserver @@ -1014,7 +1060,8 @@ name: EnableSecuritySignature data: 1 type: dword - when: rule_2_3_8_2 + when: + - rule_2_3_8_2 tags: - level1-domaincontroller - level1-memberserver @@ -1027,7 +1074,8 @@ name: EnablePlainTextPassword data: 0 type: dword - when: rule_2_3_8_3 + when: + - rule_2_3_8_3 tags: - level1-domaincontroller - level1-memberserver 
@@ -1040,7 +1088,8 @@ name: autodisconnect data: 15 type: dword - when: rule_2_3_9_1 + when: + - rule_2_3_9_1 tags: - level1-domaincontroller - level1-memberserver @@ -1053,7 +1102,8 @@ name: requiresecuritysignature data: 1 type: dword - when: rule_2_3_9_2 + when: + - rule_2_3_9_2 tags: - level1-domaincontroller - level1-memberserver @@ -1066,7 +1116,8 @@ name: enablesecuritysignature data: 1 type: dword - when: rule_2_3_9_3 + when: + - rule_2_3_9_3 tags: - level1-domaincontroller - level1-memberserver @@ -1079,7 +1130,8 @@ name: enableforcedlogoff data: 1 type: dword - when: rule_2_3_9_4 + when: + - rule_2_3_9_4 tags: - level1-domaincontroller - level1-memberserver @@ -1105,7 +1157,8 @@ section: System Access key: LSAAnonymousNameLookup value: 0 - when: rule_2_3_10_1 + when: + - rule_2_3_10_1 tags: - level1-domaincontroller - level1-memberserver @@ -1146,7 +1199,8 @@ name: DisableDomainCreds data: 1 type: dword - when: rule_2_3_10_4 + when: + - rule_2_3_10_4 tags: - level2-domaincontroller - level2-memberserver @@ -1159,7 +1213,8 @@ name: EveryoneIncludesAnonymous data: 0 type: dword - when: rule_2_3_10_5 + when: + - rule_2_3_10_5 tags: - level1-domaincontroller - level1-memberserver @@ -1200,7 +1255,8 @@ name: "Machine" data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] type: multistring - when: rule_2_3_10_8 + when: + - rule_2_3_10_8 tags: - level1-domaincontroller - level1-memberserver 
@@ -1213,7 +1269,8 @@
 name: "Machine"
 data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
 type: multistring
- when: rule_2_3_10_9
+ when:
+ - rule_2_3_10_9
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1226,7 +1283,8 @@
 name: RestrictNullSessAccess
 data: 1
 type: dword
- when: rule_2_3_10_10
+ when:
+ - rule_2_3_10_10
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1239,7 +1297,8 @@
 name: RestrictRemoteSAM
 data: "O:BAG:BAD:(A;;RC;;;BA)"
 type: string
- when: rule_2_3_10_11
+ when:
+ - rule_2_3_10_11
 tags:
 - level1-memberserver
 - rule_2.3.10.11
@@ -1251,7 +1310,8 @@
 name: NullSessionShares
 data: ""
 type: multistring
- when: rule_2_3_10_12
+ when:
+ - rule_2_3_10_12
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1264,7 +1324,8 @@
 name: ForceGuest
 data: 0
 type: dword
- when: rule_2_3_10_13
+ when:
+ - rule_2_3_10_13
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1277,7 +1338,8 @@
 name: UseMachineId
 data: 1
 type: dword
- when: rule_2_3_11_1
+ when:
+ - rule_2_3_11_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1290,7 +1352,8 @@
 name: allownullsessionfallback
 data: 0
 type: dword
- when: rule_2_3_11_2
+ when:
+ - rule_2_3_11_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1303,7 +1366,8 @@
 name: AllowOnlineID
 data: 0
 type: dword
- when: rule_2_3_11_3
+ when:
+ - rule_2_3_11_3
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1316,7 +1380,8 @@
 name: SupportedEncryptionTypes
 data: 2147483644
 type: dword
- when: rule_2_3_11_4
+ when:
+ - rule_2_3_11_4
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1329,7 +1394,8 @@
 name: NoLMHash
 data: 1
 type: dword
- when: rule_2_3_11_5
+ when:
+ - rule_2_3_11_5
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1342,7 +1408,8 @@
 name: EnableForcedLogOff
 data: 1
 type: dword
- when: rule_2_3_11_6
+ when:
+ - rule_2_3_11_6
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1355,7 +1422,8 @@
 name: LMCompatibilityLevel
 data: 5
 type: dword
- when: rule_2_3_11_7
+ when:
+ - rule_2_3_11_7
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1368,7 +1436,8 @@
 name: LDAPClientIntegrity
 data: 1
 type: dword
- when: rule_2_3_11_8
+ when:
+ - rule_2_3_11_8
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1381,7 +1450,8 @@
 name: NTLMMinClientSec
 data: 537395200
 type: dword
- when: rule_2_3_11_9
+ when:
+ - rule_2_3_11_9
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1394,7 +1464,8 @@
 name: NTLMMinServerSec
 data: 537395200
 type: dword
- when: rule_2_3_11_10
+ when:
+ - rule_2_3_11_10
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1407,7 +1478,8 @@
 name: ShutdownWithoutLogon
 data: 0
 type: dword
- when: rule_2_3_13_1
+ when:
+ - rule_2_3_13_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1420,7 +1492,8 @@
 name: ObCaseInsensitive
 data: 1
 type: dword
- when: rule_2_3_15_1
+ when:
+ - rule_2_3_15_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1433,7 +1506,8 @@
 name: ProtectionMode
 data: 1
 type: dword
- when: rule_2_3_15_2
+ when:
+ - rule_2_3_15_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1446,7 +1520,8 @@
 name: FilterAdministratorToken
 data: 1
 type: dword
- when: rule_2_3_17_1
+ when:
+ - rule_2_3_17_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1459,7 +1534,8 @@
 name: ConsentPromptBehaviorAdmin
 data: 2
 type: dword
- when: rule_2_3_17_2
+ when:
+ - rule_2_3_17_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1472,7 +1548,8 @@
 name: ConsentPromptBehaviorUser
 data: 0
 type: dword
- when: rule_2_3_17_3
+ when:
+ - rule_2_3_17_3
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1485,7 +1562,8 @@
 name: EnableInstallerDetection
 data: 1
 type: dword
- when: rule_2_3_17_4
+ when:
+ - rule_2_3_17_4
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1498,7 +1576,8 @@
 name: EnableSecureUIAPaths
 data: 1
 type: dword
- when: rule_2_3_17_5
+ when:
+ - rule_2_3_17_5
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1511,7 +1590,8 @@
 name: EnableLUA
 data: 1
 type: dword
- when: rule_2_3_17_6
+ when:
+ - rule_2_3_17_6
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1524,7 +1604,8 @@
 name: PromptOnSecureDesktop
 data: 1
 type: dword
- when: rule_2_3_17_7
+ when:
+ - rule_2_3_17_7
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -1537,7 +1618,8 @@
 name: EnableVirtualization
 data: 1
 type: dword
- when: rule_2_3_17_8
+ when:
+ - rule_2_3_17_8
 tags:
 - level1-domaincontroller
 - level1-memberserver
From 0057d219e787fc1ecf5ea5bc8d14319d14955d86 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 31 Mar 2021 14:57:24 -0400
Subject: [PATCH 10/12] minor fixes to get role running again
Signed-off-by: George Nalen
---
 defaults/main.yml | 1 +
 tasks/section02.yml | 2 +-
 tasks/section17.yml | 22 ++++++++++------------
 3 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index a7203c5..8382e3e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -291,6 +291,7 @@ rule_18_5_21_2: true
 rule_18_7_1_1: true
 rule_18_8_3_1: true
 rule_18_8_4_1: true
+rule_18_8_4_2: true
 rule_18_8_5_1: true
 rule_18_8_5_2: true
 rule_18_8_5_3: true
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 66f112e..7461587 100644
--- a/tasks/section02.yml
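Review bot: `rule_18_8_4_2: true` is added to defaults/main.yml, but this commit's diffstat lists only defaults/main.yml, tasks/section02.yml and tasks/section17.yml, so no task gated on the new toggle is added here. If a task in tasks/section18.yml from an earlier patch in the series already references `rule_18_8_4_2`, this just closes an undefined-variable gap; if not, it is a toggle that enables nothing and will mislead anyone auditing which controls the role actually applies. Worth confirming with a grep of tasks/ before merging.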
+++ b/tasks/section02.yml
@@ -310,7 +310,7 @@
 - Guests
 action: set
 when:
- - srule_2_2_24
+ - rule_2_2_24
 tags:
 - level1-domaincontroller
 - level1-memberserver
diff --git a/tasks/section17.yml b/tasks/section17.yml
index d95e21b..634788d 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -166,8 +166,6 @@
 when: "'Success' not in rule_17_2_5_audit.stdout"
 when:
 - rule_17_2_5
- - rule_17_2_5_audit is defined
- - "'Success' not in rule_17_2_5_audit.stdout"
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -300,7 +298,7 @@
 - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
- when: "'Success' not in wn19_au_000170_audit.stdout"
+ when: "'Success' not in rule_17_5_2_audit.stdout"
 when:
 - rule_17_5_2
 tags:
@@ -482,7 +480,7 @@
 block:
 - name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- changed_when: fa
+ changed_when: false
 failed_when: false
 register: rule_17_7_2_audit
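Review bot: Dropping `rule_17_2_5_audit is defined` and the stdout check from the block-level `when` is the right fix, and deserves a comment so it is not reintroduced, e.g. `# block-level when must not reference rule_17_2_5_audit: it is registered by a task inside this block`; a block's `when` is inherited by every task in it, including the audit task that registers the variable, so under the old condition the audit task was skipped and the variable never existed. The audit task itself is outside this hunk, so that reading is inferred from the surviving task-level `when: "'Success' not in rule_17_2_5_audit.stdout"`. After this change the block is gated only on `rule_17_2_5`, matching the 17.5.2 and 17.9.5 blocks touched in this commit. One consequence worth knowing: if the 17.2.5 audit task carries `failed_when: false` like the 17.7.2 one in this diff, a failed AuditPol /get leaves stdout without 'Success', so the /set runs and reports changed on every run instead of surfacing the audit failure.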
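Review bot: The replaced register name `wn19_au_000170_audit` follows a different naming scheme from the `rule_<n>_audit` registers used elsewhere in this file, which looks like a leftover from an earlier naming pass rather than a one-off typo. A stale name like this only fails at runtime, when `rule_17_5_2` is true and the task-level `when` is evaluated, so a `grep -rn 'wn19_' tasks/` before merging would confirm no sibling task still carries one. The audit task that registers `rule_17_5_2_audit` sits outside this hunk, so the new name is assumed to match it.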
@@ -673,15 +671,15 @@
 failed_when: false
 register: rule_17_9_5_audit
- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
- changed_when: "'Success' not in rule_17_9_5_audit.stdout"
- when: "'Success' not in rule_17_9_5_audit.stdout"
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ changed_when: "'Success' not in rule_17_9_5_audit.stdout"
+ when: "'Success' not in rule_17_9_5_audit.stdout"
- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
- changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
- when: "'Failure' not in rule_17_9_5_audit.stdout"
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
+ when: "'Failure' not in rule_17_9_5_audit.stdout"
 when:
 - rule_17_9_5
 tags:
From 217f4119fdf6d40cdfa7021fceed951d2f7688cd Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 31 Mar 2021 15:23:56 -0400
Subject: [PATCH 11/12] Updated readme and contributing files
Signed-off-by: George Nalen
---
 CONTRIBUTING.rst | 15 +++++++++++-
 README.md | 64 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 14a8ffe..a5c4e03 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
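Review bot: On the re-indented 17.9.5 PATCH tasks, `changed_when` repeats the exact expression already used in `when`; when the guard is false the task is skipped and never reports changed, and when it is true `win_shell` reports changed anyway, so the two `changed_when` lines add nothing and could be dropped to match the shape of the 17.5.2 task in this commit. YAML indentation is structural, so this whitespace-only hunk presumably moves the two tasks into the 17.9.5 block's task list beneath the audit task that registers `rule_17_9_5_audit`; the block header is outside the hunk, so that cannot be confirmed here.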
@@ -1,6 +1,19 @@ Contributing to MindPoint Group Projects ======================================== +Rules +----- +1) All commits must be GPG signed (details in Signing section) +2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) +3) All work is done in your own branch +4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) +5) Be open and nice to eachother + +Workflow +-------- +- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release Signing your contribution ------------------------- @@ -50,4 +63,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` -option to `git commit` to automatically include the signoff message. +option to `git commit` to automatically include the signoff message. \ No newline at end of file diff --git a/README.md b/README.md index 6bd57b6..1aa8780 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,69 @@ Windows Server 2019 CIS ========= +![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic) -Configure a Windows Server 2019 system to be CIS compliant. +Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default. -This role is based on CIS Microsoft Windows Server 2019: [Version 1.1.0 Rel 1809 released on Janurary 14, 2020] (https://workbench.cisecurity.org/benchmarks/4846). +Caution(s) +------- +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch +Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://learn.cisecurity.org/l/799323/2020-07-10/zx22). + +Documentation +------------- +[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+[Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)
Requirements ------------ +**General:** +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables). + +**Technical Dependencies:** +- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) + +The following packages must be installed on the controlling host/host where ansible is executed: + +- passlib (or python2-passlib, if using python2) +- python-lxml +- python-xmltodict +- python-jmespath +- pywinrm + +Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. + +Role Variables +-------------- +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. 
These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. + +Branches +-------- +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh-pages** - This is the github pages branch +- **all other branches** - Individual community member branches + +Community Contribution +---------------------- + +We encourage you (the community) to contribute to this role. Please read the rules below. -Windows Server 2019 - Other versions are not supported. \ No newline at end of file +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release \ No newline at end of file From 6b1a4ceb45a39a3a19ae02f7b8b95af04a0eac58 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 31 Mar 2021 16:00:53 -0400 Subject: [PATCH 12/12] Adjusted CIS link Signed-off-by: George Nalen --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1aa8780..dad434f 100644 --- a/README.md +++ b/README.md 
@@ -11,7 +11,7 @@ This role **will make changes to the system** that could break things. This is n
 This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
 To use release version please point to main branch
-Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://learn.cisecurity.org/l/799323/2020-07-10/zx22).
+Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://downloads.cisecurity.org/#/).
 Documentation
 -------------