Merge pull request #99 from mfortin/mfortin/patch-1

Fix CIS control ids
ansible-lockdown · Apr 23, 2024 · 063021e · 063021e
2 parents 38ff0d7 + 5e515c2
commit 063021e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 19 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -390,7 +390,6 @@ win19cis_rule_18_10_10_1: true
 win19cis_rule_18_10_12_1: true
 win19cis_rule_18_10_12_2: true
 win19cis_rule_18_10_12_3: true
-win19cis_rule_18_9_14_3: true
 win19cis_rule_18_10_13_1: true
 win19cis_rule_18_10_14_1: true
 win19cis_rule_18_10_14_2: true

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -30,6 +30,7 @@
   ansible.builtin.set_fact:
       win19cis_cloud_based_system: true
   when:
+      - ansible_system_vendor == 'Microsoft Corporation'
       - ansible_virtualization_type == 'Hyper-V' or
         ansible_virtualization_type == 'hvm' or
         ansible_virtualization_type == 'kvm'

diff --git a/tasks/section18.yml b/tasks/section18.yml
@@ -559,15 +559,14 @@
       - patch
       - netbios
 
-- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
       name: EnableMulticast
       data: 0
       type: dword
   when:
       - win19cis_rule_18_6_4_2
-      - win2019cis_is_domain_member
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -2771,7 +2770,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
       name: DisableRealtimeMonitoring
-      data: 1
+      data: 0
       datatype: dword
   when:
       - win19cis_rule_18_10_43_10_2
@@ -3346,20 +3345,6 @@
       - patch
       - wik
 
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
-  ansible.windows.win_regedit:
-      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-      name: EnableUserControl
-      data: 0
-      type: dword
-  when:
-      - win19cis_rule_18_10_81_1
-  tags:
-      - level1-domaincontroller
-      - level1-memberserver
-      - rule_18.10.81.1
-      - patch
-
 - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
   block:
       - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
@@ -3396,6 +3381,34 @@
       - automated
       - patch
 
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: EnableUserControl
+      data: 0
+      type: dword
+  when:
+      - win19cis_rule_18_10_81_1
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.1
+      - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: AlwaysInstallElevated
+      data: 0
+      type: dword
+  when:
+      - win19cis_rule_18_10_81_2
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.2
+      - patch
+
 - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Installer
@@ -3658,7 +3671,7 @@
         ansible.windows.win_regedit:
             path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
             name: ManagePreviewBuildsPolicyValue
-            data: 0
+            data: 1
             type: dword
   when:
       - win19cis_rule_18_10_93_4_1