Merge pull request #86 from ansible-lockdown/devel
2023 October Updates based on CIS Benchmark v2.0.0 + Typo Fixes
frederickw082922 authored Nov 13, 2023
2 parents a5b2f2b + a68d6e8 commit 233dafc
Showing 22 changed files with 1,868 additions and 1,248 deletions.
20 changes: 9 additions & 11 deletions .github/workflows/devel_pipeline_validation.yml
@@ -1,13 +1,11 @@
---

# This is a basic workflow to help you get started with Actions

name: Devel Pipeline Validation

# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
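Review bot: the trigger kept here is `pull_request_target` with `types: [opened, reopened, synchronize]`, which runs the workflow in the context of the base repository with that repository's secrets in scope (this job later reads `secrets.AZURE_AD_CLIENT_SECRET`, `secrets.WIN_USERNAME` and `secrets.WIN_PASSWORD`). Because the job exists to run the playbook from the pull request against a live Azure instance, please confirm that PR code is only checked out and executed after a maintainer gate (the staging-branch step described in CONTRIBUTING.rst); otherwise every `synchronize` push from a fork can reach those secrets. A one-line comment stating that gate next to the trigger would save the next reader the same question.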
@@ -32,16 +30,16 @@ jobs:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest

env:
ENABLE_DEBUG: false
# Imported as a variable by terraform.
# Imported as a variable by Terraform.
TF_VAR_repository: ${{ github.event.repository.name }}
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
@@ -75,7 +73,7 @@ jobs:
- name: user details
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json

# Show the Os Var and Benchmark Type And Load
# Show the OS Var, Benchmark Type and Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
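Review bot: the `user details` step still writes `WIN_USERNAME` and `WIN_PASSWORD` in plaintext to `sensitive_info.json` on the runner, and the DEBUG step directly below lists the working directory when `ENABLE_DEBUG` is true. The comment fix is fine, but make sure that file is never uploaded as an artifact or printed by the debug step, and prefer `>` over `>>` so the file cannot accumulate several JSON objects if the step is re-run in the same workspace.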
@@ -84,7 +82,7 @@ jobs:
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

@@ -93,7 +91,7 @@ jobs:
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

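Review bot: the capitalisation fix is inconsistent across the four copies of this comment: this `Terraform_Init` hunk and the `Terraform_Validate` hunk below keep `github variables`, while the DEBUG and `Terraform_Apply` hunks change it to `GitHub variables`. Since the same `env:` block (`OSVAR`, `TF_VAR_benchmark_type`) is repeated verbatim under every step, hoisting it to the job-level `env:` next to `TF_VAR_repository` would remove both the duplication and the drift.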
@@ -102,15 +100,15 @@ jobs:
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
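Review bot: the comment `Imported from GitHub variables` is now inaccurate for the two lines directly under it: `WIN_USERNAME` and `WIN_PASSWORD` come from `secrets`, not `vars`; only `OSVAR` below them is a repository variable. Either move the comment below the two secret lines or say which values are secrets. It is also worth a comment that these credentials are handed to `terraform apply` and will therefore be written into Terraform state, which must not be persisted or uploaded from this runner.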
18 changes: 8 additions & 10 deletions .github/workflows/main_pipeline_validation.yml
@@ -1,13 +1,11 @@
---

# This is a basic workflow to help you get started with Actions

name: Main Pipeline Validation

# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
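Review bot: the header comments describe the trigger as running "only for the devel branch", but this file is the main pipeline; if that comment line is kept, update it to name the branch the `branches:` filter below actually targets. The same `pull_request_target` caveat as in `devel_pipeline_validation.yml` applies here: with the Azure and Windows secrets in scope, PR code must not be checked out and executed before a maintainer has approved it.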
@@ -22,14 +20,14 @@ on: # yamllint disable-line rule:truthy
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This setion contains all the jobs below that are running in the workflow.
jobs:
# This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest

env:
ENABLE_DEBUG: false
# Imported as a variable by terraform.
# Imported as a variable by Terraform.
TF_VAR_repository: ${{ github.event.repository.name }}
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
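Review bot: the context line `# This setion contains all the jobs below that are running in the workflow.` two lines above `jobs:` still has the typo `setion`; since this commit is partly a typo pass, fix it to `section` while the file is open.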
@@ -63,7 +61,7 @@ jobs:
- name: user details
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json

# Show the Os Var and Benchmark Type And Load
# Show the OS Var, Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
@@ -72,7 +70,7 @@ jobs:
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

@@ -81,7 +79,7 @@ jobs:
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

@@ -90,15 +88,15 @@ jobs:
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
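Review bot: this file and `devel_pipeline_validation.yml` are meant to be the same workflow with a different branch filter, but the typo fixes diverge: the `Terraform_Apply` comment becomes `GitHub variables` in the devel file and stays `github variables` here, and the DEBUG comment reads `Benchmark Type And Load` here versus `Benchmark Type and Load` there. The changelog says the workflows are being moved to a central repo; until that lands, keep the two files identical apart from the trigger so a diff between them shows only the intended difference.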
2 changes: 1 addition & 1 deletion .github/workflows/update_galaxy.yml
@@ -1,4 +1,4 @@
# This is a basic workflow to help you get started with Actions
---

name: Update Galaxy

1 change: 1 addition & 0 deletions .yamllint
@@ -1,4 +1,5 @@
---

extends: default

ignore: |
22 changes: 11 additions & 11 deletions CONTRIBUTING.rst
@@ -6,13 +6,13 @@ Rules
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
3) All work is done in your own branch
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
5) Be open and nice to eachother
4) All pull requests go into the devel branch. There are automated checks for signed commits, Signed-off-by in commit messages, and functional testing)
5) Be open and nice to each other

Workflow
--------
- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Your work is done in your own individual branch. Make sure to to Signed-off-by and GPG sign all commits you intend to merge
- All community Pull Requests are to the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

Signing your contribution
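Review bot: the first Workflow bullet still carries the duplicated `to to` (`Make sure to to Signed-off-by and GPG sign`), and `to Signed-off-by ... all commits` does not parse as a verb phrase. Suggest `Make sure to add a Signed-off-by trailer to, and GPG-sign, all commits you intend to merge`, and use the same wording for the matching bullet in README.md so the two stay aligned.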
@@ -30,24 +30,24 @@ The process is to certify the below DCO 1.1 text
By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
have the right to submit it under the open-source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
of my knowledge, is covered under an appropriate open-source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
by me, under the same open-source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
(c) The contribution was provided directly to me by another
contributor who certified (a), (b), or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
personal information I submit with it, including my Signed-off-by) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
::
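Review bot: the sentence above introduces this block as "the below DCO 1.1 text", so it should be quoted verbatim; the rewrites here (`open source` to `open-source`, `some other person` to `another contributor`, `sign-off` to `Signed-off-by`) change the wording of a standard certification text, and clause (d) still reads `open source license(s)`, so the hyphenation is now inconsistent within the block itself. Revert the block to the published DCO 1.1 wording and keep the style edits to the project's own prose.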
@@ -64,4 +64,4 @@ following text in your contribution commit message:

This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the signoff message.
option to `git commit` to automatically include the Signed-off-by message.
7 changes: 6 additions & 1 deletion ChangeLog.md
@@ -1,11 +1,16 @@
# Changelog

## Release 2.0.0

October 2023 Update
- Update Controls to CIS V2.0.0 released 04-05-2023

## Release 1.3.0

August 2023 Update
- Updated Workflows To Central Repo
- Renamed them to better run across all repos.
- Removed Templates & PR Temmplate from repo and adjusted to Org level.
- Removed Templates & PR Template from repo and adjusted to Org level.
- Updated Readme Layout to add new pipeline badges.
- Section1_Cloud moved from tasks/main and renamed to section1_cloud_lockout_order and in section1.yml workflow.
- Updated Tags in tasks/main.
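Review bot: the 2.0.0 entry dates the CIS benchmark as `released 04-05-2023`, while README.md in this same commit says `v2.0.0 - 04-14-2023`; one of the two is wrong, please align them. The entry should also record the tag rename from `win19cis_rule_<n>` to `rule_<n>` made in README.md, since that breaks existing `--tags`/`--skip-tags` invocations and is exactly the kind of change a major version bump should call out.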
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise
Copyright (c) 2023 MindPoint Group / Lockdown Enterprise

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
17 changes: 8 additions & 9 deletions README.md
@@ -2,7 +2,7 @@

## Configure a Windows 2019 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant

### Based on [ Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022 ](https://www.cisecurity.org/cis-benchmarks/)
### Based on [ Microsoft Windows Server 2019 Benchmark v2.0.0 - 04-14-2023 ](https://www.cisecurity.org/cis-benchmarks/)

---

@@ -12,7 +12,6 @@
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)

![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)

![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -40,7 +39,7 @@

### Community

On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users

---

@@ -77,7 +76,7 @@ Further details can be seen in the [Changelog](./ChangeLog.md)

## Auditing (new)

Currently this release does not have a auditing tool that is up to date.
Currently this release does not have an auditing tool that is up to date.

## Documentation

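Review bot: the heading `## Auditing (new)` contradicts the sentence under it, which says this release has no up-to-date auditing tool; drop the `(new)` or state what audit content is pending so readers are not led to expect a new feature.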
@@ -98,7 +97,7 @@ Currently this release does not have a auditing tool that is up to date.
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.

**Technical Dependencies:**

@@ -119,15 +118,15 @@ This role is designed that the end user should not have to edit the tasks themse

## Tags

There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number.
There are many tags available for added control precision. Each control has it's own set of tags noting what level, what OS element it relates to, if it's a patch or audit, and the rule number.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.

```sh
tags:
- level1-domaincontroller
- level1-memberserver
- win19cis_rule_18.3.3
- rule_18.3.3
- patch
- smb
```
Expand All @@ -136,9 +135,9 @@ Below is an example of the tag section from a control within this role. Using th

We encourage you (the community) to contribute to this role. Please read the rules below.

- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

## Pipeline Testing
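Review bot: renaming the rule tag from `win19cis_rule_18.3.3` to `rule_18.3.3` drops the role prefix, so the tag no longer says which lockdown role it belongs to and will collide with a `rule_18.3.3` from any other role in the same play; if the rename is intentional for consistency with the other roles, say so in the changelog and note the migration for `--tags`/`--skip-tags` users. Two smaller points in the same hunk: `each control has it's own set of tags` should read `its`, and the tag example is YAML, so the fence should be tagged `yaml` rather than `sh`.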
6 changes: 6 additions & 0 deletions collections/requirements.yml
Expand Up @@ -2,7 +2,13 @@

collections:
- name: ansible.windows
type: git
source: https://github.com/ansible-collections/ansible.windows

- name: community.windows
type: git
source: https://github.com/ansible-collections/community.windows

- name: community.general
type: git
source: https://github.com/ansible-collections/community.general
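Review bot: each collection now gets `type: git` with `source:` pointing at the GitHub repository but no `version:`, so `ansible-galaxy collection install -r collections/requirements.yml` builds whichever commit sits at the default branch head at install time. That makes installs non-reproducible and means a compromised or force-pushed upstream branch flows straight into a hardening role that runs with administrator rights on every target. Pin a tag or commit with `version:` on each entry, or go back to the Galaxy source with a `version:` constraint so you get versioned, checksummed artifacts.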