Merge pull request #61 from ansible-lockdown/Oct_2022_Updates

Oct 2022 updates
ansible-lockdown · Oct 26, 2022 · 3b76c78 · 3b76c78
2 parents 90b28a9 + f1fa7d0
commit 3b76c78
Show file tree

Hide file tree

Showing 17 changed files with 1,557 additions and 770 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,6 +1,15 @@
 parseable: true
 quiet: true
 skip_list:
+  - 'schema'
+  - 'no-changed-when'
+  - 'fqcn-builtins'
+  - 'experimental'
+  - 'fqcn[action-core]'
+  - 'fqcn[action]'
+  - 'name[casing]'
+  - 'name[template]'
+  - 'jinja[spacing]'
   - '204'
   - '305'
   - '303'

diff --git a/.yamllint b/.yamllint
@@ -9,12 +9,26 @@ extends: default
 
 rules:
   indentation:
+    # Requiring 4 space indentation
     spaces: 4
-  truthy: disable
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  #truthy: disable
   braces:
     max-spaces-inside: 1
     level: error
   brackets:
     max-spaces-inside: 1
     level: error
+  indentation:
+    indent-sequences: consistent
+    level: error
   line-length: disable
+  key-duplicates: enable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: false
diff --git a/README.md b/README.md
@@ -1,29 +1,35 @@
-Windows Server 2019 CIS
-=========
+# Windows Server 2019 CIS
+
 ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic)
 
-Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default.
+Configure a Windows Server 2019 system to be [CIS](https://downloads.cisecurity.org/#/) compliant. 
+
+ Based on [CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022](https://learn.cisecurity.org/l/799323/2022-03-15/rshpk)
+
+ ## Join us
+
+ On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+
+ ## Caution(s)
 
-Caution(s)
--------
 This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
-This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
+This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
 
 To use release version please point to main branch
-Based on [Windows Server 2019 CIS v1.2.1 05-08-2021](https://downloads.cisecurity.org/#/).
+Based on [Windows Server 2019 CIS v1.3.0 03-18-2022](https://downloads.cisecurity.org/#/).
+
+## Documentation
 
-Documentation
--------------
 [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
 [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
 [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
 [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
 [Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)<br>
 [Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)<br>
 
-Requirements
-------------
+## Requirements
+
 **General:**
 - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
   - [Main Ansible documentation page](https://docs.ansible.com)

diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+
+collections:
+- name: community.windows
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,39 +1,63 @@
 ---
-section01_patch: yes
-section02_patch: yes
-section09_patch: yes
-section17_patch: yes
-section18_patch: yes
-section19_patch: yes
+
+# Section 1 Account Policies
+# 1.1.x Password Policy, 1.2.x Account Lockout Policy
+section01_patch: true
+
+# Section 2 Local Policies
+# 2.2.x User Rights Assignment, 2.3.x Security Options
+section02_patch: true
+
+# Section 5 System Services
+# 5.x Printers
+section05_patch: true
+
+# Section 9 Windows Defender Firewall with Advanced Security (formerly Windows Firewall with Advanced Security)
+# 9.1.x Domain Profile, 9.2.x Private Profile, 9.3.x Public Profile
+section09_patch: true
+
+# Section 17 Advanced Audit Policy Configuration
+# 17.1.x Account Logon, 17.2.x Account Management, 17.3.x Detailed Tracking, 17.4.x DS Access, 17.5.x Logon/Logoff
+# 17.6.x Object Access, 17.7.x Policy Change, 17.8.x Privilege Use, 17.9.x System
+section17_patch: true
+
+# Section 18 Administrative Templates (Computer)
+# 18.1.x Control Panel, 18.2.x LAPS, 18.3.x MS Security Guide, 18.4.x MSS (Legacy), 18.5.x Network, 18.6.x Printers
+# 18.7.x Start Menu and Taskbar, 18.8.x System, 18.9.x Windows Components
+section18_patch: true
+
+# Section 19 Administrative Templates (User)
+# 19.1.x Control Panel, 19.5.x Start Menu and Taskbar, 19.6.x System, 19.7.x Windows Components
+section19_patch: true
 
 min_ansible_version: "2.6"
 
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question.  In the future this might mean that the remediation
 # may fail in some cases.
-complexity_high: no
+complexity_high: false
 
 # Show "changed" for complex items not remediated per complexity-high setting
 # to make them stand out.  "changed" items on a second run of the role would
 # indicate items requiring manual review.
-audit_complex: yes
+audit_complex: true
 
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow.  These items can be remediated automatically
 # but are disabled by default to avoid disruption.
-disruption_high: no
+disruption_high: false
 
 # Show "changed" for disruptive items not remediated per disruption-high
 # setting to make them stand out.
-audit_disruptive: yes
+audit_disruptive: true
 
 skip_for_travis: false
 
 workaround_for_disa_benchmark: true
 workaround_for_ssg_benchmark: true
 
 # tweak role to run in a non-privileged container
-system_is_container: no
+system_is_container: false
 
 # set to false to skip tasks that either have not been developed or cannot be automated
 is_implemented: false
@@ -180,6 +204,10 @@ rule_2_3_17_6: true
 rule_2_3_17_7: true
 rule_2_3_17_8: true
 
+# section 5
+rule_5_1: true
+rule_5_2: true
+
 # section09
 rule_9_1_1: true
 rule_9_1_2: true
@@ -290,6 +318,9 @@ rule_18_5_20_1: true
 rule_18_5_20_2: true
 rule_18_5_21_1: true
 rule_18_5_21_2: true
+rule_18_6_1: true
+rule_18_6_2: true
+rule_18_6_3: true
 rule_18_7_1_1: true
 rule_18_8_3_1: true
 rule_18_8_4_1: true
@@ -301,6 +332,7 @@ rule_18_8_5_4: true
 rule_18_8_5_5: true
 rule_18_8_5_6: true
 rule_18_8_5_7: true
+rule_18_8_7_2: true
 rule_18_8_14_1: true
 rule_18_8_21_2: true
 rule_18_8_21_3: true
@@ -339,6 +371,7 @@ rule_18_8_36_1: true
 rule_18_8_36_2: true
 rule_18_8_37_1: true
 rule_18_8_37_2: true
+rule_18_8_40_1: true
 rule_18_8_45_5_1: true
 rule_18_8_47_5_1: true
 rule_18_8_47_11_1: true
@@ -353,14 +386,20 @@ rule_18_9_8_3: true
 rule_18_9_10_1_1: true
 rule_18_9_12_1: true
 rule_18_9_13_1: true
-rule_18_9_13_2: true
 rule_18_9_14_1: true
+rule_18_9_14_2: true
 rule_18_9_15_1: true
 rule_18_9_15_2: true
 rule_18_9_16_1: true
 rule_18_9_16_2: true
-rule_18_9_16_3: true
-rule_18_9_16_4: true
+rule_18_9_17_1: true
+rule_18_9_17_2: true
+rule_18_9_17_3: true
+rule_18_9_17_4: true
+rule_18_9_17_5: true
+rule_18_9_17_6: true
+rule_18_9_17_7: true
+rule_18_9_17_8: true
 rule_18_9_26_1_1: true
 rule_18_9_26_1_2: true
 rule_18_9_26_2_1: true
@@ -381,14 +420,15 @@ rule_18_9_45_4_1_1: true
 rule_18_9_45_4_1_2: true
 rule_18_9_45_4_3_1: true
 rule_18_9_45_5_1: true
-rule_18_9_45_8_1: true
-rule_18_9_45_8_2: true
-rule_18_9_45_8_3: true
 rule_18_9_45_10_1: true
 rule_18_9_45_11_1: true
 rule_18_9_45_11_2: true
 rule_18_9_45_14: true
 rule_18_9_45_15: true
+rule_18_9_47_9_1: true
+rule_18_9_47_9_2: true
+rule_18_9_47_9_3: true
+rule_18_9_47_9_4: true
 rule_18_9_55_1: true
 rule_18_9_62_2_2: true
 rule_18_9_62_3_2_1: true
@@ -416,8 +456,6 @@ rule_18_9_85_1: true
 rule_18_9_85_2: true
 rule_18_9_85_3: true
 rule_18_9_86_1: true
-rule_18_9_95_1: true
-rule_18_9_95_2: true
 rule_18_9_97_1_1: true
 rule_18_9_97_1_2: true
 rule_18_9_97_1_3: true
@@ -427,12 +465,14 @@ rule_18_9_97_2_3: true
 rule_18_9_97_2_4: true
 rule_18_9_98_1: true
 rule_18_9_99_2_1: true
-rule_18_9_102_1_1: true
-rule_18_9_102_1_2: true
-rule_18_9_102_1_3: true
-rule_18_9_102_2: true
-rule_18_9_102_3: true
-rule_18_9_102_4: true
+rule_18_9_100_1: true
+rule_18_9_100_2: true
+rule_18_9_108_1_1: true
+rule_18_9_108_2_1: true
+rule_18_9_108_2_2: true
+rule_18_9_108_4_1: true
+rule_18_9_108_4_2: true
+rule_18_9_108_4_3: true
 
 # section19
 rule_19_1_3_1: true
@@ -447,6 +487,7 @@ rule_19_7_8_1: true
 rule_19_7_8_2: true
 rule_19_7_8_3: true
 rule_19_7_8_4: true
+rule_19_7_8_5: true
 rule_19_7_28_1: true
 rule_19_7_43_1: true
 rule_19_7_47_2_1: true
@@ -470,11 +511,17 @@ sedebugprivilege: "*S-1-5-32-544"
 
 pass_age: 60
 
-lockoutduration: 15
-lockoutbadcount: 3
+# 1.2.2
+# lockoutbadcount must be 5 or few, but not 0 (zero)
+lockoutbadcount: 5
+
 resetlockoutcount: 15
 passwordhistorysize: 24
-maximumpasswordage: 60
+
+# 1.1.2
+# maximumpasswordage must be 365 or fewer, but not 0 (zero)
+maximumpasswordage: 365
+
 minimumpasswordage: 1
 minimumpasswordlength: 14
 
@@ -509,7 +556,6 @@ legalnoticecaption: "DoD Notice and Consent Banner"
 # This is a variable to determine if Windows Manager should be included in this step
 increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}'
 
-
 # 9.1.5
 # domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
 # This is a variable to give some leway on where to store these log files

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: reboot_windows
   win_reboot:
       reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
@@ -5,6 +5,7 @@ galaxy_info:
     company: "MindPoint Group"
     license: MIT
     role_name: windows_2019_cis
+    namespace: mindpointgroup
     min_ansible_version: 2.6
 
     platforms:

diff --git a/site.yml b/site.yml
@@ -1,8 +1,6 @@
 ---
-- hosts: all
-  vars:
-      is_container: false
+
+- hosts: all  # noqa: name[play]
 
   roles:
       - role: "{{ playbook_dir }}"
-        system_is_container: "{{ is_container | default(false) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -41,6 +41,12 @@
   tags:
       - section02
 
+- name: Execute the section 5 tasks
+  import_tasks: section05.yml
+  when: section05_patch | bool
+  tags:
+      - section05
+
 - name: Execute the section 9 tasks
   import_tasks: section09.yml
   when: section09_patch | bool

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -17,15 +17,15 @@
       - name: set fact if domain member server
         set_fact:
             win2019cis_is_domain_member: true
-        when: 
+        when:
             - ansible_windows_domain_role == 'Member server'
 
 - name: Get Windows installation type
   win_reg_stat:
-    path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
-    name: InstallationType
+      path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+      name: InstallationType
   register: get_windows_installation_type
 
 - name: Set Windows installation type
   set_fact:
-    windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+      windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"