Merge pull request #12 from ansible-lockdown/devel

Version 1.0.1 Update
Signed-off-by: George Nalen [email protected]

CONTRIBUTING.rst

@@ -1,6 +1,19 @@
 Contributing to MindPoint Group Projects
 ========================================
 
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+5) Be open and nice to eachother
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
 Signing your contribution
 -------------------------
 
@@ -50,4 +63,4 @@ following text in your contribution commit message:
 
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
+option to `git commit` to automatically include the signoff message.

README.md

@@ -1,11 +1,69 @@
 Windows Server 2019 CIS
 =========
+![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic)
 
-Configure a Windows Server 2019 system to be CIS compliant.
+Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default.
 
-This role is based on CIS Microsoft Windows Server 2019: [Version 1.1.0 Rel 1809 released on Janurary 14, 2020] (https://workbench.cisecurity.org/benchmarks/4846).
+Caution(s)
+-------
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+
+This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
+
+To use release version please point to main branch
+Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://downloads.cisecurity.org/#/).
+
+Documentation
+-------------
+[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
+[Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)<br>
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)<br>
 
 Requirements
 ------------
+**General:**
+- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
+  - [Main Ansible documentation page](https://docs.ansible.com)
+  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
+  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
+  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables).
+
+**Technical Dependencies:**
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
+
+The following packages must be installed on the controlling host/host where ansible is executed:
+
+- passlib (or python2-passlib, if using python2)
+- python-lxml
+- python-xmltodict
+- python-jmespath
+- pywinrm
+
+Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
+
+Role Variables
+--------------
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
+
+Branches
+--------
+- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- **main** - This is the release branch
+- **reports** - This is a protected branch for our scoring reports, no code should ever go here
+- **gh-pages** - This is the github pages branch
+- **all other branches** - Individual community member branches
+
+Community Contribution
+----------------------
+
+We encourage you (the community) to contribute to this role. Please read the rules below.
 
-Windows Server 2019 - Other versions are not supported.
+- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
+- All community Pull Requests are pulled into the devel branch
+- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

defaults/main.yml

@@ -208,6 +208,8 @@ rule_9_3_10: true
 
 # section17
 rule_17_1_1: true
+rule_17_1_2: true
+rule_17_1_3: true
 rule_17_2_1: true
 rule_17_2_2: true
 rule_17_2_3: true
@@ -257,6 +259,7 @@ rule_18_3_3: true
 rule_18_3_4: true
 rule_18_3_5: true
 rule_18_3_6: true
+rule_18_3_7: true
 rule_18_4_1: true
 rule_18_4_2: true
 rule_18_4_3: true
@@ -334,12 +337,12 @@ rule_18_8_36_1: true
 rule_18_8_36_2: true
 rule_18_8_37_1: true
 rule_18_8_37_2: true
-rule_18_8_45_1: true
 rule_18_8_45_5_1: true
-rule_18_8_45_11_1: true
-rule_18_8_47_1: true
-rule_18_8_50_1_1: true
-rule_18_8_50_1_2: true
+rule_18_8_47_5_1: true
+rule_18_8_47_11_1: true
+rule_18_8_49_1: true
+rule_18_8_52_1_1: true
+rule_18_8_52_1_2: true
 rule_18_9_4_1: true
 rule_18_9_6_1: true
 rule_18_9_8_1: true
@@ -509,4 +512,9 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 # 9.3.8
 # public_firewall_log_size is the size of the log file
 # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
-public_firewall_log_size: 16,384
+public_firewall_log_size: 16,384
+
+# 18.3.6
+# netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
+# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS
+netbt_nodetype: 2