updates after linting

Signed-off-by: George Nalen <[email protected]>

.ansible-lint

@@ -1,6 +1,15 @@
 parseable: true
 quiet: true
 skip_list:
+  - 'schema'
+  - 'no-changed-when'
+  - 'fqcn-builtins'
+  - 'experimental'
+  - 'fqcn[action-core]'
+  - 'fqcn[action]'
+  - 'name[casing]'
+  - 'name[template]'
+  - 'jinja[spacing]'
   - '204'
   - '305'
   - '303'

.yamllint

@@ -9,12 +9,26 @@ extends: default
 
 rules:
   indentation:
+    # Requiring 4 space indentation
     spaces: 4
-  truthy: disable
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  #truthy: disable
   braces:
     max-spaces-inside: 1
     level: error
   brackets:
     max-spaces-inside: 1
     level: error
+  indentation:
+    indent-sequences: consistent
+    level: error
   line-length: disable
+  key-duplicates: enable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: false

collections/requirements.yml

@@ -0,0 +1,4 @@
+---
+
+collections:
+- name: community.windows

defaults/main.yml

@@ -35,29 +35,29 @@ min_ansible_version: "2.6"
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question.  In the future this might mean that the remediation
 # may fail in some cases.
-complexity_high: no
+complexity_high: false
 
 # Show "changed" for complex items not remediated per complexity-high setting
 # to make them stand out.  "changed" items on a second run of the role would
 # indicate items requiring manual review.
-audit_complex: yes
+audit_complex: true
 
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow.  These items can be remediated automatically
 # but are disabled by default to avoid disruption.
-disruption_high: no
+disruption_high: false
 
 # Show "changed" for disruptive items not remediated per disruption-high
 # setting to make them stand out.
-audit_disruptive: yes
+audit_disruptive: true
 
 skip_for_travis: false
 
 workaround_for_disa_benchmark: true
 workaround_for_ssg_benchmark: true
 
 # tweak role to run in a non-privileged container
-system_is_container: no
+system_is_container: false
 
 # set to false to skip tasks that either have not been developed or cannot be automated
 is_implemented: false
@@ -390,6 +390,8 @@ rule_18_9_14_1: true
 rule_18_9_14_2: true
 rule_18_9_15_1: true
 rule_18_9_15_2: true
+rule_18_9_16_1: true
+rule_18_9_16_2: true
 rule_18_9_17_1: true
 rule_18_9_17_2: true
 rule_18_9_17_3: true
@@ -554,7 +556,6 @@ legalnoticecaption: "DoD Notice and Consent Banner"
 # This is a variable to determine if Windows Manager should be included in this step
 increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}'
 
-
 # 9.1.5
 # domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
 # This is a variable to give some leway on where to store these log files

handlers/main.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: reboot_windows
   win_reboot:
       reboot_timeout: 3600

meta/main.yml

@@ -5,6 +5,7 @@ galaxy_info:
     company: "MindPoint Group"
     license: MIT
     role_name: windows_2019_cis
+    namespace: mindpointgroup
     min_ansible_version: 2.6
 
     platforms:

site.yml

@@ -1,8 +1,6 @@
 ---
-- hosts: all
-  vars:
-      is_container: false
+
+- hosts: all  # noqa: name[play]
 
   roles:
       - role: "{{ playbook_dir }}"
-        system_is_container: "{{ is_container | default(false) }}"

tasks/main.yml

@@ -41,6 +41,12 @@
   tags:
       - section02
 
+- name: Execute the section 5 tasks
+  import_tasks: section05.yml
+  when: section05_patch | bool
+  tags:
+      - section05
+
 - name: Execute the section 9 tasks
   import_tasks: section09.yml
   when: section09_patch | bool

tasks/prelim.yml

@@ -17,15 +17,15 @@
       - name: set fact if domain member server
         set_fact:
             win2019cis_is_domain_member: true
-        when: 
+        when:
             - ansible_windows_domain_role == 'Member server'
 
 - name: Get Windows installation type
   win_reg_stat:
-    path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
-    name: InstallationType
+      path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+      name: InstallationType
   register: get_windows_installation_type
 
 - name: Set Windows installation type
   set_fact:
-    windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+      windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"

tasks/section18.yml

@@ -115,7 +115,7 @@
       type: dword
   when:
       - rule_18_2_4
-      - ansible_windows_domain_role == "Member Server"
+      - ansible_windows_domain_role != "Member Server"
   tags:
       - level1-memberserver
       - rule_18.2.4
@@ -1078,7 +1078,7 @@
   win_regedit:
       path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
       state: absent
-      delete_key: yes
+      delete_key: false
   when:
       - rule_18_8_21_5
   tags:
@@ -1916,7 +1916,7 @@
       - rule_18.9.17.3
       - patch
       - onesettings
-      
+
 - name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
   win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
@@ -2941,8 +2941,6 @@
 #       - rule_18.9.95.1
 #       - patch
 
-
-
 - name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
   win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
@@ -3060,7 +3058,7 @@
   win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
       name: AllowRemoteShellAccess
-      data: 1
+      data: 0
       type: dword
   when:
       - rule_18_9_98_1

tasks/section19.yml

@@ -48,7 +48,7 @@
       - patch
       - screensaver
 
-- name: "19.1.3.3 | PATCH |Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
+- name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
   block:
       - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
         win_regedit: