diff --git a/.ansible-lint b/.ansible-lint
index f2a7e7c..470d43e 100755
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,6 +1,15 @@
 parseable: true
 quiet: true
 skip_list:
+ - 'schema'
+ - 'no-changed-when'
+ - 'fqcn-builtins'
+ - 'experimental'
+ - 'fqcn[action-core]'
+ - 'fqcn[action]'
+ - 'name[casing]'
+ - 'name[template]'
+ - 'jinja[spacing]'
 - '204'
 - '305'
 - '303'
diff --git a/.yamllint b/.yamllint
index 93378b9..33c0076 100755
--- a/.yamllint
+++ b/.yamllint
@@ -9,12 +9,26 @@ extends: default
 rules:
 indentation:
+ # Requiring 4 space indentation
 spaces: 4
- truthy: disable
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
+ #truthy: disable
 braces:
 max-spaces-inside: 1
 level: error
 brackets:
 max-spaces-inside: 1
 level: error
+ indentation:
+ indent-sequences: consistent
+ level: error
 line-length: disable
+ key-duplicates: enable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ truthy:
+ allowed-values: ['true', 'false']
+ check-keys: false
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..c0d1d51
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+
+collections:
+- name: community.windows
diff --git a/defaults/main.yml b/defaults/main.yml
index 26a2864..6005ded 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
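Review bot: Adding `schema` and `no-changed-when` to `skip_list` silences two checks that have real findings behind them: `schema` is what validates meta/main.yml and collections/requirements.yml, both of which this commit edits, and `no-changed-when` is the rule that flags command/shell tasks whose changed status cannot be trusted. If the goal is a green run while the backlog is worked down, `warn_list:` keeps those rules visible without failing the build, and the `fqcn[...]` and `name[...]` entries fit there as well. Entries in `skip_list` tend to stay forever, so each one is worth a one-line comment on why it is skipped.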
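Review bot: `rules:` now contains the key `indentation:` twice: the first block gets `spaces: 4` and `indent-sequences: consistent`, and a second `indentation:` block with `indent-sequences: consistent` and `level: error` is added further down. Most YAML loaders, PyYAML included, keep the last occurrence of a duplicate key, so the `spaces: 4` setting this hunk documents is most likely dropped silently, and the same hunk turns on `key-duplicates: enable` for every other file. Delete the second block and move `level: error` under the first `indentation:`. The commented-out `#truthy: disable` line is dead now that a real `truthy:` block is configured below and can go too.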
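Review bot: `community.windows` is listed without a `version:`, so `ansible-galaxy collection install -r collections/requirements.yml` resolves to whatever is newest at install time and two installs of the role can pull different code. Pin the collection that was actually tested, `version: "<tested-version>"` (an exact version or a bounded range), so the dependency is reproducible and a later breaking release has to be adopted deliberately; defaults/main.yml already records `min_ansible_version` for the same reason.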
@@ -35,21 +35,21 @@ min_ansible_version: "2.6"
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question. In the future this might mean that the remediation
 # may fail in some cases.
-complexity_high: no
+complexity_high: false
 # Show "changed" for complex items not remediated per complexity-high setting
 # to make them stand out. "changed" items on a second run of the role would
 # indicate items requiring manual review.
-audit_complex: yes
+audit_complex: true
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow. These items can be remediated automatically
 # but are disabled by default to avoid disruption.
-disruption_high: no
+disruption_high: false
 # Show "changed" for disruptive items not remediated per disruption-high
 # setting to make them stand out.
-audit_disruptive: yes
+audit_disruptive: true
 skip_for_travis: false
@@ -57,7 +57,7 @@ workaround_for_disa_benchmark: true
 workaround_for_ssg_benchmark: true
 # tweak role to run in a non-privileged container
-system_is_container: no
+system_is_container: false
 # set to false to skip tasks that either have not been developed or cannot be automated
 is_implemented: false
@@ -390,6 +390,8 @@ rule_18_9_14_1: true
 rule_18_9_14_2: true
 rule_18_9_15_1: true
 rule_18_9_15_2: true
+rule_18_9_16_1: true
+rule_18_9_16_2: true
 rule_18_9_17_1: true
 rule_18_9_17_2: true
 rule_18_9_17_3: true
@@ -554,7 +556,6 @@ legalnoticecaption: "DoD Notice and Consent Banner"
 # This is a variable to determine if Windows Manager should be included in this step
 increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}'
-
 # 9.1.5
 # domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
 # This is a variable to give some leway on where to store these log files
diff --git a/handlers/main.yml b/handlers/main.yml
index 6e8efd4..bcc9fd2 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: reboot_windows
 win_reboot:
 reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
index 478487b..85b0cd9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,6 +5,7 @@ galaxy_info:
 company: "MindPoint Group"
 license: MIT
 role_name: windows_2019_cis
+ namespace: mindpointgroup
 min_ansible_version: 2.6
 platforms:
diff --git a/site.yml b/site.yml
index 644ad68..2161d3d 100644
--- a/site.yml
+++ b/site.yml
@@ -1,8 +1,6 @@
 ---
-- hosts: all
- vars:
- is_container: false
+
+- hosts: all # noqa: name[play]
 roles:
 - role: "{{ playbook_dir }}"
- system_is_container: "{{ is_container | default(false) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index c3e0ed9..8b13cad 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -41,6 +41,12 @@
 tags:
 - section02
+- name: Execute the section 5 tasks
+ import_tasks: section05.yml
+ when: section05_patch | bool
+ tags:
+ - section05
+
 - name: Execute the section 9 tasks
 import_tasks: section09.yml
 when: section09_patch | bool
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 78e5527..c4ab829 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
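Review bot: `min_ansible_version: 2.6`, the context line right after the new `namespace: mindpointgroup`, is an unquoted float, while defaults/main.yml in this same diff writes the same value as `"2.6"`. Quoting it here too, `min_ansible_version: "2.6"`, keeps the two files consistent and avoids the `2.10` → `2.1` truncation the next time the value is bumped.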
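Review bot: Dropping `vars: is_container: false` together with the `system_is_container: "{{ is_container | default(false) }}"` role parameter removes the only place the play wired an operator-supplied `is_container` into the role; anyone who ran the playbook with `-e is_container=true` now silently gets the default from defaults/main.yml instead. If that entry point is meant to go, say so in the README; otherwise keep the `system_is_container:` line under the role. The `# noqa: name[play]` suppression is also avoidable: give the play a name, `- name: Apply the Windows 2019 CIS role` with `hosts: all` beneath it, which is exactly what the rule is asking for.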
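Review bot: The new import is gated on `section05_patch | bool`, but none of the defaults/main.yml hunks in this commit add a `section05_patch` default and no `tasks/section05.yml` appears in the diff; if either is missing elsewhere in the role, the play fails at import time with an undefined variable or a missing file. Confirm both exist, and if the toggle is new, add `section05_patch: true` next to the existing `section09_patch` default with a one-line comment. The enclosing task list continues outside the hunk.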
@@ -17,15 +17,15 @@
 - name: set fact if domain member server
 set_fact:
 win2019cis_is_domain_member: true
- when:
+ when:
 - ansible_windows_domain_role == 'Member server'
 - name: Get Windows installation type
 win_reg_stat:
- path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- name: InstallationType
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+ name: InstallationType
 register: get_windows_installation_type
 - name: Set Windows installation type
 set_fact:
- windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+ windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 8d703ee..18d3946 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -115,7 +115,7 @@
 type: dword
 when:
 - rule_18_2_4
- - ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role != "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.4
@@ -1078,7 +1078,7 @@
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
 state: absent
- delete_key: yes
+ delete_key: false
 when:
 - rule_18_8_21_5
 tags:
@@ -1916,7 +1916,7 @@
 - rule_18.9.17.3
 - patch
 - onesettings
-
+
 - name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
@@ -2941,8 +2941,6 @@
 # - rule_18.9.95.1
 # - patch
-
-
 - name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
@@ -3060,7 +3058,7 @@
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
 name: AllowRemoteShellAccess
- data: 1
+ data: 0
 type: dword
 when:
 - rule_18_9_98_1
diff --git a/tasks/section19.yml b/tasks/section19.yml
index c1a0854..5600eb8 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
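Review bot: Flipping the condition to `ansible_windows_domain_role != "Member Server"` contradicts the task's own `level1-memberserver` tag two lines below it: the tag says this is the member-server variant of the control, while the new condition skips member servers and runs it on everything else. Separately, tasks/prelim.yml in this same diff compares the same fact against `'Member server'` (lowercase s); if that spelling is the one the fact actually returns, the `"Member Server"` comparison never matches, so `==` never fired and `!=` now always fires, which may be why inverting it looked like a fix. Comparing against a single spelling, or reusing the `win2019cis_is_domain_member` fact that prelim.yml sets, would settle both. The task's name is outside the hunk.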
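Review bot: `delete_key: yes` → `delete_key: false` changes behaviour, not just lint style: with `state: absent` and no `name` in this task, win_regedit removes the `DisableBkGndGroupPolicy` key when `delete_key` is true but only clears the key's default value when it is false, so the policy key itself now stays behind. If this was meant as a truthy normalisation the line should read `delete_key: true`; if removing the key is genuinely no longer wanted, the task name (outside the hunk) should say so.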
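Review bot: Writing `0` to `AllowRemoteShellAccess` turns off Windows Remote Shell on the managed host, and if these hosts are managed over the WinRM connection plugin that is the channel the role itself runs on: the first run completes, but the next connection can be refused once the policy is in effect. The value matches the benchmark's 'Disabled' state, so rather than reverting it, gate this task on the existing `disruption_high` toggle from defaults/main.yml, or call the side effect out in the task name, so operators opt in knowingly. The task's name and tags are outside the hunk.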
@@ -48,7 +48,7 @@
 - patch
 - screensaver
-- name: "19.1.3.3 | PATCH |Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
+- name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
 block:
 - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
 win_regedit: