From da357f4c31ac7889871e37df674f2ed7ec43154d Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 14 Mar 2024 12:22:04 -0400 Subject: [PATCH 01/12] Update cloud_lockout logic Signed-off-by: Frederick Witty --- tasks/section01.yml | 21 ++++++--------------- tasks/section01_cloud_lockout_order.yml | 1 + 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index 91c4eef..1d9aa7b 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -190,9 +190,7 @@ ansible.builtin.import_tasks: file: section01_cloud_lockout_order.yml when: - - win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - win22cis_cloud_based_system tags: - section01_cloud_lockout_order @@ -228,9 +226,7 @@ - win22cis_bad_login_lockout_count > 0 when: - win22cis_rule_1_2_2 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver @@ -245,9 +241,8 @@ value: "{{ win22cis_allow_admin_account_lockout }}" when: - win22cis_rule_1_2_3 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-memberserver - rule_1.2.3 @@ -284,9 +279,7 @@ - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration when: - win22cis_rule_1_2_4 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver @@ -318,9 +311,7 @@ when: win22cis_account_lockout_duration >= 15 when: - win22cis_rule_1_2_1 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver 
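Review bot: In the 1.2.3 hunk the added `- win2022cis_is_domain_member` condition means a standalone host (the role carries a `win2022cis_is_standalone` flag in vars/main.yml) no longer receives 'Allow Administrator account lockout' even though the task is tagged `level1-memberserver`; if that is deliberate because the control is scoped to member servers, record it next to the condition, e.g. `# MS only: skipped on standalone and cloud-joined hosts`, so the next reader does not treat it as a regression. The sibling hunks for 1.2.1, 1.2.2 and 1.2.4 now skip entirely on `win22cis_cloud_based_system` and rely on section01_cloud_lockout_order.yml to cover those hosts, which this patch does not show, so that coverage is worth confirming. As a style point, the new condition lines mix the `win22cis_` and `win2022cis_` prefixes on adjacent lines; the role would read more easily with a single prefix.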
diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml index dbb61ca..cae28b8 100644 --- a/tasks/section01_cloud_lockout_order.yml +++ b/tasks/section01_cloud_lockout_order.yml @@ -80,6 +80,7 @@ value: "{{ win22cis_allow_admin_account_lockout }}" when: - win22cis_rule_1_2_3 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_1.2.3 From 031cdcd64e183288b990c606782f310bd1d20514 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 14 Mar 2024 16:09:11 -0400 Subject: [PATCH 02/12] Update section 19 with loop and change_requires_reboot Signed-off-by: Frederick Witty --- defaults/main.yml | 5 + tasks/post.yml | 36 +++++ tasks/prelim.yml | 37 ++++++ tasks/section18.yml | 4 +- tasks/section19.yml | 313 +++++++++++++++----------------------------- vars/main.yml | 4 + 6 files changed, 186 insertions(+), 213 deletions(-) create mode 100644 tasks/post.yml diff --git a/defaults/main.yml b/defaults/main.yml index b151064..441b2cb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -70,6 +70,11 @@ long_running: false # win22cis_rule_18_10_90_1 win_skip_for_test: true +# Changes will be made that will require a system reboot. +# The following option will allow whether or not to skip the reboot. +# Default: true +skip_reboot: true + # These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group # in order for the variables below to take effect. diff --git a/tasks/post.yml b/tasks/post.yml new file mode 100644 index 0000000..4aa3351 --- /dev/null +++ b/tasks/post.yml 
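Review bot: The comment introduced above `skip_reboot: true` in defaults/main.yml does not say what the two values do ("will allow whether or not to skip the reboot"), and since the default leaves controls such as 18.4.2 and the spooler change pending until someone reboots, the trade-off belongs in the comment. Suggest `# When a task flags a reboot, false lets post.yml reboot the host at the end of the run; true (default) only emits a Reboot_Required warning and leaves those controls ineffective until a manual reboot.`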
@@ -0,0 +1,36 @@ +--- + +- name: "POST | Flush Handlers" + ansible.builtin.meta: flush_handlers + tags: + - always + +- name: "POST | Reboot System Options" + block: + - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False" + ansible.windows.win_reboot: + reboot_timeout: 3600 + when: + - reboot_host + - not skip_reboot + + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set" + ansible.builtin.debug: + msg: + - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually." + - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results." + changed_when: true + when: + - reboot_host + - skip_reboot + + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: + - reboot_host + - skip_reboot + vars: + warn_control_id: Reboot_Required + tags: + - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c19f64e..f0a9efa 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
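Review bot: Nothing in the new post.yml unloads the hives that prelim.yml mounts with `REG LOAD HKU\<SID>` (the load is in a later hunk of this same patch), so after the run every NTUSER.DAT that was loaded stays locked by the registry; a user who logs on afterwards will, as far as I can tell, be given a temporary profile because the profile service cannot open the hive. The unload belongs here, before the reboot block, keyed off the same list prelim builds (last element of each entry is the SID) plus the `DEFAULT` key prelim loads explicitly. The `changed_when: true` on the warning debug task only serves to colour the output; a one-line comment saying so would stop a reader hunting for a side effect.
```yaml
- name: "POST | Unload User Hives Loaded By PRELIM"
  ansible.windows.win_shell: REG UNLOAD "HKU\{{ item }}"
  changed_when: false
  failed_when: false
  loop: "{{ (username_and_sid_results_list | default([]) | map('last') | list) + ['DEFAULT'] }}"
  when: win22cis_section19
  tags:
    - always
# … unchanged: flush_handlers and the reboot block …
```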
@@ -49,3 +49,40 @@ windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" tags: - always + + +- name: PRELIM | Obtatin And Load Default And User Hives + block: + - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile) + ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT + changed_when: false + failed_when: false + + - name: PRELIM | Pull All Username and SIDs + ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID } + changed_when: false + failed_when: false + register: all_users + + - name: PRELIM | Create Results List Fact For Username And SIDs + ansible.builtin.set_fact: + username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}" + + - name: PRELIM | Load All User Hives From Username And SIDs List + ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT + changed_when: false + failed_when: false + loop: "{{ username_and_sid_results_list }}" + + - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS + ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"} + changed_when: false + failed_when: false + register: current_users_loaded_hku + + - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS + ansible.builtin.set_fact: + hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}" + when: win22cis_section19 + tags: + - always diff --git a/tasks/section18.yml b/tasks/section18.yml index d2b30ae..a8f20e4 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -207,7 +207,7 @@ name: RpcAuthnLevelPrivacyEnabled data: 1 type: dword - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_18_4_2 tags: 
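Review bot: The user enumeration in the new prelim block derives the hive path from the account name (`C:\Users\{{ item.0 }}\NTUSER.DAT`), but the profile folder is not always the account name (renamed accounts, `name.DOMAIN`, `name.000`), and because the name is split on a single space and interpolated unquoted into `REG LOAD`, an account name containing a space yields a three-element entry and a broken command. The authoritative mapping is HKLM ProfileList, whose `ProfileImagePath` is the real folder, and restricting it to `S-1-5-21-*` keys also avoids `Win32_UserAccount` walking the whole domain on a member server. The sketch below keeps `item.0` as the path and `item.1` as the SID so section19.yml is unaffected, quotes both REG LOAD arguments, and drops `failed_when: false` from the enumeration so a failed listing is not silently turned into an empty list (which would make section 19 report "ok" while writing nothing). Registering the load results also gives post.yml a precise list of what to unload.
```yaml
# … unchanged: load of the Default user hive …
- name: PRELIM | Pull Local Profile Paths And SIDs From ProfileList
  ansible.windows.win_shell: |
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
      Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
      ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath + '|' + $_.PSChildName }
  changed_when: false
  register: all_users

- name: PRELIM | Create Results List Fact For Profile Paths And SIDs
  ansible.builtin.set_fact:
    username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', '|') | list }}"

- name: PRELIM | Load All User Hives From Profile Paths And SIDs List
  ansible.windows.win_shell: REG LOAD "HKU\{{ item.1 }}" "{{ item.0 }}\NTUSER.DAT"
  changed_when: false
  failed_when: false
  register: hive_load_results
  loop: "{{ username_and_sid_results_list }}"
# … unchanged: HKEY_USERS listing and hku_loaded_list fact …
```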
@@ -239,7 +239,7 @@ data: 0 type: dword state: present - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_18_4_4 tags: diff --git a/tasks/section19.yml b/tasks/section19.yml index 1138a71..9b7074a 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -1,20 +1,13 @@ --- - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - block: - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string - - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_1 tags: 
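Review bot: The rewritten 19.1.3.1 task now notifies `change_requires_reboot` on every HKU write, so any run that changes a single user hive ends with a Reboot_Required warning (or a reboot when `skip_reboot` is false); user-side policy values under `Software\Policies` are, as far as I know, read at logon/policy refresh rather than at boot, so the notify looks like a carry-over from the machine-side tasks rather than a real requirement. If it is kept deliberately, a comment such as `# notify kept so the run flags a reboot; value itself applies at next logon` would save the next reader the same question. The same notify is repeated on every section 19 task in this patch, so whichever way it goes should be applied uniformly.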
@@ -25,20 +18,13 @@ - screensaver - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - block: - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string - - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_2 tags: @@ -53,7 +39,7 @@ - name: Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have an invalid time set for win22cis_screen_saver_timeout please read" + - "Warning!! You have an invalid time set for win10cis_screen_saver_timeout please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win22cis_screen_saver_timeout == 0 or 
@@ -70,23 +56,12 @@ - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: "{{ win22cis_screen_saver_timeout }}" - type: string - when: - - win22cis_screen_saver_timeout > 0 - - win22cis_screen_saver_timeout <= 900 - - - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: "{{ win22cis_screen_saver_timeout }}" type: string - when: - - win22cis_screen_saver_timeout > 0 - - win22cis_screen_saver_timeout <= 900 + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_3 tags: 
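Review bot: The 19.1.3.3 rewrite drops the `win22cis_screen_saver_timeout > 0` / `<= 900` guards that the removed per-task `when:` lists carried, and the only remaining check on that variable is the preceding warning task, which just prints a message; with the new code a value of 0 or 1200 is written to every loaded hive while the task title promises "900 seconds or fewer but not 0". Restore the range check on the task itself: `when: - win22cis_rule_19_1_3_3 - win22cis_screen_saver_timeout > 0 - win22cis_screen_saver_timeout <= 900`. The enclosing block for this control begins before the hunk, so the earlier warning task is only partly visible here.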
@@ -97,20 +72,13 @@ - screensaver - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - block: - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword - - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_5_1_1 tags: @@ -121,20 +89,13 @@ - toast - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - block: - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword - - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_6_6_1_1 tags: 
@@ -145,20 +106,13 @@ - help - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - block: - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword - - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_4_1 tags: @@ -169,20 +123,13 @@ - attachments - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - block: - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword - - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_4_2 tags: 
@@ -193,20 +140,13 @@ - antivirus - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - block: - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword - - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_1 tags: @@ -217,20 +157,13 @@ - cloudcontent - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - block: - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword - - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_2 tags: 
@@ -241,20 +174,13 @@ - cloudcontent - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - block: - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword - - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_3 tags: @@ -265,20 +191,13 @@ - cloudcontent - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - block: - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword - - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_4 tags: 
@@ -289,20 +208,13 @@ - cloudcontent - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - block: - - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableSpotlightCollectionOnDesktop - data: 1 - type: dword - - - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableSpotlightCollectionOnDesktop - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableSpotlightCollectionOnDesktop + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_5 tags: @@ -313,20 +225,13 @@ - cloudcontent - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - block: - - name: "19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword - - - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_25_1 tags: 
@@ -338,20 +243,13 @@ - sharing - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - block: - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword - - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_40_1 tags: @@ -362,20 +260,13 @@ - permissions - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - block: - - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword - - - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_42_2_1 tags: diff --git a/vars/main.yml b/vars/main.yml index 51f62e8..40755de 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -17,3 +17,7 @@ win22cis_cloud_based_system: false win2022cis_is_standalone: false win2022cis_is_domain_controller: false win2022cis_is_domain_member: false + +# Default setting, this should not be changed +# and is overridden if a task that changed sets the value if required. +reboot_host: false From 06cc2955fe50d1535bb0ed763b4cf8d34dbcd05a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 15 Mar 2024 11:53:34 -0400 Subject: [PATCH 03/12] Update handeler name to change_requires_reboot Signed-off-by: Frederick Witty --- handlers/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 0cb78d6..80d01dc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,5 +1,7 @@ --- -- name: reboot_windows - ansible.windows.win_reboot: - reboot_timeout: 3600 +- name: change_requires_reboot + ansible.builtin.set_fact: + reboot_host: true + tags: + - always From d3cdda02b49248d5fb982daef24ec32bbbea333c Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 15 Mar 2024 14:24:24 -0400 Subject: [PATCH 04/12] Fix 18.9.7.2 title and var Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- tasks/section18.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 441b2cb..fb9a2bb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -360,7 +360,7 @@ win22cis_rule_18_9_5_4: true win22cis_rule_18_9_5_5: true win22cis_rule_18_9_5_6: true win22cis_rule_18_9_5_7: true -win22cis_rule_18_8_7_2: true +win22cis_rule_18_9_7_2: true win22cis_rule_18_9_13_1: true win22cis_rule_18_9_19_2: true win22cis_rule_18_9_19_3: true diff --git a/tasks/section18.yml b/tasks/section18.yml index a8f20e4..c183561 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
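Review bot: The comment above the new `reboot_host: false` in vars/main.yml is garbled ("is overridden if a task that changed sets the value if required") and does not name the mechanism, which matters because vars/main.yml is not a user-facing file and a reader needs to know where the flip happens. Suggest `# Internal flag, do not override: the change_requires_reboot handler sets it to true via set_fact when a task that needs a reboot reports changed, and post.yml acts on it.`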
@@ -1265,18 +1265,18 @@ - patch - vbs -- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" +- name: "18.9.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata name: PreventDeviceMetadataFromNetwork data: 1 type: dword when: - - win22cis_rule_18_8_7_2 + - win22cis_rule_18_9_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.7.2 + - rule_18.9.7.2 - patch - metadata From 550bd563a207ed7b01cdd3a25756eaafbfc374ff Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 15 Mar 2024 16:09:06 -0400 Subject: [PATCH 05/12] Fix 18.10.89.2.2 reg value Signed-off-by: Frederick Witty --- tasks/section18.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index c183561..619f84b 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -3578,7 +3578,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig - data: 1 + data: 0 type: dword when: - win22cis_rule_18_10_89_2_2 From 9bebc1ccfb302bf399096f39207be816754e9cb2 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 18 Mar 2024 08:34:39 -0400 Subject: [PATCH 06/12] Update meta Signed-off-by: Frederick Witty --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index ddc4dae..4dfa6b1 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: - author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr." + author: "Stephen Williams, Frederick Witty Jr." description: "Ansible role to apply Windows Server 2022 CIS Benchmark" company: "MindPoint Group" license: MIT From 9e1d76a6be51ebfd5b3e81d175461cf32c4434c2 Mon Sep 17 00:00:00 2001 
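Review bot: Changing AllowAutoConfig to 0 is the right value for 18.10.89.2.2, but with that value the WinRM service stops answering remote requests, i.e. it severs the transport Ansible is using, and the hunk cuts the task's `when:` list right after `win22cis_rule_18_10_89_2_2`, so it is not visible here whether `- not win_skip_for_test` is also present. The defaults/main.yml comment added later in this series lists this control under `win_skip_for_test`, so the gate should be there; if it is, a comment on the task such as `# Disables remote WinRM management, gated by win_skip_for_test` would make the blast radius obvious at the point of change.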
From: Frederick Witty Date: Mon, 18 Mar 2024 08:54:11 -0400 Subject: [PATCH 07/12] defaults main var update Signed-off-by: Frederick Witty --- defaults/main.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fb9a2bb..57a5963 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -37,20 +37,11 @@ min_ansible_version: "2.10" # may fail in some cases. complexity_high: true -# Show "changed" for complex items not remediated per complexity-high setting -# to make them stand out. "changed" items on a second run of the role would -# indicate items requiring manual review. -audit_complex: true - # We've defined disruption-high to indicate items that are likely to cause # disruption in a normal workflow. These items can be remediated automatically # but are disabled by default to avoid disruption. disruption_high: false -# Show "changed" for disruptive items not remediated per disruption-high -# setting to make them stand out. -audit_disruptive: false - # Tweak role to run in a non-privileged container system_is_container: false From fece5cac1c1bd88f4fb9a4bc864727462c1b228f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 18 Mar 2024 08:56:34 -0400 Subject: [PATCH 08/12] update section5 with handeler name chance Signed-off-by: Frederick Witty --- tasks/section05.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section05.yml b/tasks/section05.yml index 2321979..4c67efa 100644 --- a/tasks/section05.yml +++ b/tasks/section05.yml @@ -20,7 +20,7 @@ start_mode: disabled state: stopped when: spooler_service_info.exists - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_5_1 or win22cis_rule_5_2 From e6108d31728b791b908600f6efaf566fde819ea2 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 18 Mar 2024 11:44:22 -0400 Subject: [PATCH 09/12] update win_skip_for_test withe latest controls 
Signed-off-by: Frederick Witty --- defaults/main.yml | 20 ++++++++++++-------- tasks/section02.yml | 3 +++ 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 57a5963..435440b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -51,14 +51,16 @@ long_running: false # win_skip_for_test is used in the playbook to skip over WINRM-based controls that # may cause WINRM Basic Connection Type to be disabled. # Setting win_skip_for_test to 'false' will enable Secure Connection types only. -# win22cis_rule_2_3_1_4 -# win22cis_rule_9_3_5 -# win22cis_rule_18_10_89_1_1 -# win22cis_rule_18_10_89_1_2 -# win22cis_rule_18_10_89_2_1 -# win22cis_rule_18_10_89_2_2 -# win22cis_rule_18_10_89_2_3 -# win22cis_rule_18_10_90_1 +# win22cis_rule_2_2_25 - Breaks Local Admin Connection +# win22cis_rule_2_2_26 - Breaks Local Admin Connection +# win22cis_rule_2_3_1_4 - Rename default administrator account +# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot* +# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth +# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control. +# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth +# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM +# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control. +# win22cis_rule_18_10_90_1 - Disables Remote Shell Access win_skip_for_test: true # Changes will be made that will require a system reboot. 
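Review bot: The expanded `win_skip_for_test` comment list in defaults/main.yml omits `win22cis_rule_2_2_20`, yet the section02.yml hunk in this same commit gates 2.2.20 on `not win_skip_for_test` and the changelog names 2.2.20 as a supported control, so the one place a user is told what the flag suppresses is already out of date. Add a line alongside the 2.2.25/2.2.26 entries, e.g. `# win22cis_rule_2_2_20 - Deny network logon rights on DCs, can break the remote session`, worded to match whatever the task actually does. The "*Breaks Reboot*" remark on 9.3.5 is also ambiguous (does it break win_reboot, or the host?) and would benefit from a clause saying which.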
@@ -114,6 +116,8 @@ win22cis_rule_2_2_21: true win22cis_rule_2_2_22: true win22cis_rule_2_2_23: true win22cis_rule_2_2_24: true +# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection +# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. win22cis_rule_2_2_25: true win22cis_rule_2_2_26: true win22cis_rule_2_2_27: true diff --git a/tasks/section02.yml b/tasks/section02.yml index 320e581..23e4f63 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -300,6 +300,7 @@ when: - win22cis_rule_2_2_20 - win2022cis_is_domain_controller + - not win_skip_for_test tags: - level1-domaincontroller - rule_2.2.20 @@ -378,6 +379,7 @@ when: - win22cis_rule_2_2_25 - win2022cis_is_domain_controller + - not win_skip_for_test tags: - level1-domaincontroller - rule_2.2.25 @@ -394,6 +396,7 @@ when: - win22cis_rule_2_2_26 - win2022cis_is_domain_member + - not win_skip_for_test tags: - level1-memberserver - rule_2.2.26 From 874e9f8a20d79b386512dc15b78f7f15eb288190 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 18 Mar 2024 20:42:48 -0400 Subject: [PATCH 10/12] update changelog Signed-off-by: Frederick Witty --- ChangeLog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 7a4731d..eb756f1 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,6 +2,13 @@ ## Release 2.0.1 +March 2024 Update +- Improved 19.x section logic for Windows local user SIDs and HKU support. +- Reboot handler and logic Improvement with skip_reboot var feature. +- win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. +- Mislabeled control fix for win22cis_rule_18_9_7_2 +- Improved logic for win22cis_cloud_based_system 1.2.x controls. + February 2024 Update - Issues Addressed: - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf 
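Review bot: With `win_skip_for_test` defaulting to true, the three new `- not win_skip_for_test` conditions make 2.2.20, 2.2.25 and 2.2.26 skip silently, so a default run ends with no trace that three logon-rights controls were never applied, whereas the reboot case in this series routes through warning_facts.yml and is counted. Consider a companion audit task per control, e.g. `- name: "2.2.25 | AUDIT | Skipped because win_skip_for_test is true"` using `ansible.builtin.debug` with `when: win22cis_rule_2_2_25 and win2022cis_is_domain_controller and win_skip_for_test`, followed by `ansible.builtin.import_tasks: file: warning_facts.yml` with `warn_control_id: 2.2.25`. That keeps the compliance summary honest without changing what the role applies.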
From 0ef7269f3c6103f3e6aed869bd087c953372920b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 18 Mar 2024 20:52:50 -0400 Subject: [PATCH 11/12] Update ChangeLog with @Mr.Steve81 Signed-off-by: Frederick Witty --- ChangeLog.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index eb756f1..e27c1e9 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -3,11 +3,12 @@ ## Release 2.0.1 March 2024 Update -- Improved 19.x section logic for Windows local user SIDs and HKU support. -- Reboot handler and logic Improvement with skip_reboot var feature. -- win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. -- Mislabeled control fix for win22cis_rule_18_9_7_2 -- Improved logic for win22cis_cloud_based_system 1.2.x controls. +Thank you @MrSteve81 for the enhancements to this release! + - Improved 19.x section logic for Windows local user SIDs and HKU support. + - Reboot handler and logic Improvement with skip_reboot var feature. + - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. + - Mislabeled control fix for win22cis_rule_18_9_7_2 + - Improved logic for win22cis_cloud_based_system 1.2.x controls. February 2024 Update - Issues Addressed: From 18e1212d204e16ed0a899d07ad907838508efd9f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 19 Mar 2024 08:23:35 -0400 Subject: [PATCH 12/12] Typo Fixes Signed-off-by: Frederick Witty --- tasks/prelim.yml | 2 +- tasks/section19.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f0a9efa..4a28327 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -51,7 +51,7 @@ - always -- name: PRELIM | Obtatin And Load Default And User Hives +- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data block: - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile) ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT diff --git a/tasks/section19.yml b/tasks/section19.yml index 9b7074a..0c6a872 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -39,7 +39,7 @@ - name: Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have an invalid time set for win10cis_screen_saver_timeout please read" + - "Warning!! You have an invalid time set for win22cis_screen_saver_timeout please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win22cis_screen_saver_timeout == 0 or