Merge pull request #23 from ansible-lockdown/audit_changes

Audit changes Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Jun 28, 2021 · 44c7b74 · 44c7b74
2 parents a773697 + 04c9ec9
commit 44c7b74
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 126 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -439,6 +439,11 @@ rule_19_7_26_1: true
 rule_19_7_41_1: true
 rule_19_7_45_2_1: true
 
+# Global Variables
+
+# is_hyperv_installed is a true/false for having hyper-visor installed
+is_hyperv_installed: false
+
 # Section 2 Variables
 # Control 2.3.1.5
 # win16cis_admin_username is the name the administrator account will be renamed to
@@ -461,6 +466,16 @@ maximumpasswordage: 60
 minimumpasswordage: 1
 minimumpasswordlength: 14
 
+# Control 18.2.5
+# laps_passwordlength is the LAPS tool password length.
+# To conform to CIS standards please use a min value of 15 and max value of 127
+laps_passwordlength: 15
+
+# Control 18.2.6
+# laps_passwordagedays is the LAPS tool password age in days
+# To conform to CIS standards please use a max value of 30
+laps_passwordagedays: 30
+
 newadministratorname: renamedadmin
 newguestname: renamedguest
 
@@ -515,3 +530,11 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 # public_firewall_log_size is the size of the log file
 # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
 public_firewall_log_size: 16,384
+
+
+# 18.9.102.2
+# win16cis_wupdate_options are described below
+# value 2 - Notify for download and install, value 3 - Auto download and notify for install
+# value 4 - Auto download and schedule install (recommended), value 5 - Allow local admin to choose setting
+# value 7 - Auto download, notify to install, notify to restart
+win16cis_wupdate_options: 4
diff --git a/tasks/section02.yml b/tasks/section02.yml
@@ -233,15 +233,26 @@
       - patch
 
 - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)"
-  win_user_right:
-      name: SeCreateSymbolicLinkPrivilege
-      users:
-          - Administrators
-          - NT VIRTUAL MACHINE\Virtual Machines
-      action: set
+  block:
+      - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | No Hyper-v"
+        win_user_right:
+            name: SeCreateSymbolicLinkPrivilege
+            users:
+                - Administrators
+            action: set
+        when: not is_hyperv_installed
+
+      - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | With Hyper-v"
+        win_user_right:
+            name: SeCreateSymbolicLinkPrivilege
+            users:
+                - Administrators
+                - NT VIRTUAL MACHINE\Virtual Machines
+            action: set
+        when: is_hyperv_installed
   when:
       - rule_2_2_18
-      - ansible_windows_domain_role == "Member server"
+      - not ansible_windows_domain_role == "Primary domain controller"
   tags:
       - level1-memberserver
       - rule_2.2.18
@@ -285,7 +296,7 @@
       action: set
   when:
       - rule_2_2_21
-      - ansible_windows_domain_member
+      - not ansible_windows_domain_role == "Primary domain controller"
   tags:
       - level1-memberserver
       - rule_2.2.21
@@ -442,7 +453,7 @@
       action: set
   when:
       - rule_2_2_32
-      - ansible_windows_domain_member
+      - not ansible_windows_domain_role == "Primary domain controller"
   tags:
       - level1-memberserver
       - rule_2.2.32
@@ -654,6 +665,7 @@
   when:
       - rule_2_3_1_1
       - not ansible_windows_domain_role == "Primary domain controller"
+      - disruption_high
   tags:
       - level1-memberserver
       - rule_2.3.1.1
@@ -827,7 +839,7 @@
       type: dword
   when:
       - rule_2_3_6_1
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - ansible_windows_domain_role == "Member Server"
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -842,7 +854,7 @@
       type: dword
   when:
       - rule_2_3_6_2
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - ansible_windows_domain_role == "Member Server"
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -978,7 +990,7 @@
       type: string
   when:
       - rule_2_3_7_6
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - ansible_windows_domain_role == "Member server"
   tags:
       - level2-memberserver
       - rule_2.3.7.6
@@ -1123,7 +1135,7 @@
       type: dword
   when:
       - rule_2_3_9_5
-      - ansible_windows_domain_role == "Member server"
+      - not ansible_windows_domain_role == "Primary domain controller"
   tags:
       - level1-memberserver
       - rule_2.3.9.5
@@ -1240,7 +1252,7 @@
   win_regedit:
       path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
       name: "Machine"
-      data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
+      data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog']
       type: multistring
   when: rule_2_3_10_9
   tags:
@@ -1487,8 +1499,8 @@
 - name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
   win_regedit:
       path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-      name: EnableUIADesktopToggle
-      data: 0
+      name: ConsentPromptBehaviorAdmin
+      data: 2
       type: dword
   when: rule_2_3_17_2
   tags:

diff --git a/tasks/section17.yml b/tasks/section17.yml
@@ -75,23 +75,22 @@
 - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'"
   block:
       - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings"
-        win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+        win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
         changed_when: false
         failed_when: false
         register: rule_17_2_1_audit
 
       - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success"
-        win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
+        win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
         changed_when: "'Success' not in rule_17_2_1_audit.stdout"
         when: "'Success' not in rule_17_2_1_audit.stdout"
 
       - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure"
-        win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
+        win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable
         changed_when: "'Failure' not in rule_17_2_1_audit.stdout"
         when: "'Failure' not in rule_17_2_1_audit.stdout"
   when:
       - rule_17_2_1
-      - ansible_windows_domain_role == "Primary domain controller"
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -557,7 +556,7 @@
         register: rule_17_7_5_audit
 
       - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure"
-        win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable
+        win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable
         when: "'Failure' not in rule_17_7_5_audit.stdout"
   when:
       - rule_17_7_5