Merge pull request #20 from ansible-lockdown/devel

Linting and Issue fixes

.ansible-lint

@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0

.gitignore

@@ -1,6 +1,7 @@
 .env
 *.log
 *.retry
+.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile

.yamllint

@@ -0,0 +1,20 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    spaces: 4
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable

CONTRIBUTING.rst

@@ -1,6 +1,21 @@
 Contributing to MindPoint Group Projects
 ========================================
 
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch or own fork
+4) Pull requests
+    a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
+    b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
+5) Be open and nice to each other
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch (from forked repos they go to staging before devel). There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
 Signing your contribution
 -------------------------
 

README.md

@@ -1,11 +1,65 @@
 Windows Server 2016 CIS
 =========
+![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2016-CIS?style=plastic)
+
+Configure a Windows Server 2016 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) v1.2.0 compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix
+
+Caution(s)
+-------
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+
+This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
+
+To use release version please point to main branch
+Based on [CIS Windows Server 2016 Benchmark ](https://community.cisecurity.org/collab/public/index.php).
+
+Documentation
+-------------
+[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
+[Wiki](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki)<br>
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2016-CIS/)<br>
 
-Configure a Windows Server 2016 system to be CIS compliant.
 
-This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v).
 
 Requirements
 ------------
 
-Windows Server 2016 - Other versions are not supported.
+**General:**
+- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
+  - [Main Ansible documentation page](https://docs.ansible.com)
+  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
+  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
+  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables).
+
+**Technical Dependencies:**
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
+- Python3 Ansible run environment
+
+Role Variables
+--------------
+
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
+
+Branches
+--------
+
+- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- **main** - This is the release branch
+- **reports** - This is a protected branch for our scoring reports, no code should ever go here
+- **gh-pages** - This is the github pages branch
+- **all other branches** - Individual community member branches
+
+Community Contribution
+----------------------
+
+We encourage you (the community) to contribute to this role. Please read the rules below.
+
+- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
+- All community Pull Requests are pulled into the devel branch
+- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

defaults/main.yml

@@ -1,10 +1,10 @@
 ---
-section01_patch: yes
-section02_patch: yes
-section09_patch: yes
-section17_patch: yes
-section18_patch: yes
-section19_patch: yes
+section01_patch: true
+section02_patch: true
+section09_patch: true
+section17_patch: true
+section18_patch: true
+section19_patch: true
 
 min_ansible_version: "2.6"
 
@@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true
 # tweak role to run in a non-privileged container
 system_is_container: no
 
-#set to false to skip tasks that either have not been developed or cannot be automated
+# set to false to skip tasks that either have not been developed or cannot be automated
 is_implemented: false
 
-#set to false to skip long running tasks
+# set to false to skip long running tasks
 long_running: false
 
 win_skip_for_test: false
@@ -89,8 +89,8 @@ rule_2_2_27: true
 rule_2_2_28: true
 rule_2_2_29: true
 rule_2_2_30: true
-rule_2_2_31: true 
-rule_2_2_32: true 
+rule_2_2_31: true
+rule_2_2_32: true
 rule_2_2_33: true
 rule_2_2_34: true
 rule_2_2_35: true
@@ -439,6 +439,14 @@ rule_19_7_26_1: true
 rule_19_7_41_1: true
 rule_19_7_45_2_1: true
 
+# Section 2 Variables
+# Control 2.3.1.5
+# win16cis_admin_username is the name the administrator account will be renamed to
+win16cis_admin_username: ChangeThis
+
+# Control 2.3.1.6
+# win16cis_guest_username is the name the guest account will be renamed to
+win16cis_guest_username: GuestChangeThis
 
 # This SID is the same for standalone, member, domain controller for 'Administrators' group
 sedebugprivilege: "*S-1-5-32-544"
@@ -506,4 +514,4 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 # 9.3.8
 # public_firewall_log_size is the size of the log file
 # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
-public_firewall_log_size: 16,384
+public_firewall_log_size: 16,384

meta/main.yml

@@ -4,10 +4,11 @@ galaxy_info:
     description: "Ansible role to apply Windows Server 2016 CIS Benchmark"
     company: "MindPoint Group"
     license: MIT
+    role_name: windows_2016_cis
     min_ansible_version: 2.6
 
     platforms:
-        - name: Windows Server
+        - name: Windows
           versions:
               - 2016
 

site.yml

@@ -5,4 +5,3 @@
 
   roles:
       - role: "{{ playbook_dir }}"
-        system_is_container: "{{ is_container | default(false) }}"

tasks/section01.yml

@@ -16,10 +16,10 @@
             value: "{{ passwordhistorysize }}"
   when: rule_1_1_1
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.1
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.1
+      - patch
 
 - name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
   block:
@@ -38,10 +38,10 @@
             value: "{{ maximumpasswordage }}"
   when: rule_1_1_2
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.2
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.2
+      - patch
 
 - name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
   block:
@@ -60,10 +60,10 @@
             value: "{{ minimumpasswordage }}"
   when: rule_1_1_3
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.3
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.3
+      - patch
 
 - name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
   block:
@@ -82,10 +82,10 @@
             value: "{{ minimumpasswordlength }}"
   when: rule_1_1_4
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.4
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.4
+      - patch
 
 - name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
   win_security_policy:
@@ -94,35 +94,35 @@
       value: 1
   when: rule_1_1_5
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.5
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.5
+      - patch
 
 - name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
   win_security_policy:
-    section: System Access
-    key: ClearTextPassword
-    value: "0"
+      section: System Access
+      key: ClearTextPassword
+      value: "0"
   when: rule_1_1_6
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.6
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.6
+      - patch
 
-#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
+# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
 - name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
   win_security_policy:
       section: System Access
       key: LockoutBadCount
       value: "{{ lockoutbadcount }}"
   when: rule_1_2_2
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.2
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.2
+      - patch
 
 - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
   block:
@@ -136,17 +136,18 @@
 
       - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
         win_security_policy:
-          section: System Access
-          key: LockoutDuration
-          value: "{{ lockoutduration }}"
+            section: System Access
+            key: LockoutDuration
+            value: "{{ lockoutduration }}"
   when:
-    - rule_1_2_1
-    - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+      - rule_1_2_1
+      # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+      - is_implemented
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.1
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.1
+      - patch
 
 - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
   block:
@@ -165,7 +166,7 @@
             value: "{{ resetlockoutcount }}"
   when: rule_1_2_3
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.3
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.3
+      - patch