Merge pull request #1 from ansible-lockdown/georgenalen
Updated for CIS v1.2.0 changes Signed-off-by: George Nalen <georgen@mindpointgroup.com>
Showing
9 changed files
with
2,403 additions
and
2,003 deletions.
@@ -1,195 +1,171 @@ | ||
--- | ||
- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" | ||
assert: | ||
that: passwordhistorysize | int is version('24', '>=') | ||
fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_1_1 | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.1.1 | ||
- audit | ||
- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" | ||
block: | ||
- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" | ||
assert: | ||
that: passwordhistorysize | int is version('24', '>=') | ||
fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" | ||
win_security_policy: | ||
section: System Access | ||
key: PasswordHistorySize | ||
value: "{{ passwordhistorysize }}" | ||
- name: "SCORED | 1.1.1 | PATCH | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" | ||
win_security_policy: | ||
section: System Access | ||
key: PasswordHistorySize | ||
value: "{{ passwordhistorysize }}" | ||
when: rule_1_1_1 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.1 | ||
- patch | ||
|
||
- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" | ||
assert: | ||
that: maximumpasswordage | int is version('60', '<=') | ||
fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_1_2 | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.1.2 | ||
- audit | ||
- name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" | ||
block: | ||
- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" | ||
assert: | ||
that: maximumpasswordage | int is version('60', '<=') | ||
fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" | ||
win_security_policy: | ||
section: System Access | ||
key: MaximumPasswordAge | ||
value: "{{ maximumpasswordage }}" | ||
- name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" | ||
win_security_policy: | ||
section: System Access | ||
key: MaximumPasswordAge | ||
value: "{{ maximumpasswordage }}" | ||
when: rule_1_1_2 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.2 | ||
- patch | ||
|
||
- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" | ||
assert: | ||
that: minimumpasswordage is version('1', '>=') | ||
fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_1_3 | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.1.3 | ||
- audit | ||
- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" | ||
block: | ||
- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" | ||
assert: | ||
that: minimumpasswordage is version('1', '>=') | ||
fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" | ||
win_security_policy: | ||
section: System Access | ||
key: MinimumPasswordAge | ||
value: "{{ minimumpasswordage }}" | ||
- name: "SCORED | 1.1.3 | PATCH | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" | ||
win_security_policy: | ||
section: System Access | ||
key: MinimumPasswordAge | ||
value: "{{ minimumpasswordage }}" | ||
when: rule_1_1_3 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.3 | ||
- patch | ||
|
||
- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" | ||
assert: | ||
that: minimumpasswordlength is version('14', '>=') | ||
fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_1_4 | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.1.4 | ||
- audit | ||
- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" | ||
block: | ||
- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" | ||
assert: | ||
that: minimumpasswordlength is version('14', '>=') | ||
fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" | ||
win_security_policy: | ||
section: System Access | ||
key: MinimumPasswordLength | ||
value: "{{ minimumpasswordlength }}" | ||
- name: "SCORED | 1.1.4 | PATCH | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" | ||
win_security_policy: | ||
section: System Access | ||
key: MinimumPasswordLength | ||
value: "{{ minimumpasswordlength }}" | ||
when: rule_1_1_4 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.4 | ||
- patch | ||
|
||
- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" | ||
- name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" | ||
win_security_policy: | ||
section: System Access | ||
key: PasswordComplexity | ||
value: 1 | ||
when: rule_1_1_5 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.5 | ||
- patch | ||
|
||
- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" | ||
- name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" | ||
win_security_policy: | ||
section: System Access | ||
key: ClearTextPassword | ||
value: "0" | ||
when: rule_1_1_6 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.1.6 | ||
- patch | ||
|
||
- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" | ||
assert: | ||
that: lockoutduration | int is version('15', '<=') | ||
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_2_1 | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.2.1 | ||
- audit | ||
|
||
- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" | ||
win_security_policy: | ||
section: System Access | ||
key: LockoutDuration | ||
value: "{{ lockoutduration }}" | ||
when: | ||
- rule_1_2_1 | ||
- is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.2.1 | ||
- patch | ||
|
||
#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable | ||
- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" | ||
- name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" | ||
win_security_policy: | ||
section: System Access | ||
key: LockoutBadCount | ||
value: "{{ lockoutbadcount }}" | ||
when: rule_1_2_2 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.2.2 | ||
- patch | ||
|
||
- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" | ||
assert: | ||
that: resetlockoutcount | int is version('15', '>=') | ||
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
when: rule_1_2_3 | ||
- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" | ||
block: | ||
- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" | ||
assert: | ||
that: lockoutduration | int is version('15', '<=') | ||
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" | ||
win_security_policy: | ||
section: System Access | ||
key: LockoutDuration | ||
value: "{{ lockoutduration }}" | ||
when: | ||
- rule_1_2_1 | ||
- is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp | ||
tags: | ||
- level1 | ||
- level2 | ||
- rule_1.2.3 | ||
- audit | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.2.1 | ||
- patch | ||
|
||
- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" | ||
win_security_policy: | ||
section: System Access | ||
key: ResetLockoutCount | ||
value: "{{ resetlockoutcount }}" | ||
- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" | ||
block: | ||
- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" | ||
assert: | ||
that: resetlockoutcount | int is version('15', '>=') | ||
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" | ||
register: result | ||
changed_when: no | ||
ignore_errors: yes | ||
|
||
- name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" | ||
win_security_policy: | ||
section: System Access | ||
key: ResetLockoutCount | ||
value: "{{ resetlockoutcount }}" | ||
when: rule_1_2_3 | ||
tags: | ||
- level1 | ||
- level2 | ||
- level1-domaincontroller | ||
- level1-memberserver | ||
- rule_1.2.3 | ||
- patch |
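Review bot: The 1.2.1 audit at L294 tests `lockoutduration | int is version('15', '<=')`, the inverse of the control's "15 or more minutes": a 5-minute lockout passes and the benchmark value of 15 or more fails, and its fail_msg is the one written for 1.2.3 (reset counter), so the report would describe the wrong setting as well. It should read `that: lockoutduration | int is version('15', '>=')` with a message such as `fail_msg: "Account lockout duration must be configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"`. The 1.1.2 audit at L88 likewise checks only the upper bound and never the "but not 0" half of the control, and the block at L84 is titled PATCH while its inner task at L86 keeps the old-format AUDIT title, unlike the other 1.1.x blocks. The tags under the 1.2.1 block at L309–L317 appear to include `rule_1.2.3` and `audit` next to `rule_1.2.1`/`patch`; without +/- markers those two may be remnants of the removed 1.2.3 audit task rather than new tags, so worth confirming in the raw diff.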
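--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,364 @@
+---
+- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+    name: EnableFirewall
+    data: 1
+    type: dword
+  when:
+    - rule_9_1_1
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.1
+    - patch
+
+- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+    name: DefaultInboundAction
+    data: 1
+    type: dword
+  when:
+    - rule_9_1_2
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.2
+    - patch
+
+- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+    name: DefaultOutboundAction
+    data: 0
+    type: dword
+  when:
+    - rule_9_1_3
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.3
+    - patch
+
+- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+    name: DisableNotifications
+    data: 0
+    type: dword
+  when:
+    - rule_9_1_4
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.4
+    - patch
+
+# title has slashes switched
+- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+    name: LogFilePath
+    data: '{{ domain_firewall_log_path }}'
+    type: string
+  when:
+    - rule_9_1_5
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.5
+    - patch
+
+- name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+    name: LogFileSize
+    data: '{{ domain_firewall_log_size }}'
+    type: dword
+  when:
+    - rule_9_1_6
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.6
+    - patch
+
+- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+    name: LogDroppedPackets
+    data: 1
+    type: dword
+  when:
+    - rule_9_1_7
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.7
+    - patch
+
+- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+    name: LogSuccessfulConnections
+    data: 1
+    type: dword
+  when:
+    - rule_9_1_8
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.1.8
+    - patch
+
+- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+  win_firewall:
+    state: enabled
+    profile: Private
+  when:
+    - rule_9_2_1
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.1
+    - patch
+
+- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+    name: DefaultInboundAction
+    data: 1
+    type: dword
+  when:
+    - rule_9_2_2
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.2
+    - patch
+
+- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+    name: DefaultOutboundAction
+    data: 0
+    type: dword
+  when:
+    - rule_9_2_3
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.3
+    - patch
+
+- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+    name: DisableNotifications
+    data: 0
+    type: dword
+  when:
+    - rule_9_2_4
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.4
+    - patch
+
+# title has slashes switched
+- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+    name: LogFilePath
+    data: '{{ private_firewall_log_path }}'
+    type: string
+  when:
+    - rule_9_2_5
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.5
+    - patch
+
+- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+    name: LogFileSize
+    data: '{{ private_firewall_log_size }}'
+    type: dword
+  when:
+    - rule_9_2_6
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.6
+    - patch
+
+- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+    name: LogDroppedPackets
+    data: 1
+    type: dword
+  when:
+    - rule_9_2_7
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.7
+    - patch
+
+- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+    name: LogSuccessfulConnections
+    data: 1
+    type: dword
+  when:
+    - rule_9_2_8
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.2.8
+    - patch
+
+- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+  win_firewall:
+    state: enabled
+    profile: Public
+  when:
+    - rule_9_3_1
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.1
+    - patch
+
+- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+    name: DefaultInboundAction
+    data: 1
+    type: dword
+  when:
+    - rule_9_3_2
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.2
+    - patch
+
+- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+    name: DefaultOutboundAction
+    data: 0
+    type: dword
+  when:
+    - rule_9_3_3
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.3
+    - patch
+
+- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+    name: DisableNotifications
+    data: 0
+    type: dword
+  when:
+    - rule_9_3_4
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.4
+    - patch
+
+- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+    name: AllowLocalPolicyMerge
+    data: 0
+    type: dword
+  when:
+    - rule_9_3_5
+    - not win_skip_for_test
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.5
+    - patch
+
+- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+    name: AllowLocalIPsecPolicyMerge
+    data: 0
+    type: dword
+  when:
+    - rule_9_3_6
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.6
+    - patch
+
+# title has slashes switched
+- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+    name: LogFilePath
+    data: '{{ public_firewall_log_path }}'
+    type: string
+  when:
+    - rule_9_3_7
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.7
+    - patch
+
+- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+    name: LogFileSize
+    data: '{{ public_firewall_log_size }}'
+    type: dword
+  when:
+    - rule_9_3_8
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.8
+    - patch
+
+- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+    name: LogDroppedPackets
+    data: 1
+    type: dword
+  when:
+    - rule_9_3_9
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.9
+    - patch
+
+- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+    name: LogSuccessfulConnections
+    data: 1
+    type: dword
+  when:
+    - rule_9_3_10
+  tags:
+    - level1-domaincontroller
+    - level1-memberserver
+    - rule_9.3.10
+    - patch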
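Review bot: The three "Display a notification is set to 'No'" tasks (L406 for Domain, L525 for Private, L644 for Public) write `DisableNotifications` with `data: 0`, which leaves the notification enabled; the benchmark's remediation for 'No' is this value set to 1, so each should read `data: 1`. As written the task title promises 'No' while the task enforces the opposite, and a scan of the policy key would report all three controls as failing even after the role runs. Separately, 9.1.1 enables the Domain firewall by writing the policy value `EnableFirewall` under `HKLM:\SOFTWARE\Policies\...\DomainProfile`, whereas 9.2.1 (L479) and 9.3.1 (L598) use `win_firewall`, which to my understanding configures the running profile rather than that policy value the CIS audit reads; if that holds, the Private and Public state tasks may still be reported as non-compliant, and a `win_regedit` task setting `EnableFirewall: 1` under `PrivateProfile`/`PublicProfile` would keep all three profiles consistent.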