From 2da3738b48a164370509e430815b4298920ef1cd Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 8 Feb 2021 09:24:45 -0500
Subject: [PATCH] Added section 9 and testing vars

Signed-off-by: George Nalen
---
 defaults/main.yml | 59 +++++++
 tasks/section02.yml | 4 +-
 tasks/section09.yml | 363 +++++++++++++++++++++++++++++++++++++++++++-
 tasks/section18.yml | 20 ++-
 4 files changed, 438 insertions(+), 8 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ce49a01..39e0889 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -41,6 +41,7 @@ is_implemented: false
 #set to false to skip long running tasks
 long_running: false
+win_skip_for_test: true
 # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
@@ -177,6 +178,34 @@ rule_2_3_17_6: true
 rule_2_3_17_7: true
 rule_2_3_17_8: true
+# section09
+rule_9_1_1: true
+rule_9_1_2: true
+rule_9_1_3: true
+rule_9_1_4: true
+rule_9_1_5: true
+rule_9_1_6: true
+rule_9_1_7: true
+rule_9_1_8: true
+rule_9_2_1: true
+rule_9_2_2: true
+rule_9_2_3: true
+rule_9_2_4: true
+rule_9_2_5: true
+rule_9_2_6: true
+rule_9_2_7: true
+rule_9_2_8: true
+rule_9_3_1: true
+rule_9_3_2: true
+rule_9_3_3: true
+rule_9_3_4: true
+rule_9_3_5: true
+rule_9_3_6: true
+rule_9_3_7: true
+rule_9_3_8: true
+rule_9_3_9: true
+rule_9_3_10: true
+
 # section17
 rule_17_1_1: true
 rule_17_2_1: true
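Review bot: `win_skip_for_test: true` ships a test-only bypass switched on by default, and the same commit gates hardening controls (2.3.1.5, 9.3.5, 18.9.97.x, 18.9.98.1) on `not win_skip_for_test`, so a production run with stock defaults silently skips those controls. A test knob should default off and be flipped only in the test inventory or group_vars: `win_skip_for_test: false`. It also needs a comment stating what it does, since nothing in the hunk explains it; something like `# Set to true ONLY in test environments; skips controls 2.3.1.5, 9.3.5, 18.9.97.*, 18.9.98.1 that appear to interfere with the test session` (the reason is my inference from which tasks are gated, so confirm before writing it). The variable sits next to `long_running` and `is_implemented`, which do carry explanatory comments, so this keeps the file consistent.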
@@ -451,3 +480,33 @@ sys_maxsize: 32768
 legalnoticecaption: "DoD Notice and Consent Banner"
+
+# 9.1.5
+# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
+# This is a variable to give some leway on where to store these log files
+domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
+
+# 9.1.6
+# domain_firewall_log_size is the size of the log file generated
+# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
+domain_firewall_log_size: 16,384
+
+# 9.2.5
+# private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log
+# This is a variable to give some leway on where to store these log files
+private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
+
+# 9.2.6
+# private_firewall_log_size is the size of the log file
+# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
+private_firewall_log_size: 16,384
+
+# 9.3.7
+# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log
+# This is a variable to give some leway on where to store these log files
+public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
+
+# 9.3.8
+# public_firewall_log_size is the size of the log file
+# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
+public_firewall_log_size: 16,384
\ No newline at end of file
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 832a9bd..3983503 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -666,7 +666,9 @@
 section: System Access
 key: newadministratorname
 value: GeorgeSharp
- when: rule_2_3_1_5
+ when:
+ - rule_2_3_1_5
+ - not win_skip_for_test
 tags:
 - level1
 - level2
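Review bot: `domain_firewall_log_size: 16,384` (and the private/public twins) is read by YAML as the string `16,384`, not the integer 16384; the section09 tasks feed this into `win_regedit` with `type: dword`, which cannot take a comma-formatted value, so the log-size tasks will most likely fail or not set the intended size. Write the defaults as plain integers and keep the thousands separator only in the comment: `domain_firewall_log_size: 16384`, `private_firewall_log_size: 16384`, `public_firewall_log_size: 16384`. The comments also misspell "leeway" (`leway`) and "standards" (`stadnards`), and the file now ends without a trailing newline, which the `\ No newline at end of file` marker shows.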
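Review bot: With `win_skip_for_test` defaulting to true in this commit, the added `- not win_skip_for_test` condition turns the built-in Administrator rename (2.3.1.5) off unless an operator knows to override the variable; if the task must be skipped only in test, a comment on the task saying so would save the next reader from treating it as a disabled control, e.g. `# Skipped under win_skip_for_test so the test harness keeps its login name`. The surrounding context also shows the rename target hard-coded as `value: GeorgeSharp`; since the new name is the whole value of this control, it should come from a default, e.g. `value: "{{ new_administrator_name }}"`, so deployments do not all share a guessable account name. The task's `name:` line is outside the hunk.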
diff --git a/tasks/section09.yml b/tasks/section09.yml
index 73b314f..d2dd2da 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -1 +1,362 @@
----
\ No newline at end of file
+---
+- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+ win_firewall:
+ state: enabled
+ profile: Domain
+ when:
+ - rule_9_1_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.1
+ - patch
+
+- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
+ when:
+ - rule_9_1_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.2
+ - patch
+
+- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
+ when:
+ - rule_9_1_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.3
+ - patch
+
+- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DisableNotifications
+ data: 0
+ type: dword
+ when:
+ - rule_9_1_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.4
+ - patch
+
+# title has slashes switched
+- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogFilePath
+ data: '{{ domain_firewall_log_path }}'
+ type: string
+ when:
+ - rule_9_1_5
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.5
+ - patch
+
+- name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogFileSize
+ data: '{{ domain_firewall_log_size }}'
+ type: dword
+ when:
+ - rule_9_1_6
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.6
+ - patch
+
+- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
+ when:
+ - rule_9_1_7
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.7
+ - patch
+
+- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
+ when:
+ - rule_9_1_8
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.7
+ - patch
+
+- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+ win_firewall:
+ state: enabled
+ profile: Private
+ when:
+ - rule_9_2_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.1
+ - patch
+
+- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
+ when:
+ - rule_9_2_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.2
+ - patch
+
+- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
+ when:
+ - rule_9_2_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.3
+ - patch
+
+- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DisableNotifications
+ data: 0
+ type: dword
+ when:
+ - rule_9_2_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.4
+ - patch
+
+# title has slashes switched
+- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogFilePath
+ data: '{{ private_firewall_log_path }}'
+ type: string
+ when:
+ - rule_9_2_5
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.5
+ - patch
+
+- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogFileSize
+ data: '{{ private_firewall_log_size }}'
+ type: dword
+ when:
+ - rule_9_2_6
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.6
+ - patch
+
+- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
+ when:
+ - rule_9_2_7
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.7
+ - patch
+
+- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
+ when:
+ - rule_9_2_8
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.8
+ - patch
+
+- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+ win_firewall:
+ state: enabled
+ profile: Public
+ when:
+ - rule_9_3_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.1
+ - patch
+
+- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
+ when:
+ - rule_9_3_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.2
+ - patch
+
+- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
+ when:
+ - rule_9_3_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.3
+ - patch
+
+- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DisableNotifications
+ data: 0
+ type: dword
+ when:
+ - rule_9_3_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.4
+ - patch
+
+- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: AllowLocalPolicyMerge
+ data: 0
+ type: dword
+ when:
+ - rule_9_3_5
+ - not win_skip_for_test
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.5
+ - patch
+
+- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: AllowLocalIPsecPolicyMerge
+ data: 0
+ type: dword
+ when:
+ - rule_9_3_6
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.6
+ - patch
+
+# title has slashes switched
+- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogFilePath
+ data: '{{ public_firewall_log_path }}'
+ type: string
+ when:
+ - rule_9_3_7
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.7
+ - patch
+
+- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogFileSize
+ data: '{{ public_firewall_log_size }}'
+ type: dword
+ when:
+ - rule_9_3_8
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.8
+ - patch
+
+- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
+ when:
+ - rule_9_3_9
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.9
+ - patch
+
+- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
+ when:
+ - rule_9_3_10
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.10
+ - patch
\ No newline at end of file
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 920a8db..8f7d12b 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -2405,7 +2405,9 @@
 name: AllowBasic
 data: 0
 type: dword
- when: rule_18_9_97_1_1
+ when:
+ - rule_18_9_97_1_1
+ - not win_skip_for_test
 tags:
 - level1
 - level2
@@ -2418,7 +2420,9 @@
 name: AllowUnencryptedTraffic
 data: 0
 type: dword
- when: rule_18_9_97_1_2
+ when:
+ - rule_18_9_97_1_2
+ - not win_skip_for_test
 tags:
 - level1
 - level2
@@ -2444,7 +2448,9 @@
 name: AllowBasic
 data: 0
 type: dword
- when: rule_18_9_97_2_1
+ when:
+ - rule_18_9_97_2_1
+ - not win_skip_for_test
 tags:
 - level1
 - level2
@@ -2460,7 +2466,7 @@
 type: dword
 when:
 - rule_18_9_97_2_2
- - is_implemented
+ - not win_skip_for_test
 tags:
 - level2
 - rule_18.9.97.2.2
@@ -2472,7 +2478,9 @@
 name: AllowUnencryptedTraffic
 data: 0
 type: dword
- when: rule_18_9_97_2_3
+ when:
+ - rule_18_9_97_2_3
+ - not win_skip_for_test
 tags:
 - level1
 - level2
@@ -2501,7 +2509,7 @@
 type: dword
 when:
 - rule_18_9_98_1
- - is_implemented
+ - not win_skip_for_test
 tags:
 - level2
 - rule_18.9.98.1
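Review bot: The three "Display a notification is set to 'No'" tasks (9.1.4, 9.2.4, 9.3.4) write `DisableNotifications` with `data: 0`, which leaves notifications enabled; the GPO/CIS mapping for "No" is `DisableNotifications` REG_DWORD = 1, so each of these should be `data: 1`, otherwise the task actively sets the non-compliant value. The 9.1.8 task is tagged `rule_9.1.7` (copy-paste from the task above), so `--tags rule_9.1.8` will never select it; change the tag to `- rule_9.1.8`. The "Firewall state" tasks (9.1.1, 9.2.1, 9.3.1) use `win_firewall`, which, as far as I can tell, changes the live profile rather than the policy hive that every other task in this file writes, so a benchmark scan reading `EnableFirewall` under `HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>` may still report the state unset; consider adding a `win_regedit` for `EnableFirewall` = 1 alongside each. The `# title has slashes switched` comments would be clearer as `# CIS title prints the path with forward slashes; the registry value uses backslashes`.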
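Review bot: Swapping `- is_implemented` for `- not win_skip_for_test` on 18.9.97.2.2 (WinRM service `AllowBasic`) and on 18.9.98.1 changes these Level 2 controls from opt-in to default-on once the test skip is cleared, while `is_implemented: false` in the same commit's defaults still describes them as not yet implemented; if the opt-in was deliberate, keep both conditions, `- is_implemented` and `- not win_skip_for_test`, rather than replacing one with the other. Disabling WinRM Basic authentication and unencrypted traffic (18.9.97.1.x / 18.9.97.2.x) can terminate the very session Ansible is running over if the controller connects that way, which is presumably why these tasks are test-gated, but nothing in the hunks says so; a comment such as `# Gated on win_skip_for_test: disabling Basic/unencrypted WinRM may drop the controller's own connection` on each gated task would make the intent explicit. The tasks' `name:` and module lines are outside these hunks.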