Merge pull request #3 from ansible-lockdown/georgenalen
Added Section 9
Signed-off-by: George Nalen <[email protected]>
georgenalen authored Feb 8, 2021
2 parents 74df167 + 2da3738 commit 694b6c3
Showing 5 changed files with 445 additions and 7 deletions.
60 changes: 60 additions & 0 deletions defaults/main.yml
@@ -1,6 +1,7 @@
---
section01_patch: yes
section02_patch: yes
section09_patch: yes
section17_patch: yes
section18_patch: yes
section19_patch: yes
Expand Down Expand Up @@ -40,6 +41,7 @@ is_implemented: false
#set to false to skip long running tasks
long_running: false

win_skip_for_test: true

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
Expand Down Expand Up @@ -176,6 +178,34 @@ rule_2_3_17_6: true
rule_2_3_17_7: true
rule_2_3_17_8: true

# section09
rule_9_1_1: true
rule_9_1_2: true
rule_9_1_3: true
rule_9_1_4: true
rule_9_1_5: true
rule_9_1_6: true
rule_9_1_7: true
rule_9_1_8: true
rule_9_2_1: true
rule_9_2_2: true
rule_9_2_3: true
rule_9_2_4: true
rule_9_2_5: true
rule_9_2_6: true
rule_9_2_7: true
rule_9_2_8: true
rule_9_3_1: true
rule_9_3_2: true
rule_9_3_3: true
rule_9_3_4: true
rule_9_3_5: true
rule_9_3_6: true
rule_9_3_7: true
rule_9_3_8: true
rule_9_3_9: true
rule_9_3_10: true

# section17
rule_17_1_1: true
rule_17_2_1: true
Expand Down Expand Up @@ -450,3 +480,33 @@ sys_maxsize: 32768


legalnoticecaption: "DoD Notice and Consent Banner"

# 9.1.5
# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
# This is a variable to give some leway on where to store these log files
domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'

# 9.1.6
# domain_firewall_log_size is the size of the log file generated
# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
domain_firewall_log_size: 16,384

# 9.2.5
# private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log
# This is a variable to give some leway on where to store these log files
private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log'

# 9.2.6
# private_firewall_log_size is the size of the log file
# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
private_firewall_log_size: 16,384

# 9.3.7
# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log
# This is a variable to give some leway on where to store these log files
public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'

# 9.3.8
# public_firewall_log_size is the size of the log file
# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
public_firewall_log_size: 16,384
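Review bot: `domain_firewall_log_size: 16,384` parses as the string "16,384" rather than the integer 16384 — YAML has no thousands separator — so whatever task consumes it will receive a non-numeric value and the 16,384 KB minimum the comment describes is unlikely to be applied; the same applies to `private_firewall_log_size` and `public_firewall_log_size`. Write the three scalars as plain integers: `domain_firewall_log_size: 16384`, `private_firewall_log_size: 16384`, `public_firewall_log_size: 16384` (the comma in the prose comments is fine). The new `section09_patch: yes` matches the file's existing entries, but `yes` is a YAML 1.1 boolean that 1.2 parsers read as a string; `true` is the portable form. The comments also misspell "leeway" and "standards".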
6 changes: 6 additions & 0 deletions tasks/main.yml
Expand Up @@ -42,6 +42,12 @@
tags:
- section02

- name: Execute the section 9 tasks
import_tasks: section09.yml
when: section09_patch | bool
tags:
- section09

- name: Execute the section 17 tasks
import_tasks: section17.yml
when: section17_patch | bool
4 changes: 3 additions & 1 deletion tasks/section02.yml
Expand Up @@ -666,7 +666,9 @@
section: System Access
key: newadministratorname
value: GeorgeSharp
when: rule_2_3_1_5
when:
- rule_2_3_1_5
- not win_skip_for_test
tags:
- level1
- level2
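Review bot: The added `- not win_skip_for_test` condition, together with the new default `win_skip_for_test: true` in defaults/main.yml, switches the rule_2_3_1_5 administrator-rename task off for every consumer of the role by default, not only in the test harness, so the control is silently skipped unless a user finds and overrides an undocumented variable. A default of `false`, with the test inventory setting it to `true`, would keep the hardening on by default, and defaults/main.yml should carry a comment above `win_skip_for_test` such as `# Set to true only in test environments; skips tasks that rename the built-in Administrator account`. The new list items also drop the `| bool` cast that tasks/main.yml uses (`when: section09_patch | bool`); `- rule_2_3_1_5 | bool` would stop a string override such as `rule_2_3_1_5=false` from extra-vars evaluating as truthy. The task's module and name lines begin above the hunk.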