Merge pull request #44 from ansible-lockdown/devel

June issue fixes Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Jul 2, 2021 · 6d657c9 · 6d657c9
2 parents c65a68e + cfcae4e
commit 6d657c9
Show file tree

Hide file tree

Showing 10 changed files with 3,646 additions and 3,621 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,20 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    spaces: 4
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true
 # tweak role to run in a non-privileged container
 system_is_container: no
 
-#set to false to skip tasks that either have not been developed or cannot be automated
+# set to false to skip tasks that either have not been developed or cannot be automated
 is_implemented: false
 
-#set to false to skip long running tasks
+# set to false to skip long running tasks
 long_running: false
 
 win_skip_for_test: false
@@ -446,6 +446,20 @@ rule_19_7_41_1: true
 rule_19_7_45_2_1: true
 
 
+# Section 2 Variables
+
+# 2.2.18
+# is_hyperv_installed is Hyper-V installed
+is_hyperv_installed: false
+
+# 2.3.1.5
+# win19cis_admin_username is the name the administrator account will be renamed to
+win19cis_admin_username: adminchangethis
+
+# 2.3.1.6
+# win19cis_guest_username is the name the guest account will be renamed to
+win19cis_guest_username: guestchangethis
+
 # This SID is the same for standalone, member, domain controller for 'Administrators' group
 sedebugprivilege: "*S-1-5-32-544"
 
@@ -514,7 +528,19 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
 public_firewall_log_size: 16,384
 
+# Control 18.2.5
+# laps_passwordlength is the LAPS tool password length.
+# To conform to CIS standards please use a min value of 15 and max value of 127
+laps_passwordlength: 15
+
+# Control 18.2.6
+# laps_passwordagedays is the LAPS tool password age in days
+# To conform to CIS standards please use a max value of 30
+laps_passwordagedays: 30
+
 # 18.3.6
 # netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
 # Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS
-netbt_nodetype: 2
+netbt_nodetype: 2
+
+
diff --git a/meta/main.yml b/meta/main.yml
@@ -4,10 +4,11 @@ galaxy_info:
     description: "Ansible role to apply Windows Server 2019 CIS Benchmark"
     company: "MindPoint Group"
     license: MIT
+    role_name: windows_2019_cis
     min_ansible_version: 2.6
 
     platforms:
-        - name: Windows Server
+        - name: Windows
           versions:
               - 2019
 

diff --git a/tasks/section01.yml b/tasks/section01.yml
@@ -15,12 +15,12 @@
             key: PasswordHistorySize
             value: "{{ passwordhistorysize }}"
   when:
-    - rule_1_1_1
+      - rule_1_1_1
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.1
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.1
+      - patch
 
 - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
   block:
@@ -38,12 +38,12 @@
             key: MaximumPasswordAge
             value: "{{ maximumpasswordage }}"
   when:
-    - rule_1_1_2
+      - rule_1_1_2
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.2
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.2
+      - patch
 
 - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days"
   block:
@@ -61,12 +61,12 @@
             key: MinimumPasswordAge
             value: "{{ minimumpasswordage }}"
   when:
-    - rule_1_1_3
+      - rule_1_1_3
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.3
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.3
+      - patch
 
 - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters"
   block:
@@ -83,39 +83,41 @@
             section: System Access
             key: MinimumPasswordLength
             value: "{{ minimumpasswordlength }}"
-  when: rule_1_1_4
+  when:
+      - rule_1_1_4
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.4
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.4
+      - patch
 
 - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled"
   win_security_policy:
       section: System Access
       key: PasswordComplexity
       value: 1
   when:
-    - rule_1_1_5
+      - rule_1_1_5
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.5
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.5
+      - patch
 
 - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled"
   win_security_policy:
-    section: System Access
-    key: ClearTextPassword
-    value: "0"
+      section: System Access
+      key: ClearTextPassword
+      value: "0"
   when:
-    - rule_1_1_6
+      - rule_1_1_6
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.1.6
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.1.6
+      - patch
 
+# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
 - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes"
   block:
       - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes"
@@ -128,31 +130,31 @@
 
       - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes"
         win_security_policy:
-          section: System Access
-          key: LockoutDuration
-          value: "{{ lockoutduration }}"
+            section: System Access
+            key: LockoutDuration
+            value: "{{ lockoutduration }}"
   when:
-    - rule_1_2_1
-    - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+      - rule_1_2_1
+      - is_implemented
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.1
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.1
+      - patch
 
-#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
+# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
 - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0"
   win_security_policy:
       section: System Access
       key: LockoutBadCount
       value: "{{ lockoutbadcount }}"
   when:
-    - rule_1_2_2
+      - rule_1_2_2
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.2
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.2
+      - patch
 
 - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
   block:
@@ -170,9 +172,9 @@
             key: ResetLockoutCount
             value: "{{ resetlockoutcount }}"
   when:
-    - rule_1_2_3
+      - rule_1_2_3
   tags:
-    - level1-domaincontroller
-    - level1-memberserver
-    - rule_1.2.3
-    - patch
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_1.2.3
+      - patch