Merge pull request #31 from ansible-lockdown/2024_FEB_UPDATE

2024 March Bug fixes for Cloud VM logic on section 1.2.x, Improved Reboot Handler and SID Logic Improvement

ChangeLog.md

@@ -2,6 +2,14 @@
 
 ## Release 2.0.1
 
+March 2024 Update
+Thank you @MrSteve81 for the enhancements to this release!
+    - Improved 19.x section logic for Windows local user SIDs and HKU support.
+    - Reboot handler and logic Improvement with skip_reboot var feature.
+    - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
+    - Mislabeled control fix for win22cis_rule_18_9_7_2
+    - Improved logic for win22cis_cloud_based_system 1.2.x controls.
+
 February 2024 Update
 - Issues Addressed:
     - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf

defaults/main.yml

@@ -37,20 +37,11 @@ min_ansible_version: "2.10"
 # may fail in some cases.
 complexity_high: true
 
-# Show "changed" for complex items not remediated per complexity-high setting
-# to make them stand out.  "changed" items on a second run of the role would
-# indicate items requiring manual review.
-audit_complex: true
-
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow. These items can be remediated automatically
 # but are disabled by default to avoid disruption.
 disruption_high: false
 
-# Show "changed" for disruptive items not remediated per disruption-high
-# setting to make them stand out.
-audit_disruptive: false
-
 # Tweak role to run in a non-privileged container
 system_is_container: false
 
@@ -60,16 +51,23 @@ long_running: false
 # win_skip_for_test is used in the playbook to skip over WINRM-based controls that
 # may cause WINRM Basic Connection Type to be disabled.
 # Setting win_skip_for_test to 'false' will enable Secure Connection types only.
-# win22cis_rule_2_3_1_4
-# win22cis_rule_9_3_5
-# win22cis_rule_18_10_89_1_1
-# win22cis_rule_18_10_89_1_2
-# win22cis_rule_18_10_89_2_1
-# win22cis_rule_18_10_89_2_2
-# win22cis_rule_18_10_89_2_3
-# win22cis_rule_18_10_90_1
+# win22cis_rule_2_2_25 - Breaks Local Admin Connection
+# win22cis_rule_2_2_26 - Breaks Local Admin Connection
+# win22cis_rule_2_3_1_4 - Rename default administrator account
+# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot*
+# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
+# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
+# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
+# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_90_1 - Disables Remote Shell Access
 win_skip_for_test: true
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group
 # in order for the variables below to take effect.
@@ -118,6 +116,8 @@ win22cis_rule_2_2_21: true
 win22cis_rule_2_2_22: true
 win22cis_rule_2_2_23: true
 win22cis_rule_2_2_24: true
+# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection
+# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
 win22cis_rule_2_2_25: true
 win22cis_rule_2_2_26: true
 win22cis_rule_2_2_27: true
@@ -355,7 +355,7 @@ win22cis_rule_18_9_5_4: true
 win22cis_rule_18_9_5_5: true
 win22cis_rule_18_9_5_6: true
 win22cis_rule_18_9_5_7: true
-win22cis_rule_18_8_7_2: true
+win22cis_rule_18_9_7_2: true
 win22cis_rule_18_9_13_1: true
 win22cis_rule_18_9_19_2: true
 win22cis_rule_18_9_19_3: true

handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always

meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 galaxy_info:
-    author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr."
+    author: "Stephen Williams, Frederick Witty Jr."
     description: "Ansible role to apply Windows Server 2022 CIS Benchmark"
     company: "MindPoint Group"
     license: MIT

tasks/post.yml

@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always

tasks/prelim.yml

@@ -49,3 +49,40 @@
       windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
   tags:
       - always
+
+
+- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data
+  block:
+      - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+        ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+
+      - name: PRELIM | Pull All Username and SIDs
+        ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+        changed_when: false
+        failed_when: false
+        register: all_users
+
+      - name: PRELIM | Create Results List Fact For Username And SIDs
+        ansible.builtin.set_fact:
+            username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+
+      - name: PRELIM | Load All User Hives From Username And SIDs List
+        ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+        loop: "{{ username_and_sid_results_list }}"
+
+      - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+        ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+        changed_when: false
+        failed_when: false
+        register: current_users_loaded_hku
+
+      - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+        ansible.builtin.set_fact:
+            hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+  when: win22cis_section19
+  tags:
+      - always

tasks/section01.yml

@@ -190,9 +190,7 @@
   ansible.builtin.import_tasks:
       file: section01_cloud_lockout_order.yml
   when:
-      - win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - win22cis_cloud_based_system
   tags:
       - section01_cloud_lockout_order
 
@@ -228,9 +226,7 @@
             - win22cis_bad_login_lockout_count > 0
   when:
       - win22cis_rule_1_2_2
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -245,9 +241,8 @@
       value: "{{ win22cis_allow_admin_account_lockout }}"
   when:
       - win22cis_rule_1_2_3
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-memberserver
       - rule_1.2.3
@@ -284,9 +279,7 @@
             - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration
   when:
       - win22cis_rule_1_2_4
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -318,9 +311,7 @@
         when: win22cis_account_lockout_duration >= 15
   when:
       - win22cis_rule_1_2_1
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver

tasks/section01_cloud_lockout_order.yml

@@ -80,6 +80,7 @@
       value: "{{ win22cis_allow_admin_account_lockout }}"
   when:
       - win22cis_rule_1_2_3
+      - win2022cis_is_domain_member
   tags:
       - level1-memberserver
       - rule_1.2.3

tasks/section02.yml

@@ -300,6 +300,7 @@
   when:
       - win22cis_rule_2_2_20
       - win2022cis_is_domain_controller
+      - not win_skip_for_test
   tags:
       - level1-domaincontroller
       - rule_2.2.20
@@ -378,6 +379,7 @@
   when:
       - win22cis_rule_2_2_25
       - win2022cis_is_domain_controller
+      - not win_skip_for_test
   tags:
       - level1-domaincontroller
       - rule_2.2.25
@@ -394,6 +396,7 @@
   when:
       - win22cis_rule_2_2_26
       - win2022cis_is_domain_member
+      - not win_skip_for_test
   tags:
       - level1-memberserver
       - rule_2.2.26

tasks/section05.yml

@@ -20,7 +20,7 @@
             start_mode: disabled
             state: stopped
         when: spooler_service_info.exists
-  notify: reboot_windows
+  notify: change_requires_reboot
   when:
       - win22cis_rule_5_1 or
         win22cis_rule_5_2

tasks/section18.yml

@@ -207,7 +207,7 @@
       name: RpcAuthnLevelPrivacyEnabled
       data: 1
       type: dword
-  notify: reboot_windows
+  notify: change_requires_reboot
   when:
       - win22cis_rule_18_4_2
   tags:
@@ -239,7 +239,7 @@
       data: 0
       type: dword
       state: present
-  notify: reboot_windows
+  notify: change_requires_reboot
   when:
       - win22cis_rule_18_4_4
   tags:
@@ -1265,18 +1265,18 @@
       - patch
       - vbs
 
-- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
+- name: "18.9.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
   ansible.windows.win_regedit:
       path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
       name: PreventDeviceMetadataFromNetwork
       data: 1
       type: dword
   when:
-      - win22cis_rule_18_8_7_2
+      - win22cis_rule_18_9_7_2
   tags:
       - level1-domaincontroller
       - level1-memberserver
-      - rule_18.8.7.2
+      - rule_18.9.7.2
       - patch
       - metadata
 
@@ -3578,7 +3578,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
       name: AllowAutoConfig
-      data: 1
+      data: 0
       type: dword
   when:
       - win22cis_rule_18_10_89_2_2