PR And Issue Fixes

Signed-off-by: Stephen Williams <[email protected]>

ChangeLog.md

@@ -2,17 +2,28 @@
 
 ## Release 2.0.1
 
+December 2024 Updates
+- Updated 1.1.2 When logic
+- Issues Addressed:
+  - [#51](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/51) - Thank you @msachikanta
+  - [#50](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/50) - Thank you @msachikanta
+  - [#48](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/48) - Thanks @animatco
+  - [#45](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/45) - Thanks @Crombell95
+  - [#32](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/32) - Thanks @RomainPisters (Verified It has been addressed.)
+- PR's Addressed:
+  - [#53](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/53/files) - Thanks @tgoetheyn
+
 April 2024 Update
-Thank you @RomainPisters
-    - Fix from Issue #32
+- Issues Addressed:
+  - [#32](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/32) - Thank you @RomainPisters
 
 March 2024 Update
-Thank you @MrSteve81 for the enhancements to this release!
-    - Improved 19.x section logic for Windows local user SIDs and HKU support.
-    - Reboot handler and logic Improvement with skip_reboot var feature.
-    - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
-    - Mislabeled control fix for win22cis_rule_18_9_7_2
-    - Improved logic for win22cis_cloud_based_system 1.2.x controls.
+- Thank you @MrSteve81 for the enhancements to this release!
+  - Improved 19.x section logic for Windows local user SIDs and HKU support.
+  - Reboot handler and logic Improvement with skip_reboot var feature.
+  - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
+  - Mislabeled control fix for win22cis_rule_18_9_7_2
+  - Improved logic for win22cis_cloud_based_system 1.2.x controls.
 
 February 2024 Update
 - Issues Addressed:

defaults/main.yml

@@ -325,7 +325,7 @@ win22cis_rule_18_6_9_1: true
 win22cis_rule_18_6_9_2: true
 win22cis_rule_18_6_10_2: true
 win22cis_rule_18_6_11_2: true
-win22cis_rule_18_5_11_3: true
+win22cis_rule_18_6_11_3: true
 win22cis_rule_18_6_11_4: true
 win22cis_rule_18_6_14_1: true
 win22cis_rule_18_6_19_2_1: true
@@ -389,7 +389,7 @@ win22cis_rule_18_9_27_7: true
 win22cis_rule_18_9_30_1: true
 win22cis_rule_18_9_30_2: true
 win22cis_rule_18_9_32_6_1: true
-win22cis_rule_18_3_32_6_2: true
+win22cis_rule_18_9_32_6_2: true
 win22cis_rule_18_9_32_6_3: true
 win22cis_rule_18_9_32_6_4: true
 win22cis_rule_18_9_34_1: true
@@ -467,6 +467,7 @@ win22cis_rule_18_10_57_3_3_3: true
 win22cis_rule_18_10_57_3_3_4: true
 win22cis_rule_18_10_57_3_3_5: true
 win22cis_rule_18_10_57_3_3_6: true
+win22cis_rule_18_10_57_3_3_7: true
 win22cis_rule_18_10_57_3_9_1: true
 win22cis_rule_18_10_57_3_9_2: true
 win22cis_rule_18_10_57_3_9_3: true

tasks/section01.yml

@@ -36,14 +36,26 @@
 
 - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0"
   block:
+      - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable."
+        community.windows.win_security_policy:
+            section: System Access
+            key: MaximumPasswordAge
+            value: "{{ win22cis_maximum_password_age }}"
+        when:
+            - win22cis_maximum_password_age <= 365
+            - win22cis_maximum_password_age > 0
+            - win22cis_maximum_password_age > win22cis_minimum_password_age
+
       - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time."
         ansible.builtin.debug:
             msg:
                 - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read"
                 - "the notes for the variable and make the necessary change to the variable to be in compliance."
+                - "Also verify your win22cis_maximum_password_age is more then the win22cis_minimum_password_age"
         when:
             - win22cis_maximum_password_age > 365 or
               win22cis_maximum_password_age == 0
+            - win22cis_maximum_password_age < win22cis_minimum_password_age
 
       - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count."
         ansible.builtin.import_tasks:
@@ -53,15 +65,7 @@
         when:
             - win22cis_maximum_password_age > 365 or
               win22cis_maximum_password_age == 0
-
-      - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable."
-        community.windows.win_security_policy:
-            section: System Access
-            key: MaximumPasswordAge
-            value: "{{ win22cis_maximum_password_age }}"
-        when:
-            - win22cis_maximum_password_age <= 365
-            - win22cis_maximum_password_age > 0
+            - win22cis_maximum_password_age < win22cis_minimum_password_age
   when:
       - win22cis_rule_1_1_2
   tags:
@@ -73,32 +77,36 @@
 
 - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
   block:
+      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
+        community.windows.win_security_policy:
+            section: System Access
+            key: MinimumPasswordAge
+            value: "{{ win22cis_minimum_password_age }}"
+        when:
+            - win22cis_minimum_password_age <= 364 or
+              win22cis_minimum_password_age > 0
+            - win22cis_minimum_password_age < win22cis_maximum_password_age
+
       - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
         ansible.builtin.debug:
             msg:
                 - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read"
                 - "the notes for the variable and make the necessary change to the variable to be in compliance."
+                - "Also verify your win22cis_minimum_password_age is less then the win22cis_maximum_password_age"
         when:
-            - win22cis_maximum_password_age > 999 or
-              win22cis_maximum_password_age == 0
+            - win22cis_minimum_password_age > 364 or
+              win22cis_minimum_password_age == 0
+            - win22cis_minimum_password_age > win22cis_maximum_password_age
 
       - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
         ansible.builtin.import_tasks:
             file: warning_facts.yml
         vars:
             warn_control_id: '1.1.3'
         when:
-            - win22cis_maximum_password_age > 999 or
-              win22cis_maximum_password_age == 0
-
-      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
-        community.windows.win_security_policy:
-            section: System Access
-            key: MinimumPasswordAge
-            value: "{{ win22cis_minimum_password_age }}"
-        when:
-            - win22cis_maximum_password_age <= 999 or
-              win22cis_maximum_password_age > 0
+            - win22cis_minimum_password_age > 364 or
+              win22cis_minimum_password_age == 0
+            - win22cis_minimum_password_age > win22cis_maximum_password_age
   when:
       - win22cis_rule_1_1_3
   tags:
@@ -108,6 +116,23 @@
       - patch
       - password
 
+# If the "RelaxMinimumPasswordLengthLimits" is not set prior to the "MinimumPasswordLength"
+# an error occurs if the password is set beyond 14 characters.
+- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
+  ansible.windows.win_regedit:
+      path: HKLM:\SYSTEM\CurrentControlSet\Control\SAM
+      name: RelaxMinimumPasswordLengthLimits
+      data: 1
+      type: dword
+  when:
+      - win22cis_rule_1_1_6
+      - prelim_win22cis_is_domain_member
+  tags:
+      - level1-memberserver
+      - rule_1.1.6
+      - patch
+      - password
+
 - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters"
   block:
       - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
@@ -155,7 +180,7 @@
 
 - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
   ansible.windows.win_regedit:
-      path: HKLM:\System\CurrentControlSet\Control\SAM
+      path: HKLM:\SYSTEM\CurrentControlSet\Control\SAM
       name: RelaxMinimumPasswordLengthLimits
       data: 1
       type: dword