
2024 March Bug fixes for Cloud VM logic on section 1.2.x, Improved Reboot Handler and SID Logic Improvement #31

Merged
merged 12 commits into from
Mar 19, 2024
8 changes: 8 additions & 0 deletions ChangeLog.md
Expand Up @@ -2,6 +2,14 @@

## Release 2.0.1

March 2024 Update
Thank you @MrSteve81 for the enhancements to this release!
- Improved 19.x section logic for Windows local user SIDs and HKU support.
- Reboot handler and logic Improvement with skip_reboot var feature.
- win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
- Mislabeled control fix for win22cis_rule_18_9_7_2
- Improved logic for win22cis_cloud_based_system 1.2.x controls.

February 2024 Update
- Issues Addressed:
- [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf
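Review bot: The changelog omits two default-behaviour changes that affect compliance results on an out-of-the-box run: `skip_reboot: true` now leaves hosts that need a reboot un-rebooted with only a warning, and `win_skip_for_test: true` (the default) now skips 2.2.20, 2.2.25 and 2.2.26 outright rather than just the WinRM settings. Add a line for each so operators know to set `skip_reboot: false` and `win_skip_for_test: false` for a real hardening run. The "Mislabeled control fix" line should also say that the variable `win22cis_rule_18_8_7_2` was renamed to `win22cis_rule_18_9_7_2`, since any inventory overriding the old name stops taking effect after this release.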
36 changes: 18 additions & 18 deletions defaults/main.yml
Expand Up @@ -37,20 +37,11 @@ min_ansible_version: "2.10"
# may fail in some cases.
complexity_high: true

# Show "changed" for complex items not remediated per complexity-high setting
# to make them stand out. "changed" items on a second run of the role would
# indicate items requiring manual review.
audit_complex: true

# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow. These items can be remediated automatically
# but are disabled by default to avoid disruption.
disruption_high: false

# Show "changed" for disruptive items not remediated per disruption-high
# setting to make them stand out.
audit_disruptive: false

# Tweak role to run in a non-privileged container
system_is_container: false

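Review bot: Dropping `audit_complex`, `disruption_high` and `audit_disruptive` from defaults will turn into undefined-variable failures if any task in the role still references them, and this diff does not show the task files being updated. Grep `tasks/` for the three names before merging, or keep them for one release with a deprecation comment so existing group_vars that set `disruption_high: true` do not silently become no-ops.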
Expand All @@ -60,16 +51,23 @@ long_running: false
# win_skip_for_test is used in the playbook to skip over WINRM-based controls that
# may cause WINRM Basic Connection Type to be disabled.
# Setting win_skip_for_test to 'false' will enable Secure Connection types only.
# win22cis_rule_2_3_1_4
# win22cis_rule_9_3_5
# win22cis_rule_18_10_89_1_1
# win22cis_rule_18_10_89_1_2
# win22cis_rule_18_10_89_2_1
# win22cis_rule_18_10_89_2_2
# win22cis_rule_18_10_89_2_3
# win22cis_rule_18_10_90_1
# win22cis_rule_2_2_25 - Breaks Local Admin Connection
# win22cis_rule_2_2_26 - Breaks Local Admin Connection
# win22cis_rule_2_3_1_4 - Rename default administrator account
# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot*
# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
# win22cis_rule_18_10_90_1 - Disables Remote Shell Access
win_skip_for_test: true

# Changes will be made that will require a system reboot.
# The following option will allow whether or not to skip the reboot.
# Default: true
skip_reboot: true

# These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group
# in order for the variables below to take effect.
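Review bot: The header comment still describes `win_skip_for_test` as skipping "WINRM-based controls", but the list now also contains 2.2.25 and 2.2.26, which the comments themselves describe as breaking the local admin connection rather than as WinRM settings; reword the header so it matches the list, otherwise a reader assumes only WinRM is affected. For `skip_reboot`, the comment should say what the role does when it is true (raises a warning and leaves the host pending reboot), because a default of `true` means a default run leaves hosts in a partially applied state until someone reboots them, and `# Default: true` on its own does not convey that.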
Expand Down Expand Up @@ -118,6 +116,8 @@ win22cis_rule_2_2_21: true
win22cis_rule_2_2_22: true
win22cis_rule_2_2_23: true
win22cis_rule_2_2_24: true
# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection
# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
win22cis_rule_2_2_25: true
win22cis_rule_2_2_26: true
win22cis_rule_2_2_27: true
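Review bot: These two comment lines document the skip for 2.2.25 and 2.2.26, but section02.yml now gates 2.2.20 on `not win_skip_for_test` as well, and nothing in defaults says so; add the same note above `win22cis_rule_2_2_20` (or extend this one) so the skip is documented where the toggle lives. Minor wording: "-- will skip the controls here even if they are set to true" reads oddly; "will skip these controls even when they are set to true" is enough.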
Expand Down Expand Up @@ -355,7 +355,7 @@ win22cis_rule_18_9_5_4: true
win22cis_rule_18_9_5_5: true
win22cis_rule_18_9_5_6: true
win22cis_rule_18_9_5_7: true
win22cis_rule_18_8_7_2: true
win22cis_rule_18_9_7_2: true
win22cis_rule_18_9_13_1: true
win22cis_rule_18_9_19_2: true
win22cis_rule_18_9_19_3: true
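Review bot: Renaming `win22cis_rule_18_8_7_2` to `win22cis_rule_18_9_7_2` fixes the label but silently breaks any inventory or group_vars that set the old name to `false`: the override is ignored and the control is applied anyway. Consider honouring the old name for one release, e.g. `win22cis_rule_18_9_7_2: "{{ win22cis_rule_18_8_7_2 | default(true) }}"`, or at minimum call out the rename explicitly in the ChangeLog.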
8 changes: 5 additions & 3 deletions handlers/main.yml
@@ -1,5 +1,7 @@
---

- name: reboot_windows
ansible.windows.win_reboot:
reboot_timeout: 3600
- name: change_requires_reboot
ansible.builtin.set_fact:
reboot_host: true
tags:
- always
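Review bot: Renaming the handler from `reboot_windows` to `change_requires_reboot` means every `notify: reboot_windows` in the role has to change in the same PR; this diff only updates section05.yml and section18.yml, so grep the remaining section files for `reboot_windows` before merging, otherwise the first task in one of those files that reports changed fails with a "handler not found" error. Also, because the new handler only runs `set_fact` when handlers are flushed, `reboot_host` is never defined on a run where nothing changed; initialise it (in defaults/main.yml or a `set_fact` in prelim) rather than relying on every consumer to write `| default(false)`.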
2 changes: 1 addition & 1 deletion meta/main.yml
@@ -1,7 +1,7 @@
---

galaxy_info:
author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr."
author: "Stephen Williams, Frederick Witty Jr."
description: "Ansible role to apply Windows Server 2022 CIS Benchmark"
company: "MindPoint Group"
license: MIT
36 changes: 36 additions & 0 deletions tasks/post.yml
@@ -0,0 +1,36 @@
---

- name: "POST | Flush Handlers"
ansible.builtin.meta: flush_handlers
tags:
- always

- name: "POST | Reboot System Options"
block:
- name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
ansible.windows.win_reboot:
reboot_timeout: 3600
when:
- reboot_host
- not skip_reboot

- name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
ansible.builtin.debug:
msg:
- "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
- "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
changed_when: true
when:
- reboot_host
- skip_reboot

- name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- reboot_host
- skip_reboot
vars:
warn_control_id: Reboot_Required
tags:
- always
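Review bot: `when: - reboot_host` in all three tasks raises an undefined-variable error on any run where no task notified `change_requires_reboot`, unless `reboot_host` is initialised somewhere this diff does not show; either give it a default or use `reboot_host | default(false)` in each condition. Two smaller points: the diff does not touch tasks/main.yml, so confirm post.yml is actually imported after the section tasks (a new file that nothing includes is the easiest way to ship a reboot handler that never runs); and `changed_when: true` on the debug task is what makes the warning visible, but it also means every run with `skip_reboot: true` reports a change, which is worth stating in the defaults comment so nobody chases a phantom drift.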
37 changes: 37 additions & 0 deletions tasks/prelim.yml
Expand Up @@ -49,3 +49,40 @@
windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
tags:
- always


- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data
block:
- name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
changed_when: false
failed_when: false

- name: PRELIM | Pull All Username and SIDs
ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
changed_when: false
failed_when: false
register: all_users

- name: PRELIM | Create Results List Fact For Username And SIDs
ansible.builtin.set_fact:
username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"

- name: PRELIM | Load All User Hives From Username And SIDs List
ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
changed_when: false
failed_when: false
loop: "{{ username_and_sid_results_list }}"

- name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
changed_when: false
failed_when: false
register: current_users_loaded_hku

- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
ansible.builtin.set_fact:
hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
when: win22cis_section19
tags:
- always
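Review bot: The parsing in "Pull All Username and SIDs" splits each line on a single space, so a local account whose name contains a space yields a three-element list where `item.1` is the rest of the name rather than the SID; the following `REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT` then loads the hive under a bogus key or fails, and `failed_when: false` hides it. Emit a delimiter that cannot appear in a username, or return JSON (`Select-Object Name,SID | ConvertTo-Json`) and parse it with `from_json`. Related: the profile path is assumed to be `C:\Users\<Name>`, which is wrong for renamed or relocated profiles (`user.DOMAIN`, a moved ProfilesDirectory); `Win32_UserProfile` exposes `LocalPath` together with the SID, which removes both the path guess and the name parsing. Two more things a defender will care about: nothing unloads the hives afterwards, and while a hive stays loaded under HKU that user's NTUSER.DAT is locked, so an interactive logon for the account can fall back to a temporary profile; add a matching `REG UNLOAD` step once section 19 has finished. And `Win32_UserAccount` with only `SID LIKE 'S-1-5-%'` enumerates domain accounts on a domain member, so the loop will attempt to load a hive for every domain user; add `LocalAccount=True` to the filter.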
21 changes: 6 additions & 15 deletions tasks/section01.yml
Expand Up @@ -190,9 +190,7 @@
ansible.builtin.import_tasks:
file: section01_cloud_lockout_order.yml
when:
- win22cis_cloud_based_system or
win2022cis_is_domain_controller or
win2022cis_is_domain_member
- win22cis_cloud_based_system
tags:
- section01_cloud_lockout_order

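Review bot: This is the actual bug fix behind "Improved logic for win22cis_cloud_based_system 1.2.x controls" and it deserves a sentence in the ChangeLog: the old single-element condition `win22cis_cloud_based_system or win2022cis_is_domain_controller or win2022cis_is_domain_member` was true on every DC and member server, so the cloud lockout order tasks ran everywhere, and the `not win22cis_cloud_based_system or ...` conditions in the hunks below were likewise true on every DC/member, so the standard 1.2.x tasks also ran on cloud VMs. Users upgrading may see lockout settings change on both cloud and non-cloud hosts, and the changelog should prepare them for that.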
Expand Down Expand Up @@ -228,9 +226,7 @@
- win22cis_bad_login_lockout_count > 0
when:
- win22cis_rule_1_2_2
- not win22cis_cloud_based_system or
win2022cis_is_domain_controller or
win2022cis_is_domain_member
- not win22cis_cloud_based_system
tags:
- level1-domaincontroller
- level1-memberserver
Expand All @@ -245,9 +241,8 @@
value: "{{ win22cis_allow_admin_account_lockout }}"
when:
- win22cis_rule_1_2_3
- not win22cis_cloud_based_system or
win2022cis_is_domain_controller or
win2022cis_is_domain_member
- win2022cis_is_domain_member
- not win22cis_cloud_based_system
tags:
- level1-memberserver
- rule_1.2.3
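Review bot: 1.2.3 now requires both `win2022cis_is_domain_member` and `not win22cis_cloud_based_system`, which finally matches its `level1-memberserver` tag; the old condition let it run on domain controllers as well. The same `win2022cis_is_domain_member` guard is added in section01_cloud_lockout_order.yml, so the two files stay consistent. Note in the ChangeLog that the control no longer applies to DCs, since that is a visible change for anyone auditing DC results.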
Expand Down Expand Up @@ -284,9 +279,7 @@
- win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration
when:
- win22cis_rule_1_2_4
- not win22cis_cloud_based_system or
win2022cis_is_domain_controller or
win2022cis_is_domain_member
- not win22cis_cloud_based_system
tags:
- level1-domaincontroller
- level1-memberserver
Expand Down Expand Up @@ -318,9 +311,7 @@
when: win22cis_account_lockout_duration >= 15
when:
- win22cis_rule_1_2_1
- not win22cis_cloud_based_system or
win2022cis_is_domain_controller or
win2022cis_is_domain_member
- not win22cis_cloud_based_system
tags:
- level1-domaincontroller
- level1-memberserver
1 change: 1 addition & 0 deletions tasks/section01_cloud_lockout_order.yml
Expand Up @@ -80,6 +80,7 @@
value: "{{ win22cis_allow_admin_account_lockout }}"
when:
- win22cis_rule_1_2_3
- win2022cis_is_domain_member
tags:
- level1-memberserver
- rule_1.2.3
3 changes: 3 additions & 0 deletions tasks/section02.yml
Expand Up @@ -300,6 +300,7 @@
when:
- win22cis_rule_2_2_20
- win2022cis_is_domain_controller
- not win_skip_for_test
tags:
- level1-domaincontroller
- rule_2.2.20
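Review bot: With `win_skip_for_test` defaulting to `true`, this hunk and the two below mean 2.2.20, 2.2.25 and 2.2.26 are silently skipped on an out-of-the-box run while the role still reports the host as processed. Since these are controls the defaults file itself describes as breaking the admin connection, i.e. they restrict exactly the remote access an attacker would also use, the skip should be visible in output. The role already has a warning mechanism (`warning_facts.yml` with `warn_control_id`, used in post.yml for the skipped reboot); add a warning task for these three controls when `win_skip_for_test` is true so the gap shows up in the warning count rather than only in a comment.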
Expand Down Expand Up @@ -378,6 +379,7 @@
when:
- win22cis_rule_2_2_25
- win2022cis_is_domain_controller
- not win_skip_for_test
tags:
- level1-domaincontroller
- rule_2.2.25
Expand All @@ -394,6 +396,7 @@
when:
- win22cis_rule_2_2_26
- win2022cis_is_domain_member
- not win_skip_for_test
tags:
- level1-memberserver
- rule_2.2.26
2 changes: 1 addition & 1 deletion tasks/section05.yml
Expand Up @@ -20,7 +20,7 @@
start_mode: disabled
state: stopped
when: spooler_service_info.exists
notify: reboot_windows
notify: change_requires_reboot
when:
- win22cis_rule_5_1 or
win22cis_rule_5_2
12 changes: 6 additions & 6 deletions tasks/section18.yml
Expand Up @@ -207,7 +207,7 @@
name: RpcAuthnLevelPrivacyEnabled
data: 1
type: dword
notify: reboot_windows
notify: change_requires_reboot
when:
- win22cis_rule_18_4_2
tags:
Expand Down Expand Up @@ -239,7 +239,7 @@
data: 0
type: dword
state: present
notify: reboot_windows
notify: change_requires_reboot
when:
- win22cis_rule_18_4_4
tags:
Expand Down Expand Up @@ -1265,18 +1265,18 @@
- patch
- vbs

- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
- name: "18.9.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
name: PreventDeviceMetadataFromNetwork
data: 1
type: dword
when:
- win22cis_rule_18_8_7_2
- win22cis_rule_18_9_7_2
tags:
- level1-domaincontroller
- level1-memberserver
- rule_18.8.7.2
- rule_18.9.7.2
- patch
- metadata

Expand Down Expand Up @@ -3578,7 +3578,7 @@
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowAutoConfig
data: 1
data: 0
type: dword
when:
- win22cis_rule_18_10_89_2_2
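Review bot: Changing `AllowAutoConfig` from 1 to 0 is a security fix rather than a tidy-up and should be called out in the ChangeLog: defaults/main.yml describes 18.10.89.2.2 as "Disables Remote Server Management through WinRM", and the policy's Disabled state is `AllowAutoConfig = 0`, so with `data: 1` the role had been enabling the setting, the opposite of the control. Operators whose previous runs left the value at 1 need a re-run to correct it, and because this rule is now gated behind `not win_skip_for_test`, that re-run only takes effect with `win_skip_for_test: false`, which is exactly the combination that can drop the WinRM session; say so in the changelog so the re-run is planned with an alternative management path available.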