From dc624a742c0b60b1662386bbc5f745abb9d9e8b2 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Mon, 11 Mar 2024 10:49:38 -0400 Subject: [PATCH 1/9] Typos Fixed, Section 19 Enhanced, Skip Reboot Add Signed-off-by: Stephen Williams --- ChangeLog.md | 10 +++ README.md | 6 +- defaults/main.yml | 40 +++++---- handlers/main.yml | 6 +- tasks/main.yml | 8 ++ tasks/post.yml | 25 ++++++ tasks/prelim.yml | 71 ++++++++++----- tasks/section_1/cis_1.2.x.yml | 2 +- .../section_1/cis_1.2_cloud_lockout_order.yml | 2 +- .../section_18.10/cis_18.10.89.x.yml | 34 ++----- tasks/section_18/section_18.3/cis_18.3.x.yml | 6 -- tasks/section_19/cis_19.1.3.x.yml | 56 ++++-------- tasks/section_19/cis_19.5.1.x.yml | 21 ++--- tasks/section_19/cis_19.6.6.x.yml | 21 ++--- tasks/section_19/cis_19.7.25.x.yml | 21 ++--- tasks/section_19/cis_19.7.4.x.yml | 42 +++------ tasks/section_19/cis_19.7.40.x.yml | 21 ++--- tasks/section_19/cis_19.7.42.2.x.yml | 21 ++--- tasks/section_19/cis_19.7.7.x.yml | 88 +++++++------------ tasks/section_9/cis_9.3.x.yml | 2 +- vars/main.yml | 8 +- 21 files changed, 229 insertions(+), 282 deletions(-) create mode 100644 tasks/post.yml diff --git a/ChangeLog.md b/ChangeLog.md index 3e2a729..cf6d4f7 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,5 +2,15 @@ ## Release 1.0.0 +March 2024 + - Updated Section 19 To Take Into Account All HKU Accounts And Windows Default Template. + - Fixed A Number Of Typos + - Updated Readme + - Added Option For skip_reboot And Warning Message For It. + - Added Two New Comtrols To Win_Skip_For_Test + - 18.10.89.1.2 + - 18.10.89.2.3 +- Removed When Checks For Domain, Member Server, And Standalone + September 2023 - Initial Release For Benchmark 2.0.0 Released 03.07.2023 diff --git a/README.md b/README.md index 943fc81..0383067 100644 --- a/README.md +++ b/README.md 
@@ -58,7 +58,7 @@ To use release version please point to main branch and relevant release for the ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role. +It is possible to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role. This is managed using tags: - level1-corporate-enterprise-environment @@ -72,11 +72,11 @@ This is managed using tags: - level2-bitlocker - bitlocker -The controls found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component. ## Coming from a previous release -CIS release always contains changes, so it is highly recommended to review the new references and available variables. This have changed significantly since the ansible-lockdown initial release. +CIS releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) diff --git a/defaults/main.yml b/defaults/main.yml index 1f2e177..07f6487 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,11 +1,11 @@ --- -win10cis_section1: true -win10cis_section2: true -win10cis_section5: true -win10cis_section9: true -win10cis_section17: true -win10cis_section18: true +win10cis_section1: false +win10cis_section2: false +win10cis_section5: false +win10cis_section9: false +win10cis_section17: false +win10cis_section18: false win10cis_section19: true # Global Variables 
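Review bot: The first defaults/main.yml hunk flips `win10cis_section1` through `win10cis_section18` to `false`, so a run with stock defaults now applies only section 19; neither the subject line nor the ChangeLog entry mentions disabling the other sections, so this looks like a local test setting that was committed by accident. Unless a section-19-only default is really intended, these six lines should go back to `win10cis_section1: true` … `win10cis_section18: true`. If it is intended, the README and ChangeLog need to say so, because it silently removes most of the benchmark from a default run.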
@@ -22,11 +22,18 @@ win10cis_min_ansible_version: "2.10.1" # 9.3.5 - Enables Firewall Public Rules *Breaks Reboot* # 18.10.57.3.2.1 - Disables Remote Desktop Connections # 18.10.89.1.1 - Disables WinRM Allow Client Basic Auth +# 18.10.89.1.2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control. # 18.10.89.2.1 - Disables WinRM Allow Service Basic Auth # 18.10.89.2.2 - Disables Remote Server Management through WinRM +# 18.10.89.2.3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control. # 18.10.90.1 - Disables Remote Shell Access win_skip_for_test: false +# Changes will be made that will require a system reboot. +# The following option will allow whether or not to skip the reboot. +# Default: true +skip_reboot: false + # Section 1 Rules win10cis_rule_1_1_1: true win10cis_rule_1_1_2: true @@ -785,7 +792,7 @@ win10cis_consent_prompt_behavior_admin: 2 # 9.1.5 # win10cis_domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log -# This is a variable to give some leway on where to store these log files. +# This is a variable to give some leeway on where to store these log files. # Default: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' win10cis_domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' 
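Review bot: The comment above the new `skip_reboot` option reads `# Default: true` while the value added here is `skip_reboot: false`, and "will allow whether or not to skip the reboot" does not say what happens in either case; the second patch in this series flips the value to true, which resolves the mismatch but not the wording. I would replace the two descriptive lines with `# When true the role does not reboot at the end of the run; changes that need a reboot are only reported as a warning (tasks/post.yml).` The two new `win_skip_for_test` entries are also hard to parse as written; `# 18.10.89.1.2 - Skips setting WinRM client 'Allow unencrypted traffic' to Disabled` (and the matching service line for 18.10.89.2.3) reads more clearly.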
@@ -797,23 +804,23 @@ win10cis_domain_firewall_log_size: 16384 # 9.2.5 # win10cis_private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win10cis_private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log' # 9.2.6 # win10cis_private_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB # Default: 16384 win10cis_private_firewall_log_size: 16384 # 9.3.7 # win10cis_public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win10cis_public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # win10cis_public_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB # Default: 16384 win10cis_public_firewall_log_size: 16384 
@@ -952,14 +959,6 @@ win10cis_allow_windows_ink_workspace: 1 # Default: Default - This will save it to the default location win10cis_powershell_transcription_dir: Default -# 18.10.89.2.2 -# win10cis_winrm_allow_auto_config will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -# *** CIS calls for Disabled *** -# 0 - Disbaled -# 1 - Enabled -# Default: 1 -win10cis_winrm_allow_auto_config: 1 - # 18.10.93.2.1 # win10cis_au_options is policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. # The recommended state for this setting is: Enabled. @@ -980,6 +979,9 @@ win10cis_defer_feature_updates_period_in_days: 180 # Section 19 Variables +# Apply CIS To DEFAULT User Profile For New Users in Section 19 when the control number is set to true. +win10cis_default_user_profile: true + # 19.1.3.3 # win10cis_screen_saver_timeout is the setting that specifies how much user idle time must elapse before the screen saver is launched. # The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0. diff --git a/handlers/main.yml b/handlers/main.yml index 0cb78d6..f93d639 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reboot_windows - ansible.windows.win_reboot: - reboot_timeout: 3600 +- name: change_requires_reboot + ansible.builtin.set_fact: + change_requires_reboot: true diff --git a/tasks/main.yml b/tasks/main.yml index 4b6ea01..05f4b60 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -87,9 +87,17 @@ tags: - section19 +- name: Run Post Tasks + ansible.builtin.import_tasks: post.yml + tags: + - post_tasks + - always + - name: If Warnings found Output count and control IDs affected ansible.builtin.debug: msg: - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID’s are listed below:" - "{{ warn_control_list }}" when: warn_count != 0 + tags: + - always 
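Review bot: `win10cis_default_user_profile` is introduced here with a comment saying it controls whether the DEFAULT profile is hardened, but nothing in this series reads it: prelim.yml's "Load Default User Hive" task is gated only on `win10cis_section19`, and the section 19 tasks loop over every loaded hive unconditionally, so setting the variable to false has no effect. Gate the hive load on it, `when: win10cis_section19 and win10cis_default_user_profile` — as far as I can tell the `DEFAULT` key only exists under HKEY_USERS once that task has loaded it, so skipping the load also keeps it out of `hku_loaded_list` — or drop the variable. The phrase "when the control number is set to true" is also unclear; `# Apply the section 19 user settings to the DEFAULT profile (the template for new users) as well.` says what it does.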
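Review bot: `tasks/post.yml` is imported as a regular task right after the section 19 include, but `change_requires_reboot` only becomes true when the handler runs, and handlers fire after all of the role's tasks unless flushed; as it stands post.yml evaluates `change_requires_reboot` while it still holds the vars/main.yml default of `false`, so the reboot-required warning path can never trigger in the same run. Add a task before the `Run Post Tasks` import that runs `ansible.builtin.meta: flush_handlers`, tagged `always`, so the notified handler has set the fact by the time post.yml reads it. The same ordering issue remains after the second patch in this series, which only renames the fact to `reboot_host`.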
diff --git a/tasks/post.yml b/tasks/post.yml new file mode 100644 index 0000000..bf03733 --- /dev/null +++ b/tasks/post.yml @@ -0,0 +1,25 @@ +- name: POST | reboot system if changes require it and not skipped + block: + - name: POST | Reboot system if changes require it and not skipped + ansible.windows.win_reboot: + reboot_timeout: 3600 + when: + - not skip_reboot + + - name: POST | Warning a reboot required but skip option set + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results." + changed_when: true + when: + - change_requires_reboot + - skip_reboot + + - name: "POST | Warning a reboot required but skip option set | warning count" + ansible.builtin.import_tasks: warning_facts.yml + when: + - change_requires_reboot + - skip_reboot + vars: + warn_control_id: Reboot_Required + tags: + - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f6fe702..381a6f3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
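Review bot: The `win_reboot` task is conditioned only on `not skip_reboot`, so with `skip_reboot: false` (the value this patch sets in defaults) the host reboots on every run whether or not any task notified `change_requires_reboot`; its `when` should also carry `- change_requires_reboot`, mirroring the two warning tasks below it. The second patch in this series modifies post.yml again, but that hunk is outside the view, so I cannot tell whether it adds the condition. Independently of the reboot decision, the user hives that prelim.yml mounts with `REG LOAD` are never released here, so a `REG UNLOAD HKU\<sid>` task over the loaded hives (plus `REG UNLOAD HKU\DEFAULT`) belongs in this file before the reboot/warning steps; otherwise a skipped reboot leaves every loaded NTUSER.DAT mounted with its file in use. The new file also lacks the `---` document start the rest of the role uses.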
@@ -28,28 +28,6 @@ tags: - always -- name: Set System Facts Based On Gather Facts Module - block: - - name: Set fact is system is standalone - ansible.builtin.set_fact: - win11cis_is_standalone: true - when: - - ansible_windows_domain_role == 'Stand-alone server' - - - name: Set fact if domain controller role - ansible.builtin.set_fact: - win11cis_is_domain_controller: true - when: - - ansible_windows_domain_role | regex_search('(domain controller)') - - - name: set fact if domain member server - ansible.builtin.set_fact: - win11cis_is_domain_member: true - when: - - ansible_windows_domain_role == 'Member server' - tags: - - always - # HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') # Current list is elastic and will be updated as we test more cloud based services. # Current testing is working in Azure using Hyper-V. We are currently using this for reference: 
@@ -83,3 +61,52 @@ win10cis_windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" tags: - always + +- name: Load Default User Hive (Account That All New Users Get Created From Profile) + ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT + changed_when: false + failed_when: false + when: win10cis_section19 + tags: + - always + +- name: Pull All Username and SIDs + ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID } + changed_when: false + failed_when: false + register: all_users + when: win10cis_section19 + tags: + - always + +- name: Create Results List Fact For Username And SIDs + ansible.builtin.set_fact: + username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}" + when: win10cis_section19 + tags: + - always + +- name: Load All User Hives From Username And SIDs List + ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT + changed_when: false + failed_when: false + loop: "{{ username_and_sid_results_list }}" + when: win10cis_section19 + tags: + - always + +- name: Retrieve Current Users SIDs from HKEY_USERS + ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"} + changed_when: false + failed_when: false + register: current_users_loaded_hku + when: win10cis_section19 + tags: + - always + +- name: Create List Fact For Current Users SIDs from HKEY_USERS + ansible.builtin.set_fact: + hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}" + when: win10cis_section19 + tags: + - always diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 68202ec..5a1ea69 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
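Review bot: Pairing name and SID by splitting on a single space breaks for account names that contain a space, and the load path assumes every profile lives at `C:\Users\<name>` even though Windows profile folders are often named differently (for example `<name>.<DOMAIN>` or a relocated profile); in both cases `REG LOAD` fails and `failed_when: false` hides it, so those users are silently left unhardened. `Win32_UserProfile` exposes the SID, the real `LocalPath` and a `Loaded` flag, so `Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -like 'S-1-5-21-*' -and -not $_.Loaded } | ForEach-Object { $_.SID + '|' + $_.LocalPath }` (split on `|`, then load `"{{ item.1 }}\NTUSER.DAT"`) avoids both problems and also stops `Win32_UserAccount` from enumerating every domain account on a domain-joined host (at minimum add `LocalAccount = TRUE` to its filter). `hku_loaded_list` additionally contains the built-in `.DEFAULT` and service-account hives that are normally present under HKEY_USERS; if section 19 is meant to touch real users and the DEFAULT template only, filter it with `| select('match', '^(S-1-5-21-|DEFAULT$)') | list`. Nothing in this patch unloads the hives afterwards, so without a reboot the NTUSER.DAT files stay mounted.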
@@ -74,7 +74,7 @@ - win10cis_account_lockout_counter_reset > win10cis_account_lockout_duration or win10cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." community.windows.win_security_policy: section: System Access key: ResetLockoutCount diff --git a/tasks/section_1/cis_1.2_cloud_lockout_order.yml b/tasks/section_1/cis_1.2_cloud_lockout_order.yml index 84c054e..58a8253 100644 --- a/tasks/section_1/cis_1.2_cloud_lockout_order.yml +++ b/tasks/section_1/cis_1.2_cloud_lockout_order.yml @@ -88,7 +88,7 @@ - win10cis_account_lockout_counter_reset > win10cis_account_lockout_duration or win10cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." community.windows.win_security_policy: section: System Access key: ResetLockoutCount diff --git a/tasks/section_18/section_18.10/cis_18.10.89.x.yml b/tasks/section_18/section_18.10/cis_18.10.89.x.yml index d31547f..162a076 100644 --- a/tasks/section_18/section_18.10/cis_18.10.89.x.yml +++ b/tasks/section_18/section_18.10/cis_18.10.89.x.yml @@ -24,6 +24,7 @@ type: dword when: - win10cis_rule_18_10_89_1_2 + - not win_skip_for_test tags: - level1-corporate-enterprise-environment - rule_18.10.89.1.2 
@@ -64,33 +65,11 @@ # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" - block: - - name: "18.10.89.2.2 | AUDIT | Ensure Allow remote server management through WinRM is set to Disabled | Warning Check For Variable Standards." - ansible.builtin.debug: - msg: - - "Warning!! You have an invalid setting for win10cis_winrm_allow_auto_config. Please read" - - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - win10cis_winrm_allow_auto_config != 0 - - win10cis_winrm_allow_auto_config != 1 - - - name: "18.10.89.2.2 | AUDIT | Ensure Allow remote server management through WinRM is set to Disabled | Warn Count." - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '18.10.89.2.2' - when: - - win10cis_winrm_allow_auto_config != 0 - - win10cis_winrm_allow_auto_config != 1 - - - name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled | Set Variable." - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowAutoConfig - data: "{{ win10cis_winrm_allow_auto_config }}" - type: dword - when: - - win10cis_winrm_allow_auto_config == 0 or win10cis_winrm_allow_auto_config == 1 + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 0 + type: dword when: - win10cis_rule_18_10_89_2_2 - not win_skip_for_test @@ -109,6 +88,7 @@ type: dword when: - win10cis_rule_18_10_89_2_3 + - not win_skip_for_test tags: - level1-corporate-enterprise-environment - rule_18.10.89.2.3 diff --git a/tasks/section_18/section_18.3/cis_18.3.x.yml b/tasks/section_18/section_18.3/cis_18.3.x.yml index 7d4ecda..bf88c87 100644 --- a/tasks/section_18/section_18.3/cis_18.3.x.yml 
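Review bot: The unchanged comment directly above 18.10.89.2.2 still states that the control "will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart", yet the rewritten task now hard-codes `data: 0` and this patch removes `win10cis_winrm_allow_auto_config` from defaults, so there is no longer a per-control way to keep it enabled. With post.yml rebooting at the end of a default run in this same patch, a default invocation may therefore cut off its own WinRM management after the restart, per the role's own warning; the only remaining escape hatch, `win_skip_for_test`, also skips the unrelated firewall, RDP and remote-shell controls listed in defaults. Either keep the variable (and its warning check) as the override, or replace the comment with one that documents the new behaviour, e.g. `# Hard-set to Disabled per CIS. Per the note above this can break remote management via Ansible after a restart; the only skip is win_skip_for_test.`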
+++ b/tasks/section_18/section_18.3/cis_18.3.x.yml @@ -8,7 +8,6 @@ type: string when: - win10cis_rule_18_3_1 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.1 @@ -24,7 +23,6 @@ type: dword when: - win10cis_rule_18_3_2 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.2 @@ -40,7 +38,6 @@ type: dword when: - win10cis_rule_18_3_3 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.3 @@ -56,7 +53,6 @@ type: dword when: - win10cis_rule_18_3_4 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.4 @@ -89,7 +85,6 @@ when: win10cis_laps_password_length >= 15 when: - win10cis_rule_18_3_5 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.5 @@ -121,7 +116,6 @@ when: win10cis_laps_password_age_days <= 30 when: - win10cis_rule_18_3_6 - - not win10cis_is_domain_controller tags: - level1-corporate-enterprise-environment - rule_18.3.6 diff --git a/tasks/section_19/cis_19.1.3.x.yml b/tasks/section_19/cis_19.1.3.x.yml index a8c7e87..4eca8bd 100644 --- a/tasks/section_19/cis_19.1.3.x.yml +++ b/tasks/section_19/cis_19.1.3.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - block: - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string - - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_1_3_1 tags: @@ -25,20 +18,13 @@ - screen-saver - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - block: - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string - - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_1_3_2 tags: 
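Review bot: Every rewritten section 19 task now loops over `hku_loaded_list` with nothing explaining where that fact comes from or what it contains; the same applies to cis_19.5.1.x.yml, cis_19.6.6.x.yml, cis_19.7.25.x.yml, cis_19.7.4.x.yml, cis_19.7.40.x.yml, cis_19.7.42.2.x.yml and cis_19.7.7.x.yml. A comment above the first task of each file would help maintainers: `# hku_loaded_list comes from tasks/prelim.yml: every key under HKEY_USERS except *_Classes, i.e. the user hives loaded there, the DEFAULT template hive, and the built-in .DEFAULT/service-account hives.` It is worth stating explicitly that the policy values are therefore also written to the service-account hives (presumably harmless), and that on a first run each changed hive notifies `change_requires_reboot`.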
@@ -70,23 +56,15 @@ - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: "{{ win10cis_screen_saver_timeout }}" - type: string - when: - - win10cis_screen_saver_timeout > 0 - - win10cis_screen_saver_timeout <= 900 - - - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: "{{ win10cis_screen_saver_timeout }}" type: string + loop: "{{ hku_loaded_list }}" when: - win10cis_screen_saver_timeout > 0 - win10cis_screen_saver_timeout <= 900 + notify: change_requires_reboot when: - win10cis_rule_19_1_3_3 tags: diff --git a/tasks/section_19/cis_19.5.1.x.yml b/tasks/section_19/cis_19.5.1.x.yml index 78b23d8..21433e3 100644 --- a/tasks/section_19/cis_19.5.1.x.yml +++ b/tasks/section_19/cis_19.5.1.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - block: - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword - - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_5_1_1 tags: diff --git a/tasks/section_19/cis_19.6.6.x.yml b/tasks/section_19/cis_19.6.6.x.yml index d5a7d96..785d155 100644 --- a/tasks/section_19/cis_19.6.6.x.yml +++ b/tasks/section_19/cis_19.6.6.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - block: - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword - - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_6_6_1_1 tags: diff --git a/tasks/section_19/cis_19.7.25.x.yml b/tasks/section_19/cis_19.7.25.x.yml index b7fdf0b..e0a150b 100644 --- a/tasks/section_19/cis_19.7.25.x.yml +++ b/tasks/section_19/cis_19.7.25.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - block: - - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword - - - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_25_1 tags: diff --git a/tasks/section_19/cis_19.7.4.x.yml b/tasks/section_19/cis_19.7.4.x.yml index 3082ae7..80339f9 100644 --- a/tasks/section_19/cis_19.7.4.x.yml +++ b/tasks/section_19/cis_19.7.4.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - block: - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword - - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_4_1 tags: @@ -25,20 +18,13 @@ - preserve-zone-information - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - block: - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword - - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_4_2 tags: 
diff --git a/tasks/section_19/cis_19.7.40.x.yml b/tasks/section_19/cis_19.7.40.x.yml index 1194901..0366980 100644 --- a/tasks/section_19/cis_19.7.40.x.yml +++ b/tasks/section_19/cis_19.7.40.x.yml @@ -1,20 +1,13 @@ --- - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - block: - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword - - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_40_1 tags: diff --git a/tasks/section_19/cis_19.7.42.2.x.yml b/tasks/section_19/cis_19.7.42.2.x.yml index 253e7c6..36dad96 100644 --- a/tasks/section_19/cis_19.7.42.2.x.yml +++ b/tasks/section_19/cis_19.7.42.2.x.yml 
@@ -1,20 +1,13 @@ --- - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - block: - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword - - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_47_2_1 tags: diff --git a/tasks/section_19/cis_19.7.7.x.yml b/tasks/section_19/cis_19.7.7.x.yml index ab0bca6..25febbd 100644 --- a/tasks/section_19/cis_19.7.7.x.yml +++ b/tasks/section_19/cis_19.7.7.x.yml @@ -1,20 +1,13 @@ --- - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - block: - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword - - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_7_1 tags: 
@@ -25,20 +18,13 @@ - windows-spotlight - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - block: - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword - - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_7_2 tags: @@ -49,20 +35,13 @@ - third-party-content - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - block: - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword - - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_7_3 tags: 
@@ -73,20 +52,13 @@ - diagnostic-data - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - block: - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword - - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_7_4 tags: @@ -98,10 +70,12 @@ - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" ansible.windows.win_regedit: - path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableSpotlightCollectionOnDesktop data: 1 type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_rule_19_7_7_5 tags: diff --git a/tasks/section_9/cis_9.3.x.yml b/tasks/section_9/cis_9.3.x.yml index ff85911..0684a8a 100644 --- a/tasks/section_9/cis_9.3.x.yml +++ b/tasks/section_9/cis_9.3.x.yml @@ -123,7 +123,7 @@ warn_control_id: '9.3.8' when: win10cis_public_firewall_log_size < 16384 - - name: Apply Settings To Registry." + - name: "9.3.8 | AUDIT | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFileSize 
diff --git a/vars/main.yml b/vars/main.yml
index a83f852..5860b58 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -15,8 +15,6 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
# This will be changed to true if discovered.
win10cis_cloud_based_system: false

-# These are default values that will be changed when the prelim
-# runs and finds the correct setting.
-win10cis_is_standalone: false
-win10cis_is_domain_controller: false
-win10cis_is_domain_member: false
+# default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+change_requires_reboot: false

From 0ec504ef863dd4b9e93fda0779ec60417f31a90d Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Mon, 11 Mar 2024 13:24:27 -0400
Subject: [PATCH 2/9] Typos Fixed, Section 19 Enhanced, Skip Reboot Add

Signed-off-by: Stephen Williams
---
 defaults/main.yml | 2 +-
 handlers/main.yml | 4 +++-
 tasks/post.yml | 13 +++++++++----
 tasks/section_19/cis_19.1.3.x.yml | 1 +
 vars/main.yml | 2 +-
 5 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 07f6487..51e4b10 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -32,7 +32,7 @@ win_skip_for_test: false
# Changes will be made that will require a system reboot.
# The following option will allow whether or not to skip the reboot.
# Default: true
-skip_reboot: false
+skip_reboot: true

# Section 1 Rules
win10cis_rule_1_1_1: true
diff --git a/handlers/main.yml b/handlers/main.yml
index f93d639..80d01dc 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -2,4 +2,6 @@

- name: change_requires_reboot
ansible.builtin.set_fact:
- change_requires_reboot: true
+ reboot_host: true
+ tags:
+ - always
diff --git a/tasks/post.yml b/tasks/post.yml
index bf03733..1a2e22c 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
@@ -1,23 +1,28 @@ +- debug: + msg: "{{ reboot_host }}" + - name: POST | reboot system if changes require it and not skipped block: - name: POST | Reboot system if changes require it and not skipped ansible.windows.win_reboot: reboot_timeout: 3600 when: + - reboot_host - not skip_reboot - name: POST | Warning a reboot required but skip option set ansible.builtin.debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results." + msg: "Warning!! Changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results." changed_when: true when: - - change_requires_reboot + - reboot_host - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - - change_requires_reboot + - reboot_host - skip_reboot vars: warn_control_id: Reboot_Required diff --git a/tasks/section_19/cis_19.1.3.x.yml b/tasks/section_19/cis_19.1.3.x.yml index 4eca8bd..85b08a0 100644 --- a/tasks/section_19/cis_19.1.3.x.yml +++ b/tasks/section_19/cis_19.1.3.x.yml @@ -25,6 +25,7 @@ type: string loop: "{{ hku_loaded_list }}" notify: change_requires_reboot + changed_when: true when: - win10cis_rule_19_1_3_2 tags: diff --git a/vars/main.yml b/vars/main.yml index 5860b58..21ba3a3 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -17,4 +17,4 @@ win10cis_cloud_based_system: false # default setting, this should not be changed # and is overridden if a task that changed sets the value if required. -change_requires_reboot: false +reboot_host: false From a9957b310658d3e5efcb0c9895f2ada57cd74fed Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 12 Mar 2024 10:23:11 -0400 Subject: [PATCH 3/9] Skip Reboot Fixed 
Signed-off-by: Stephen Williams
---
 defaults/main.yml | 14 +++++++-------
 tasks/main.yml | 6 +++---
 tasks/post.yml | 20 +++++++++++++-------
 tasks/section_19/cis_19.1.3.x.yml | 3 +--
 vars/main.yml | 2 +-
 5 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 51e4b10..cb29535 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,11 +1,11 @@
---

-win10cis_section1: false
-win10cis_section2: false
-win10cis_section5: false
-win10cis_section9: false
-win10cis_section17: false
-win10cis_section18: false
+win10cis_section1: true
+win10cis_section2: true
+win10cis_section5: true
+win10cis_section9: true
+win10cis_section17: true
+win10cis_section18: true
win10cis_section19: true

# Global Variables
@@ -32,7 +32,7 @@ win_skip_for_test: false
# Changes will be made that will require a system reboot.
# The following option will allow whether or not to skip the reboot.
# Default: true
-skip_reboot: true
+skip_reboot: false

# Section 1 Rules
win10cis_rule_1_1_1: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 05f4b60..fbb269c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -88,12 +88,12 @@
- section19

- name: Run Post Tasks
- ansible.builtin.import_tasks: post.yml
+ ansible.builtin.import_tasks:
+ file: post.yml
tags:
- - post_tasks
- always

-- name: If Warnings found Output count and control IDs affected
+- name: If Warnings Found Output Count And Control IDs Affected
ansible.builtin.debug:
msg:
- "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID’s are listed below:"
diff --git a/tasks/post.yml b/tasks/post.yml
index 1a2e22c..4aa3351 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
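Review bot: Dropping `- post_tasks` from the tag list of the post.yml import leaves `always` as its only tag, so a caller can no longer exclude the reboot and warning tasks with `--skip-tags post_tasks`; keeping `- post_tasks` next to `- always` costs nothing and preserves that selector for existing callers. The debug message two lines below the renamed task still reads `ID’s` with a curly apostrophe; it is untouched by this commit, but `IDs` would be the correct plural while this task is being edited.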
@@ -1,24 +1,30 @@ -- debug: - msg: "{{ reboot_host }}" +--- -- name: POST | reboot system if changes require it and not skipped +- name: "POST | Flush Handlers" + ansible.builtin.meta: flush_handlers + tags: + - always + +- name: "POST | Reboot System Options" block: - - name: POST | Reboot system if changes require it and not skipped + - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False" ansible.windows.win_reboot: reboot_timeout: 3600 when: - reboot_host - not skip_reboot - - name: POST | Warning a reboot required but skip option set + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set" ansible.builtin.debug: - msg: "Warning!! Changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results." + msg: + - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually." + - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results." changed_when: true when: - reboot_host - skip_reboot - - name: "POST | Warning a reboot required but skip option set | warning count" + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count" ansible.builtin.import_tasks: file: warning_facts.yml when: diff --git a/tasks/section_19/cis_19.1.3.x.yml b/tasks/section_19/cis_19.1.3.x.yml index 85b08a0..6d12c2e 100644 --- a/tasks/section_19/cis_19.1.3.x.yml +++ b/tasks/section_19/cis_19.1.3.x.yml @@ -25,7 +25,6 @@ type: string loop: "{{ hku_loaded_list }}" notify: change_requires_reboot - changed_when: true when: - win10cis_rule_19_1_3_2 tags: @@ -62,10 +61,10 @@ data: "{{ win10cis_screen_saver_timeout }}" type: string loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win10cis_screen_saver_timeout > 0 - win10cis_screen_saver_timeout <= 900 - notify: change_requires_reboot when: - win10cis_rule_19_1_3_3 tags: diff --git a/vars/main.yml b/vars/main.yml index 21ba3a3..4bfad0c 100644 
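Review bot: The new task name `POST | Rebooting System................. Skip Reboot Has Been Set To: False` pads with a run of dots, which reads as noise in play output and makes the line awkward to search for; `- name: "POST | Reboot System | skip_reboot Is False"` carries the same information using the variable's real name. The two `Skip Reboot Has Been Set` names would likewise be easier to correlate with the branch that fired if they named `skip_reboot` literally. The `POST | Reboot System Options` block continues past the end of the hunk, so its closing `when`/`tags` could not be checked here.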
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -15,6 +15,6 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
# This will be changed to true if discovered.
win10cis_cloud_based_system: false

-# default setting, this should not be changed
+# Default setting, this should not be changed
# and is overridden if a task that changed sets the value if required.
reboot_host: false

From bccffcd7cdfdf5ca4194e7f124f35b8141dc4c14 Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Tue, 12 Mar 2024 10:34:54 -0400
Subject: [PATCH 4/9] Typos Fixed

Signed-off-by: Stephen Williams
---
 defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index cb29535..7a603e5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,6 +14,7 @@ win10cis_min_ansible_version: "2.10.1"

# win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
# These controls are primarily around RDP and WinRM
+# Default: false
# Controls that will be skipped:
# 2.2.16 - Breaks Local Admin Connection
# 2.2.20 - Breaks Local Admin Connection

From f5dd41ca865bf4200355927a27647894bb34668d Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Tue, 12 Mar 2024 10:43:19 -0400
Subject: [PATCH 5/9] Github Action Updates

Signed-off-by: Stephen Williams
---
 .github/workflows/devel_pipeline_validation.yml | 4 ++--
 .github/workflows/main_pipeline_validation.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 870d6d3..0649432 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
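Review bot: The second comment line on the new side, `# and is overridden if a task that changed sets the value if required.`, still does not say what sets `reboot_host` or why it lives in vars/ rather than defaults/; the handler hunk in patch 2 shows it is the `change_requires_reboot` handler that flips it. A clearer pair would be `# Default; do not override.` and `# The change_requires_reboot handler sets this to true when a notifying task reports changed.`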
@@ -59,13 +59,13 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 438dd55..d280d3b 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -47,13 +47,13 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC

From d34c7da44f48456d22d189d58abf8aae010926de Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Tue, 12 Mar 2024 11:04:26 -0400
Subject: [PATCH 6/9] Fix Handler

Signed-off-by: Stephen Williams
---
 tasks/section_18/section_18.4/cis_18.4.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_18/section_18.4/cis_18.4.x.yml b/tasks/section_18/section_18.4/cis_18.4.x.yml
index 382cf79..8ac9d14 100644
--- a/tasks/section_18/section_18.4/cis_18.4.x.yml
+++ b/tasks/section_18/section_18.4/cis_18.4.x.yml
@@ -52,7 +52,7 @@
data: 0
type: dword
state: present
-notify: reboot_windows
+notify: change_requires_reboot
when:
- win10cis_rule_18_4_4
tags:

From e7fe50c860b2d78f2c31e49c9199f9d8f00c5761 Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Tue, 12 Mar 2024 11:17:12 -0400
Subject: [PATCH 7/9] Fix Skip Reboot Default

Signed-off-by: Stephen Williams
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7a603e5..b3baef8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -33,7 +33,7 @@ win_skip_for_test: false
# Changes will be made that will require a system reboot.
# The following option will allow whether or not to skip the reboot.
# Default: true
-skip_reboot: false
+skip_reboot: true

# Section 1 Rules
win10cis_rule_1_1_1: true

From e411cee71e5e7cea1e84578b8b18dff2714a11de Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Wed, 13 Mar 2024 08:07:06 -0400
Subject: [PATCH 8/9] Fix Prelim

Signed-off-by: Stephen Williams
---
 tasks/prelim.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 381a6f3..ae55d62 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -32,7 +32,7 @@
# Current list is elastic and will be updated as we test more cloud based services.
# Current testing is working in Azure using Hyper-V. We are currently using this for reference:
# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
-- name: Set Fact If Cloud Based System.
+- name: PRELIM | Set Fact If Cloud Based System.
ansible.builtin.set_fact:
win10cis_cloud_based_system: true
when:
@@ -42,7 +42,7 @@
tags:
- always

-- name: Check Hyper-V Installation
+- name: PRELIM | Check Hyper-V Installation
ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All | Select-Object -Property State | ft -hide
changed_when: false
failed_when: false
@@ -56,13 +56,13 @@
tags:
- always

-- name: Set Windows installation type
+- name: PRELIM | Set Windows installation type
ansible.builtin.set_fact:
win10cis_windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
tags:
- always

-- name: Load Default User Hive (Account That All New Users Get Created From Profile)
+- name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
changed_when: false
failed_when: false
@@ -70,7 +70,7 @@
tags:
- always

-- name: Pull All Username and SIDs
+- name: PRELIM | Pull All Username and SIDs
ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
changed_when: false
failed_when: false
@@ -79,14 +79,14 @@
tags:
- always

-- name: Create Results List Fact For Username And SIDs
+- name: PRELIM | Create Results List Fact For Username And SIDs
ansible.builtin.set_fact:
username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
when: win10cis_section19
tags:
- always

-- name: Load All User Hives From Username And SIDs List
+- name: PRELIM | Load All User Hives From Username And SIDs List
ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
changed_when: false
failed_when: false
@@ -95,7 +95,7 @@
tags:
- always

-- name: Retrieve Current Users SIDs from HKEY_USERS
+- name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
changed_when: false
failed_when: false
@@ -104,7 +104,7 @@
tags:
- always

-- name: Create List Fact For Current Users SIDs from HKEY_USERS
+- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
ansible.builtin.set_fact:
hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
when: win10cis_section19

From 4b2e75ac90f46f1a10c56cbb8af190e848dd8470 Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Wed, 13 Mar 2024 08:24:44 -0400
Subject: [PATCH 9/9] Fix Prelim Block

Signed-off-by: Stephen Williams
---
 tasks/prelim.yml | 67 +++++++++++++++++++----------------------------
 1 file changed, 27 insertions(+), 40 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index ae55d62..06eebba 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -62,51 +62,38 @@ tags: - always -- name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile) - ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT - changed_when: false - failed_when: false - when: win10cis_section19 - tags: - - always +- name: PRELIM | Obtatin And Load Defaukt Abnd User Hives + block: + - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile) + ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT + changed_when: false + failed_when: false -- name: PRELIM | Pull All Username and SIDs - ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID } - changed_when: false - failed_when: false - register: all_users - when: win10cis_section19 - tags: - - always + - name: PRELIM | Pull All Username and SIDs + ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID } + changed_when: false + failed_when: false + register: all_users -- name: PRELIM | Create Results List Fact For Username And SIDs - ansible.builtin.set_fact: - username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}" - when: win10cis_section19 - tags: - - always + - name: PRELIM | Create Results List Fact For Username And SIDs + ansible.builtin.set_fact: + username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}" -- name: PRELIM | Load All User Hives From Username And SIDs List - ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT - changed_when: false - failed_when: false - loop: "{{ username_and_sid_results_list }}" - when: win10cis_section19 - tags: - - always + - name: PRELIM | Load All User Hives From Username And SIDs List + ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT + 
changed_when: false + failed_when: false + loop: "{{ username_and_sid_results_list }}" -- name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS - ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"} - changed_when: false - failed_when: false - register: current_users_loaded_hku - when: win10cis_section19 - tags: - - always + - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS + ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"} + changed_when: false + failed_when: false + register: current_users_loaded_hku -- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS - ansible.builtin.set_fact: - hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}" + - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS + ansible.builtin.set_fact: + hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}" when: win10cis_section19 tags: - always
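Review bot: The new block name `PRELIM | Obtatin And Load Defaukt Abnd User Hives` carries three typos in a series titled "Typos Fixed"; it should read `- name: PRELIM | Obtain And Load Default And User Hives`. A functional problem sits in the enumeration the block now wraps: `$_.Name + " " + $_.SID` followed by `map('split', ' ')` breaks for any account name that contains a space, and `C:\Users\{{ item.0 }}\NTUSER.DAT` assumes the profile folder equals the account name, which is not guaranteed (folders such as `name.DOMAIN` or `name.000` occur), while `Win32_UserAccount` on a domain-joined host can also return domain accounts that have no local profile at all; enumerating `Win32_UserProfile` instead yields the SID and `LocalPath` of every profile that actually has a hive, as sketched below. Separately, every `REG LOAD` here is `failed_when: false`, so a hive that fails to load is silently skipped and the section-19 tasks then silently miss that user, and nothing in this hunk unloads the hives afterwards — if no later task issues a `REG UNLOAD`, those NTUSER.DAT files remain locked until the host reboots.
```yaml
    - name: PRELIM | Pull All User Profile Paths And SIDs
      ansible.windows.win_shell: Get-CimInstance -Class Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object { $_.LocalPath + "|" + $_.SID }
      changed_when: false
      failed_when: false
      register: all_users

    - name: PRELIM | Create Results List Fact For Profile Paths And SIDs
      ansible.builtin.set_fact:
        username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', '|') | list }}"

    - name: PRELIM | Load All User Hives From Profile Paths And SIDs List
      ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} "{{ item.0 }}\NTUSER.DAT"
      # … unchanged: changed_when / failed_when / loop …
```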