Sept 2023 fixes

.github/workflows/devel_pipeline_validation.yml

@@ -59,13 +59,13 @@ jobs:
         steps:
           # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                   ref: ${{ github.event.pull_request.head.sha }}
 
           # Pull In Terraform Code For Windows Azure
             - name: Clone github IaC plan
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                   repository: ansible-lockdown/github_windows_IaC
                   path: .github/workflows/github_windows_IaC

.github/workflows/main_pipeline_validation.yml

@@ -47,13 +47,13 @@ jobs:
         steps:
           # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                   ref: ${{ github.event.pull_request.head.sha }}
 
           # Pull In Terraform Code For Windows Azure
             - name: Clone github IaC plan
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                   repository: ansible-lockdown/github_windows_IaC
                   path: .github/workflows/github_windows_IaC

ChangeLog.md

@@ -2,5 +2,15 @@
 
 ## Release 1.0.0
 
+March 2024
+  - Updated Section 19 To Take Into Account All HKU Accounts And Windows Default Template.
+  - Fixed A Number Of Typos
+  - Updated Readme
+  - Added Option For skip_reboot And Warning Message For It.
+  - Added Two New Comtrols To Win_Skip_For_Test
+    - 18.10.89.1.2
+    - 18.10.89.2.3
+- Removed When Checks For Domain, Member Server, And Standalone
+
 September 2023
   - Initial Release For Benchmark 2.0.0 Released 03.07.2023

README.md

@@ -58,7 +58,7 @@ To use release version please point to main branch and relevant release for the
 
 ## Matching a security Level for CIS
 
-It is possible to to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role.
+It is possible to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role.
 This is managed using tags:
 
 - level1-corporate-enterprise-environment
@@ -72,11 +72,11 @@ This is managed using tags:
 - level2-bitlocker
 - bitlocker
 
-The controls found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.
+The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component.
 
 ## Coming from a previous release
 
-CIS release always contains changes, so it is highly recommended to review the new references and available variables. This have changed significantly since the ansible-lockdown initial release.
+CIS releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release.
 This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.
 
 Further details can be seen in the [Changelog](./ChangeLog.md)

defaults/main.yml

@@ -14,6 +14,7 @@ win10cis_min_ansible_version: "2.10.1"
 
 # win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
 # These controls are primarily around RDP and WinRM
+# Default: false
 # Controls that will be skipped:
 # 2.2.16 - Breaks Local Admin Connection
 # 2.2.20 - Breaks Local Admin Connection
@@ -22,11 +23,18 @@ win10cis_min_ansible_version: "2.10.1"
 # 9.3.5 - Enables Firewall Public Rules *Breaks Reboot*
 # 18.10.57.3.2.1 - Disables Remote Desktop Connections
 # 18.10.89.1.1  - Disables WinRM Allow Client Basic Auth
+# 18.10.89.1.2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
 # 18.10.89.2.1 - Disables WinRM Allow Service Basic Auth
 # 18.10.89.2.2 - Disables Remote Server Management through WinRM
+# 18.10.89.2.3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
 # 18.10.90.1 - Disables Remote Shell Access
 win_skip_for_test: false
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # Section 1 Rules
 win10cis_rule_1_1_1: true
 win10cis_rule_1_1_2: true
@@ -785,7 +793,7 @@ win10cis_consent_prompt_behavior_admin: 2
 
 # 9.1.5
 # win10cis_domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
-# This is a variable to give some leway on where to store these log files.
+# This is a variable to give some leeway on where to store these log files.
 # Default: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
 win10cis_domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
 
@@ -797,23 +805,23 @@ win10cis_domain_firewall_log_size: 16384
 
 # 9.2.5
 # win10cis_private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log
-# This is a variable to give some leway on where to store these log files
+# This is a variable to give some leeway on where to store these log files
 win10cis_private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
 
 # 9.2.6
 # win10cis_private_firewall_log_size is the size of the log file
-# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
+# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
 # Default: 16384
 win10cis_private_firewall_log_size: 16384
 
 # 9.3.7
 # win10cis_public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log
-# This is a variable to give some leway on where to store these log files
+# This is a variable to give some leeway on where to store these log files
 win10cis_public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 
 # 9.3.8
 # win10cis_public_firewall_log_size is the size of the log file
-# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
+# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
 # Default: 16384
 win10cis_public_firewall_log_size: 16384
 
@@ -952,14 +960,6 @@ win10cis_allow_windows_ink_workspace: 1
 # Default: Default - This will save it to the default location
 win10cis_powershell_transcription_dir: Default
 
-# 18.10.89.2.2
-# win10cis_winrm_allow_auto_config will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-# *** CIS calls for Disabled ***
-# 0 - Disbaled
-# 1 - Enabled
-# Default: 1
-win10cis_winrm_allow_auto_config: 1
-
 # 18.10.93.2.1
 # win10cis_au_options is policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS.
 # The recommended state for this setting is: Enabled.
@@ -980,6 +980,9 @@ win10cis_defer_feature_updates_period_in_days: 180
 
 # Section 19 Variables
 
+# Apply CIS To DEFAULT User Profile For New Users in Section 19 when the control number is set to true.
+win10cis_default_user_profile: true
+
 # 19.1.3.3
 # win10cis_screen_saver_timeout is the setting that specifies how much user idle time must elapse before the screen saver is launched.
 # The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0.

handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always

tasks/main.yml

@@ -87,9 +87,17 @@
   tags:
       - section19
 
-- name: If Warnings found Output count and control IDs affected
+- name: Run Post Tasks
+  ansible.builtin.import_tasks:
+      file: post.yml
+  tags:
+      - always
+
+- name: If Warnings Found Output Count And Control IDs Affected
   ansible.builtin.debug:
       msg:
           - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID’s are listed below:"
           - "{{ warn_control_list }}"
   when: warn_count != 0
+  tags:
+      - always

tasks/post.yml

@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always

tasks/prelim.yml

@@ -28,33 +28,11 @@
   tags:
       - always
 
-- name: Set System Facts Based On Gather Facts Module
-  block:
-      - name: Set fact is system is standalone
-        ansible.builtin.set_fact:
-            win11cis_is_standalone: true
-        when:
-            - ansible_windows_domain_role == 'Stand-alone server'
-
-      - name: Set fact if domain controller role
-        ansible.builtin.set_fact:
-            win11cis_is_domain_controller: true
-        when:
-            - ansible_windows_domain_role | regex_search('(domain controller)')
-
-      - name: set fact if domain member server
-        ansible.builtin.set_fact:
-            win11cis_is_domain_member: true
-        when:
-            - ansible_windows_domain_role == 'Member server'
-  tags:
-      - always
-
 # HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
 # Current list is elastic and will be updated as we test more cloud based services.
 # Current testing is working in Azure using Hyper-V. We are currently using this for reference:
 # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
-- name: Set Fact If Cloud Based System.
+- name: PRELIM | Set Fact If Cloud Based System.
   ansible.builtin.set_fact:
       win10cis_cloud_based_system: true
   when:
@@ -64,7 +42,7 @@
   tags:
       - always
 
-- name: Check Hyper-V Installation
+- name: PRELIM | Check Hyper-V Installation
   ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All | Select-Object -Property State | ft -hide
   changed_when: false
   failed_when: false
@@ -78,8 +56,57 @@
   tags:
       - always
 
-- name: Set Windows installation type
+- name: PRELIM | Set Windows installation type
   ansible.builtin.set_fact:
       win10cis_windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
   tags:
       - always
+
+- name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+  ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+  changed_when: false
+  failed_when: false
+  when: win10cis_section19
+  tags:
+      - always
+
+- name: PRELIM | Pull All Username and SIDs
+  ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+  changed_when: false
+  failed_when: false
+  register: all_users
+  when: win10cis_section19
+  tags:
+      - always
+
+- name: PRELIM | Create Results List Fact For Username And SIDs
+  ansible.builtin.set_fact:
+      username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+  when: win10cis_section19
+  tags:
+      - always
+
+- name: PRELIM | Load All User Hives From Username And SIDs List
+  ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+  changed_when: false
+  failed_when: false
+  loop: "{{ username_and_sid_results_list }}"
+  when: win10cis_section19
+  tags:
+      - always
+
+- name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+  ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+  changed_when: false
+  failed_when: false
+  register: current_users_loaded_hku
+  when: win10cis_section19
+  tags:
+      - always
+
+- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+  ansible.builtin.set_fact:
+      hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+  when: win10cis_section19
+  tags:
+      - always

tasks/section_1/cis_1.2.x.yml

@@ -74,7 +74,7 @@
             - win10cis_account_lockout_counter_reset > win10cis_account_lockout_duration or
               win10cis_account_lockout_counter_reset < 15
 
-      - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
+      - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
         community.windows.win_security_policy:
             section: System Access
             key: ResetLockoutCount

tasks/section_1/cis_1.2_cloud_lockout_order.yml

@@ -88,7 +88,7 @@
             - win10cis_account_lockout_counter_reset > win10cis_account_lockout_duration or
               win10cis_account_lockout_counter_reset < 15
 
-      - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
+      - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
         community.windows.win_security_policy:
             section: System Access
             key: ResetLockoutCount