Updated skip_for_test, cloud based controls, added banner

Signed-off-by: Stephen Williams <[email protected]>
ansible-lockdown · May 17, 2023 · 19dc8c9 · 19dc8c9
1 parent 9fb4245
commit 19dc8c9
Show file tree

Hide file tree

Showing 10 changed files with 143 additions and 6 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## May 2023 Update
+  - Updated Pieplines For Testing
+  - Added Banner
+  - Added Skip For Testing to controls that will break in cloud. 
+  - Added Support for Azure for Controls that break. 
+
 ## Release 1.0.0
   - Updated Readme
   - Added Changelog.md and updated.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -21,10 +21,21 @@ win10stig_disruption_high: false
 # If there is an action tied to the lengthy search the action task will be disabled as well
 win10stig_lengthy_search: true
 
-winstig_skip_for_travis: false
-
-# Some tasks need to be skipped for CI/CD testing to work correctly
-winstig_skip_for_test: false
+# win_skip_for_test is used in the playbook to skip over certain controls that
+# may cause breaking changes when running it for testing purposes.  These generally consist of winrm controls
+# that are needed to keep the ansible connection alive.
+# Controls that will be skipped:
+# WN10-CC-000330 - CAT1
+# WN10-CC-000345 - CAT1
+# WN10-CC-000335 - CAT2
+# WN10-CC-000350 - CAT2
+# WN10-CC-000355 - CAT2
+# WN10-CC-000360 - CAT2
+# WN10-SO-000020 - CAT2
+# WN10-SO-000245 - CAT2
+# WN10-SO-000005 - CAT2
+# WN10-SO-000020 - CAT2
+win_skip_for_test: false
 
 win10stig_workaround_for_disa_benchmark: true
 win10stig_workaround_for_ssg_benchmark: true

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
 
-- name: reboot windows
-  win_reboot:
+- name: reboot_windows
+  ansible.windows.win_reboot:
+      reboot_timeout: 3600
diff --git a/tasks/cat1.yml b/tasks/cat1.yml
@@ -327,6 +327,7 @@
       datatype: dword
   when:
       - wn10_CC_000330
+      - not win_skip_for_test
   tags:
       - WN10-CC-000330
       - CAT1
@@ -344,6 +345,7 @@
       datatype: dword
   when:
       - wn10_CC_000345
+      - not win_skip_for_test
   tags:
       - WN10-CC-000345
       - CAT1

diff --git a/tasks/cat2.yml b/tasks/cat2.yml
@@ -847,6 +847,7 @@
       value: "{{ win10stig_account_settings.lockoutbadcount }}"
   when:
       - wn10_AC_000010
+      - not win10stig_cloud_based_system
   tags:
       - WN10-AC-000010
       - CAT2
@@ -864,6 +865,7 @@
       value: "{{ win10stig_account_settings.resetlockoutcount }}"
   when:
       - wn10_AC_000015
+      - not win10stig_cloud_based_system
   tags:
       - WN10-AC-000015
       - CAT2
@@ -880,6 +882,7 @@
       value: "{{ win10stig_account_settings.lockoutduration }}"
   when:
       - wn10_AC_000005
+      - not win10stig_cloud_based_system
   tags:
       - WN10-AC-000005
       - CAT2
@@ -2563,6 +2566,7 @@
       type: dword
   when:
       - wn10_CC_000335
+      - not win_skip_for_test
   tags:
       - WN10-CC-000335
       - CAT2
@@ -2580,6 +2584,7 @@
       type: dword
   when:
       - wn10_CC_000350
+      - not win_skip_for_test
   tags:
       - WN10-CC-000350
       - CAT2
@@ -2597,6 +2602,7 @@
       type: dword
   when:
       - wn10_CC_000355
+      - not win_skip_for_test
   tags:
       - WN10-CC-000355
       - CAT2
@@ -2613,6 +2619,7 @@
       type: dword
   when:
       - wn10_CC_000360
+      - not win_skip_for_test
   tags:
       - WN10-CC-000360
       - CAT2
@@ -2892,6 +2899,7 @@
       value: 0
   when:
       - wn10_SO_000005
+      - not win_skip_for_test
   tags:
       - WN10-SO-000005
       - CAT2
@@ -2938,6 +2946,7 @@
       value: "{{ win10stig_new_administrator_name }}"
   when:
       - wn10_SO_000020
+      - not win_skip_for_test
   tags:
       - WN10-SO-000020
       - CAT2
@@ -3309,6 +3318,7 @@
       type: dword
   when:
       - wn10_SO_000245
+      - not win_skip_for_test
   tags:
       - WN10-SO-000245
       - CAT2

diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud.yml
@@ -0,0 +1,52 @@
+---
+# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS
+# CONTROL WN10-AC-000010
+# CONTROL WN10-AC-000005
+# CONTROL WN10-AC-000015
+# Needs to go before WN10-AC-000005 since the Lockout Duration could be disabled if the Lockout Policy is set to 0 causing the task to fail
+- name: "MEDIUM | WN10-AC-000010 | PATCH | The number of allowed bad logon attempts must be configured to 3 or less."
+  community.windows.win_security_policy:
+      section: System Access
+      key: LockoutBadCount
+      value: "{{ win10stig_account_settings.lockoutbadcount }}"
+  when:
+      - wn10_AC_000010
+  tags:
+      - WN10-AC-000010
+      - CAT2
+      - CCI-000044
+      - SRG-OS-000021-GPOS-00005
+      - SV-220740r569187_rule
+      - V-220740
+
+- name: "MEDIUM | WN10-AC-000005 | PATCH | Windows 10 account lockout duration must be configured to 15 minutes or greater."
+  community.windows.win_security_policy:
+      section: System Access
+      key: LockoutDuration
+      value: "{{ win10stig_account_settings.lockoutduration }}"
+  when:
+      - wn10_AC_000005
+  tags:
+      - WN10-AC-000005
+      - CAT2
+      - CCI-002238
+      - SRG-OS-000329-GPOS-00128
+      - SV-220739r569187_rule
+      - V-220739
+
+# The Lockout Duration must be greater or equal to the Reset Account Lockout counter.
+- name: "MEDIUM | WN10-AC-000015 | PATCH | The period of time before the bad logon counter is reset must be configured to 15 minutes."
+  community.windows.win_security_policy:
+      section: System Access
+      key: ResetLockoutCount
+      value: "{{ win10stig_account_settings.resetlockoutcount }}"
+  when:
+      - wn10_AC_000015
+  tags:
+      - WN10-AC-000015
+      - CAT2
+      - CCI-000044
+      - CCI-002238
+      - SRG-OS-000021-GPOS-00005
+      - SV-220741r569187_rule
+      - V-220741
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Display Banner
+  ansible.builtin.debug:
+      msg: "{{ lockdown_banner.split('\n') }}"
+  tags:
+      - always
+
 - name: Gather distribution info
   ansible.builtin.setup:
       gather_subset: distribution,!all,!min
@@ -43,6 +49,20 @@
       - cat1
       - high
 
+# We have found the order of these three tasks varies between cloud based instances
+# and VM based instances. The task below breaks out to run in a different order
+# for cloud based systems
+- name: Execute the category 2 (medium severity) tasks
+  ansible.builtin.import_tasks: cat2_cloud.yml
+  when:
+      - win10stig_cloud_based_system
+      - wn10_AC_000010 or
+        wn10_AC_000005 or
+        wn10_AC_000015
+  tags:
+      - cat2_cloud
+      - medium
+
 - name: Execute the category 2 (medium severity) tasks
   ansible.builtin.import_tasks: cat2.yml
   when: win10stig_cat2_patch | bool

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -18,6 +18,20 @@
 #   tags:
 #       - always
 
+# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
+# This list is not complete and will be updated as we try on more cloud based services.
+# As of now testing is working in azure using Hyper-V. We are curently using this for reference:
+# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
+- name: Set Fact If Cloud Based System.
+  ansible.builtin.set_fact:
+      win10stig_cloud_based_system: true
+  when:
+      - ansible_virtualization_type == 'Hyper-V' or
+        ansible_virtualization_type == 'hvm' or
+        ansible_virtualization_type == 'kvm'
+  tags:
+      - always
+
 - name: "PRELIM | Get Display Version value."
   ansible.windows.win_reg_stat:
       path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion

diff --git a/templates/banner.txt b/templates/banner.txt
@@ -0,0 +1,15 @@
+░█████╗░███╗░░██╗░██████╗██╗██████╗░██╗░░░░░███████╗
+██╔══██╗████╗░██║██╔════╝██║██╔══██╗██║░░░░░██╔════╝ 
+███████║██╔██╗██║╚█████╗░██║██████╦╝██║░░░░░█████╗░░ 
+██╔══██║██║╚████║░╚═══██╗██║██╔══██╗██║░░░░░██╔══╝░░ 
+██║░░██║██║░╚███║██████╔╝██║██████╦╝███████╗███████╗
+╚═╝░░╚═╝╚═╝░░╚══╝╚═════╝░╚═╝╚═════╝░╚══════╝╚══════╝
+          ██╗░░░░░░█████╗░░█████╗░██╗░░██╗██████╗░░█████╗░░██╗░░░░░░░██╗███╗░░██╗
+          ██║░░░░░██╔══██╗██╔══██╗██║░██╔╝██╔══██╗██╔══██╗░██║░░██╗░░██║████╗░██║
+          ██║░░░░░██║░░██║██║░░╚═╝█████═╝░██║░░██║██║░░██║░╚██╗████╗██╔╝██╔██╗██║
+          ██║░░░░░██║░░██║██║░░██╗██╔═██╗░██║░░██║██║░░██║░░████╔═████║░██║╚████║
+          ███████╗╚█████╔╝╚█████╔╝██║░╚██╗██████╔╝╚█████╔╝░░╚██╔╝░╚██╔╝░██║░╚███║
+          ╚══════╝░╚════╝░░╚════╝░╚═╝░░╚═╝╚═════╝░░╚════╝░░░░╚═╝░░░╚═╝░░╚═╝░░╚══╝
+                            .------------------------------.
+                            | SUPPORTED BY MINDPOINT GROUP |
+                            '------------------------------'
diff --git a/vars/main.yml b/vars/main.yml
@@ -4,3 +4,9 @@
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
+
+# This sets the variable that is created for the banner.
+lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
+
+# This will be changed to true if discovered.
+win10stig_cloud_based_system: false