Updated Controlos, win_skip_for_test, linting

Signed-off-by: Stephen Williams <[email protected]>

.ansible-lint

@@ -6,12 +6,16 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'experimental'
+    - 'fqcn-builtins'
+    - 'fqcn[action]'
     - 'name[casing]'
     - 'name[template]'
+    - 'name[play]'
     - 'jinja[spacing]'
     - 'yaml[line-length]'
     - 'key-order[task]'
     - 'var-naming'  # Older playbook no new release
+    - 'var-spacing'
     - '204'
     - '208'
     - '305'

.github/workflows/devel_pipeline_validation.yml

@@ -32,7 +32,7 @@ jobs:
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                     Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
     # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
     playbook-test:

ChangeLog.md

@@ -2,6 +2,14 @@
 
 ## Release 1.1.0
 
+September 2023 Update
+  - Added Additional Variable Checks For Controls
+    - WN10-SO-000020
+    - WN10-SO-000025
+  - Updated and removed controls not needed in win_skip_for_test
+  - Updated Ansible-Lint
+  - Updated logic for Domain Roles
+
 August 2023 Update
   - Updated Workflows To Central Repo
     - Renamed them to better run across all repos.

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Ansible Lockdown
+Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a Windows 10 system to be [DISA STIG](https://public.cyber.mil/stigs/downloads/) compliant.
 
-### Based on [ Windows DISA STIG Version 2, Rel 5 released on Novenber 9th, 2022 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V2R5_STIG.zip)
+### Based on [ Windows DISA STIG Version 2, Rel 7 released on June 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V2R7_STIG.zip)
 
 ---
 
@@ -12,7 +12,7 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61461?label=Quality&&logo=ansible)
+![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61846?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -36,11 +36,11 @@
 
 [Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_10_stig)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_10_stig)
+[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_10_stig)
 
 ### Community
 
-Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
+Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 
 ---
 
@@ -69,8 +69,8 @@ The control found in defaults main also need to reflect true so as this will all
 
 ## Coming from a previous release
 
-STIG releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown.
-This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
+STIG release always contains changes, so it is highly recommended to review the new references and available variables. This have changed significantly since the ansible-lockdown initial release.
+This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.
 
 Further details can be seen in the [Changelog](./ChangeLog.md)
 

defaults/main.yml

@@ -26,16 +26,9 @@ win10stig_lengthy_search: false
 # may cause breaking changes when running it for testing purposes.  These generally consist of winrm controls
 # that are needed to keep the ansible connection alive.
 # Controls that will be skipped:
-# WN10-CC-000330 - CAT1
-# WN10-CC-000345 - CAT1
-# WN10-CC-000335 - CAT2
-# WN10-CC-000350 - CAT2
-# WN10-CC-000355 - CAT2
-# WN10-CC-000360 - CAT2
-# WN10-SO-000020 - CAT2
-# WN10-SO-000245 - CAT2
-# WN10-SO-000005 - CAT2
-# WN10-SO-000020 - CAT2
+# WN10-CC-000330 - CAT1 - Disables WinRM Allow Client Basic Auth
+# WN10-CC-000345 - CAT1 - Disables WinRM Allow Service Basic Auth
+# WN10-SO-000005 - CAT2 - Disables Built-In Admin Account
 win_skip_for_test: false
 
 # tweak role to run in a non-privileged container
@@ -514,11 +507,11 @@ win10stig_min_pin_length: 6
 
 # WN10-SO-000020
 # win10stig_new_administrator_name is the name the built-in Administrator account will be renamed to
-win10stig_new_administrator_name: newadmin
+win10stig_new_administrator_name: adminchangethis
 
 # WN10-SO-000025
 # win10stig_new_guest_name is the name the built-in Guest account will be renamed to
-win10stig_new_guest_name: newguest
+win10stig_new_guest_name: guestchangethis
 
 # WN10-SO-000070
 # win10stig_inactivity_timeout is the machine inactivity limit in seconds.

tasks/cat2.yml

@@ -2572,7 +2572,6 @@
       type: dword
   when:
       - wn10_CC_000335
-      - not win_skip_for_test
   tags:
       - WN10-CC-000335
       - CAT2
@@ -2590,7 +2589,6 @@
       type: dword
   when:
       - wn10_CC_000350
-      - not win_skip_for_test
   tags:
       - WN10-CC-000350
       - CAT2
@@ -2608,7 +2606,6 @@
       type: dword
   when:
       - wn10_CC_000355
-      - not win_skip_for_test
   tags:
       - WN10-CC-000355
       - CAT2
@@ -2625,7 +2622,6 @@
       type: dword
   when:
       - wn10_CC_000360
-      - not win_skip_for_test
   tags:
       - WN10-CC-000360
       - CAT2
@@ -2944,13 +2940,29 @@
       - V-220910
 
 - name: "MEDIUM | WN10-SO-000020 | PATCH | The built-in administrator account must be renamed."
-  community.windows.win_security_policy:
-      section: System Access
-      key: NewAdministratorName
-      value: "{{ win10stig_new_administrator_name }}"
+  block:
+      - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Warning Msg For Default Variable Not Edited."
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! You have not changed the default admin username in win10stig_new_administrator_name please"
+                - "make the necessary change to the variable to be in compliance."
+        when: "'adminchangethis' in win10stig_new_administrator_name"
+
+      - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Add Warn Count."
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        vars:
+            warn_control_id: 'WN10-SO-000020'
+        when: "'adminchangethis' in win10stig_new_administrator_name"
+
+      - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Change Admin Name."
+        community.windows.win_security_policy:
+            section: System Access
+            key: NewAdministratorName
+            value: "{{ win10stig_new_administrator_name }}"
+        when: "'adminchangethis' not in win10stig_new_administrator_name"
   when:
       - wn10_SO_000020
-      - not win_skip_for_test
   tags:
       - WN10-SO-000020
       - CAT2
@@ -2960,10 +2972,27 @@
       - V-220911
 
 - name: "MEDIUM | WN10-SO-000025 | PATCH | The built-in guest account must be renamed."
-  community.windows.win_security_policy:
-      section: System Access
-      key: NewGuestName
-      value: "{{ win10stig_new_guest_name }}"
+  block:
+      - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Warning Msg For Default Variable Not Edited."
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! You have not changed the default guest name in win10stig_new_guest_name please"
+                - "make the necessary change to the variable to be in compliance."
+        when: "'guestchangethis' in win10stig_new_guest_name"
+
+      - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Add Warn Count."
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        vars:
+            warn_control_id: 'WN10-SO-000025'
+        when: "'guestchangethis' in win10stig_new_guest_name"
+
+      - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Change Guest Name."
+        community.windows.win_security_policy:
+            section: System Access
+            key: NewGuestName
+            value: "{{ win10stig_new_guest_name }}"
+        when: "'guestchangethis' not in win10stig_new_guest_name"
   when:
       - wn10_SO_000025
   tags:
@@ -3322,7 +3351,6 @@
       type: dword
   when:
       - wn10_SO_000245
-      - not win_skip_for_test
   tags:
       - WN10-SO-000245
       - CAT2

tasks/prelim.yml

@@ -1,22 +1,22 @@
 ---
 
-# - name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
-#   win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
-#   register: win10stig_tpm_enabled
-#   changed_when: no
-#   failed_when: no
-#   tags:
-#       - always
+- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
+  win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+  register: win10stig_tpm_enabled
+  changed_when: false
+  failed_when: false
+  tags:
+      - always
 
-# - name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
-#   win_reg_stat:
-#       path: HKLM:\System\CurrentControlSet\Control\Terminal Server
-#       name: fDenyTSConnections
-#   register: win10stig_rdp_enabled
-#   changed_when: no
-#   failed_when: no
-#   tags:
-#       - always
+- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
+  win_reg_stat:
+      path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+      name: fDenyTSConnections
+  register: win10stig_rdp_enabled
+  changed_when: false
+  failed_when: false
+  tags:
+      - always
 
 # hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
 # This list is not complete and will be updated as we try on more cloud based services.

vars/main.yml

@@ -10,3 +10,9 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
 
 # This will be changed to true if discovered.
 win10stig_cloud_based_system: false
+
+# These are default values that will be changed when the prelim
+# runs and finds the correct setting.
+win10stig_is_standalone: false
+win10stig_is_domain_controller: false
+win10stig_is_domain_member: false