From 64755b465750f50375618b51e1fc038510f2ec68 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 26 Sep 2023 16:37:28 -0400 Subject: [PATCH] Updated Controlos, win_skip_for_test, linting Signed-off-by: Stephen Williams --- .ansible-lint | 4 ++ .../workflows/devel_pipeline_validation.yml | 2 +- ChangeLog.md | 8 +++ LICENSE | 2 +- README.md | 12 ++-- defaults/main.yml | 17 ++---- tasks/cat2.yml | 56 ++++++++++++++----- tasks/prelim.yml | 32 +++++------ vars/main.yml | 6 ++ 9 files changed, 89 insertions(+), 50 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 47f63b5..6d72a4a 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,16 @@ skip_list: - 'schema' - 'no-changed-when' - 'experimental' + - 'fqcn-builtins' + - 'fqcn[action]' - 'name[casing]' - 'name[template]' + - 'name[play]' - 'jinja[spacing]' - 'yaml[line-length]' - 'key-order[task]' - 'var-naming' # Older playbook no new release + - 'var-spacing' - '204' - '208' - '305' diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 0aae7a5..870d6d3 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -32,7 +32,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance. playbook-test: diff --git a/ChangeLog.md b/ChangeLog.md index b05b0d6..ca82c4b 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -2,6 +2,14 @@ ## Release 1.1.0 +September 2023 Update + - Added Additional Variable Checks For Controls + - WN10-SO-000020 + - WN10-SO-000025 + - Updated and removed controls not needed in win_skip_for_test + - Updated Ansible-Lint + - Updated logic for Domain Roles + August 2023 Update - Updated Workflows To Central Repo - Renamed them to better run across all repos. diff --git a/LICENSE b/LICENSE index 0d0b836..4ed247b 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2021 Ansible Lockdown +Copyright (c) 2023 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index fe598c4..2add5cd 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Windows 10 system to be [DISA STIG](https://public.cyber.mil/stigs/downloads/) compliant. -### Based on [ Windows DISA STIG Version 2, Rel 5 released on Novenber 9th, 2022 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V2R5_STIG.zip) +### Based on [ Windows DISA STIG Version 2, Rel 7 released on June 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V2R7_STIG.zip) --- @@ -12,7 +12,7 @@ ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61461?label=Quality&&logo=ansible) +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61846?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) 
@@ -36,11 +36,11 @@ [Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_10_stig) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_10_stig) +[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_10_stig) ### Community -Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. --- @@ -69,8 +69,8 @@ The control found in defaults main also need to reflect true so as this will all ## Coming from a previous release -STIG releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +STIG release always contains changes, so it is highly recommended to review the new references and available variables. This have changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) diff --git a/defaults/main.yml b/defaults/main.yml index fa9516a..389f247 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -26,16 +26,9 @@ win10stig_lengthy_search: false # may cause breaking changes when running it for testing purposes. These generally consist of winrm controls # that are needed to keep the ansible connection alive. # Controls that will be skipped: -# WN10-CC-000330 - CAT1 -# WN10-CC-000345 - CAT1 -# WN10-CC-000335 - CAT2 -# WN10-CC-000350 - CAT2 -# WN10-CC-000355 - CAT2 -# WN10-CC-000360 - CAT2 -# WN10-SO-000020 - CAT2 -# WN10-SO-000245 - CAT2 -# WN10-SO-000005 - CAT2 -# WN10-SO-000020 - CAT2 +# WN10-CC-000330 - CAT1 - Disables WinRM Allow Client Basic Auth +# WN10-CC-000345 - CAT1 - Disables WinRM Allow Service Basic Auth +# WN10-SO-000005 - CAT2 - Disables Built-In Admin Account win_skip_for_test: false # tweak role to run in a non-privileged container @@ -514,11 +507,11 @@ win10stig_min_pin_length: 6 # WN10-SO-000020 # win10stig_new_administrator_name is the name the built-in Administrator account will be renamed to -win10stig_new_administrator_name: newadmin +win10stig_new_administrator_name: adminchangethis # WN10-SO-000025 # win10stig_new_guest_name is the name the built-in Guest account will be renamed to -win10stig_new_guest_name: newguest +win10stig_new_guest_name: guestchangethis # WN10-SO-000070 # win10stig_inactivity_timeout is the machine inactivity limit in seconds. diff --git a/tasks/cat2.yml b/tasks/cat2.yml index d2033b2..85c1b56 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2572,7 +2572,6 @@ type: dword when: - wn10_CC_000335 - - not win_skip_for_test tags: - WN10-CC-000335 - CAT2 @@ -2590,7 +2589,6 @@ type: dword when: - wn10_CC_000350 - - not win_skip_for_test tags: - WN10-CC-000350 - CAT2 @@ -2608,7 +2606,6 @@ type: dword when: - wn10_CC_000355 - - not win_skip_for_test tags: - WN10-CC-000355 - CAT2 @@ -2625,7 +2622,6 @@ type: dword when: - wn10_CC_000360 - - not win_skip_for_test tags: - WN10-CC-000360 - CAT2 
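Review bot: The new defaults `adminchangethis` and `guestchangethis` are sentinels — the WN10-SO-000020/000025 tasks in tasks/cat2.yml skip the rename and only record a warning while the sentinel is still set — but the comments above the two variables still say this is "the name the built-in ... account will be renamed to", so a reader of defaults/main.yml cannot tell that leaving the default makes the control a warned no-op rather than a rename. Suggest extending each comment, e.g. `# Leaving the default value skips the rename and records a warning; set a site-specific name to apply this control`. Replacing a fixed, published fallback name such as the old `newadmin` with a sentinel is the right direction, since a rename to a value anyone can read from the role's defaults is predictable; the documentation just needs to say so.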
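Review bot: Dropping `- not win_skip_for_test` from WN10-CC-000335 and WN10-CC-000350 (and likewise CC-000355/CC-000360 in the following hunks and SO-000245 later) means they now apply during test runs, and if CC-000335/000350 are the WinRM client/service AllowUnencryptedTraffic settings (the hunks show only `type: dword` and the tags), a harness that connects over plain HTTP with basic auth — which is what the retained CC-000330/000345 skips suggest — loses its WinRM session as soon as they apply, because basic auth cannot provide message-level encryption. The surviving comment in defaults/main.yml still describes `win_skip_for_test` as keeping the ansible connection alive, so either the test transport must be HTTPS (or NTLM/Kerberos with message encryption) or those two controls should stay behind the flag; the ChangeLog entry "Updated and removed controls not needed in win_skip_for_test" should state which it is. Each affected task definition begins above its hunk, so I cannot see the registry names being set.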
@@ -2944,13 +2940,29 @@ - V-220910 - name: "MEDIUM | WN10-SO-000020 | PATCH | The built-in administrator account must be renamed." - community.windows.win_security_policy: - section: System Access - key: NewAdministratorName - value: "{{ win10stig_new_administrator_name }}" + block: + - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Warning Msg For Default Variable Not Edited." + ansible.builtin.debug: + msg: + - "Warning!! You have not changed the default admin username in win10stig_new_administrator_name please" + - "make the necessary change to the variable to be in compliance." + when: "'adminchangethis' in win10stig_new_administrator_name" + + - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Add Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: 'WN10-SO-000020' + when: "'adminchangethis' in win10stig_new_administrator_name" + + - name: "MEDIUM | WN10-SO-000020 | AUDIT | The built-in administrator account must be renamed. | Change Admin Name." + community.windows.win_security_policy: + section: System Access + key: NewAdministratorName + value: "{{ win10stig_new_administrator_name }}" + when: "'adminchangethis' not in win10stig_new_administrator_name" when: - wn10_SO_000020 - - not win_skip_for_test tags: - WN10-SO-000020 - CAT2 
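Review bot: `when: "'adminchangethis' in win10stig_new_administrator_name"` is a substring test, so a chosen name that merely contains the sentinel (a constructed example: `adminchangethis-ws01`) is treated as unedited and the rename silently never happens, and the inverse `not in` on the apply task has the same blind spot; the warning text describes an unchanged default, which is an equality test: `when: win10stig_new_administrator_name == 'adminchangethis'` on the two warning tasks and `when: win10stig_new_administrator_name != 'adminchangethis'` on the apply task. The task that actually writes `NewAdministratorName` is labelled `| AUDIT |` (`... | AUDIT | ... | Change Admin Name.`) although it is the PATCH step, which will mislead anyone selecting tasks by that label; `| PATCH |` matches the enclosing block's name. The WN10-SO-000025 block in the next hunk has both issues with `guestchangethis`.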
@@ -2960,10 +2972,27 @@ - V-220911 - name: "MEDIUM | WN10-SO-000025 | PATCH | The built-in guest account must be renamed." - community.windows.win_security_policy: - section: System Access - key: NewGuestName - value: "{{ win10stig_new_guest_name }}" + block: + - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Warning Msg For Default Variable Not Edited." + ansible.builtin.debug: + msg: + - "Warning!! You have not changed the default guest name in win10stig_new_guest_name please" + - "make the necessary change to the variable to be in compliance." + when: "'guestchangethis' in win10stig_new_guest_name" + + - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Add Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: 'WN10-SO-000025' + when: "'guestchangethis' in win10stig_new_guest_name" + + - name: "MEDIUM | WN10-SO-000025 | AUDIT | The built-in guest account must be renamed. | Change Guest Name." + community.windows.win_security_policy: + section: System Access + key: NewGuestName + value: "{{ win10stig_new_guest_name }}" + when: "'guestchangethis' not in win10stig_new_guest_name" when: - wn10_SO_000025 tags: @@ -3322,7 +3351,6 @@ type: dword when: - wn10_SO_000245 - - not win_skip_for_test tags: - WN10-SO-000245 - CAT2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6088dc4..e1a7844 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -1,22 +1,22 @@ --- -# - name: "PRELIM | Detect if Trusted Platform Module (TPM) is available" -# win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -# register: win10stig_tpm_enabled -# changed_when: no -# failed_when: no -# tags: -# - always +- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available" + win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType + register: win10stig_tpm_enabled + changed_when: false + failed_when: false + tags: + - always -# - name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled" -# win_reg_stat: -# path: HKLM:\System\CurrentControlSet\Control\Terminal Server -# name: fDenyTSConnections -# register: win10stig_rdp_enabled -# changed_when: no -# failed_when: no -# tags: -# - always +- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled" + win_reg_stat: + path: HKLM:\System\CurrentControlSet\Control\Terminal Server + name: fDenyTSConnections + register: win10stig_rdp_enabled + changed_when: false + failed_when: false + tags: + - always # hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') # This list is not complete and will be updated as we try on more cloud based services. diff --git a/vars/main.yml b/vars/main.yml index be96b91..f6caba4 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,3 +10,9 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}" # This will be changed to true if discovered. win10stig_cloud_based_system: false + +# These are default values that will be changed when the prelim +# runs and finds the correct setting. +win10stig_is_standalone: false +win10stig_is_domain_controller: false +win10stig_is_domain_member: false
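Review bot: The re-enabled task `PRELIM | Detect if Trusted Platform Module (TPM) is available` runs `(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType`, which reports the OS product type (workstation, domain controller or server), not whether a TPM is present, so `win10stig_tpm_enabled` holds a value unrelated to its name and `failed_when: false` means nothing would surface the mismatch. Presumably this feeds the domain-role logic mentioned in the ChangeLog (vars/main.yml now adds `win10stig_is_domain_controller` and friends), in which case the task name and fact should say so, e.g. `register: win10stig_product_type`, and TPM detection left to a query that reads the TPM. Both re-enabled tasks also use the short module names `win_shell` / `win_reg_stat` while `.ansible-lint` in this same patch skips `fqcn[action]` and `fqcn-builtins`, i.e. the lint config is relaxed to admit exactly this style; `ansible.windows.win_shell` and `ansible.windows.win_reg_stat` would avoid the skip. The rest of prelim.yml is outside the hunk.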
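Review bot: The comment on the three new `win10stig_is_*` flags says they "will be changed when the prelim runs and finds the correct setting", but nothing in the visible prelim.yml hunk sets them; if that logic lives further down prelim.yml it is fine, otherwise every role-dependent task would run with all three false, and `win10stig_is_standalone: false` next to `win10stig_is_domain_member: false` is a contradictory resting state. A pointer in the comment to the task that sets them, e.g. `# set by PRELIM domain-role detection in tasks/prelim.yml`, would let a reader confirm that.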