Merge pull request #11 from ansible-lockdown/devel

Updated role for STIG Version 2 release 1
Signed-off-by: George Nalen <[email protected]>

README.md

@@ -5,7 +5,7 @@ Windows Server 2016 DISA STIG
 
 Configure a Windows Server 2016 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. ~Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.~ _To be implemented_
 
-This role is based on Windows Server 2016 DISA STIG: [Version 1, Rel 9 released on July 26, 2019](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2016_V1R9_STIG.zip).
+This role is based on Windows Server 2016 DISA STIG: [Version 2, Rel 1 released on November 13, 2020](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2016_V2R1_STIG.zip).
 
 Requirements
 ------------

defaults/main.yml

@@ -27,7 +27,7 @@ win2016stig_audit_disruptive: yes
 winstig_skip_for_travis: false
 
 # Some tasks need to be skipped for CI/CD testing to work correctly
-win2016stig_skip_for_test: false
+winstig_skip_for_test: false
 
 win2016stig_workaround_for_disa_benchmark: true
 win2016stig_workaround_for_ssg_benchmark: true
@@ -106,6 +106,7 @@ wn16_00_000370: true
 wn16_00_000380: true
 wn16_00_000390: true
 wn16_00_000400: true
+wn16_00_000410: true
 wn16_00_000420: true
 wn16_00_000430: true
 wn16_00_000440: true
@@ -203,6 +204,7 @@ wn16_cc_000390: true
 wn16_cc_000400: true
 wn16_cc_000410: true
 wn16_cc_000420: true
+wn16_cc_000421: true
 wn16_cc_000430: true
 wn16_cc_000440: true
 wn16_cc_000450: true

tasks/cat1.yml

@@ -11,7 +11,6 @@
       - name: "HIGH | WN16-00-000010 | PATCH | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks."
         win_shell: echo true
         changed_when: no
-
   when:
       - wn16_00_000010
   tags:
@@ -33,7 +32,6 @@
       - name: "HIGH | WN16-DC-000010 | PATCH | Only administrators responsible for the domain controller must have Administrator rights on the system."
         win_shell: echo true
         changed_when: no
-
   when:
       - wn16_dc_000010
       - ansible_windows_domain_role == "Primary domain controller"
@@ -79,7 +77,6 @@
       - name: "HIGH | WN16-00-000040 | PATCH | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email."
         win_shell: echo true
         changed_when: no
-
   when:
       - wn16_00_000040
   tags:
@@ -124,7 +121,6 @@
         register: wn16_00_000110_audit_currentbuild
         failed_when: wn16_00_000110_audit_currentbuildnumber.value is not version('14393', '>=')
         changed_when: no
-
   when:
       - wn16_00_000110
   tags:
@@ -148,7 +144,6 @@
       - name: "HIGH | WN16-00-000120 | PATCH | The Windows Server 2016 system must use an anti-virus program."
         win_shell: echo true
         changed_when: no
-
   when:
       - wn16_00_000120
   tags:
@@ -176,8 +171,6 @@
         register: wn16_00_000150_audit
         check_mode: no
         changed_when: no
-
-
   when:
       - wn16_00_000150
   tags:
@@ -204,7 +197,6 @@
         # this would be on a DC however?
         # Get-ADUser -Filter * | Set-ADUser -AllowReversiblePasswordEncryption $false
         changed_when: no
-
   when:
       - wn16_ac_000090
   tags:
@@ -507,7 +499,6 @@
       - name: "HIGH | WN16-DC-000300 | PATCH | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA)."
         win_shell: echo true
         changed_when: no
-
   when:
       - wn16_dc_000300
   tags:
@@ -539,6 +530,8 @@
       section: System Access
       key: LSAAnonymousNameLookup
       value: 0
+  when:
+      - wn16_so_000250
   tags:
       - WN16-SO-000250
       - xccdf_mil.disa.stig_rule_SV-88329r2_rule