update prelim, task, and linting ignore1

Signed-off-by: Frederick Witty <[email protected]>

.ansible-lint

@@ -0,0 +1,24 @@
+---
+
+parseable: true
+quiet: true
+skip_list:
+    - 'schema'
+    - 'no-changed-when'
+    - 'fqcn-builtins'
+    - 'experimental'
+    - 'fqcn[action-core]'
+    - 'fqcn[action]'
+    - 'name[casing]'
+    - 'name[template]'
+    - 'jinja[spacing]'
+    - 'var-naming'  # Older playbook no new release
+    - '204'
+    - '208'
+    - '305'
+    - '303'
+    - '403'
+    - '306'
+    - '602'
+use_default_rules: true
+verbosity: 0

.gitignore

@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+vagrant
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/

.yamllint

@@ -0,0 +1,34 @@
+---
+
+extends: default
+
+ignore: |
+    tests/
+    molecule/
+    .github/
+    .gitlab-ci.yml
+    *molecule.yml
+
+rules:
+    indentation:
+        # Requiring 4 space indentation
+        spaces: 4
+        # Requiring consistent indentation within a file, either indented or not
+        indent-sequences: consistent
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    empty-lines:
+        max: 1
+    line-length: disable
+    key-duplicates: enable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    trailing-spaces: enable
+    truthy:
+        allowed-values: ['true', 'false']
+        check-keys: false

CONTRIBUTING.rst

@@ -7,13 +7,14 @@ Rules
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
 3) All work is done in your own branch
 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
-5) Be open and nice to eachother
+5) Be open and nice to each other
 
 Workflow
 --------
 - Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
 - All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
 - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+
 Signing your contribution
 -------------------------
 

README.md

@@ -1,11 +1,11 @@
 Windows Server 2022 DISA STIG
-=========
+=============================
 
 ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic)
 
 Configure a Windows Server 2022 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
 
-This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip).
+This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip).
 
 Caution(s)
 -------

collections/requirements.yml

@@ -0,0 +1,8 @@
+---
+
+collections:
+    - name: ansible.windows
+
+    - name: community.windows
+
+    - name: community.general

handlers/main.yml

@@ -1,2 +1,6 @@
 ---
 # handlers file for Windows-2022-STIG
+
+- name: Reboot_Windows
+  ansible.windows.win_reboot:
+      reboot_timeout: 3600

meta/main.yml

@@ -1,52 +1,33 @@
-galaxy_info:
-  author: your name
-  description: your role description
-  company: your company (optional)
-
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
+---
 
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
-
-  min_ansible_version: 2.1
+galaxy_info:
+    author: "George Nalen"
+    description: "Ansible Role to Apply the DISA Windows Server 2022 STIG"
+    company: "MindPoint Group"
+    license: MIT
+    role_name: windows22_stig
+    namespace: mindpointgroup
+    min_ansible_version: 2.10.1
 
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
+    platforms:
+        - name: Windows Server
+          versions:
+              - 2022
 
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
+    galaxy_tags:
+        - system
+        - security
+        - stig
+        - hardening
+        - benchmark
+        - microsoft
+        - windows
+        - complianceascode
+        - compliance
 
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+    collections:
+        - ansible.windows
+        - community.windows
+        - community.general
 
-dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
+    dependencies: []

tasks/main.yml

@@ -1,2 +1,38 @@
 ---
+
 # tasks file for Windows-2022-STIG
+- name: Display Banner
+  ansible.builtin.debug:
+      msg: "{{ lockdown_banner.split('\n') }}"
+  tags:
+      - always
+
+- name: Gather distribution info
+  ansible.builtin.setup:
+      gather_subset: distribution,!all,!min
+  when:
+      - ansible_distribution is not defined
+  tags:
+      - always
+
+- name: Check OS version and family
+  ansible.builtin.assert:
+      that:
+          - ansible_os_family == 'Windows'
+          - ansible_distribution | regex_search('(Microsoft Windows Server 2022)')
+      success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system."
+      fail_msg: "This role can only be run against Windows Server 2022 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+  tags:
+      - always
+
+- name: Check ansible version
+  ansible.builtin.assert:
+      that: ansible_version.full is version_compare(win2022stig_min_ansible_version, '>=')
+      msg: You must use Ansible {{ win2022stig_min_ansible_version }} or greater
+  tags:
+      - always
+
+- name: Include the preliminary tasks
+  ansible.builtin.import_tasks: prelim.yml
+  tags:
+      - prelim_tasks

tasks/prelim.yml

@@ -0,0 +1,41 @@
+---
+
+- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
+  ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+  changed_when: false
+  failed_when: false
+  register: win2022_tpm_enabled
+  tags:
+      - always
+
+# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for
+# ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
+# This list is not complete and will be updated as we try on more cloud based services.
+# As of now testing is working in azure using Hyper-V. We are curently using this for reference:
+# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
+- name: Set Fact If Cloud Based System.
+  ansible.builtin.set_fact:
+      win19stig_cloud_based_system: true
+  when:
+      - ansible_virtualization_type == 'Hyper-V' or
+        ansible_virtualization_type == 'hvm' or
+        ansible_virtualization_type == 'kvm'
+  tags:
+      - always
+
+# 1 = disabled 0 = enabled
+# this reg key may be useful detect is secure conenctions enabled, etc?
+- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
+  ansible.windows.win_reg_stat:
+      path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+      name: fDenyTSConnections
+  changed_when: false
+  failed_when: false
+  register: win2022_rdp_enabled
+  tags:
+      - always
+
+# remove this debug or set a verb level
+- name: win2022_rdp_enabled.value var
+  ansible.builtin.debug:
+      var: win2022_rdp_enabled.value