From 39543be93646dd5b9ce83f6dcf9a0f628bcc8f98 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Tue, 20 Jun 2023 15:40:24 -0400
Subject: [PATCH] update prelim, task, and linting ignore1
Signed-off-by: Frederick Witty
---
.ansible-lint | 24 ++++++++++++
.gitignore | 45 ++++++++++++++++++++++
.yamllint | 34 ++++++++++++++++
CONTRIBUTING.rst | 3 +-
README.md | 4 +-
collections/requirements.yml | 8 ++++
handlers/main.yml | 4 ++
meta/main.yml | 75 ++++++++++++++---------------------
tasks/main.yml | 36 +++++++++++++++++
tasks/prelim.yml | 41 ++++++++++++++++++++
tests/inventory | 2 -
tests/test.yml | 5 ---
12 files changed, 224 insertions(+), 57 deletions(-)
create mode 100644 .ansible-lint
create mode 100644 .gitignore
create mode 100644 .yamllint
create mode 100644 collections/requirements.yml
create mode 100644 tasks/prelim.yml
delete mode 100644 tests/inventory
delete mode 100644 tests/test.yml
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..39c4d62
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,24 @@
+---
+
+parseable: true
+quiet: true
+skip_list:
+  - 'schema'
+  - 'no-changed-when'
+  - 'fqcn-builtins'
+  - 'experimental'
+  - 'fqcn[action-core]'
+  - 'fqcn[action]'
+  - 'name[casing]'
+  - 'name[template]'
+  - 'jinja[spacing]'
+  - 'var-naming' # Older playbook no new release
+  - '204'
+  - '208'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4e3ce79
--- /dev/null
+++ b/.gitignore
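Review bot: `skip_list` silences `no-changed-when` for the whole repository even though the only shell task this commit adds (tasks/prelim.yml) already sets `changed_when: false`, so the skip buys nothing today and hides the warning for every future `win_shell`/`win_command` task; moving it to `warn_list` keeps the signal without failing the run. The list also carries bare numeric ids (`'204'`, `'208'`, `'305'`, `'303'`, `'403'`, `'306'`, `'602'`) that recent ansible-lint releases no longer map to rules, so they appear to be dead entries that can be dropped. Only `var-naming` gets a reason (`# Older playbook no new release`); a one-line comment on why `schema` and `experimental` are skipped would spare the next maintainer the archaeology.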
@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+vagrant
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..a49f497
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,34 @@
+---
+
+extends: default
+
+ignore: |
+  tests/
+  molecule/
+  .github/
+  .gitlab-ci.yml
+  *molecule.yml
+
+rules:
+  indentation:
+    # Requiring 4 space indentation
+    spaces: 4
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  empty-lines:
+    max: 1
+  line-length: disable
+  key-duplicates: enable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: false
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index c8fa576..dda5127 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
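Review bot: `*.retry` is listed twice, as the third entry and again under `# Lockdown-specific`; one copy should go. The credential-style files `rh-creds.env` and `travis.env` are matched by exact name only, so a renamed copy (for example `travis.env.bak`) would still be committed; since `.env` is already the first entry, a single `*.env` pattern covers all of them and removes the special cases.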
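Review bot: `indentation.spaces: 4` applies to every role file because `ignore` lists only `tests/`, `molecule/`, `.github/` and the molecule/gitlab files, yet the task and handler files added in this same commit appear to indent module parameters by two spaces relative to the module key (`+  ansible.builtin.debug:` followed by `+    msg:`), which yamllint would reject; the collapsed hunk may not preserve exact spacing, so confirm against the checked-in files and either reindent them to four or use `spaces: consistent`. `line-length: disable` also removes the only check that would catch the very long comment lines in tasks/prelim.yml; a generous `max` with `allow-non-breakable-words: true` keeps URLs legal while still flagging prose.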
@@ -7,13 +7,14 @@ Rules 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +5) Be open and nice to each other Workflow -------- - Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge - All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release + Signing your contribution ------------------------- diff --git a/README.md b/README.md index dc413da..e8ae696 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,11 @@ Windows Server 2022 DISA STIG -========= +============================= ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) Configure a Windows Server 2022 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. -This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). +This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). Caution(s) ------- 
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..97aad6f
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,8 @@
+---
+
+collections:
+  - name: ansible.windows
+
+  - name: community.windows
+
+  - name: community.general
diff --git a/handlers/main.yml b/handlers/main.yml
index 023c9eb..3a979e9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
 # handlers file for Windows-2022-STIG
+
+- name: Reboot_Windows
+  ansible.windows.win_reboot:
+    reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
index c572acc..ff0d7f9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
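Review bot: None of the three collections carries a `version:` constraint, so `ansible-galaxy collection install -r collections/requirements.yml` resolves to whatever is newest at install time; for a compliance-hardening role that is both a reproducibility gap (an upstream release can change `win_reg_stat`/`win_reboot` behaviour under you) and a supply-chain exposure, since the role gives no way to notice that resolved content differs from what was tested. Pin each entry to the version the role was validated against, e.g. `- name: ansible.windows` followed by `  version: "<tested-version>"` (placeholder), and consider adding `source: https://galaxy.ansible.com` so resolution does not depend on the client's configured server list.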
@@ -1,52 +1,33 @@ -galaxy_info: - author: your name - description: your role description - company: your company (optional) - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker +--- - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.1 +galaxy_info: + author: "George Nalen" + description: "Ansible Role to Apply the DISA Windows Server 2022 STIG" + company: "MindPoint Group" + license: MIT + role_name: windows22_stig + namespace: mindpointgroup + min_ansible_version: 2.10.1 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: + platforms: + - name: Windows Server + versions: + - 2022 - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + galaxy_tags: + - system + - security + - stig + - hardening + - benchmark + - microsoft + - windows + - complianceascode + - compliance - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. 
+  collections: +    - ansible.windows +    - community.windows +    - community.general -dependencies: [] -  # List your role dependencies here, one per line. Be sure to remove the '[]' above, -  # if you add dependencies to this list. +  dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
index abbce55..74d6999 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,38 @@
 ---
+
 # tasks file for Windows-2022-STIG
+- name: Display Banner
+  ansible.builtin.debug:
+    msg: "{{ lockdown_banner.split('\n') }}"
+  tags:
+    - always
+
+- name: Gather distribution info
+  ansible.builtin.setup:
+    gather_subset: distribution,!all,!min
+  when:
+    - ansible_distribution is not defined
+  tags:
+    - always
+
+- name: Check OS version and family
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family == 'Windows'
+      - ansible_distribution | regex_search('(Microsoft Windows Server 2022)')
+    success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system."
+    fail_msg: "This role can only be run against Windows Server 2022 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+  tags:
+    - always
+
+- name: Check ansible version
+  ansible.builtin.assert:
+    that: ansible_version.full is version_compare(win2022stig_min_ansible_version, '>=')
+    msg: You must use Ansible {{ win2022stig_min_ansible_version }} or greater
+  tags:
+    - always
+
+- name: Include the preliminary tasks
+  ansible.builtin.import_tasks: prelim.yml
+  tags:
+    - prelim_tasks
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
new file mode 100644
index 0000000..768c82a
--- /dev/null
+++ b/tasks/prelim.yml
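Review bot: `collections:` and `dependencies: []` appear to be indented under `galaxy_info` (the removed `dependencies: []` sat at column 0 and its replacement is indented two spaces); Ansible reads role `dependencies` only from the top level of meta/main.yml, and keys it does not know inside `galaxy_info` are ignored, so both lists would be silently dropped rather than honoured. If the indentation is real and not an artefact of the collapsed hunk, dedent both keys to column 0, as in `dependencies: []` at the same level as `galaxy_info:`. The start of this hunk is on an earlier line of the patch.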
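Review bot: The banner task and the `Check ansible version` assert reference `lockdown_banner` and `win2022stig_min_ansible_version`, and nothing in this commit defines either (the diffstat touches no defaults/ or vars/ file); unless defaults/main.yml already declares them, the role fails on its very first task with an undefined-variable error instead of the intended message, so add them to defaults or guard the banner with `| default('')`. The version check also runs fourth, after fact gathering and the OS assert, so an unsupported Ansible trips on those tasks before it can print `You must use Ansible ... or greater`; making it the first task yields the clearer failure. For consistency with the OS assert directly above, `msg:` should become `fail_msg: "You must use Ansible {{ win2022stig_min_ansible_version }} or greater"`.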
@@ -0,0 +1,41 @@
+---
+
+- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
+  ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+  changed_when: false
+  failed_when: false
+  register: win2022_tpm_enabled
+  tags:
+    - always
+
+# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for
+# ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
+# This list is not complete and will be updated as we try on more cloud based services.
+# As of now testing is working in azure using Hyper-V. We are curently using this for reference:
+# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
+- name: Set Fact If Cloud Based System.
+  ansible.builtin.set_fact:
+    win19stig_cloud_based_system: true
+  when:
+    - ansible_virtualization_type == 'Hyper-V' or
+      ansible_virtualization_type == 'hvm' or
+      ansible_virtualization_type == 'kvm'
+  tags:
+    - always
+
+# 1 = disabled 0 = enabled
+# this reg key may be useful detect is secure conenctions enabled, etc?
+- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
+  ansible.windows.win_reg_stat:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+    name: fDenyTSConnections
+  changed_when: false
+  failed_when: false
+  register: win2022_rdp_enabled
+  tags:
+    - always
+
+# remove this debug or set a verb level
+- name: win2022_rdp_enabled.value var
+  ansible.builtin.debug:
+    var: win2022_rdp_enabled.value
diff --git a/tests/inventory b/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/tests/test.yml b/tests/test.yml
deleted file mode 100644
index 451da48..0000000
--- a/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
-  remote_user: root
-  roles:
-    - Windows-2022-STIG
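Review bot: The task named "PRELIM | Detect if Trusted Platform Module (TPM) is available" does not query the TPM at all: `(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType` returns the OS product type, so `win2022_tpm_enabled` holds a misleading value and any later control keyed on it will branch wrongly; query the module itself, e.g. `ansible.windows.win_shell: (Get-Tpm).TpmPresent`, and because `failed_when: false` turns a missing cmdlet into empty output, consumers should test `win2022_tpm_enabled.stdout | default('')` rather than assume a value. The cloud-detection `when:` reads `ansible_virtualization_type`, a fact from the `virtual` subset that tasks/main.yml in this commit does not gather (`distribution,!all,!min`), so a play with `gather_facts: false` errors on an undefined variable; add `- ansible_virtualization_type is defined` as the first item of that list. The fact it sets, `win19stig_cloud_based_system`, carries a Windows-2019 prefix inside a 2022 role and will not match any `win2022*` consumer. The closing debug prints the raw `fDenyTSConnections` value on every run, as its own comment concedes; adding `verbosity: 1` under `ansible.builtin.debug:` keeps it out of normal output, and since a value of `1` there means RDP connections are denied, the register name `win2022_rdp_enabled` reads inverted and deserves a comment or rename.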