update cat1-1

Signed-off-by: Frederick Witty <[email protected]>

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise
+Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

tasks/cat1.yml

@@ -0,0 +1,46 @@
+---
+
+- name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)."
+  block:
+      - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | Message out"
+        ansible.builtin.debug:
+            msg: "Warning!! This is a manual task. Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)."
+
+      - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task."
+        ansible.builtin.import_tasks: warning_facts.yml
+        vars:
+            warn_control_id: 'WN22-DC-000290'
+  when:
+      - wn19_dc_000290
+      - ansible_windows_domain_role == "Primary domain controller"
+  tags:
+      - WN22-DC-000290
+      - V-254413
+      - CAT1
+      - SRG-OS-000066-GPOS-00034
+      - SV-254413r849055_rule
+      - CCI-000185
+      - high
+
+# add some task/external variable for approved CAs, check for DoD and how to pull programatically
+- name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)."
+  block:
+      - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out"
+        ansible.builtin.debug:
+            msg: "Warning!! This is a manual task. Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)."
+
+      - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task."
+        ansible.builtin.import_tasks: warning_facts.yml
+        vars:
+            warn_control_id: 'WN22-DC-000300'
+  when:
+      - wn19_dc_000300
+      - ansible_windows_domain_role == "Primary domain controller"
+  tags:
+      - WN22-DC-000300
+      - V-254414
+      - SRG-OS-000066-GPOS-00034
+      - SV-254414r849058_rule
+      - CCI-000185
+      - high
+      - CAT1

tasks/main.yml

@@ -7,15 +7,15 @@
   tags:
       - always
 
-- name: Gather distribution info
+- name: Gather Distribution Info
   ansible.builtin.setup:
       gather_subset: distribution,!all,!min
   when:
       - ansible_distribution is not defined
   tags:
       - always
 
-- name: Check OS version and family
+- name: Check OS Version and Family
   ansible.builtin.assert:
       that:
           - ansible_os_family == 'Windows'
@@ -25,14 +25,27 @@
   tags:
       - always
 
-- name: Check ansible version
+- name: Check Ansible Version
   ansible.builtin.assert:
       that: ansible_version.full is version_compare(win2022stig_min_ansible_version, '>=')
       msg: You must use Ansible {{ win2022stig_min_ansible_version }} or greater
   tags:
       - always
 
-- name: Include the preliminary tasks
+- name: Include the Preliminary Tasks
   ansible.builtin.import_tasks: prelim.yml
   tags:
       - prelim_tasks
+
+- name: Execute the Category 1 (Highest Severity) Tasks
+  ansible.builtin.import_tasks: cat1.yml
+  when: win2019stig_cat1_patch
+  tags:
+      - CAT1
+
+- name: If Warnings Found Output Count and Control IDs Affected
+  ansible.builtin.debug:
+      msg:
+          - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID's are listed below:"
+          - "{{ warn_control_list }}"
+  when: warn_count != 0

tasks/prelim.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
+- name: "PRELIM | Detect if Trusted Platform Module (TPM) is Available"
   ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
   changed_when: false
   failed_when: false
@@ -25,7 +25,7 @@
 
 # 1 = disabled 0 = enabled
 # this reg key may be useful detect is secure conenctions enabled, etc?
-- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
+- name: "PRELIM | Detect if Remote Desktop Services (RDP) is Enabled"
   ansible.windows.win_reg_stat:
       path: HKLM:\System\CurrentControlSet\Control\Terminal Server
       name: fDenyTSConnections

tasks/warning_facts.yml

@@ -0,0 +1,21 @@
+---
+
+# This task is used to create variables used in giving a warning summary for manual tasks
+# that need attention
+#
+# The warn_control_list and warn_count vars start life in vars/main.yml but get updated
+# as the tasks that have a warning complete
+#
+# Those two variables are used in the tasks/main.yml to display a list of warnings
+#
+# warn_control_id is set within the task itself and has the control ID as the value
+#
+# warn_control_list is the main variable to be used and is a list made up of the warn_control_id's
+#
+# warn_count the main variable for the number of warnings and each time a warn_control_id is added
+# the count increases by a value of 1
+
+- name: "NO CONTROL ID | AUDIT | Set Fact for Manual Task Warning"
+  ansible.builtin.set_fact:
+      warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
+      warn_count: "{{ warn_count | int + 1 }}"