Merge pull request #9 from mfortin/post

Adding post section
ansible-lockdown · Sep 6, 2024 · f235c6d · f235c6d
2 parents c7fdbf4 + 8b3410a
commit f235c6d
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -54,6 +54,11 @@ win22stig_is_server_core: false
 # WN22-CC-000520 - CAT2
 win_skip_for_test: false
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # CAT 1 rules
 wn22_00_000030: true
 wn22_00_000130: true

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -2,5 +2,7 @@
 # handlers file for Windows-2022-STIG
 
 - name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -55,6 +55,11 @@
   tags:
       - CAT3
 
+- name: Run Post Tasks
+  ansible.builtin.import_tasks: post.yml
+  tags:
+      - always
+
 - name: If Warnings Found Output Count and Control IDs Affected
   ansible.builtin.debug:
       msg:

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always
diff --git a/vars/main.yml b/vars/main.yml
@@ -7,3 +7,7 @@ warn_count: 0
 
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
+
+# Default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+reboot_host: false