Commit
Merge pull request #56 from ansible-lockdown/devel
2023 August Typo Fixes Update part 2
frederickw082922 authored Aug 25, 2023
2 parents 45525e3 + 5faeb45 commit 5c860df
Showing 8 changed files with 118 additions and 118 deletions.
6 changes: 3 additions & 3 deletions ChangeLog.md
Expand Up @@ -11,7 +11,7 @@ August 2023 Update
- Updated Tags in tasks/main.

June / July 2023 Update
- Updated tags on controls based Version 2 Release 7
- Updated tags on controls based on Version 2 Release 7
- Updated win_skip_for_test var to true
- Updated Readme
- Updated Changelog
Expand All @@ -24,8 +24,8 @@ June / July 2023 Update
- Added Control WN19-AU-000100
- Added Control WN19-AU-000110
- Added Control WN19-SO-000070
- Rule IDs updated due to changes in content management system.
- Updated all tags to proper format.
- Rule IDs updated due to changes in the content management system.
- Updated all tags to the proper format.
- Major updates to all controls
- Updated Misc Controls to have additional data in warning messages.
- Fixed Misc Controls Registry entry errors.
24 changes: 12 additions & 12 deletions README.md
Expand Up @@ -46,37 +46,37 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask ques

## Caution(s)

This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but a remediation tool to be used after an audit.

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution.
Check Mode is not supported! The role will be completed in check mode without errors, but it is not supported and should be used with caution.

This role was developed against a clean install of the Windows 2019 operating system. If you are implementing to an existing system please review this role for any site specific changes that are needed.
This role was developed against a clean install of the Windows 2019 operating system. If you are implementing an existing system please review this role for any site-specific changes that are needed.

To use release version please point to main branch and relevant release for the STIG benchmark you wish to work with.
To use the release version please point to the main branch and relevant release for the STIG benchmark you wish to work with.

---

## Matching a security Level for STIG

It is possible to to only run controls that are based on a particular for security level for STIG.
It is possible to only run controls that are based on a particular security level for STIG.
This is managed using tags:

- CAT1
- CAT2
- CAT3

The control found in defaults main also need to reflect true so as this will allow the controls to run when the playbook is launched.
The control found in defaults/main.yml also needs to reflect true as this will allow the controls to run when the playbook is launched.

## Coming from a previous release

STIG releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown.
This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
STIG releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown.
This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.

Further details can be seen in the [Changelog](./ChangeLog.md)

## Auditing (new)

Currently this release does not have a auditing tool.
Currently, this release does not have an auditing tool.

## Documentation

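Review bot: the rewording of the Check Mode line changes its meaning: "The role will complete in check mode" (it runs through to the end) became "The role will be completed in check mode", which is passive and no longer says what the original did; keep "will complete". In the clean-install paragraph, "If you are implementing to an existing system" became "If you are implementing an existing system", which drops the sense of applying the role to a system already in use; "If you are applying this role to an existing system" would be clearer. In the "Coming from a previous release" paragraph, the new sentence says the prerequisites "configure the system", whereas the original meant the role configures the system to satisfy them; "This does come with prerequisites, which the role configures on the system accordingly" keeps that sense.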
Expand All @@ -97,7 +97,7 @@ Currently this release does not have a auditing tool.
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file.

**Technical Dependencies:**

Expand All @@ -114,11 +114,11 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat

## Role Variables

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win19stig_disruption_high` to `yes`.
This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win19stig_disruption_high` to `true`.

## Tags

There are many tags available for added control precision. Each control may have it's own set of tags noting what category, what OS element it relates to, if it's a patch or audit, and the rule number.
There are many tags available for added control precision. Each control may have its own set of tags noting what category, what OS element it relates to if it's a patch or audit, and the rule number.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000185, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000185.

42 changes: 21 additions & 21 deletions defaults/main.yml
Expand Up @@ -25,13 +25,13 @@ win2019stig_disruption_high: false
# setting to make them stand out.
win2019stig_audit_disruptive: true

# This parameter disables controls that could have a very lengthy find. For example
# This parameter disables controls that could have a very lengthy find. For example,
# removing all files of a specific file type that search the entire drive.
# If there is an action tied to the lengthy search the action task will be disabled as well.
# WN19-00-000240 - CAT2
win19stig_lengthy_search: false

# win19stig_cloud_based_system is a setting built into the playbook for testing locally vs azure.
# win19stig_cloud_based_system is a setting built into the playbook for testing locally vs. Azure.
# We have found certain controls that need to be set in a different order when being applied in the
# different environments. By Default This is set to false.
win19stig_cloud_based_system: false
Expand All @@ -47,7 +47,7 @@ win19stig_cloud_based_system: false
# WN19-SO-000030 - CAT2
win_skip_for_test: true

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# These variables correspond with the STIG IDs defined in the STIG and allow you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
# in order for the variables below to take effect.

Expand Down Expand Up @@ -364,12 +364,12 @@ wn19stig_secreatetokenprivilege: ""
wn19stig_sedebugprivilege: Administrators

# WN19-00-000110
# Windows Server 2019 must use an anti-virus program. We are using powershell here to check the status of
# a user defined anti-virus program installed.
# Option Examples: defnder | mcafee | symantec | etc
# NOTE: If the results of the powershell check come back empty Windows Defender will automatically be installed
# and enabled. If the results of the powershell check come back with outout for 3rd party antivirus,
# Windows defender will be disbaled and the results will be manually audited to verify the 3rd part program is
# Windows Server 2019 must use an anti-virus program. We are using Powershell here to check the status of
# a user-defined anti-virus program installed.
# Option Examples: defender | mcafee | symantec | etc
# NOTE: If the results of the Powershell check come back empty Windows Defender will automatically be installed
# and enabled. If the results of the Powershell check come back with output for 3rd party antivirus,
# Windows Defender will be disabled and the results will be manually audited to verify the 3rd part program is
# currently running.
# Default: defender
wn19stig_antivirus_program: defender
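Review bot: "powershell" was changed to "Powershell" on three lines of the WN19-00-000110 comment; the product name is "PowerShell". The typo "3rd part program" on the last changed line survived the edit and should read "3rd party program", and "If the results of the PowerShell check come back empty Windows Defender will automatically be installed" still needs a comma after "empty" to separate the condition from the consequence.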
Expand All @@ -394,14 +394,14 @@ wn19stig_lockoutbadcount: 3

# WN19-AC-000030
# Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
# wn19stig_resetlockoutcount is the Reset account lockout counter after value in mintues.
# wn19stig_resetlockoutcount is the Reset account lockout counter after value in minutes.
wn19stig_resetlockoutcount: 15

# WN19-AC-000040
# Windows Server 2019 password history must be configured to 24 passwords remembered.
# wn19stig_passwordhistorysize is the number of passwords windows will remember before you may
# wn19stig_passwordhistorysize is the number of passwords Windows will remember before you may
# be able to reuse that same password. The default value is "24" for Windows domain systems.
# DoD determined appropriate value for all Windows systems.
# DoD determined the appropriate value for all Windows systems.
wn19stig_passwordhistorysize: 24

# WN19-AC-000050
Expand All @@ -416,13 +416,13 @@ wn19stig_minimumpasswordage: 1

# WN19-AC-000070
# Windows Server 2019 minimum password length must be configured to 14 characters or more.
# wn19stig_minimumpasswordlength is the Minimum password characters length value.
# wn19stig_minimumpasswordlength is the Minimum password character length value.
wn19stig_minimumpasswordlength: 14

# WN19-CC-000110
# Windows Server 2019 virtualization-based security must be enabled with the platform security
# level configured to Secure Boot or Secure Boot with DMA Protection.
# win19stig_dma_protection is the level that they would like to setup.
# win19stig_dma_protection is the level that they would like to set up.
# Valid settings are as follows.
# 1 (Secure Boot only)
# 3 (Secure Boot and DMA Protection)
Expand All @@ -436,7 +436,7 @@ wn19stig_dma_protection: 3
# Approved values are below:
# 8 - Good only
# 1 - Good and unknown
# 3 - Good, unknown and bad but critical
# 3 - Good, unknown, and bad but critical
wn19stig_driver_load_policy: 1

# WN19-CC-000270
Expand Down Expand Up @@ -467,7 +467,7 @@ wn19stig_senetworklogonright_dc: Administrators,Authenticated Users,Enterprise D
# WN19-DC-000430
# The password for the krbtgt account on a domain must be reset at least every 180 days.
# The default setting here matches the STIG requirements. If you would like to
# enforce a more strcit policy you may do so for auditing purposes.
# enforce a more strict policy you may do so for auditing purposes.
# NOTE: Valid Days are 180 or less.
wn19stig_krbtgt_account_pass_age: 180

Expand All @@ -483,8 +483,8 @@ wn19stig_senetworklogonright: Administrators,Authenticated Users

# WN19-SO-000030
# Windows Server 2019 built-in administrator account must be renamed.
# wn19stig_newadministratorname is the non-default name for the Administror Account.
# This rule can be skipped during testing, conseqently to not break the box's connection by using
# wn19stig_newadministratorname is the non-default name for the Administrator Account.
# This rule can be skipped during testing, consequently not breaking the box's connection by using
# the toggle win_skip_for_test.
wn19stig_newadministratorname: adminchangethis

Expand All @@ -504,7 +504,7 @@ wn19stig_machineaccountpsswd_max_age: 30
# WN19-SO-000120
# The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
# wn19stig_inactivitytimeoutsecs is the time in seconds that will be set in the registry that
# enagages the screen saver. Default setting is "900" seconds or less excluding "0"
# enagages the screen saver. The default setting is "900" seconds or less excluding "0"
wn19stig_inactivitytimeoutsecs: 900

# WN19-SO-000130
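Review bot: the typo "enagages" in the WN19-SO-000120 comment is present in both the old and the new line and was not fixed; it should be "engages". The same line, "The default setting is "900" seconds or less excluding "0"", mixes the default with the allowed range; "The default is 900 seconds; valid values are 900 or less, excluding 0" says both clearly, and matches the comment's own exclusion of 0.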
Expand All @@ -527,14 +527,14 @@ wn19stig_legalnoticetext: |
# WN19-SO-000400
# User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
# The more secure option for this setting, "Prompt for credenti
# The more secure option for this setting, "Prompt for credentials on the secure desktop"
# Default setting is 2
# 2 -(Prompt for consent on the secure desktop)
# 1 -(Prompt for credentials on the secure desktop)
wn19stig_consentprompt: 2

# WN19-UR-000030
# The Allow log on locally user right must only be assigned to the Administrators group.
# The Allow log on local user rights must only be assigned to the Administrators group.
# If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding.
# If an application requires this user right, this would not be a finding. Vendor documentation must support the
# requirement for having the user right. The requirement must be documented with the ISSO.
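Review bot: the change from "The Allow log on locally user right" to "The Allow log on local user rights" should be reverted: "Allow log on locally" is the literal display name of the Windows user right (the SeInteractiveLogonRight the next comment line refers to), so the edit breaks a proper name and also turns the singular "user right" into "user rights". Quoting it, as in `# The "Allow log on locally" user right must only be assigned to the Administrators group.`, would keep future typo passes from touching it. In the WN19-SO-000400 block, the completed line "The more secure option for this setting, "Prompt for credentials on the secure desktop"" is still a sentence fragment; ending it with "is value 1", which the list two lines below already documents, would make the comment read as a full sentence.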

0 comments on commit 5c860df
