Skip to content

Commit

Permalink
Merge pull request #16 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Release v2.0.1
Signed-off-by: George Nalen <[email protected]>
  • Loading branch information
georgenalen authored Apr 2, 2021
2 parents c55a5ad + 519f873 commit b293f69
Show file tree
Hide file tree
Showing 6 changed files with 68 additions and 963 deletions.
15 changes: 14 additions & 1 deletion CONTRIBUTING.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,19 @@
Contributing to MindPoint Group Projects
========================================

Rules
-----
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
3) All work is done in your own branch
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
5) Be open and nice to eachother

Workflow
--------
- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
Signing your contribution
-------------------------

Expand Down Expand Up @@ -50,4 +63,4 @@ following text in your contribution commit message:

This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the signoff message.
option to `git commit` to automatically include the signoff message.
71 changes: 48 additions & 23 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,17 +1,44 @@
Windows Server 2019 DISA STIG
=========
![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/Windows-2019-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/Windows-2019-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic)
![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-STIG?style=plastic)

Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. ~Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.~ _To be implemented_
Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.

This role is based on Windows Server 2019 DISA STIG: [Version 2, Rel 1 released on November 13, 2020](Need URL HEre).
This role is based on Windows Server 2019 DISA STIG: [Version 2, Rel 1 released on November 13, 2020](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R1_STIG.zip).

Requirements
------------
Caution(s)
-------
This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.

To use release version please point to main branch
Based on [Windows Server 2019 DISA STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R1_STIG.zip).

Windows Server 2019 - Other versions are not supported.
Documentation
-------------
[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
[Wiki](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki)<br>
[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-STIG/)<br>

Dependencies
Requirements
------------
**General:**
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables).

**Technical Dependencies:**
- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)

The following packages must be installed on the controlling host/host where ansible is executed:

Expand All @@ -25,24 +52,22 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat

Role Variables
--------------
This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.

Please see the Ansible docs for understanding [variable precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) to tailor for your needs.

| Name | Default Value | Description |
|--------------------------|-----------------------------------------------------|----------------------|
| `win2019stig_cat1_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT I findings |
| `win2019stig_cat2_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT II findings |
| `win2019stig_cat3_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT III findings |
| `wn19_##_######` | [see defaults/main.yml](./defaults/main.yml) | Individual variables to enable/disable each STIG ID. |
Branches
--------
- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
- **main** - This is the release branch
- **reports** - This is a protected branch for our scoring reports, no code should ever go here
- **gh-pages** - This is the github pages branch
- **all other branches** - Individual community member branches

Example Playbook
----------------
Community Contribution
----------------------

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
We encourage you (the community) to contribute to this role. Please read the rules below.

- hosts: servers
roles:
- role: win-2k16-stig
when:
- ansible_os_family == 'Windows'
- ansible_distribution | regex_search('(Server 2019)')
- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
6 changes: 3 additions & 3 deletions tasks/cat1.yml
Original file line number Diff line number Diff line change
Expand Up @@ -340,7 +340,7 @@
changed_when: no
when:
- wn19_ms_000010
- not ansible_windows_domain_role == "Primary domain controller"
- "'controller' not in ansible_windows_domain_role"
tags:
- WN19-MS-000010
- V-93043
Expand All @@ -353,7 +353,7 @@
- name: "HIGH | WN19-UR-000020 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts."
win_user_right:
name: SeTcbPrivilege
users:
users: []
action: set
when: wn19_ur_000020
tags:
Expand Down Expand Up @@ -709,4 +709,4 @@
- SV-103389r1
- CCI-000366
- patch
- high
- high
6 changes: 3 additions & 3 deletions tasks/cat2.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
register: wn19_00_000020_audit_dc
check_mode: no
changed_when: wn19_00_000020_audit_dc.stdout != ""
when: ansible_windows_domain_role == "Primary domain controller"
when: "'controller' in ansible_windows_domain_role"

- name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
debug:
Expand All @@ -24,7 +24,7 @@
win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19_00_000020_pass_age }}))} | Select Name,PasswordLastSet"
register: wn19_00_000020_audit_dm_sa
changed_when: wn19_00_000020_audit_dm_sa.stdout != ""
when: not ansible_windows_domain_role == "Primary domain controller"
when: "'controller' not in ansible_windows_domain_role"

- name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
debug:
Expand Down Expand Up @@ -64,7 +64,7 @@
changed_when: no
when:
- wn19_00_000040
- not ansible_windows_domain_role == "Primary domain controller"
- "'controller' not in ansible_windows_domain_role"
tags:
- WN19-00-000040
- V-93207
Expand Down
Loading

0 comments on commit b293f69

Please sign in to comment.