From bbcbfd8ba04ce128d95bfd5e62f0ba661505144c Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 12:10:07 -0400 Subject: [PATCH 1/9] Typo Fixes readme -1 Signed-off-by: Frederick Witty --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index be12f1e..a557f81 100644 --- a/README.md +++ b/README.md 
@@ -46,37 +46,37 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask ques ## Caution(s) -This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but a remediation tool to be used after an audit. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. +Check Mode is not supported! The role wil be completed in check mode without errors, but it is not supported and should be used with caution. -This role was developed against a clean install of the Windows 2019 operating system. If you are implementing to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Windows 2019 operating system. If you are implementing an existing system please review this role for any site-specific changes that are needed. -To use release version please point to main branch and relevant release for the STIG benchmark you wish to work with. +To use the release version please point to the main branch and relevant release for the STIG benchmark you wish to work with. --- ## Matching a security Level for STIG -It is possible to to only run controls that are based on a particular for security level for STIG. +It is possible to to only run controls that are based on a particular security level for STIG. This is managed using tags: - CAT1 - CAT2 - CAT3 -The control found in defaults main also need to reflect true so as this will allow the controls to run when the playbook is launched. +The control found in defaults/main.yml also needs to reflect true so as this will allow the controls to run when the playbook is launched. 
## Coming from a previous release -STIG releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +STIG releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which it configures the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -Currently this release does not have a auditing tool. +Currently, this release does not have an auditing tool. ## Documentation @@ -97,7 +97,7 @@ Currently this release does not have a auditing tool. - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** 
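Review bot: the "Check Mode" line in the -46 hunk trades one typo for another: the new text reads "The role wil be completed in check mode", which introduces "wil" and turns the active "will complete" into a weaker passive; keep "The role will complete in check mode without errors". In the same hunk, changing "If you are implementing to an existing system" to "If you are implementing an existing system" loses the intended meaning (applying the role to a system that is already built); "If you are applying this role to an existing system" is the fix. The doubled "to to" in "It is possible to to only run controls" also survives this commit.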
@@ -114,11 +114,11 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win19stig_disruption_high` to `yes`. +This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win19stig_disruption_high` to `true`. ## Tags -There are many tags available for added control precision. Each control may have it's own set of tags noting what category, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control may have its own set of tags noting what category, what OS element it relates to, if it's a patch or audit, and the rule number. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000185, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000185. From 3be05caa860f99d9976a732683c749cc1c6679a5 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 12:13:12 -0400 Subject: [PATCH 2/9] Typo Fixes readme -2 Signed-off-by: Frederick Witty --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a557f81..92eb909 100644 --- a/README.md +++ b/README.md 
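Review bot: in the Role Variables hunk of PATCH 1/9 the README tells users to set `win19stig_disruption_high` to `true`, but defaults/main.yml (PATCH 3/9, hunk at line 25) defines the toggle as `win2019stig_disruption_high: false`, so the documented name would have no effect. Since this commit already rewrites that sentence, correct the variable name to match defaults/main.yml (or rename the variable, whichever the project treats as canonical). Changing the value from `yes` to `true` is the right call and matches the `false` literals used in defaults/main.yml.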
@@ -48,7 +48,7 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask ques This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but a remediation tool to be used after an audit. -Check Mode is not supported! The role wil be completed in check mode without errors, but it is not supported and should be used with caution. +Check Mode is not supported! The role will be completed in check mode without errors, but it is not supported and should be used with caution. This role was developed against a clean install of the Windows 2019 operating system. If you are implementing an existing system please review this role for any site-specific changes that are needed. 
@@ -58,19 +58,19 @@ To use the release version please point to the main branch and relevant release ## Matching a security Level for STIG -It is possible to to only run controls that are based on a particular security level for STIG. +It is possible to only run controls that are based on a particular security level for STIG. This is managed using tags: - CAT1 - CAT2 - CAT3 -The control found in defaults/main.yml also needs to reflect true so as this will allow the controls to run when the playbook is launched. +The control found in defaults/main.yml also needs to reflect true as this will allow the controls to run when the playbook is launched. ## Coming from a previous release STIG releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. -This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which it configures the system accordingly. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) 
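Review bot: "The control found in defaults/main.yml also needs to reflect true as this will allow the controls to run" still does not say which variable is meant. defaults/main.yml's own comment (PATCH 3/9, hunk at line 47) says the per-rule toggles "work in coordination with the cat1, cat2, cat3 group variables" and that an entire group must be enabled, so name those group variables here, e.g. "The matching category variable in defaults/main.yml must also be set to true; otherwise the controls will not run even when their tag is selected."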
@@ -118,7 +118,7 @@ This role is designed so that the end user should not have to edit the tasks the ## Tags -There are many tags available for added control precision. Each control may have its own set of tags noting what category, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control may have its own set of tags noting what category, what OS element it relates to if it's a patch or audit, and the rule number. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000185, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000185. From 948617f45d53784e328a9e9b9ce3c21d7bb850d3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 12:31:00 -0400 Subject: [PATCH 3/9] Typo Fixes Default+Main -1 Signed-off-by: Frederick Witty --- defaults/main.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2d56256..b33c386 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
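Review bot: the -118 hunk of PATCH 2/9 drops a comma that was carrying meaning. The list "what category, what OS element it relates to, if it's a patch or audit, and the rule number" enumerates four kinds of tag; the new "what OS element it relates to if it's a patch or audit" reads as a conditional. Keep the comma after "relates to" and change only "it's own" to "its own".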
@@ -25,13 +25,13 @@ win2019stig_disruption_high: false # setting to make them stand out. win2019stig_audit_disruptive: true -# This parameter disables controls that could have a very lengthy find. For example +# This parameter disables controls that could have a very lengthy find. For example, # removing all files of a specific file type that search the entire drive. # If there is an action tied to the lengthy search the action task will be disabled as well. # WN19-00-000240 - CAT2 win19stig_lengthy_search: false -# win19stig_cloud_based_system is a setting built into the playbook for testing locally vs azure. +# win19stig_cloud_based_system is a setting built into the playbook for testing locally vs. Azure. # We have found certain controls that need to be set in a different order when being applied in the # different environments. By Default This is set to false. win19stig_cloud_based_system: false @@ -47,7 +47,7 @@ win19stig_cloud_based_system: false # WN19-SO-000030 - CAT2 win_skip_for_test: true -# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. +# These variables correspond with the STIG IDs defined in the STIG and allow you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group # in order for the variables below to take effect. 
@@ -364,12 +364,12 @@ wn19stig_secreatetokenprivilege: "" wn19stig_sedebugprivilege: Administrators # WN19-00-000110 -# Windows Server 2019 must use an anti-virus program. We are using powershell here to check the status of -# a user defined anti-virus program installed. -# Option Examples: defnder | mcafee | symantec | etc -# NOTE: If the results of the powershell check come back empty Windows Defender will automatically be installed -# and enabled. If the results of the powershell check come back with outout for 3rd party antivirus, -# Windows defender will be disbaled and the results will be manually audited to verify the 3rd part program is +# Windows Server 2019 must use an anti-virus program. We are using Powershell here to check the status of +# a user-defined anti-virus program installed. +# Option Examples: defender | mcafee | symantec | etc +# NOTE: If the results of the Powershell check come back empty Windows Defender will automatically be installed +# and enabled. If the results of the Powershell check come back with output for 3rd party antivirus, +# Windows Defender will be disabled and the results will be manually audited to verify the 3rd part program is # currently running. # Default: defender wn19stig_antivirus_program: defender 
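Review bot: "Powershell" should be "PowerShell" in the three comment lines the -364 hunk rewrites, and "verify the 3rd part program" still has a typo ("3rd party") on a line this hunk already touches. The note that Windows Defender "will be disabled" when the search returns output for a third-party product, with the result only "manually audited", is the most consequential sentence in this comment, so it is worth keeping that wording exact rather than smoothing it.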
@@ -394,14 +394,14 @@ wn19stig_lockoutbadcount: 3 # WN19-AC-000030 # Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. -# wn19stig_resetlockoutcount is the Reset account lockout counter after value in mintues. +# wn19stig_resetlockoutcount is the Reset account lockout counter after value in minutes. wn19stig_resetlockoutcount: 15 # WN19-AC-000040 # Windows Server 2019 password history must be configured to 24 passwords remembered. -# wn19stig_passwordhistorysize is the number of passwords windows will remember before you may +# wn19stig_passwordhistorysize is the number of passwords Windows will remember before you may # be able to reuse that same password. The default value is "24" for Windows domain systems. -# DoD determined appropriate value for all Windows systems. +# DoD determined the appropriate value for all Windows systems. wn19stig_passwordhistorysize: 24 # WN19-AC-000050 @@ -416,13 +416,13 @@ wn19stig_minimumpasswordage: 1 # WN19-AC-000070 # Windows Server 2019 minimum password length must be configured to 14 characters or more. -# wn19stig_minimumpasswordlength is the Minimum password characters length value. +# wn19stig_minimumpasswordlength is the Minimum password character length value. wn19stig_minimumpasswordlength: 14 # WN19-CC-000110 # Windows Server 2019 virtualization-based security must be enabled with the platform security # level configured to Secure Boot or Secure Boot with DMA Protection. -# win19stig_dma_protection is the level that they would like to setup. +# win19stig_dma_protection is the level that they would like to set up. # Valid settings are as follows. # 1 (Secure Boot only) # 3 (Secure Boot and DMA Protection) @@ -436,7 +436,7 @@ wn19stig_dma_protection: 3 # Approved values are below: # 8 - Good only # 1 - Good and unknown -# 3 - Good, unknown and bad but critical +# 3 - Good, unknown, and bad but critical wn19stig_driver_load_policy: 1 # WN19-CC-000270 
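Review bot: the -416 hunk rewrites "# win19stig_dma_protection is the level that they would like to set up." but the variable it describes is `wn19stig_dma_protection: 3`, visible as the context line of the next hunk header; the comment names a variable that does not exist. Change the comment to `wn19stig_dma_protection` while touching the line. The lines visible in this patch mix three prefixes (`win2019stig_`, `win19stig_`, `wn19stig_`), so a typo pass is a good moment to at least make every comment match the variable directly below it.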
@@ -467,7 +467,7 @@ wn19stig_senetworklogonright_dc: Administrators,Authenticated Users,Enterprise D # WN19-DC-000430 # The password for the krbtgt account on a domain must be reset at least every 180 days. # The default setting here matches the STIG requirements. If you would like to -# enforce a more strcit policy you may do so for auditing purposes. +# enforce a more strict policy you may do so for auditing purposes. # NOTE: Valid Days are 180 or less. wn19stig_krbtgt_account_pass_age: 180 @@ -483,8 +483,8 @@ wn19stig_senetworklogonright: Administrators,Authenticated Users # WN19-SO-000030 # Windows Server 2019 built-in administrator account must be renamed. -# wn19stig_newadministratorname is the non-default name for the Administror Account. -# This rule can be skipped during testing, conseqently to not break the box's connection by using +# wn19stig_newadministratorname is the non-default name for the Administrator Account. +# This rule can be skipped during testing, consequently not breaking the box's connection by using # the toggle win_skip_for_test. wn19stig_newadministratorname: adminchangethis @@ -504,7 +504,7 @@ wn19stig_machineaccountpsswd_max_age: 30 # WN19-SO-000120 # The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. # wn19stig_inactivitytimeoutsecs is the time in seconds that will be set in the registry that -# enagages the screen saver. Default setting is "900" seconds or less excluding "0" +# enagages the screen saver. The default setting is "900" seconds or less excluding "0" wn19stig_inactivitytimeoutsecs: 900 # WN19-SO-000130 
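Review bot: the -504 hunk rewrites the comment line but leaves "enagages the screen saver" misspelled ("engages"). In the -483 hunk, "This rule can be skipped during testing, consequently not breaking the box's connection by using the toggle win_skip_for_test" is still awkward; "This rule can be skipped during testing with the toggle `win_skip_for_test`, so that renaming the account does not break the connection to the box" says what the toggle is for.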
@@ -527,14 +527,14 @@ wn19stig_legalnoticetext: | # WN19-SO-000400 # User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. -# The more secure option for this setting, "Prompt for credenti +# The more secure option for this setting, "Prompt for credentials on the secure desktop" # Default setting is 2 # 2 -(Prompt for consent on the secure desktop) # 1 -(Prompt for credentials on the secure desktop) wn19stig_consentprompt: 2 # WN19-UR-000030 -# The Allow log on locally user right must only be assigned to the Administrators group. +# The Allow log on local user rights must only be assigned to the Administrators group. # If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding. # If an application requires this user right, this would not be a finding. Vendor documentation must support the # requirement for having the user right. The requirement must be documented with the ISSO. From 96eaac032ace0f1230cb5652e5c6d5fcb05a0ac6 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 13:41:52 -0400 Subject: [PATCH 4/9] Typo Fixes Cat1+3 -1 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 34 ++++++++++++++++----------------- tasks/cat2.yml | 52 +++++++++++++++++++++++++------------------------- tasks/cat3.yml | 2 +- 3 files changed, 44 insertions(+), 44 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 9312e80..174a710 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
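Review bot: the -527 hunk changes "The Allow log on locally user right" to "The Allow log on local user rights", which breaks the name of the Windows user right. "Allow log on locally" is the policy name behind `SeInteractiveLogonRight`, which the very next comment line references, and the STIG uses it verbatim; revert to "The "Allow log on locally" user right must only be assigned to the Administrators group." The completed UAC line "The more secure option for this setting, "Prompt for credentials on the secure desktop"" is still a sentence fragment; "The more secure option for this setting is "Prompt for credentials on the secure desktop" (value 1)" matches the value table below it.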
@@ -6,7 +6,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." - - name: "HIGH | WN19-00-000010 | AUDIT | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | import reuseable task." + - name: "HIGH | WN19-00-000010 | AUDIT | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000010' @@ -26,7 +26,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." - - name: "HIGH | WN19-00-000030 | AUDIT | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reuseable task." + - name: "HIGH | WN19-00-000030 | AUDIT | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000030' 
@@ -124,7 +124,7 @@ - "Defender was automatically installed by Ansible because your defined Antivirus is not" - "currently Installed on the system or the shell search could not find it." - "Please change the variable in wn19stig_antivirus_program back to defender to satisfy STIG" - - "requiurements or until you properly install a 3rd party Anti-Virus that yields results when searching." + - "requirements or until you properly install a 3rd party Anti-Virus that yields results when searching." when: - wn19_00_000110_virus_audit.stdout_lines | length == 0 - "'defender' not in wn19stig_antivirus_program" @@ -155,8 +155,8 @@ msg: - "Warning!! This is a manual task. Windows Server 2019 must use an anti-virus program." - "Please change the variable in wn19stig_antivirus_program back to defender to satisfy STIG" - - "requiurements or until you properly install a 3rd party Anti-Virus that yields results when searching." - - "By Default Defender Antivirus has been installed, check current status below to verify running." + - "requirements or until you properly install a 3rd party Anti-Virus that yields results when searching." + - "By Default Defender Antivirus has been installed, check the current status below to verify running." - "{{ wn19_00_000110_virus_audit_windefend.stdout_lines | trim }}" when: - wn19_00_000110_virus_audit_windefend.stdout_lines | length > 1 
@@ -196,10 +196,10 @@ - "Warning!! This is a manual task. Windows Server 2019 local volumes must use a format" - "that supports NTFS attributes. Please check to verify your system is in compliance." - "ReFS (resilient file system) is also acceptable and would not be a finding." - - "This does not apply to system partitions such the Recovery and EFI System Partition." + - "This does not apply to system partitions such as the Recovery and EFI System Partition." - "{{ wn19_00_000130_audit.stdout.split('\n') }}" - - name: "HIGH | WN19-00-000130 | AUDIT | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | import reuseable task." + - name: "HIGH | WN19-00-000130 | AUDIT | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000130' @@ -338,7 +338,7 @@ - name: "HIGH | WN19-DC-000010 | AUDIT | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system." ansible.builtin.debug: msg: - - "Alert! Below are the users in the administrators group. Please review and confirm all users should be in this group" + - "Alert! Below are the users in the Administrators Group. Please review and confirm all users should be in this group" - "{{ wn19_dc_000010_admin_usrs.stdout_lines }}" - name: "HIGH | WN19-DC-000010 | AUDIT | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | Warn Count." 
@@ -362,7 +362,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access." - - name: "WN19-DC-000070 | AUDIT | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | import reuseable task." + - name: "WN19-DC-000070 | AUDIT | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000070' @@ -383,7 +383,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions." - - name: "HIGH | WN19-DC-000080 | AUDIT | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | import reuseable task." + - name: "HIGH | WN19-DC-000080 | AUDIT | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000080' @@ -404,7 +404,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions." - - name: "HIGH | WN19-DC-000090 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | import reuseable task." + - name: "HIGH | WN19-DC-000090 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000090' 
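Review bot: the -362 hunk edits the task name for WN19-DC-000070 but leaves it without the "HIGH | " severity prefix that every other task name in this file carries (compare the WN19-DC-000080 and WN19-DC-000090 names in the following hunks). Since the name is what `--list-tasks` and run output show, add the prefix while touching the line: "HIGH | WN19-DC-000070 | AUDIT | ... | import reusable task."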
@@ -425,7 +425,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." - - name: "HIGH | WN19-DC-000100 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | import reuseable task." + - name: "HIGH | WN19-DC-000100 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000100' @@ -446,7 +446,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." - - name: "HIGH | WN19-DC-000110 | AUDIT | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | import reuseable task." + - name: "HIGH | WN19-DC-000110 | AUDIT | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000110' @@ -469,7 +469,7 @@ - "Warning!! This is a manual task. Windows Server 2019 directory data (outside the root DSE) of a non-public" - "directory must be configured to prevent anonymous access." - - name: "HIGH | WN19-DC-000150 | AUDIT | Windows Server 2019 must use an anti-virus program. | import reuseable task." + - name: "HIGH | WN19-DC-000150 | AUDIT | Windows Server 2019 must use an anti-virus program. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000150' 
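Review bot: the -469 hunk fixes "reuseable" in the WN19-DC-000150 task name but keeps its copy-pasted description "Windows Server 2019 must use an anti-virus program", which belongs to WN19-00-000110; the debug message two lines above describes this control as "directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access". Replace the description in the task name with that text so the name matches the control it reports on.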
@@ -490,7 +490,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." - - name: "HIGH | WN19-DC-000290 | AUDIT | Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + - name: "HIGH | WN19-DC-000290 | AUDIT | Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000290' 
@@ -505,14 +505,14 @@ - SV-205646r569188_rule - V-205646 -# add some task/external variable for approved CAs, check for DoD and how to pull programatically +# add some task/external variable for approved CAs, check for DoD and how to pull programmatically - name: "HIGH | WN19-DC-000300 | AUDIT | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." block: - name: "HIGH | WN19-DC-000300 | AUDIT | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." - - name: "HIGH | WN19-DC-000300 | AUDIT | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + - name: "HIGH | WN19-DC-000300 | AUDIT | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000300' diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 3673fb4..f23cc0b 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -132,7 +132,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization." - - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task." + - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000060' @@ -153,7 +153,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 shared user accounts must not be permitted." - - name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reuseable task." + - name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000070' 
@@ -173,7 +173,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task." + - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000080' @@ -244,7 +244,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based intrusion detection or prevention system." - - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reuseable task." + - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000120' @@ -364,7 +364,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task." + - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000170' 
@@ -582,7 +582,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 system files must be monitored for unauthorized changes." - - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | import reuseable task." + - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000220' @@ -690,7 +690,7 @@ - "Warning!! This is a manual task. Windows Server 2019 systems requiring data at rest protections" - "must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." - - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task." + - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000250' @@ -747,7 +747,7 @@ - "Document the roles and features required for the system to operate. Uninstall any that are not required." - "{{ wn19_00_000270_audit.stdout_lines }}" - - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reuseable task." + - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000270' 
@@ -841,7 +841,7 @@ - "Verify DoD-approved ESS software is installed and properly operating." - "Ask the site ISSM for documentation of the ESS software installation and configuration." - - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." + - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000290' @@ -1584,7 +1584,7 @@ - "different system or media than the system being audited. Establish and implement a process" - "for backing up log data to another system or media other than the system being audited." - - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." + - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-AU-000010' 
@@ -1604,7 +1604,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." - - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." + - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-AU-000020' @@ -3213,7 +3213,7 @@ - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - ">> Enforce user logon restrictions to Enabled" - - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reuseable task." + - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000020' @@ -3240,7 +3240,7 @@ - ">> Maximum lifetime for service ticket to a maximum of 600 minutes, but not 0, which equates to" - "Ticket doesn't expire" - - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task." + - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000030' 
@@ -3266,7 +3266,7 @@ - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - ">> Maximum lifetime for user ticket to a maximum of 10 hours but not 0, which equates to Ticket doesn't expire" - - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task." + - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000040' @@ -3292,7 +3292,7 @@ - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - ">> Maximum lifetime for user ticket renewal to a maximum of 7 days or less" - - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task." + - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000050' @@ -3319,7 +3319,7 @@ - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - ">> Maximum tolerance for computer clock synchronization to a maximum of 5 minutes or less." - - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task." + - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000060' 
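Review bot: the WN19-DC-000050 rename in the `@@ -3292` hunk fixes `reuseable` but leaves the missing space before the pipe: `seven days or less.| import reusable task.`. Every other task name in this file uses ` | ` as the field separator, so while this line is being touched it should become `seven days or less. | import reusable task.`; otherwise anything that splits task names on ` | ` (log filters, reporting) treats this one control differently.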
@@ -3385,7 +3385,7 @@ - "Review installed applications. Remove additional roles or applications such as web, database," - "and email from the domain controller." - - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reuseable task." + - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000130' @@ -3411,7 +3411,7 @@ - "implementations at a classified confidentiality level that transfer replication data through a network cleared" - "to a lower level than the data." - - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task." + - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000140' 
@@ -3434,7 +3434,7 @@ - "Warning!! This is a manual task. Active Directory Group Policy objects must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000170' @@ -3458,7 +3458,7 @@ - "Warning!! This is a manual task. The Active Directory Domain object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000180' 
@@ -3482,7 +3482,7 @@ - "Warning!! This is a manual task. The Active Directory Infrastructure object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000190' @@ -3507,7 +3507,7 @@ - "Unit (OU) object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000200' 
@@ -3531,7 +3531,7 @@ - "Warning!! This is a manual task. The Active Directory AdminSDHolder object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000210' @@ -3555,7 +3555,7 @@ - "Warning!! This is a manual task. The Active Directory RID Manager$ object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000220' @@ -3682,7 +3682,7 @@ - "Warning!! This is a manual task. Domain controllers must have a PKI server certificate." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reuseable task." + - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000280' 
@@ -3953,7 +3953,7 @@ - wn19stig_krbtgt_account_pass_age <= 180 - wn19_dc_000430_audit.stdout | length > 0 - - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task." + - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-DC-000430' diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 9ddbe75..d7c2a16 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -103,7 +103,7 @@ - SV-205857r569188_rule - V-205857 -- name: "LOW | WN19-CC-000030 | PATCH | Windows Server 2019 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." +- name: "LOW | WN19-CC-000030 | PATCH | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters value: DisableIPSourceRouting From ad206b6b95a34fb4b32d44263e6bbd53f3dafe7b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 14:30:51 -0400 Subject: [PATCH 5/9] Typo Fixes Cat2 -1 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 68 ++++++++++++++++++++--------------------- tasks/prelim.yml | 4 +-- tasks/warning_facts.yml | 2 +- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index f23cc0b..a2f3778 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
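Review bot: every hunk in the `reuseable` to `reusable` patch above changes an Ansible task `name`, and in cat3.yml the WN19-CC-000030 `name` changes case as well. Task names are operator-facing identifiers: `--start-at-task`, callback filters and any log parsing keyed on the old strings will stop matching. That is fine for a cleanup, but the commit message should say the names changed rather than labeling this only as a typo fix, so downstream users know to update their matches.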
@@ -270,7 +270,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task to audit. Windows Server 2019 icacls program needs to meet" - - "the STIG requirements. Please check the report below and compare to the STIG requirements." + - "the STIG requirements. Please check the report below and compare it to the STIG requirements." - "{{ wn19_00_000140_drive_root_audit.stdout_lines }}" - name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Warn Count" @@ -299,7 +299,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task to audit. Windows Server 2019 icacls program needs to meet" - - "the STIG requirements. Please check the report below and compare to the STIG requirements." + - "the STIG requirements. Please check the report below and compare it to the STIG requirements." - "{{ wn19_00_000150_program_files_audit.stdout_lines }}" - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files x86" @@ -312,7 +312,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task to audit. Windows Server 2019 icacls program files x86 needs to meet" - - "the STIG requirements. Please check the report below and compare to the STIG requirements." + - "the STIG requirements. Please check the report below and compare it to the STIG requirements." - "{{ wn19_00_000150_program_files_86_audit.stdout_lines }}" - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Warn Count" 
@@ -341,7 +341,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task to audit. Windows Server 2019 permissions for the Windows installation directory needs to meet" - - "the STIG requirements. Please check the report below and compare to the STIG requirements." + - "the STIG requirements. Please check the report below and compare it to the STIG requirements." - "{{ wn19_00_000160_windows_dir_audit.stdout_lines }}" - name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Warn Count." @@ -475,7 +475,7 @@ ansible.builtin.debug: msg: - "The accounts listed do not require a password and are currently enabled." - - "To conform to STIG complaince configure passwords on all accounts." + - "To conform to STIG complaint configure passwords on all accounts." - "{{ wn19_00_000200_audit_dc.stdout.split('\n') }}" when: - not wn19_00_000200_audit_dc is skipped @@ -492,7 +492,7 @@ ansible.builtin.debug: msg: - "The accounts listed do not require a password and are currently enabled." - - "To conform to STIG complaince configure passwords on all accounts." + - "To conform to STIG complaint configure passwords on all accounts." - "{{ wn19_00_000200_audit_dm_sa.stdout.split('\n') }}" when: - not wn19_00_000200_audit_dm_sa is skipped @@ -680,7 +680,7 @@ - SRG-OS-000480-GPOS-00227 - SV-205852r569188_rule - V-205852 - # do we need async; its very long running to search filesystems + # do we need async?; It's very long-running to search filesystems - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." block: 
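Review bot: the `@@ -475` and `@@ -492` hunks replace one typo with another. `complaince` was meant to be `compliance`, and the new text `To conform to STIG complaint configure passwords on all accounts.` is wrong; use `To conform to STIG compliance, configure passwords on all accounts.` in both messages. Separately, in the `@@ -680` hunk the comment `# do we need async?; It's very long-running to search filesystems` combines a question mark with a semicolon; `# Do we need async? It's very long-running to search filesystems` reads cleanly.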
@@ -732,7 +732,7 @@ - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented." block: - - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 bust have the roles and features required by the system documented. | Get Roles & Features Installed" + - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | Get Roles & Features Installed" ansible.windows.win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True} changed_when: false failed_when: false @@ -782,7 +782,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled." - - "Windows does not currently have its built in firewall enabled." + - "Windows does not currently have its built-in firewall enabled." - "Please check for 3rd party firewall and verify the configuration requirements conform to firewall STIG standards." - "{{ wn19_00_000280_firewall_audit.stdout_lines }}" when: @@ -794,7 +794,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled." - - "Windows host based firewall currently is enabled on Domain, Private, And Public Profiles." + - "Windows host-based firewall currently is enabled on Domain, Private, And Public Profiles." - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards." - "{{ wn19_00_000280_firewall_audit.stdout_lines }}" when: 
@@ -806,7 +806,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled." - - "Windows host based firewall currently is partially enabled on Domain, Private, And Public Profiles." + - "Windows host-based firewall currently is partially enabled on Domain, Private, And Public Profiles." - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards." - "{{ wn19_00_000280_firewall_audit.stdout_lines }}" when: 
@@ -829,9 +829,9 @@ - SV-214936r852535_rule - V-214936 -- name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." +- name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host-Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host-Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2019 must employ automated mechanisms to determine" 
@@ -841,7 +841,7 @@ - "Verify DoD-approved ESS software is installed and properly operating." - "Ask the site ISSM for documentation of the ESS software installation and configuration." - - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reusable task." + - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host-Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000290' @@ -868,7 +868,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" - - "listed where the expiration date is longer then 72 hours." + - "listed where the expiration date is longer than 72 hours." - "{{ wn19_00_000300_audit_dc.stdout.split('\n') }}" when: - wn19_00_000300_audit_dc is not skipped @@ -885,7 +885,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" - - "listed where the expiration date is longer then 72 hours." + - "listed where the expiration date is longer than 72 hours." - "{{ wn19_00_000300_audit_sa.stdout.split('\n') }}" when: - wn19_00_000300_audit_sa is not skipped 
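Review bot: the `@@ -829` and `@@ -841` hunks edit wording inside the STIG rule title itself, turning `Host Based Security System (HBSS)` into `Host-Based Security System (HBSS)`. The task names in this role reproduce the rule titles verbatim, and the surrounding lines (including the earlier `reuseable` hunk for the same control) keep the STIG's own spelling, so operators who grep play output for the published title will no longer get a match. Keep rule titles exactly as the STIG publishes them and confine grammar fixes to the role's own warning messages.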
@@ -1185,7 +1185,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Internet Information Services (IIS) Manager FTP is currently" - - "installed on the system. Anonymous Authentication must be set to diabled per STIG Requirements." + - "installed on the system. Anonymous Authentication must be set to disabled per STIG Requirements." when: "'Installed' in wn19_00_000420_ftp_audit" - name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | Warn Count" @@ -1228,7 +1228,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. For any sites with a Binding that lists FTP, right-click the site and select Explore." - - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" + - "If the site includes any system areas such as the root of the drive, Program Files, or Windows directories, this is a finding" - "Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system." - "{{ wn19_00_000430_isssite_audit.stdout.split('\n') }}" when: "'Installed' in wn19_00_000430_ftp_audit" @@ -1265,7 +1265,7 @@ - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message User Accounts" ansible.builtin.debug: msg: - - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." + - "Warning!! Please review the User Rights listed for each of any unresolved SIDs to determine whether they are valid." - "User Accounts" - "----------------------------------------------------------------------" - "{{ wn19_00_000450_orphaned_user_accounts.stdout_lines }}" 
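Review bot: in the `@@ -1265` hunk (and the matching `@@ -1274` hunk for group accounts), `for each of any unresolved SIDs` is still ungrammatical after the pluralization. `Please review the User Rights listed for each unresolved SID to determine whether they are valid.` says the same thing; the group-accounts message should change the same way so the two stay parallel.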
@@ -1274,7 +1274,7 @@ - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message Group Accounts." ansible.builtin.debug: msg: - - "Warning!! Please review the Group Rights listed for each of any unresolved SID to determine whether they are valid." + - "Warning!! Please review the Group Rights listed for each of any unresolved SIDs to determine whether they are valid." - "Group Accounts" - "----------------------------------------------------------------------" - "{{ wn19_00_000450_orphaned_group_accounts.stdout_lines }}" @@ -1426,7 +1426,7 @@ - name: "MEDIUM | WN19-AC-000040 | AUDIT | Windows Server 2019 password history must be configured to 24 passwords remembered. | Warning Message" ansible.builtin.debug: msg: - - "Warning!! You have an invalid number remembered passwords set for wn19stig_passwordhistorysize please read" + - "Warning!! You have an invalid number of remembered passwords set for wn19stig_passwordhistorysize please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_passwordhistorysize < 24 
@@ -1598,13 +1598,13 @@ - SV-205799r877390_rule - V-205799 -- name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." +- name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real-time and offload standalone or nondomain-joined systems weekly." block: - - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real-time and offload standalone or nondomain-joined systems weekly." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real-time and offload standalone or nondomain-joined systems weekly." - - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reusable task." + - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real-time and offload standalone or nondomain-joined systems weekly. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-AU-000020' 
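Review bot: the four changes in the `@@ -1598` hunk should be reverted. `offload audit records ... in real time` uses the adverbial form, which is written without a hyphen; `real-time` is only the attributive form (`real-time offload`). The hunk also rewrites the rule title in the WN19-AU-000020 task names, which otherwise mirror the STIG text verbatim, so this both introduces a grammar error and diverges from the published title.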
@@ -1640,7 +1640,7 @@ - "to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement:" - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" - "Current location of Application.evtx is {{ wn19_au_000030_app_log_location.stdout | trim }}" - - "If the location of the logs has been changed, when adding Eventlog to the permissions," + - "If the location of the logs has been changed when adding Eventlog to the permissions," - "it must be entered as NT Service\\Eventlog" - "{{ wn19_au_000030_app_log_permissions.stdout_lines | reject('match', '^$') | list }}" @@ -1681,7 +1681,7 @@ - "to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement:" - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" - "Current location of Security.evtx is {{ wn19_au_000040_sec_log_location.stdout | trim }}" - - "If there is no output below If the location of the logs has been changed, when adding Eventlog to the permissions," + - "If there is no output below If the location of the logs has been changed when adding Eventlog to the permissions," - "it must be entered as NT Service\\Eventlog" - "{{ wn19_au_000040_sec_log_permissions.stdout_lines | reject('match', '^$') | list }}" 
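Review bot: removing the comma in the `@@ -1640` and `@@ -1681` hunks changes the meaning of the instruction. The original `If the location of the logs has been changed, when adding Eventlog to the permissions,` followed by `it must be entered as NT Service\\Eventlog` has two separate clauses: the condition (logs relocated) and the instruction (type the principal as `NT Service\Eventlog` when you add it). Without the comma it reads as if the location was changed while adding Eventlog. Keep the comma. The Security.evtx message in the `@@ -1681` hunk also still carries a pre-existing garble, `If there is no output below If the location of the logs has been changed`, which this typo pass should fix while it is here, for example by splitting it into a standalone `If there is no output below, ...` line and the original conditional.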
@@ -1722,7 +1722,7 @@ - "to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement:" - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" - "Current location of System.evtx is {{ wn19_au_000050_system_log_location.stdout | trim }}" - - "If the location of the logs has been changed, when adding Eventlog to the permissions," + - "If the location of the logs has been changed when adding Eventlog to the permissions," - "it must be entered as NT Service\\Eventlog" - "{{ wn19_au_000050_system_log_permissions.stdout_lines | reject('match', '^$') | list }}" @@ -3237,7 +3237,7 @@ - "Warning!! The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." - "Configure the policy value in the Default Domain Policy for Computer Configuration" - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - - ">> Maximum lifetime for service ticket to a maximum of 600 minutes, but not 0, which equates to" + - ">> Maximum lifetime for a service ticket to a maximum of 600 minutes, but not 0, which equates to" - "Ticket doesn't expire" - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reusable task." 
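Review bot: the `@@ -1722` hunk repeats the comma removal from the Application and Security log hunks and should keep the comma for the same reason (the condition and the instruction are separate clauses). In the `@@ -3237` hunk, `Maximum lifetime for service ticket` is the literal name of the Kerberos Policy setting the operator has to locate under Account Policies in Group Policy, and the earlier `reuseable` hunk for WN19-DC-000030 keeps that literal in the task name; inserting `a` (`Maximum lifetime for a service ticket`) means the message no longer matches the setting name. Leave Group Policy setting names verbatim.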
@@ -3356,7 +3356,7 @@ - "from the directory server data files. Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative" - "shares ending in $). User shares that are hidden (ending with $) should not be ignored." - "If user shares are located on the same logical partition as the directory server data files, this is a finding." - - "Note the directory locations in the values for DSA Database file" + - "Note the directory locations in the values for the DSA Database file" - "{{ wn19_dc_000120_audit_dirlocation.stdout_lines | trim }}" - "Note the logical drive(s) or file system partition for any organization-created data shares." - "{{ wn19_dc_000120_audit_shares.stdout_lines | trim }}" @@ -4529,7 +4529,7 @@ ansible.builtin.debug: msg: - "Warning!! You have not set the right number of days for wn19stig_machineaccountpsswd_max_age" - - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + - "Please read the notes for the variable and make the necessary changes to the variable to be in compliance." when: - wn19stig_machineaccountpsswd_max_age > 30 or wn19stig_machineaccountpsswd_max_age == 0 @@ -4585,7 +4585,7 @@ ansible.builtin.debug: msg: - "Warning!! You have not set the right number of seconds for wn19stig_inactivitytimeoutsecs" - - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + - "Please read the notes for the variable and make the necessary changes to the variable to be in compliance." when: - wn19stig_inactivitytimeoutsecs > 900 or wn19stig_inactivitytimeoutsecs == 0 
@@ -4941,8 +4941,8 @@ - name: "MEDIUM | WN19-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Variable Check." ansible.builtin.debug: msg: - - "Warning!! You have not choosen a correct setting for wn19stig_consentprompt" - - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + - "Warning!! You have not chosen the correct setting for wn19stig_consentprompt" + - "Please read the notes for the variable and make the necessary changes to the variable to be in compliance." when: - wn19stig_consentprompt < 1 or wn19stig_consentprompt > 2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1fd2910..cc12bf3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -8,9 +8,9 @@ tags: - always -# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') +# hvm is for Amazon AMI's, Hyper-V we have found for Azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') # This list is not complete and will be updated as we try on more cloud based services. -# As of now testing is working in azure using Hyper-V. We are curently using this for reference: +# As of now testing is working in Azure using Hyper-V. We are currently using this for reference: # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 - name: Set Fact If Cloud Based System. ansible.builtin.set_fact: diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index c7e9f9a..eff541f 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml 
@@ -12,7 +12,7 @@ # # warn_control_list is the main variable to be used and is a list made up of the warn_control_id's # -# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 - name: "NO CONTROL ID | AUDIT | Set fact for manual task warning" From 40ba143d8d2fcb8caae6607c5c0df192078e8bf0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 14:42:51 -0400 Subject: [PATCH 6/9] Typo Fixes Cat1 -2 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 174a710..e543caa 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -527,7 +527,7 @@ - SV-205647r569188_rule - V-205647 -# populate a dictionary/list from customer +# populate a dictionary/list from the customer - name: "HIGH | WN19-MS-000010 | AUDIT | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system" block: - name: "HIGH | WN19-MS-000010 | AUDIT | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system" @@ -727,7 +727,7 @@ - SV-205753r877392_rule - V-205753 -# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus +# fails openscap - the v1r10 xml checks for the "Administrators" string but secedit uses the SIDs thus # "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails) # emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil # SCC tool works From c25412c3fe415b6ddf651b035e0b004df068e73a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 14:44:27 -0400 Subject: [PATCH 7/9] Typo Fixes Cat3 -2 
Signed-off-by: Frederick Witty --- tasks/cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cat3.yml b/tasks/cat3.yml index d7c2a16..ab663d1 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -89,7 +89,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have Secure Boot enabled." - - name: "LOW | WN19-00-000470 | AUDIT | Windows Server 2019 must have Secure Boot enabled. | import reuseable task." + - name: "LOW | WN19-00-000470 | AUDIT | Windows Server 2019 must have Secure Boot enabled. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN19-00-000470' From 3d80110b31c895a7e5fe69023788d3b6cabc250a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 24 Aug 2023 14:46:38 -0400 Subject: [PATCH 8/9] Typo Fixes Changelog -1 Signed-off-by: Frederick Witty --- ChangeLog.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 18f1d4d..ab48a8b 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -11,7 +11,7 @@ August 2023 Update - Updated Tags in tasks/main. June / July 2023 Update - - Updated tags on controls based Version 2 Release 7 + - Updated tags on controls based on Version 2 Release 7 - Updated win_skip_for_test var to true - Updated Readme - Updated Changelog @@ -24,8 +24,8 @@ June / July 2023 Update - Added Control WN19-AU-000100 - Added Control WN19-AU-000110 - Added Control WN19-SO-000070 - - Rule IDs updated due to changes in content management system. - - Updated all tags to proper format. + - Rule IDs updated due to changes in the content management system. + - Updated all tags to the proper format. - Major updates to all controls - Updated Misc Controls to have additional data in warning messages. - Fixed Misc Controls Registry entry errors. From 8d79e02770f212ea661f59f32e576e98ac539f27 Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Fri, 25 Aug 2023 07:40:12 -0400 Subject: [PATCH 9/9] Typo Fixes Cat2 -3 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index a2f3778..6f5ca41 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -475,7 +475,7 @@ ansible.builtin.debug: msg: - "The accounts listed do not require a password and are currently enabled." - - "To conform to STIG complaint configure passwords on all accounts." + - "Configure passwords on all accounts to conform to STIG compliance." - "{{ wn19_00_000200_audit_dc.stdout.split('\n') }}" when: - not wn19_00_000200_audit_dc is skipped @@ -492,7 +492,7 @@ ansible.builtin.debug: msg: - "The accounts listed do not require a password and are currently enabled." - - "To conform to STIG complaint configure passwords on all accounts." + - "Configure passwords on all accounts to conform to STIG compliance." - "{{ wn19_00_000200_audit_dm_sa.stdout.split('\n') }}" when: - not wn19_00_000200_audit_dm_sa is skipped
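Review bot: in the tasks/cat2.yml hunk at @@ -1722, dropping the comma after "changed" alters the meaning rather than fixing a typo. The original reads as a condition plus an instruction: "If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as NT Service\Eventlog". Without the comma it reads as if the log location was changed while Eventlog was being added. Keep the original line, or restructure it so the condition is unambiguous, e.g. "If the log location has been changed, Eventlog must be entered as NT Service\\Eventlog when adding it to the permissions".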
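Review bot: in the tasks/cat2.yml hunk at @@ -3237, "Maximum lifetime for service ticket" is the literal name of the Kerberos Policy setting as it appears in the Group Policy editor, and the surrounding lines are a navigation path ("Account Policies >> Kerberos Policy >> ..."). Inserting "a" means the warning no longer matches the setting an operator has to locate. Revert this line, or quote the setting name so it is obviously a literal: ">> 'Maximum lifetime for service ticket' to a maximum of 600 minutes, but not 0, which equates to".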
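Review bot: in the tasks/cat2.yml hunk at @@ -3356, "DSA Database file" is the name of a value the operator has to look up (the line itself says "the values for"), not descriptive prose, so adding "the" makes it read as an English phrase and hides that it is a literal. Prefer keeping the original wording, or quoting it: "Note the directory locations in the values for 'DSA Database file'".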
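Review bot: in the tasks/cat2.yml hunk at @@ -4529, the wording change is fine, but the `when:` condition shown in the context, "wn19stig_machineaccountpsswd_max_age > 30 or wn19stig_machineaccountpsswd_max_age == 0", does not catch negative values, so a value such as -1 passes silently even though the message claims to flag the wrong number of days. Since this hunk is already touching the message, suggest tightening the check to "wn19stig_machineaccountpsswd_max_age < 1 or wn19stig_machineaccountpsswd_max_age > 30" and stating the valid range (1 to 30 days) in the message instead of only pointing at the variable notes.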
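Review bot: in the tasks/cat2.yml hunk at @@ -4585, same gap as the machine account password check: "wn19stig_inactivitytimeoutsecs > 900 or wn19stig_inactivitytimeoutsecs == 0" lets negative values through. Suggest "wn19stig_inactivitytimeoutsecs < 1 or wn19stig_inactivitytimeoutsecs > 900" and naming the valid range (1 to 900 seconds) in the warning text.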
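Review bot: in the tasks/cat2.yml hunk at @@ -4941, "the correct setting" implies there is exactly one valid value, but the `when:` condition "wn19stig_consentprompt < 1 or wn19stig_consentprompt > 2" accepts both 1 and 2. The original "a correct setting" was accurate; better still, say what is accepted: "Warning!! You have not chosen a valid setting for wn19stig_consentprompt (must be 1 or 2)".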
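Review bot: in the tasks/prelim.yml hunk at @@ -8, "Amazon AMI's" still uses an apostrophe for a plural; it should be "Amazon AMIs". While this comment is being reworded, "Hyper-V we have found for Azure" would read more clearly as "Hyper-V is what we have found for Azure".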
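Review bot: in the tasks/cat2.yml hunks at @@ -475 and @@ -492 (identical text), "to conform to STIG compliance" is still awkward: a system conforms to the STIG, or is STIG compliant, not to "compliance". Suggest "Configure passwords on all accounts to comply with the STIG." in both places so the two warnings stay identical.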