From 18eb559f862085876642cbf6407d680b0bc4cff2 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Thu, 10 Aug 2023 09:41:57 -0400 Subject: [PATCH 1/3] WhiteSpace Removal Signed-off-by: Stephen Williams --- ChangeLog.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 99fc231..71d3f3a 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,8 +4,8 @@ August 2023 Update - Updated Workflows To Central Repo - - Renamed them to better run across all repos. - - Removed Templates & PR Temmplate from repo and adjusted to Org level. + - Renamed them to better run across all repos. + - Removed Templates & PR Temmplate from repo and adjusted to Org level. - Updated Readme Layout to add new pipeline badges. - Fixed WN16 References in defaults/main. - Cat2_Cloud moved from tasks/main and renamed to cat2_cloud_lockout_order and in cat2.yml workflow. @@ -54,4 +54,4 @@ January 2023 Release - Added Version 2 Release 3 changes during this update. - Added Version 2 Release 4 changes during this update. - Added Version 2 Release 5 changes during this update. - - Added Warning Count Summary to the End Of Playbook + - Added Warning Count Summary to the End Of Playbook. From c1fd68b45016f126a3fbe6891dd8bca35fa38f6d Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Thu, 10 Aug 2023 09:59:34 -0400 Subject: [PATCH 2/3] Linting Signed-off-by: Stephen Williams --- .ansible-lint | 3 --- .yamllint | 2 +- tasks/cat2.yml | 12 ++++++------ 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 400a4da..47f63b5 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,10 +5,7 @@ quiet: true skip_list: - 'schema' - 'no-changed-when' - - 'fqcn-builtins' - 'experimental' - - 'fqcn[action-core]' - - 'fqcn[action]' - 'name[casing]' - 'name[template]' - 'jinja[spacing]' diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/cat2.yml b/tasks/cat2.yml index a0b369d..160b21f 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1079,7 +1079,7 @@ notify: reboot_windows - name: "MEDIUM | WN19-00-000390 | AUDIT | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Warning Message No SecGuide.admx" - debug: + ansible.builtin.debug: msg: - "Warning!! SecGuide.admx is not installed in C:\\Windows\\PolicyDefinitions folder." - "This policy setting requires the installation of the SecGuide.admx custom templates" @@ -1087,7 +1087,7 @@ when: wn19_secguide_admx_audit.results[0].matched != 1 - name: "MEDIUM | WN19-00-000390 | AUDIT | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Warning Message No SecGuide.adml" - debug: + ansible.builtin.debug: msg: - "Warning!! SecGuide.adml is not installed in C:\\Windows\\PolicyDefinitions\\en-US folder" - "This policy setting requires the installation of the SecGuide.adml custom templates" @@ -1123,7 +1123,7 @@ notify: reboot_windows - name: "MEDIUM | WN19-00-000400 | AUDIT | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Warning Message No SecGuide.admx" - debug: + ansible.builtin.debug: msg: - "Warning!! SecGuide.admx is not installed in C:\\Windows\\PolicyDefinitions folder." - "This policy setting requires the installation of the SecGuide.admx custom templates" @@ -1131,7 +1131,7 @@ when: wn19_secguide_admx_audit.results[0].matched != 1 - name: "MEDIUM | WN19-00-000400 | AUDIT | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Warning Message No SecGuide.adml" - debug: + ansible.builtin.debug: msg: - "Warning!! SecGuide.adml is not installed in C:\\Windows\\PolicyDefinitions\\en-US folder" - "This policy setting requires the installation of the SecGuide.adml custom templates" @@ -1225,7 +1225,7 @@ when: "'Installed' in wn19_00_000430_ftp_audit" - name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | Warning Message." - debug: + ansible.builtin.debug: msg: - "Warning!! This is a manual task. For any sites with a Binding that lists FTP, right-click the site and select Explore." - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" @@ -1437,7 +1437,7 @@ when: wn19stig_passwordhistorysize < 24 - name: "MEDIUM | WN19-AC-000040 | PATCH | Windows Server 2019 password history must be configured to 24 passwords remembered. | Apply Variable" - win_security_policy: + community.windows.win_security_policy: section: System Access key: PasswordHistorySize value: "{{ wn19stig_passwordhistorysize }}" From bbe1f7f7aa5ed04e775349f9067bf2081f147840 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Thu, 10 Aug 2023 10:02:44 -0400 Subject: [PATCH 3/3] Update Prelim Signed-off-by: Stephen Williams --- tasks/prelim.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 685c42a..1fd2910 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -22,23 +22,6 @@ tags: - always -# 1 = disabled 0 = enabled -# this reg key may be useful to detect when secure conenctions are enabled, etc? -- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled" - ansible.windows.win_reg_stat: - path: HKLM:\System\CurrentControlSet\Control\Terminal Server - name: fDenyTSConnections - changed_when: false - failed_when: false - register: win2019_rdp_enabled - tags: - - always - -# remove this debug or set a verbose level -- name: win2019_rdp_enabled.value var - ansible.builtin.debug: - var: win2019_rdp_enabled.value - - name: Get Drive Letters" ansible.windows.win_shell: Get-Volume | ?{ $_.DriveType -eq 'Fixed' } | Select-Object -ExpandProperty 'DriveLetter' changed_when: false