From 5248ab81edfa69643e8acebacfbd260bc2998c62 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 15:10:40 -0400 Subject: [PATCH 1/5] Typo updates 1 Signed-off-by: Frederick Witty --- defaults/main.yml | 6 ++-- tasks/cat2.yml | 45 ++++++++++++++---------------- tasks/cat2_cloud_lockout_order.yml | 6 ++-- tasks/cat3.yml | 2 +- 4 files changed, 28 insertions(+), 31 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0562024..99a107a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -384,7 +384,7 @@ wn19stig_pass_age_administrator: 60 # WN19-AC-000010 # Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. # Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. -# Valid Variables are 15 or more or 0. +# Valid Variables are equal to 0 or greater than or equal to 15. wn19stig_lockoutduration: 15 # WN19-AC-000020 @@ -422,7 +422,7 @@ wn19stig_minimumpasswordlength: 14 # WN19-CC-000110 # Windows Server 2019 virtualization-based security must be enabled with the platform security # level configured to Secure Boot or Secure Boot with DMA Protection. -# wn16stig_dma_protection is the level that they would like to setup. +# win19stig_dma_protection is the level that they would like to setup. # Valid settings are as follows. # 1 (Secure Boot only) # 3 (Secure Boot and DMA Protection) @@ -430,7 +430,7 @@ wn19stig_dma_protection: 3 # WN19-CC-000140 # Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. -# wn16stig_driver_load_policy is the registry value that will be applied. The default behavior is for +# win19stig_driver_load_policy is the registry value that will be applied. The default behavior is for # Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but # critical" (preventing "bad"). # Approved values are below: 
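Review bot: The corrected comment at `@@ -422` names `win19stig_dma_protection`, but the variable it documents is `wn19stig_dma_protection` (visible in the very next hunk's header, `wn19stig_dma_protection: 3`), so the `wn16stig_` typo is replaced by a `win19stig_` one and the comment still points at a name that does not exist in the file. The same prefix is introduced at `@@ -430` for the driver-load-policy comment; the actual variable is not visible in this hunk but presumably follows the file's `wn19stig_` prefix. Suggested lines: `# wn19stig_dma_protection is the level that they would like to setup.` and `# wn19stig_driver_load_policy is the registry value that will be applied. The default behavior is for`. Since these defaults select the VBS platform-security level and the ELAM boot-driver policy, an operator who copies the commented name into an override file would silently keep the role's defaults.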
diff --git a/tasks/cat2.yml b/tasks/cat2.yml index bb5ea42..3673fb4 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -40,7 +40,7 @@ - name: Warning Message ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_pass_age_administrator please read" + - "Warning!! You have an invalid number of days set for wn19stig_pass_age_administrator please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_pass_age_administrator > 60 @@ -1312,7 +1312,7 @@ - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read" + - "Warning!! You have an invalid number of days set for wn19stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_lockoutbadcount == 0 or @@ -1351,7 +1351,7 @@ - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read" + - "Warning!! You have an invalid number of days set for wn19stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_resetlockoutcount < 15 
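Review bot: The message at `@@ -1312` still reports an "invalid number of days set for wn19stig_lockoutbadcount", although the task name describes a count of bad logon attempts, and the message at `@@ -1351` says "days" for wn19stig_resetlockoutcount, which the task name measures in minutes; the article fix leaves the misleading unit in place. Suggested lines: `- "Warning!! You have an invalid number of attempts set for wn19stig_lockoutbadcount please read"` and `- "Warning!! You have an invalid number of minutes set for wn19stig_resetlockoutcount please read"`. The same two messages recur in tasks/cat2_cloud_lockout_order.yml at `@@ -7` and `@@ -82`. Unrelated to the changed lines, the task name in the `@@ -1351` context (`- name: MEDIUM | WN19-AC-000030 | ... greater."`) ends with a stray closing quote and no opening one; it parses as a plain scalar, but a typo commit is the place to drop it.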
@@ -1388,7 +1388,7 @@ - name: "MEDIUM | WN19-AC-000010 | AUDIT | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read" + - "Warning!! You have an invalid number of minutes set for wn19stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_lockoutduration < 15 @@ -1426,7 +1426,7 @@ - name: "MEDIUM | WN19-AC-000040 | AUDIT | Windows Server 2019 password history must be configured to 24 passwords remembered. | Warning Message" ansible.builtin.debug: msg: - - "Warning!! You have a invalid number remembered passwords set for wn19stig_passwordhistorysize please read" + - "Warning!! You have an invalid number remembered passwords set for wn19stig_passwordhistorysize please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_passwordhistorysize < 24 @@ -1457,7 +1457,7 @@ - name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_maximumpasswordage please read" + - "Warning!! You have an invalid number of days set for wn19stig_maximumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_maximumpasswordage == 0 or 
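Review bot: The message at `@@ -1426` is still missing a word after the article fix: "an invalid number remembered passwords". Suggested line: `- "Warning!! You have an invalid number of remembered passwords set for wn19stig_passwordhistorysize please read"`.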
@@ -1494,7 +1494,7 @@ - name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_minimumpasswordage please read" + - "Warning!! You have an invalid number of days set for wn19stig_minimumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_minimumpasswordage == 0 @@ -1528,7 +1528,7 @@ - name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid password length for wn19stig_minimumpasswordlength please read" + - "Warning!! You have an invalid password length for wn19stig_minimumpasswordlength please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_minimumpasswordlength < 14 @@ -2771,7 +2771,7 @@ - name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn19stig_application_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn19stig_application_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_application_event_log_max_size < 32768 
@@ -2804,7 +2804,7 @@ - name: "MEDIUM | WN19-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn19stig_security_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn19stig_security_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_security_event_log_max_size < 196608 @@ -2837,7 +2837,7 @@ - name: "MEDIUM | WN19-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn19stig_system_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn19stig_system_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_system_event_log_max_size < 32768 @@ -3939,7 +3939,7 @@ - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | Warning Message Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_krbtgt_account_pass_age please read" + - "Warning!! You have an invalid number of days set for wn19stig_krbtgt_account_pass_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_krbtgt_account_pass_age > 180 
@@ -4124,8 +4124,7 @@ - name: "MEDIUM | WN19-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyBatchLogonRight - users: - - Guests + users: Guests action: set when: not ansible_windows_domain_member when: @@ -4173,8 +4172,7 @@ - name: "MEDIUM | WN19-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight - users: - - Guests + users: Guests action: set when: not ansible_windows_domain_member when: @@ -4204,8 +4202,7 @@ - name: "MEDIUM | WN19-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight - users: - - Guests + users: Guests action: set when: not ansible_windows_domain_member when: @@ -4258,7 +4255,7 @@ ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 3 is not installed on the system or" - - "contains a incorrect Thumbprint for the Root CA Certificate." + - "contains an incorrect Thumbprint for the Root CA Certificate." - "Please refer to STIG documentation for proper cert to be installed." when: wn19_pk_000010_root_3_Check.stdout == "" 
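Review bot: Collapsing `users` from a one-item list to the bare scalar `Guests` at `@@ -4124`, and likewise at `@@ -4173` and `@@ -4204`, relies on the module declaring `users` as a list and on Ansible's argument-spec coercion splitting a string on commas; the removed form was already the documented type and needed no coercion. It is a functional change rather than a typo fix, so if it is intentional it belongs in the commit message, and if the surrounding win_user_right tasks (not visible here) still use the list form these three would now be the odd ones out. I would keep the explicit list, `users:` followed by `  - Guests`, for these deny-logon rights.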
@@ -4266,7 +4263,7 @@ ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 4 is not installed on the system or" - - "contains a incorrect Thumbprint for the Root CA Certificate." + - "contains an incorrect Thumbprint for the Root CA Certificate." - "Please refer to STIG documentation for proper cert to be installed." when: wn19_pk_000010_root_4_Check.stdout == "" @@ -4274,7 +4271,7 @@ ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 5 is not installed on the system or" - - "contains a incorrect Thumbprint for the Root CA Certificate." + - "contains an incorrect Thumbprint for the Root CA Certificate." - "Please refer to STIG documentation for proper cert to be installed." when: wn19_pk_000010_root_5_Check.stdout == "" @@ -4531,7 +4528,7 @@ - name: "MEDIUM | WN19-SO-000100 | AUDIT | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. | Number Of Days Check." ansible.builtin.debug: msg: - - "Warning!! You have have not set the right number of days for wn19stig_machineaccountpsswd_max_age" + - "Warning!! You have not set the right number of days for wn19stig_machineaccountpsswd_max_age" - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_machineaccountpsswd_max_age > 30 or @@ -4587,7 +4584,7 @@ - name: "MEDIUM | WN19-SO-000120 | AUDIT | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Number Of Seconds Check." ansible.builtin.debug: msg: - - "Warning!! You have have not set the right number of seconds for wn19stig_inactivitytimeoutsecs" + - "Warning!! You have not set the right number of seconds for wn19stig_inactivitytimeoutsecs" - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_inactivitytimeoutsecs > 900 or 
@@ -4944,7 +4941,7 @@ - name: "MEDIUM | WN19-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Variable Check." ansible.builtin.debug: msg: - - "Warning!! You have have not choosen a correct setting for wn19stig_consentprompt" + - "Warning!! You have not choosen a correct setting for wn19stig_consentprompt" - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_consentprompt < 1 or diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml index c491274..e618600 100644 --- a/tasks/cat2_cloud_lockout_order.yml +++ b/tasks/cat2_cloud_lockout_order.yml @@ -7,7 +7,7 @@ - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read" + - "Warning!! You have an invalid number of days set for wn19stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_lockoutbadcount == 0 or @@ -44,7 +44,7 @@ - name: "MEDIUM | WN19-AC-000010 | AUDIT | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read" + - "Warning!! You have an invalid number of minutes set for wn19stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_lockoutduration < 15 
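Review bot: The line rewritten at `@@ -4944` drops the duplicated "have" but keeps the misspelling "choosen". Suggested line: `- "Warning!! You have not chosen a correct setting for wn19stig_consentprompt"`.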
@@ -82,7 +82,7 @@ - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read" + - "Warning!! You have an invalid number of days set for wn19stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn19stig_resetlockoutcount > wn19stig_lockoutduration or diff --git a/tasks/cat3.yml b/tasks/cat3.yml index b2d7e0b..9ddbe75 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -188,7 +188,7 @@ - name: "LOW | WN19-CC-000260 | AUDIT | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet. " ansible.builtin.debug: msg: - - "Warning!! You have a incorrect value set for wn19stig_dodownloadmode please read" + - "Warning!! You have an incorrect value set for wn19stig_dodownloadmode please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn19stig_dodownloadmode > 2 and wn19stig_dodownloadmode != 99 and wn19stig_dodownloadmode != 100 From 42c9506db1accdd48719060bef2b146bfe0c220b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 15:41:27 -0400 Subject: [PATCH 2/5] Typo updates 2 Signed-off-by: Frederick Witty --- defaults/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 99a107a..791eb8e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -6,7 +6,7 @@ win2019stig_cat3_patch: true win2019stig_min_ansible_version: "2.10.1" -# We've defined complexity-high to mean that we cannot automatically remediate +# We've defined complexity-high as cannot automatically remediate # the rule in question. In the future, this toggle may cause remediation # to fail in some cases. win2019stig_complexity_high: false @@ -33,7 +33,7 @@ win19stig_lengthy_search: false # win19stig_cloud_based_system is a setting built into the playbook for testing locally vs azure. # We have found certain controls that need to be set in a different order when being applied in the -# different enviroments. By Default This is set to false. +# different environments. By Default This is set to false. win19stig_cloud_based_system: false # win_skip_for_test is used in the playbook to skip over the following controls that @@ -401,7 +401,7 @@ wn19stig_resetlockoutcount: 15 # Windows Server 2019 password history must be configured to 24 passwords remembered. # wn19stig_passwordhistorysize is the number of passwords windows will remember before you may # be able to reuse that same password. The default value is "24" for Windows domain systems. -# DoD has decided this is the appropriate value for all Windows systems. +# DoD determined appropriate value for all Windows systems. wn19stig_passwordhistorysize: 24 # WN19-AC-000050 @@ -484,8 +484,8 @@ wn19stig_senetworklogonright: Administrators,Authenticated Users # WN19-SO-000030 # Windows Server 2019 built-in administrator account must be renamed. # wn19stig_newadministratorname is the non-default name for the Administror Account. -# This can be skipped during testing so as to not break the box connection using -# the toggle win_skip_for_test +# This rule can be skipped during testing, conseqently to not break the box's connection using +# the toggle win_skip_for_test. wn19stig_newadministratorname: adminchangethis # WN19-SO-000040 
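Review bot: The new wording at `@@ -6`, "We've defined complexity-high as cannot automatically remediate", loses the verb phrase that made the old sentence parse, and the new line at `@@ -401`, "DoD determined appropriate value for all Windows systems.", is likewise missing its articles; both read worse than the lines they replace. Suggested lines: `# We've defined complexity-high to mean that the rule in question cannot be automatically remediated.` (with the following context line adjusted so "the rule in question" is not repeated) and `# DoD has determined this is the appropriate value for all Windows systems.`.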
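Review bot: The rewritten comment at `@@ -484` introduces the misspelling "conseqently", and its phrasing ("conseqently to not break the box's connection using") does not say what the toggle protects against; patch 4/5 in this series touches the same line again ("by using") and keeps the misspelling. Suggested lines: `# This rule can be skipped during testing, so as not to break the connection to the box, by using` and `# the toggle win_skip_for_test.`. The unchanged context line above it still reads "Administror Account"; since the series is titled as typo fixes, "Administrator" could be corrected in the same pass.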
@@ -570,7 +570,7 @@ wn19stig_secreateglobalprivilege: Administrators,Service,Local Service,Network S wn19stig_seauditprivilege: Local Service,Network Service # WN19-UR-000130 -# The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. +# The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. # If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding. # If an application requires this user right, this would not be a finding. Vendor documentation must support the # requirement for having the user right. The requirement must be documented with the ISSO. From f81f42ef523fd2847397633b977799305f92f1f4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 15:57:44 -0400 Subject: [PATCH 3/5] Typo updates 3 Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 791eb8e..6392a12 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ win2019stig_cat3_patch: true win2019stig_min_ansible_version: "2.10.1" # We've defined complexity-high as cannot automatically remediate -# the rule in question. In the future, this toggle may cause remediation +# the rule in question. In the future, this toggle may cause remediation # to fail in some cases. win2019stig_complexity_high: false From 81965c57f813d2996cc8f2e7fd412cc32398278b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 16:00:13 -0400 Subject: [PATCH 4/5] Typo updates 4 Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6392a12..2d56256 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -484,7 +484,7 @@ wn19stig_senetworklogonright: Administrators,Authenticated Users # WN19-SO-000030 # Windows Server 2019 built-in administrator account must be renamed. # wn19stig_newadministratorname is the non-default name for the Administror Account. -# This rule can be skipped during testing, conseqently to not break the box's connection using +# This rule can be skipped during testing, conseqently to not break the box's connection by using # the toggle win_skip_for_test. wn19stig_newadministratorname: adminchangethis From 2ef21fa7fe409b3996ff8b00d2b4db88e2b9b25e Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 18 Aug 2023 12:23:57 -0400 Subject: [PATCH 5/5] Typo updates 5 Signed-off-by: Frederick Witty --- ChangeLog.md | 5 ++--- README.md | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 7e9888e..18f1d4d 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -3,9 +3,8 @@ ## Release 3.0.0 August 2023 Update - - Updated Workflows To Central Repo - - Renamed them to better run across all repos. - - Removed Templates & PR Temmplate from repo and adjusted to Org level. + - Updated Workflows To Centralized Repo and renamed them to better run across all repos. + - Removed Templates & PR Template from repo and adjusted to Org level. - Updated Readme Layout to add new pipeline badges. - Fixed WN16 References in defaults/main. - Cat2_Cloud moved from tasks/main and renamed to cat2_cloud_lockout_order and in cat2.yml workflow. diff --git a/README.md b/README.md index 9ab02ed..be12f1e 100644 --- a/README.md +++ b/README.md @@ -125,11 +125,11 @@ Below is an example of the tag section from a control within this role. Using th ```sh tags: - WN19-DC-000290 - - V-205646 - CAT1 + - CCI-000185 - SRG-OS-000066-GPOS-00034 - SV-205646r569188_rule - - CCI-000185 + - V-205646 ``` ## Community Contribution