2023 August Updates and Typo Fixes #53

Merged
merged 5 commits into from
Aug 18, 2023
5 changes: 2 additions & 3 deletions ChangeLog.md
Expand Up @@ -3,9 +3,8 @@
## Release 3.0.0

August 2023 Update
- Updated Workflows To Central Repo
- Renamed them to better run across all repos.
- Removed Templates & PR Temmplate from repo and adjusted to Org level.
- Updated Workflows To Centralized Repo and renamed them to better run across all repos.
- Removed Templates & PR Template from repo and adjusted to Org level.
- Updated Readme Layout to add new pipeline badges.
- Fixed WN16 References in defaults/main.
- Cat2_Cloud moved from tasks/main and renamed to cat2_cloud_lockout_order and in cat2.yml workflow.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -125,11 +125,11 @@ Below is an example of the tag section from a control within this role. Using th
```sh
tags:
- WN19-DC-000290
- V-205646
- CAT1
- CCI-000185
- SRG-OS-000066-GPOS-00034
- SV-205646r569188_rule
- CCI-000185
- V-205646
```

## Community Contribution
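Review bot: the fenced block in this hunk is tagged ```sh but its content is a YAML `tags:` list, so it should be tagged ```yaml for correct highlighting. Moving `V-205646` and `CCI-000185` to the end of the list is fine; if the intent is a fixed tag order across all controls, the README sentence above the block should say what that order is.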
20 changes: 10 additions & 10 deletions defaults/main.yml
Expand Up @@ -6,8 +6,8 @@ win2019stig_cat3_patch: true

win2019stig_min_ansible_version: "2.10.1"

# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future, this toggle may cause remediation
# We've defined complexity-high as cannot automatically remediate
# the rule in question. In the future, this toggle may cause remediation
# to fail in some cases.
win2019stig_complexity_high: false

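Review bot: the reworded comment is ungrammatical ("We've defined complexity-high as cannot automatically remediate the rule in question") and reads worse than the line it replaces. Suggest `# We've defined complexity-high to mean that the role cannot automatically remediate` followed by `# the rule in question. In the future, this toggle may cause remediation`, keeping the third line as is.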
Expand All @@ -33,7 +33,7 @@ win19stig_lengthy_search: false

# win19stig_cloud_based_system is a setting built into the playbook for testing locally vs azure.
# We have found certain controls that need to be set in a different order when being applied in the
# different enviroments. By Default This is set to false.
# different environments. By Default This is set to false.
win19stig_cloud_based_system: false

# win_skip_for_test is used in the playbook to skip over the following controls that
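Review bot: the spelling fix is correct; while this comment is being touched, "By Default This is set to false." should be "By default this is set to false." Also note that `win19stig_cloud_based_system` uses a different prefix from the `wn19stig_` variables further down this file and the `win2019stig_` variables at the top; worth confirming the name matches what the tasks reference.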
Expand Down Expand Up @@ -384,7 +384,7 @@ wn19stig_pass_age_administrator: 60
# WN19-AC-000010
# Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
# Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.
# Valid Variables are 15 or more or 0.
# Valid Variables are equal to 0 or greater than or equal to 15.
wn19stig_lockoutduration: 15

# WN19-AC-000020
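Review bot: "Valid Variables are equal to 0 or greater than or equal to 15." is still awkward; suggest `# Valid values are 0, or 15 or greater.` Since this comment documents 0 as a valid (more restrictive) setting, confirm that the WN19-AC-000010 warning task in tasks/cat2.yml, whose visible condition starts with `wn19stig_lockoutduration < 15`, exempts 0 in the rest of its `when` list.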
Expand All @@ -401,7 +401,7 @@ wn19stig_resetlockoutcount: 15
# Windows Server 2019 password history must be configured to 24 passwords remembered.
# wn19stig_passwordhistorysize is the number of passwords windows will remember before you may
# be able to reuse that same password. The default value is "24" for Windows domain systems.
# DoD has decided this is the appropriate value for all Windows systems.
# DoD determined appropriate value for all Windows systems.
wn19stig_passwordhistorysize: 24

# WN19-AC-000050
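Review bot: "DoD determined appropriate value for all Windows systems." drops the verb and reads as a fragment; suggest `# DoD has determined this is the appropriate value for all Windows systems.` (the original line was already correct).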
Expand All @@ -422,15 +422,15 @@ wn19stig_minimumpasswordlength: 14
# WN19-CC-000110
# Windows Server 2019 virtualization-based security must be enabled with the platform security
# level configured to Secure Boot or Secure Boot with DMA Protection.
# wn16stig_dma_protection is the level that they would like to setup.
# win19stig_dma_protection is the level that they would like to setup.
# Valid settings are as follows.
# 1 (Secure Boot only)
# 3 (Secure Boot and DMA Protection)
wn19stig_dma_protection: 3

# WN19-CC-000140
# Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
# wn16stig_driver_load_policy is the registry value that will be applied. The default behavior is for
# win19stig_driver_load_policy is the registry value that will be applied. The default behavior is for
# Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but
# critical" (preventing "bad").
# Approved values are below:
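Review bot: the renamed comments now say `win19stig_dma_protection` and `win19stig_driver_load_policy`, but the variable defined two lines below the first comment is `wn19stig_dma_protection`, and every other variable in this region uses the `wn19stig_` prefix, so the WN16 reference has been swapped for a different mismatch. Change both comments to `wn19stig_...`. Minor: "the level that they would like to setup" reads better as "the level you would like to set up".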
Expand Down Expand Up @@ -484,8 +484,8 @@ wn19stig_senetworklogonright: Administrators,Authenticated Users
# WN19-SO-000030
# Windows Server 2019 built-in administrator account must be renamed.
# wn19stig_newadministratorname is the non-default name for the Administror Account.
# This can be skipped during testing so as to not break the box connection using
# the toggle win_skip_for_test
# This rule can be skipped during testing, conseqently to not break the box's connection by using
# the toggle win_skip_for_test.
wn19stig_newadministratorname: adminchangethis

# WN19-SO-000040
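Review bot: "conseqently" is misspelled, and the new sentence is harder to read than the one it replaces. Suggest `# This rule can be skipped during testing, so the box's connection is not broken, by using` followed by `# the toggle win_skip_for_test.` The unchanged context line above also has "Administror" for "Administrator"; worth fixing in the same commit.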
Expand Down Expand Up @@ -570,7 +570,7 @@ wn19stig_secreateglobalprivilege: Administrators,Service,Local Service,Network S
wn19stig_seauditprivilege: Local Service,Network Service

# WN19-UR-000130
# The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
# The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
# If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding.
# If an application requires this user right, this would not be a finding. Vendor documentation must support the
# requirement for having the user right. The requirement must be documented with the ISSO.
45 changes: 21 additions & 24 deletions tasks/cat2.yml
Expand Up @@ -40,7 +40,7 @@
- name: Warning Message
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_pass_age_administrator please read"
- "Warning!! You have an invalid number of days set for wn19stig_pass_age_administrator please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_pass_age_administrator > 60

Expand Down Expand Up @@ -1312,7 +1312,7 @@
- name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read"
- "Warning!! You have an invalid number of days set for wn19stig_lockoutbadcount please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_lockoutbadcount == 0 or
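Review bot: the article fix is good, but the message still says "invalid number of days" while `wn19stig_lockoutbadcount` is a count of bad logon attempts, not days. Suggest `- "Warning!! You have an invalid number of attempts set for wn19stig_lockoutbadcount please read"`.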
Expand Down Expand Up @@ -1351,7 +1351,7 @@
- name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read"
- "Warning!! You have an invalid number of days set for wn19stig_resetlockoutcount please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_resetlockoutcount < 15
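Review bot: the message says "number of days" but `wn19stig_resetlockoutcount` is a number of minutes (the task name itself says "15 minutes or greater"); suggest `- "Warning!! You have an invalid number of minutes set for wn19stig_resetlockoutcount please read"`. Also, the `name:` value of this task opens without a quote but ends with `"`; wrap the whole string in quotes like the sibling tasks.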
Expand Down Expand Up @@ -1388,7 +1388,7 @@
- name: "MEDIUM | WN19-AC-000010 | AUDIT | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read"
- "Warning!! You have an invalid number of minutes set for wn19stig_lockoutduration please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_lockoutduration < 15
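Review bot: the visible condition is only `wn19stig_lockoutduration < 15`, while the defaults/main.yml comment updated in this same PR documents 0 as a valid, more restrictive setting. Make sure the remainder of the `when` list excludes 0, otherwise the warning fires on a compliant configuration.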
Expand Down Expand Up @@ -1426,7 +1426,7 @@
- name: "MEDIUM | WN19-AC-000040 | AUDIT | Windows Server 2019 password history must be configured to 24 passwords remembered. | Warning Message"
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number remembered passwords set for wn19stig_passwordhistorysize please read"
- "Warning!! You have an invalid number remembered passwords set for wn19stig_passwordhistorysize please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_passwordhistorysize < 24
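Review bot: the message is missing "of": "an invalid number remembered passwords" should be `- "Warning!! You have an invalid number of remembered passwords set for wn19stig_passwordhistorysize please read"`.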

Expand Down Expand Up @@ -1457,7 +1457,7 @@
- name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_maximumpasswordage please read"
- "Warning!! You have an invalid number of days set for wn19stig_maximumpasswordage please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_maximumpasswordage == 0 or
Expand Down Expand Up @@ -1494,7 +1494,7 @@
- name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_minimumpasswordage please read"
- "Warning!! You have an invalid number of days set for wn19stig_minimumpasswordage please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_minimumpasswordage == 0
Expand Down Expand Up @@ -1528,7 +1528,7 @@
- name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid password length for wn19stig_minimumpasswordlength please read"
- "Warning!! You have an invalid password length for wn19stig_minimumpasswordlength please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_minimumpasswordlength < 14
Expand Down Expand Up @@ -2771,7 +2771,7 @@
- name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater. | Warning Message."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid file size set for wn19stig_application_event_log_max_size please read"
- "Warning!! You have an invalid file size set for wn19stig_application_event_log_max_size please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_application_event_log_max_size < 32768

Expand Down Expand Up @@ -2804,7 +2804,7 @@
- name: "MEDIUM | WN19-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater. | Warning Message."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid file size set for wn19stig_security_event_log_max_size please read"
- "Warning!! You have an invalid file size set for wn19stig_security_event_log_max_size please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_security_event_log_max_size < 196608

Expand Down Expand Up @@ -2837,7 +2837,7 @@
- name: "MEDIUM | WN19-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater. | Warning Message."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid file size set for wn19stig_system_event_log_max_size please read"
- "Warning!! You have an invalid file size set for wn19stig_system_event_log_max_size please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_system_event_log_max_size < 32768

Expand Down Expand Up @@ -3939,7 +3939,7 @@
- name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | Warning Message Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_krbtgt_account_pass_age please read"
- "Warning!! You have an invalid number of days set for wn19stig_krbtgt_account_pass_age please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: wn19stig_krbtgt_account_pass_age > 180

Expand Down Expand Up @@ -4124,8 +4124,7 @@
- name: "MEDIUM | WN19-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
ansible.windows.win_user_right:
name: SeDenyBatchLogonRight
users:
- Guests
users: Guests
action: set
when: not ansible_windows_domain_member
when:
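Review bot: in the visible lines this task ends with `when: not ansible_windows_domain_member` immediately followed by a second `when:` list. If both sit at task level that is a duplicate mapping key, which the YAML parser rejects; if the first is indented under `ansible.windows.win_user_right:` it is passed to the module as an unknown argument. Fold `not ansible_windows_domain_member` into the `when:` list or drop one of the two. Collapsing `users:` from a one-item list to the scalar `Guests` should behave the same, since the module's `users` option is declared as a list and Ansible's argument handling converts a plain string to a one-element list; worth a quick run to confirm.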
Expand Down Expand Up @@ -4173,8 +4172,7 @@
- name: "MEDIUM | WN19-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
ansible.windows.win_user_right:
name: SeDenyInteractiveLogonRight
users:
- Guests
users: Guests
action: set
when: not ansible_windows_domain_member
when:
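Review bot: same issue as the SeDenyBatchLogonRight task: `when: not ansible_windows_domain_member` is followed by a second `when:` in the same task, which is either a duplicate key or a stray module argument depending on indentation; merge the condition into the `when:` list.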
Expand Down Expand Up @@ -4204,8 +4202,7 @@
- name: "MEDIUM | WN19-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
ansible.windows.win_user_right:
name: SeDenyRemoteInteractiveLogonRight
users:
- Guests
users: Guests
action: set
when: not ansible_windows_domain_member
when:
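Review bot: same issue again: `when: not ansible_windows_domain_member` followed by a second `when:` on the SeDenyRemoteInteractiveLogonRight task; merge the condition into the `when:` list so the task has a single `when`.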
Expand Down Expand Up @@ -4258,23 +4255,23 @@
ansible.builtin.debug:
msg:
- "Warning!! The DOD Root CA 3 is not installed on the system or"
- "contains a incorrect Thumbprint for the Root CA Certificate."
- "contains an incorrect Thumbprint for the Root CA Certificate."
- "Please refer to STIG documentation for proper cert to be installed."
when: wn19_pk_000010_root_3_Check.stdout == ""

- name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warning!! No DOD Root CA 4 Certificate Installed."
ansible.builtin.debug:
msg:
- "Warning!! The DOD Root CA 4 is not installed on the system or"
- "contains a incorrect Thumbprint for the Root CA Certificate."
- "contains an incorrect Thumbprint for the Root CA Certificate."
- "Please refer to STIG documentation for proper cert to be installed."
when: wn19_pk_000010_root_4_Check.stdout == ""

- name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warning!! No DOD Root CA 5 Certificate Installed."
ansible.builtin.debug:
msg:
- "Warning!! The DOD Root CA 5 is not installed on the system or"
- "contains a incorrect Thumbprint for the Root CA Certificate."
- "contains an incorrect Thumbprint for the Root CA Certificate."
- "Please refer to STIG documentation for proper cert to be installed."
when: wn19_pk_000010_root_5_Check.stdout == ""

Expand Down Expand Up @@ -4531,7 +4528,7 @@
- name: "MEDIUM | WN19-SO-000100 | AUDIT | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. | Number Of Days Check."
ansible.builtin.debug:
msg:
- "Warning!! You have have not set the right number of days for wn19stig_machineaccountpsswd_max_age"
- "Warning!! You have not set the right number of days for wn19stig_machineaccountpsswd_max_age"
- "Please read the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_machineaccountpsswd_max_age > 30 or
Expand Down Expand Up @@ -4587,7 +4584,7 @@
- name: "MEDIUM | WN19-SO-000120 | AUDIT | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Number Of Seconds Check."
ansible.builtin.debug:
msg:
- "Warning!! You have have not set the right number of seconds for wn19stig_inactivitytimeoutsecs"
- "Warning!! You have not set the right number of seconds for wn19stig_inactivitytimeoutsecs"
- "Please read the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_inactivitytimeoutsecs > 900 or
Expand Down Expand Up @@ -4944,7 +4941,7 @@
- name: "MEDIUM | WN19-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Variable Check."
ansible.builtin.debug:
msg:
- "Warning!! You have have not choosen a correct setting for wn19stig_consentprompt"
- "Warning!! You have not choosen a correct setting for wn19stig_consentprompt"
- "Please read the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_consentprompt < 1 or
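Review bot: the duplicated "have" is fixed, but "choosen" is still misspelled; suggest `- "Warning!! You have not chosen a correct setting for wn19stig_consentprompt"`.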
6 changes: 3 additions & 3 deletions tasks/cat2_cloud_lockout_order.yml
Expand Up @@ -7,7 +7,7 @@
- name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read"
- "Warning!! You have an invalid number of days set for wn19stig_lockoutbadcount please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_lockoutbadcount == 0 or
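Review bot: as in tasks/cat2.yml, the message says "invalid number of days" but `wn19stig_lockoutbadcount` counts bad logon attempts; suggest "an invalid number of attempts set for wn19stig_lockoutbadcount" so the cloud lockout-order copy stays in sync with the main file.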
Expand Down Expand Up @@ -44,7 +44,7 @@
- name: "MEDIUM | WN19-AC-000010 | AUDIT | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read"
- "Warning!! You have an invalid number of minutes set for wn19stig_lockoutduration please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_lockoutduration < 15
Expand Down Expand Up @@ -82,7 +82,7 @@
- name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read"
- "Warning!! You have an invalid number of days set for wn19stig_resetlockoutcount please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- wn19stig_resetlockoutcount > wn19stig_lockoutduration or
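Review bot: the message says "number of days" but `wn19stig_resetlockoutcount` is in minutes (the task name says "15 minutes or greater"); suggest "an invalid number of minutes set for wn19stig_resetlockoutcount". The `name:` value of this task also has an unbalanced trailing `"`; wrap the whole string in quotes like the other tasks in this file.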