Skip to content

Commit

Permalink
Merge pull request #42 from ansible-lockdown/2024_March_Update
Browse files Browse the repository at this point in the history
2024 March Update: Updates from Sep2023 Branch, Typo fixes and improved reboot notify
  • Loading branch information
frederickw082922 authored Mar 20, 2024
2 parents 99100d8 + 26baa57 commit 1f5f542
Show file tree
Hide file tree
Showing 22 changed files with 222 additions and 110 deletions.
4 changes: 4 additions & 0 deletions .ansible-lint
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,16 @@ skip_list:
- 'schema'
- 'no-changed-when'
- 'experimental'
- 'fqcn-builtins'
- 'fqcn[action]'
- 'name[casing]'
- 'name[template]'
- 'name[play]'
- 'jinja[spacing]'
- 'yaml[line-length]'
- 'key-order[task]'
- 'var-naming' # Older playbook no new release
- 'var-spacing'
- '204'
- '208'
- '305'
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/devel_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ on: # yamllint disable-line rule:truthy
- '**.cfg'

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This setion contains all the jobs below that are running in the workflow.
# This section contains all the jobs below that are running in the workflow.
jobs:
# This will create messages for first time contributers and direct them to the Discord server
# This will create messages for the first time contributors and direct them to the Discord server
welcome:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
Expand All @@ -32,9 +32,9 @@ jobs:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
Expand All @@ -59,13 +59,13 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
Expand All @@ -84,7 +84,7 @@ jobs:
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -93,7 +93,7 @@ jobs:
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -102,15 +102,15 @@ jobs:
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/main_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ on: # yamllint disable-line rule:truthy
- '**.cfg'

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This setion contains all the jobs below that are running in the workflow.
# This section contains all the jobs below that are running in the workflow.
jobs:
# This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
Expand All @@ -47,13 +47,13 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
Expand All @@ -72,7 +72,7 @@ jobs:
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -81,7 +81,7 @@ jobs:
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -90,15 +90,15 @@ jobs:
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/update_galaxy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ jobs:
update_role:
runs-on: ubuntu-latest
steps:
- name: Checkout V3
uses: actions/checkout@v3
- name: Checkout V4
uses: actions/checkout@v4

- name: Update Galaxy
uses: robertdebock/galaxy-action@master
Expand Down
4 changes: 2 additions & 2 deletions CONTRIBUTING.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Rules
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
3) All work is done in your own branch
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
5) Be open and nice to eachother
5) Be open and nice to each other

Workflow
--------
Expand Down Expand Up @@ -64,4 +64,4 @@ following text in your contribution commit message:

This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the signoff message.
option to `git commit` to automatically include the sign-off message.
65 changes: 38 additions & 27 deletions ChangeLog.md
Original file line number Diff line number Diff line change
@@ -1,40 +1,51 @@
# Changelog

## Release 1.3.1

- March 2024 Update
- Typo Fixes

## Release 1.3.0

- August 2023
- September 2023 Updates
- Bug Fixes
- Added Updated Discord Links
- Updated Galaxy Score Links
- Updated Readme
- Control 18.2.6 - Fixed Spelling For Member server
- Control 18.3.1 - Adjusted when statement for Member server only.
- PR'S Closed<br/>
[#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - 9.2.1/9.3.1 Fixed Module Parameters in win_firewall - Thanks @gberginc<br/>
[#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - Section 18 Fixed Module Parameters in win_regedit - Thanks @gberginc<br/>
- Reviewed all DC Only and MS Only Controls to verify when statements are valid.
- Updated win_skip_for_test controls

- August 2023 Updates
- Updated to Central org based workflow.
- Updated Linting files and ran against playbook
- All modules fit FQCN standard.
- Updated Readme.md

## Possible Future Plans For Repo
- Warning System Added
- More of the defalt main variables will be user defined.
- Update To 2.0.0 once released by CIS, currently in draft status.

## Release 1.2.0

- May 2023 Updates
- Updated pipelines for testing in Azure
- Issues Closed
[#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value
[#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value
[#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value
[#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type
[#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type
[#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value
[#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value
[#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value
[#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value
[#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value
[#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable
- Updated Galaxy Workflow
- Updated module names to new standard.
- Major Update: All task rule names updated to add win16cis to them in default main
and in appropriate taks files.
- Updated Ansible_vars_goss file to match new default main.
- Ansible Lockdown Banner In Playbook (Testing)
- Full Linting Check


- Issues Closed<br/>
[#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value <br/>
[#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value <br/>
[#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value<br/>
[#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type<br/>
[#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type<br/>
[#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value<br/>
[#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value<br/>
[#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value<br/>
[#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value<br/>
[#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value<br/>
[#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable<br/>
- Updated Galaxy Workflow
- Updated module names to new standard.
- Major Update: All task rule names updated to add win16cis to them in default main
and in appropriate taks files.
- Updated Ansible_vars_goss file to match new default main.
- Ansible Lockdown Banner In Playbook (Testing)
- Full Linting Check
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise
Copyright (c) 2024 MindPoint Group / Lockdown Enterprise

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
Expand Down
36 changes: 21 additions & 15 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Configure a Windows 2016 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant

### Based on [ Microsoft Windows Server 2019 Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/)
### Based on [ Microsoft Windows Server 2016 RTM Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/)

---

Expand All @@ -12,7 +12,6 @@
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)

![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)

![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
Expand All @@ -36,11 +35,11 @@

[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2016_cis)

[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis)
[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis)

### Community

On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users

---

Expand All @@ -50,28 +49,28 @@ This role **will make changes to the system** which may have unintended conseque

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution.

This role was developed against a clean install of the Windows 2016 Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
This role was developed against a clean install of the Windows 2016 Operating System. If you are implementing this role on an existing system, please review this role for any site specific changes that are needed.

To use release version please point to main branch and relevant release for the cis benchmark you wish to work with.
To use release version please point to main branch and relevant release for the CIS benchmark you wish to work with.

---

## Matching a security Level for CIS

It is possible to to only run level 1 or level 2 controls for CIS.
It is possible to only run level 1 or level 2 controls for CIS.
This is managed using tags:

- level1-domaincontroller
- level1-memberserver
- level2-domaincontroller
- level2-memberserver

The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.
The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component.

## Coming from a previous release

CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
CIS releases routinely contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown.
This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.

Further details can be seen in the [Changelog](./ChangeLog.md)

Expand All @@ -98,7 +97,7 @@ Currently this release does not have a auditing tool that is up to date.
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file.

**Technical Dependencies:**

Expand All @@ -119,12 +118,12 @@ This role is designed that the end user should not have to edit the tasks themse

## Tags

There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number.
There are many tags available for added control precision. Each control has its own set of tags noting what level, what OS element it relates to if it's a patch or audit, and the rule number.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.

```sh
tags:
tags:
- level1-domaincontroller
- level1-memberserver
- win16cis_rule_18.3.3
Expand All @@ -136,9 +135,16 @@ Below is an example of the tag section from a control within this role. Using th

We encourage you (the community) to contribute to this role. Please read the rules below.

- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

## Pipeline Testing

uses:

- ansible-core 2.12
- ansible collections - pulls in the latest version based on the requirements file
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel
Loading

0 comments on commit 1f5f542

Please sign in to comment.