Merge pull request #39 from ansible-lockdown/audit_branch

tasks/main.yml

@@ -31,6 +31,12 @@
   tags:
       - always
 
+- name: Include the preliminary tasks
+  ansible.builtin.include_tasks: prelim.yml
+  tags:
+      - always
+      - prelim_tasks
+
 - name: Setup for Audit
   ansible.builtin.import_tasks: setup_audit.yml
   when: setup_audit

tasks/audit_prelim.yml → tasks/prelim.yml

@@ -1,12 +1,12 @@
 ---
 
-- name: Set system facts based on gather facts module
+- name: Set System Facts Based On Gather Facts Module
   block:
       - name: Set fact is system is standalone
         ansible.builtin.set_fact:
             win2016cis_is_standalone: true
         when:
-            - ansible_windows_domain_role ==  'Stand-alone server'
+            - ansible_windows_domain_role == 'Stand-alone server'
 
       - name: Set fact if domain controller role
         ansible.builtin.set_fact:
@@ -19,3 +19,19 @@
             win2016cis_is_domain_member: true
         when:
             - ansible_windows_domain_role == 'Member server'
+  tags:
+      - always
+
+- name: Get Windows installation type
+  ansible.windows.win_reg_stat:
+      path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+      name: InstallationType
+  register: get_windows_installation_type
+  tags:
+      - always
+
+- name: Set Windows installation type
+  ansible.builtin.set_fact:
+      windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+  tags:
+      - always

tasks/run_audit.yml

@@ -1,7 +1,4 @@
 ---
-- name: Include the preliminary tasks
-  ansible.builtin.include_tasks: audit_prelim.yml
-
 # Copied pre and post to capture output files.
 - name: copy the template used by ansible for consistent checks
   ansible.windows.win_template:

tasks/section01.yml

@@ -127,48 +127,46 @@
       - rule_1.2.2
       - patch
 
-- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
   block:
-      - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
         ansible.builtin.assert:
-            that: lockoutduration | int is version('15', '<=')
-            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
+            that: resetlockoutcount | int is version('15', '>=')
+            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
         register: result
         changed_when: false
         ignore_errors: true
 
-      - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
         community.windows.win_security_policy:
             section: System Access
-            key: LockoutDuration
-            value: "{{ lockoutduration }}"
-  when:
-      - win16cis_rule_1_2_1
-      # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+            key: ResetLockoutCount
+            value: "{{ resetlockoutcount }}"
+  when: win16cis_rule_1_2_3
   tags:
       - level1-domaincontroller
       - level1-memberserver
-      - rule_1.2.1
+      - rule_1.2.3
       - patch
 
-- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
   block:
-      - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
         ansible.builtin.assert:
-            that: resetlockoutcount | int is version('15', '>=')
-            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+            that: lockoutduration | int is version('15', '<=')
+            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
         register: result
         changed_when: false
         ignore_errors: true
 
-      - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
         community.windows.win_security_policy:
             section: System Access
-            key: ResetLockoutCount
-            value: "{{ resetlockoutcount }}"
-  when: win16cis_rule_1_2_3
+            key: LockoutDuration
+            value: "{{ lockoutduration }}"
+  when: win16cis_rule_1_2_1
   tags:
       - level1-domaincontroller
       - level1-memberserver
-      - rule_1.2.3
+      - rule_1.2.1
       - patch

tasks/section18.yml

@@ -105,7 +105,6 @@
       data: 4
       type: dword
   when:
-      - is_implemented
       - win16cis_rule_18_2_4
       - ansible_windows_domain_role == "Member Server"
   tags:
@@ -2512,7 +2511,6 @@
       type: dword
   when:
       - win16cis_rule_18_9_98_1
-      - is_implemented
       - not win_skip_for_test
   tags:
       - level2-domaincontroller

vars/main.yml

@@ -5,3 +5,8 @@
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
 
+# These are default values that will be changed when the prelim
+# runs and finds the correct setting.
+win2016cis_is_standalone: false
+win2016cis_is_domain_controller: false
+win2016cis_is_domain_member: false