Dev PR (#1)

* Update test.yml Updated role name * Update config.yml Updated REPONAME environment variable * Update main.yml * Delete section01.yml * Delete section02.yml * Delete section09.yml * Delete section17.yml * Delete section18.yml * Delete section19.yml * Add files via upload Updated playbook files with Unix line ending type * Update main.yml Removed trailing whitespaces * Update .ansible-lint-rules Updated Skip List * Update README.md
GSA · Sep 23, 2020 · f961476 · f961476
1 parent 538d343
commit f961476
Show file tree

Hide file tree

Showing 12 changed files with 3,536 additions and 3,536 deletions.
diff --git a/.ansible-lint-rules b/.ansible-lint-rules
@@ -17,4 +17,6 @@ skip_list:
 - ANSIBLE0016
 - ANSIBLE0017
 - ANSIBLE0018
+- '106' # GSA standard for Ansible Role names do not match ``^[a-z][a-z0-9_]+$`` pattern
+- '204' # Some Ansible Task Name lines are longer than 160 chars to provide for an exact match to the CIS Setting Title
 verbosity: 1
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,4 +1,4 @@
-version: 2
+version: 2.1
 jobs:
   ansible_lint:
     docker:
@@ -15,7 +15,7 @@ jobs:
           name: Create symlink for role
           command: >
             mkdir -p ~/.ansible/roles
-              ln -s $(pwd) ~/.ansible/roles/${CIRCLE_PROJECT_REPONAME##*-}
+              ln -s $(pwd) ~/.ansible/roles/${CIRCLE_PROJECT_REPONAME}
       - run:
           name: Syntax check playbook
           command: pwd; ls; ansible-playbook --syntax-check tests/test.yml
@@ -34,7 +34,7 @@ jobs:
           command: yamllint -s .
 
 workflows:
-  version: 2
+  version: 2.1
   lint_and_test:
     jobs:
       - ansible_lint
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Windows Server 2019 GSA Benchmark
+Windows Server 2019 GSA Benchmark   [![documentation](https://img.shields.io/badge/documentation-ansible-blue.svg)](https://docs.ansible.com/ansible/latest/user_guide/windows.html) [![CircleCI](https://circleci.com/gh/GSA/ansible-os-win-2019.svg?style=shield)](https://circleci.com/gh/GSA/ansible-os-win-2019)
 =================================
 
 This Ansible content will configure a Windows Server 2019 machine to be GSA compliant.

diff --git a/meta/main.yml b/meta/main.yml
@@ -8,7 +8,6 @@ galaxy_info:
 
   # If this a Container Enabled role, provide the minimum Ansible Container version.
   # min_ansible_container_version:
-
   #
   # Provide a list of supported platforms, and for each platform a list of versions.
   # If you don't wish to enumerate all versions for a particular platform, use 'all'.
@@ -21,18 +20,19 @@ galaxy_info:
   #      - 7
    - name: Windows
      versions:
-  #   - 2016
+  #  - 2016
      - 2019
-
-  galaxy_tags: 
+  #
+  galaxy_tags:
     - system
+    - windows
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.
     #
     # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
     #       Maximum 20 tags per role.
-
+    #
 dependencies: []
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,12 +1,9 @@
 ---
-- name: Harden Win2019 Server
-  hosts: all
-  tasks:
-       - include_role:
+  - include_role:
            name: ansible-os-win-2019
-       - import_tasks: section01.yml
-       - import_tasks: section02.yml
-       - import_tasks: section09.yml
-       - import_tasks: section17.yml
-       - import_tasks: section18.yml
-       - import_tasks: section19.yml
+  - import_tasks: section01.yml
+  - import_tasks: section02.yml
+  - import_tasks: section09.yml
+  - import_tasks: section17.yml
+  - import_tasks: section18.yml
+  - import_tasks: section19.yml
diff --git a/tasks/section01.yml b/tasks/section01.yml
@@ -1,85 +1,85 @@
-##########################
-##########################
-## CIS LEVEL 1 SETTINGS ##
-##########################
-##########################
-
-   - name: "1.1.1,CCE-37166-6 | Ensure 'Enforce password history' is set to '24 or more password(s)'"
-     win_security_policy:
-        section: System Access
-        key: PasswordHistorySize
-        value: 24
-     tags:
-         - rule_1.1.1
-     
-   - name: "1.1.2,CCE-37167-4 | Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' [GSA-90]"
-     win_security_policy:
-        section: System Access
-        key: MaximumPasswordAge
-        value: 90
-     tags:
-         - rule_1.1.2
-
-   - name: "1.1.3,CCE-37073-4 | Ensure 'Minimum password age' is set to '1 or more day(s)' [GSA-0]"
-     win_security_policy:
-        section: System Access
-        key: MinimumPasswordAge
-        value: 0
-     tags:
-         - rule_1.1.3
-
-     #Local Security Policy limited to 14 chars at most for 'Minimum password length'; 16 chars (GSA Policy) implemented via Default Domain Policy Attribute for domain-joined nodes
-   - name: "1.1.4,CCE-36534-6 | Ensure 'Minimum password length' is set to '14 or more character(s)' [GSA-16]"
-     win_security_policy:
-        section: System Access
-        key: MinimumPasswordLength
-        value: 14 #16
-     tags:
-         - rule_1.1.4
-
-     #CIS-CAT unable to audit this control for non-domain-joined nodes
-   - name: "1.1.5,CCE-37063-5 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' [GSA-Disabled]"
-     win_security_policy:
-        section: System Access
-        key: PasswordComplexity
-        value: 0
-     tags:
-         - rule_1.1.5
-
-     #CIS-CAT unable to audit this control for non-domain-joined nodes
-   - name: "1.1.6,CCE-36286-3 | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
-     win_security_policy:
-        section: System Access
-        key: ClearTextPassword
-        value: 0
-     tags:
-         - rule_1.1.6
-
-     #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
-   - name: "1.2.2,CCE-36008-1 | Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' [GSA-5]"
-     win_security_policy:
-        section: System Access
-        key: LockoutBadCount
-        value: 5
-     tags:
-         - rule_1.2.2
-
-   - name: "1.2.1,CCE-37034-6 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' [GSA-30]"
-     win_security_policy:
-        section: System Access
-        key: LockoutDuration
-        value: 1800
-     tags:
-         - rule_1.2.1
-
-   - name: "1.2.3,CCE-36883-7 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [GSA-30]"
-     win_security_policy:
-        section: System Access
-        key: ResetLockoutCount
-        value: 1800
-     tags:
-         - rule_1.2.3
-
-#########
-## EOF ##
-#########
+##########################
+##########################
+## CIS LEVEL 1 SETTINGS ##
+##########################
+##########################
+
+   - name: "1.1.1,CCE-37166-6 | Ensure 'Enforce password history' is set to '24 or more password(s)'"
+     win_security_policy:
+        section: System Access
+        key: PasswordHistorySize
+        value: 24
+     tags:
+         - rule_1.1.1
+
+   - name: "1.1.2,CCE-37167-4 | Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' [GSA-90]"
+     win_security_policy:
+        section: System Access
+        key: MaximumPasswordAge
+        value: 90
+     tags:
+         - rule_1.1.2
+
+   - name: "1.1.3,CCE-37073-4 | Ensure 'Minimum password age' is set to '1 or more day(s)' [GSA-0]"
+     win_security_policy:
+        section: System Access
+        key: MinimumPasswordAge
+        value: 0
+     tags:
+         - rule_1.1.3
+
+     #Local Security Policy limited to 14 chars at most for 'Minimum password length'; 16 chars (GSA Policy) implemented via Default Domain Policy Attribute for domain-joined nodes
+   - name: "1.1.4,CCE-36534-6 | Ensure 'Minimum password length' is set to '14 or more character(s)' [GSA-16]"
+     win_security_policy:
+        section: System Access
+        key: MinimumPasswordLength
+        value: 14 #16
+     tags:
+         - rule_1.1.4
+
+     #CIS-CAT unable to audit this control for non-domain-joined nodes
+   - name: "1.1.5,CCE-37063-5 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' [GSA-Disabled]"
+     win_security_policy:
+        section: System Access
+        key: PasswordComplexity
+        value: 0
+     tags:
+         - rule_1.1.5
+
+     #CIS-CAT unable to audit this control for non-domain-joined nodes
+   - name: "1.1.6,CCE-36286-3 | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
+     win_security_policy:
+        section: System Access
+        key: ClearTextPassword
+        value: 0
+     tags:
+         - rule_1.1.6
+
+     #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
+   - name: "1.2.2,CCE-36008-1 | Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' [GSA-5]"
+     win_security_policy:
+        section: System Access
+        key: LockoutBadCount
+        value: 5
+     tags:
+         - rule_1.2.2
+
+   - name: "1.2.1,CCE-37034-6 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' [GSA-30]"
+     win_security_policy:
+        section: System Access
+        key: LockoutDuration
+        value: 1800
+     tags:
+         - rule_1.2.1
+
+   - name: "1.2.3,CCE-36883-7 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [GSA-30]"
+     win_security_policy:
+        section: System Access
+        key: ResetLockoutCount
+        value: 1800
+     tags:
+         - rule_1.2.3
+
+#########
+## EOF ##
+#########