Merge pull request #16 from ansible-lockdown/devel

Release v2.0.1
Signed-off-by: George Nalen <[email protected]>

CONTRIBUTING.rst

@@ -1,6 +1,19 @@
 Contributing to MindPoint Group Projects
 ========================================
 
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+5) Be open and nice to eachother
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
 Signing your contribution
 -------------------------
 
@@ -50,4 +63,4 @@ following text in your contribution commit message:
 
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
+option to `git commit` to automatically include the signoff message.

README.md

@@ -1,17 +1,44 @@
 Windows Server 2019 DISA STIG
 =========
+![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/Windows-2019-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
+![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/Windows-2019-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic)
+![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-STIG?style=plastic)
 
-Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. ~Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.~ _To be implemented_
+Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
 
-This role is based on Windows Server 2019 DISA STIG: [Version 2, Rel 1 released on November 13, 2020](Need URL HEre).
+This role is based on Windows Server 2019 DISA STIG: [Version 2, Rel 1 released on November 13, 2020](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R1_STIG.zip).
 
-Requirements
-------------
+Caution(s)
+-------
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+
+This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
+
+To use release version please point to main branch
+Based on [Windows Server 2019 DISA STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R1_STIG.zip).
 
-Windows Server 2019 - Other versions are not supported.
+Documentation
+-------------
+[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
+[Wiki](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki)<br>
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-STIG/)<br>
 
-Dependencies
+Requirements
 ------------
+**General:**
+- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
+  - [Main Ansible documentation page](https://docs.ansible.com)
+  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
+  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
+  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables).
+
+**Technical Dependencies:**
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
 
 The following packages must be installed on the controlling host/host where ansible is executed:
 
@@ -25,24 +52,22 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat
 
 Role Variables
 --------------
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
 
-Please see the Ansible docs for understanding [variable precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) to tailor for your needs. 
-
-| Name                     | Default Value       | Description                   |
-|--------------------------|-----------------------------------------------------|----------------------|
-| `win2019stig_cat1_patch` | `yes` see defaults/main.yml](./defaults/main.yml)   | Correct CAT I findings        |
-| `win2019stig_cat2_patch` | `yes`  see defaults/main.yml](./defaults/main.yml)  | Correct CAT II findings       |
-| `win2019stig_cat3_patch` | `yes`  see defaults/main.yml](./defaults/main.yml)  | Correct CAT III findings      |
-| `wn19_##_######`         | [see defaults/main.yml](./defaults/main.yml)        | Individual variables to enable/disable each STIG ID. |
+Branches
+--------
+- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- **main** - This is the release branch
+- **reports** - This is a protected branch for our scoring reports, no code should ever go here
+- **gh-pages** - This is the github pages branch
+- **all other branches** - Individual community member branches
 
-Example Playbook
-----------------
+Community Contribution
+----------------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+We encourage you (the community) to contribute to this role. Please read the rules below.
 
-    - hosts: servers
-      roles:
-         - role: win-2k16-stig
-           when:
-                - ansible_os_family == 'Windows'
-                - ansible_distribution | regex_search('(Server 2019)')
+- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
+- All community Pull Requests are pulled into the devel branch
+- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

tasks/cat1.yml

@@ -340,7 +340,7 @@
         changed_when: no
   when:
       - wn19_ms_000010
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - "'controller' not in ansible_windows_domain_role"
   tags:
       - WN19-MS-000010
       - V-93043
@@ -353,7 +353,7 @@
 - name: "HIGH | WN19-UR-000020 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts."
   win_user_right:
     name: SeTcbPrivilege
-    users: 
+    users: []
     action: set
   when: wn19_ur_000020
   tags:
@@ -709,4 +709,4 @@
       - SV-103389r1
       - CCI-000366
       - patch
-      - high
+      - high

tasks/cat2.yml

@@ -8,7 +8,7 @@
         register: wn19_00_000020_audit_dc
         check_mode: no
         changed_when: wn19_00_000020_audit_dc.stdout != ""
-        when: ansible_windows_domain_role == "Primary domain controller"
+        when: "'controller' in ansible_windows_domain_role"
 
       - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
         debug:
@@ -24,7 +24,7 @@
         win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19_00_000020_pass_age }}))} | Select Name,PasswordLastSet"
         register: wn19_00_000020_audit_dm_sa
         changed_when: wn19_00_000020_audit_dm_sa.stdout != ""
-        when: not ansible_windows_domain_role == "Primary domain controller"
+        when: "'controller' not in ansible_windows_domain_role"
 
       - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
         debug:
@@ -64,7 +64,7 @@
         changed_when: no
   when:
       - wn19_00_000040
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - "'controller' not in ansible_windows_domain_role"
   tags:
       - WN19-00-000040
       - V-93207