Fix For Lockout Order And Audit Fixes

defaults/main.yml

@@ -50,15 +50,9 @@ disruption_high: false
 # setting to make them stand out.
 audit_disruptive: true
 
-workaround_for_disa_benchmark: true
-workaround_for_ssg_benchmark: true
-
 # tweak role to run in a non-privileged container
 system_is_container: false
 
-# set to false to skip tasks that either have not been developed or cannot be automated
-is_implemented: false
-
 # set to false to skip long running tasks
 long_running: false
 
@@ -89,7 +83,7 @@ copy_audit_exe: false
 # download audit content
 download_goss_config: true
 
-# enable audits to run - this  runs the audit and get the latest content
+# enable audits to run - this runs the audit and get the latest content
 run_audit: false
 
 # output location for the audit
@@ -598,26 +592,27 @@ win16cis_wupdate_options: 4
 ### Goss audit variables
 
 ## Goss Binary settings
-goss_version: v0.3.16
-goss_url: https://github.com/aelsabbahy/goss/releases/download/
+goss_version: v0.3.23
+goss_url: https://github.com/goss-org/goss/releases/download/
 goss_dl_exe: goss-alpha-windows-amd64.exe
-goss_dl_sha: dd5fd18a2c42ae05215b1fca3cf7d0d4e4d318011c67be13cb37545e368d4323
+goss_dl_sha: 011477201088cac0bb8762dc0c861215b2585e0873d16277375947afe29146da
 goss_exe: goss.exe  # Note any path to be a forward slash
 audit_format: json
 
-# Goss opy download options
+# Goss copy download options
 goss_download_url: "{{ goss_url }}{{ goss_version }}/{{ goss_dl_exe }}"
-goss_copy_src: Full to copy the exe
+goss_copy_src: Full Path To Local Copy Of .Exe Inserted In This Variable
 
 # Goss Audit config when using git to download
-goss_conf_git_branch: main
+goss_conf_git_branch: devel
 goss_conf_url: "https://github.com/ansible-lockdown/{{ os_distribution }}-{{ benchmark }}-Audit/archive/refs/heads/{{ goss_conf_git_branch }}.zip"
+goss_conf_unzipped_dir: "c:/{{ audit_dir }}/{{ os_distribution }}-{{ benchmark }}-Audit-{{ goss_conf_git_branch }}"
 
 ## Goss running
 audit_scripts_dir: "c:/{{ audit_dir }}/{{ os_distribution }}-{{ benchmark }}-Audit"
 run_audit_script: "{{ audit_scripts_dir }}/run_audit.ps1"
 goss_vars_path: "{{ audit_scripts_dir }}/{{ ansible_hostname }}.yml"
-audit_results_file: "{{ audit_capture_path }}{{ ansible_hostname }}_{{ audit_time }}_remediate_{{ ansible_date_time.epoch }}.{{ audit_format }}"
+audit_results_file: "{{ audit_capture_path }}/{{ ansible_hostname }}_{{ audit_time }}_remediate_{{ ansible_date_time.epoch }}.{{ audit_format }}"
 
 audit_results: |
       The pre remediation results are: {{ pre_audit_summary }}.

meta/main.yml

@@ -8,6 +8,9 @@ galaxy_info:
     namespace: mindpointgroup
     min_ansible_version: 2.6
 
+# The galaxy api currently supports only Win 2008R2, 2008x64, 2008x86,
+# 2012, 2012R2, 2016, and 2019 versions. And using anything else will lower
+# galaxy score.
     platforms:
         - name: Windows
           versions:

tasks/main.yml

@@ -6,7 +6,7 @@
   tags:
       - always
 
-- name: Gather distribution info
+- name: Gather Distribution Info
   ansible.builtin.setup:
       gather_subset: distribution,!all,!min
   when:
@@ -31,6 +31,12 @@
   tags:
       - always
 
+- name: Include the preliminary tasks
+  ansible.builtin.include_tasks: prelim.yml
+  tags:
+      - always
+      - prelim_tasks
+
 - name: Setup for Audit
   ansible.builtin.import_tasks: setup_audit.yml
   when: setup_audit
@@ -39,8 +45,7 @@
 
 - name: Run Audit
   ansible.builtin.import_tasks: run_audit.yml
-  when:
-      - run_audit
+  when: run_audit
   vars:
       audit_time: pre
   tags:

tasks/audit_prelim.yml → tasks/prelim.yml

@@ -1,12 +1,12 @@
 ---
 
-- name: Set system facts based on gather facts module
+- name: Set System Facts Based On Gather Facts Module
   block:
       - name: Set fact is system is standalone
         ansible.builtin.set_fact:
             win2016cis_is_standalone: true
         when:
-            - ansible_windows_domain_role ==  'Stand-alone server'
+            - ansible_windows_domain_role == 'Stand-alone server'
 
       - name: Set fact if domain controller role
         ansible.builtin.set_fact:
@@ -19,3 +19,19 @@
             win2016cis_is_domain_member: true
         when:
             - ansible_windows_domain_role == 'Member server'
+  tags:
+      - always
+
+- name: Get Windows installation type
+  ansible.windows.win_reg_stat:
+      path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+      name: InstallationType
+  register: get_windows_installation_type
+  tags:
+      - always
+
+- name: Set Windows installation type
+  ansible.builtin.set_fact:
+      windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+  tags:
+      - always

tasks/run_audit.yml

@@ -1,17 +1,14 @@
 ---
-- name: Include the preliminary tasks
-  ansible.builtin.include_tasks: audit_prelim.yml
-
 # Copied pre and post to capture output files.
 - name: copy the template used by ansible for consistent checks
   ansible.windows.win_template:
-      src: ansible_vars_goss.yml.j2
+      src: templates/ansible_vars_goss.yml.j2
       dest: "{{ goss_vars_path }}"
   when:
       - audit_time == 'pre'
 
 - name: Run the goss audit
-  ansible.windows.win_shell: "{{ run_audit_script }} -auditbin {{ audit_capture_path }}{{ goss_exe }} -auditdir {{audit_capture_path }} -varsfile {{ ansible_hostname }}.yml -outfile {{ audit_results_file }}"
+  ansible.windows.win_shell: "{{ run_audit_script }} -auditbin {{ audit_capture_path }}{{ goss_exe }} -auditdir {{ audit_capture_path }} -varsfile {{ ansible_hostname }}.yml -outfile {{ audit_results_file }}"
   failed_when: false
 
 - name: Capture the pre remediation audit data summary

tasks/section01.yml

@@ -127,49 +127,46 @@
       - rule_1.2.2
       - patch
 
-- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
   block:
-      - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
         ansible.builtin.assert:
-            that: lockoutduration | int is version('15', '<=')
-            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
+            that: resetlockoutcount | int is version('15', '>=')
+            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
         register: result
         changed_when: false
         ignore_errors: true
 
-      - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
         community.windows.win_security_policy:
             section: System Access
-            key: LockoutDuration
-            value: "{{ lockoutduration }}"
-  when:
-      - win16cis_rule_1_2_1
-      # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
-      - is_implemented
+            key: ResetLockoutCount
+            value: "{{ resetlockoutcount }}"
+  when: win16cis_rule_1_2_3
   tags:
       - level1-domaincontroller
       - level1-memberserver
-      - rule_1.2.1
+      - rule_1.2.3
       - patch
 
-- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
   block:
-      - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
         ansible.builtin.assert:
-            that: resetlockoutcount | int is version('15', '>=')
-            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+            that: lockoutduration | int is version('15', '<=')
+            fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
         register: result
         changed_when: false
         ignore_errors: true
 
-      - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+      - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
         community.windows.win_security_policy:
             section: System Access
-            key: ResetLockoutCount
-            value: "{{ resetlockoutcount }}"
-  when: win16cis_rule_1_2_3
+            key: LockoutDuration
+            value: "{{ lockoutduration }}"
+  when: win16cis_rule_1_2_1
   tags:
       - level1-domaincontroller
       - level1-memberserver
-      - rule_1.2.3
+      - rule_1.2.1
       - patch

tasks/section18.yml

@@ -105,7 +105,6 @@
       data: 4
       type: dword
   when:
-      - is_implemented
       - win16cis_rule_18_2_4
       - ansible_windows_domain_role == "Member Server"
   tags:
@@ -2512,7 +2511,6 @@
       type: dword
   when:
       - win16cis_rule_18_9_98_1
-      - is_implemented
       - not win_skip_for_test
   tags:
       - level2-domaincontroller

tasks/setup_audit.yml

@@ -25,6 +25,7 @@
   ansible.windows.win_get_url:
       url: "{{ goss_conf_url }}"
       dest: "{{ audit_capture_path }}goss_conf.zip"
+  register: audit_downloaded
   when:
       - download_goss_config
 
@@ -34,3 +35,10 @@
       dest: "{{ audit_capture_path }}"
   when:
       - download_goss_config
+      - audit_downloaded.changed
+
+- name: Rename Goss Config Folder
+  ansible.windows.win_shell: Rename-Item {{ goss_conf_unzipped_dir }} {{ audit_scripts_dir }}
+  when:
+      - download_goss_config
+      - audit_downloaded.changed

vars/main.yml

@@ -4,3 +4,9 @@
 
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
+
+# These are default values that will be changed when the prelim
+# runs and finds the correct setting.
+win2016cis_is_standalone: false
+win2016cis_is_domain_controller: false
+win2016cis_is_domain_member: false