Readme Update, Discord Links, Fixed Controls, Fixed DC & MS Controls

.ansible-lint

@@ -6,12 +6,16 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'experimental'
+    - 'fqcn-builtins'
+    - 'fqcn[action]'
     - 'name[casing]'
     - 'name[template]'
+    - 'name[play]'
     - 'jinja[spacing]'
     - 'yaml[line-length]'
     - 'key-order[task]'
     - 'var-naming'  # Older playbook no new release
+    - 'var-spacing'
     - '204'
     - '208'
     - '305'

.github/workflows/devel_pipeline_validation.yml

@@ -32,7 +32,7 @@ jobs:
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                     Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
     # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
     playbook-test:

CONTRIBUTING.rst

@@ -7,7 +7,7 @@ Rules
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
 3) All work is done in your own branch
 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
-5) Be open and nice to eachother
+5) Be open and nice to each other
 
 Workflow
 --------
@@ -64,4 +64,4 @@ following text in your contribution commit message:
 
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
+option to `git commit` to automatically include the sign-off message.

ChangeLog.md

@@ -1,40 +1,53 @@
 # Changelog
 
+## Possible Future Plans For Repo
+
+- Warning System Added
+- More of the default main variables will be user defined.
+- Update To 2.0.0 once released by CIS, currently in draft status.
+
 ## Release 1.3.0
 
-- August 2023
+- September 2023 Updates
+  - Added Updated Discord Links
+  - Updated Galaxy Score Links
+  - Updated Readme
+  - Control 18.2.6 - Fixed Spelling For Member server
+  - Control 18.3.1 - Adjusted when statement for Member server only.
+  - Pr'S Closed<br/>
+  [#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - 9.2.1/9.3.1 Fixed Module Parameters in win_firewall - Thanks @gberginc<br/>
+  [#37](https://github.com/ansible-lockdown/Windows-2016-CIS/pull/37) - Section 18 Fixed Module Parameters in win_regedit - Thanks @gberginc<br/>
+  - Reviewed all DC Only and MS Only Controls to verify when statements are valid.
+  - Updated win_skip_for_test controls
+
+- August 2023 Updates
   - Updated to Central org based workflow.
   - Updated Linting files and ran against playbook
   - All modules fit FQCN standard.
   - Updated Readme.md
 
-## Possible Future Plans For Repo
-- Warning System Added
-- More of the defalt main variables will be user defined.
-- Update To 2.0.0 once released by CIS, currently in draft status.
-
 ## Release 1.2.0
 
 - May 2023 Updates
   - Updated pipelines for testing in Azure
-- Issues Closed
-  [#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value
-  [#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value
-  [#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value
-  [#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type
-  [#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type
-  [#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value
-  [#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value
-  [#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value
-  [#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value
-  [#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value
-  [#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable
-- Updated Galaxy Workflow
-- Updated module names to new standard.
-- Major Update: All task rule names updated to add win16cis to them in default main
-  and in appropriate taks files.
-- Updated Ansible_vars_goss file to match new default main.
-- Ansible Lockdown Banner In Playbook (Testing)
-- Full Linting Check
+  - Issues Closed<br/>
+    [#5](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/5) - 9.1.4/9.2.4/9.3.4 - Wrong data value <br/>
+    [#6](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/6) - 2.3.11.4 - Wrong data value <br/>
+    [#7](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/7) - 18.9.95.1 - Wrong data value<br/>
+    [#8](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/8) - 18.9.26.1.1 - Wrong data type<br/>
+    [#9](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/9) - 18.4.1 - Wrong data type<br/>
+    [#10](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/10) - 18.3.4 - Wrong data value<br/>
+    [#11](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/11) - 19.7.4.1 - Wrong data value<br/>
+    [#12](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/12) - 2.3.17.3 - Wrong data value<br/>
+    [#13](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/13) - 2.3.6.4 - Wrong data value<br/>
+    [#14](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/14) - 19.7.41.1 - Wrong data value<br/>
+    [#16](https://github.com/ansible-lockdown/Windows-2016-CIS/issues/16) - 2.3.1.5/2.3.1.6 - Changed value from hardcoded to variable<br/>
+  - Updated Galaxy Workflow
+  - Updated module names to new standard.
+  - Major Update: All task rule names updated to add win16cis to them in default main
+    and in appropriate taks files.
+  - Updated Ansible_vars_goss file to match new default main.
+  - Ansible Lockdown Banner In Playbook (Testing)
+  - Full Linting Check
 
 

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a Windows 2016 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
-### Based on [ Microsoft Windows Server 2019 Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/)
+### Based on [ Microsoft Windows Server 2016 RTM Benchmark v1.2.0 - 04-21-2022 ](https://www.cisecurity.org/cis-benchmarks/)
 
 ---
 
@@ -12,7 +12,7 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
+![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/55061?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -36,11 +36,11 @@
 
 [Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2016_cis)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis)
+[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2016_cis)
 
 ### Community
 
-On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
 ---
 
@@ -70,9 +70,10 @@ The control found in defaults main also need to reflect this as this control the
 
 ## Coming from a previous release
 
-CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
+CIS releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown.
 This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
 
+
 Further details can be seen in the [Changelog](./ChangeLog.md)
 
 ## Auditing (new)
@@ -124,7 +125,7 @@ There are many tags available for added control precision. Each control has it's
 Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.
 
 ```sh
-      tags:
+  tags:
       - level1-domaincontroller
       - level1-memberserver
       - win16cis_rule_18.3.3

defaults/main.yml

@@ -59,14 +59,12 @@ long_running: false
 # win_skip_for_test is used in the playbook to skip over certain controls that
 # may cause breaking changes when running it for testing purposes.
 # Controls that will be skipped:
-# 2.3.1.5
-# 9.3.5
-# 18.9.97.1.1
-# 18.9.97.1.2
-# 18.9.97.2.1
-# 18.9.97.2.2
-# 18.9.97.2.3
-# 18.9.98.1
+# 2.3.1.5 - Renames Administrator Account
+# 9.3.5 - Enables Firewall Public Rules *Breaks Reboot*
+# 18.9.97.1.1 - Disables WinRM Allow Client Basic Auth
+# 18.9.97.2.1 - Disables WinRM Allow Service Basic Auth
+# 18.9.97.2.2 - Disables Remote Server Management through WinRM
+# 18.9.98.1 - Disables Remote Shell Access
 win_skip_for_test: false
 
 #### Basic external audit enablement settings ####

meta/main.yml

@@ -8,9 +8,9 @@ galaxy_info:
     namespace: mindpointgroup
     min_ansible_version: 2.6
 
-# The galaxy api currently supports only Win 2008R2, 2008x64, 2008x86,
-# 2012, 2012R2, 2016, and 2019 versions. And using anything else will lower
-# galaxy score.
+    # The galaxy api currently supports only Win 2008R2, 2008x64, 2008x86,
+    # 2012, 2012R2, 2016, and 2019 versions. And using anything else will lower
+    # galaxy score.
     platforms:
         - name: Windows
           versions:

tasks/main.yml

@@ -27,7 +27,7 @@
 - name: Check ansible version
   ansible.builtin.assert:
       that: ansible_version.full is version_compare(min_ansible_version, '>=')
-      msg: You must use Ansible {{ min_ansible_version }} or greater
+      fail_msg: You must use Ansible {{ min_ansible_version }} or greater
   tags:
       - always
 

tasks/section01.yml

@@ -106,7 +106,7 @@
   community.windows.win_security_policy:
       section: System Access
       key: ClearTextPassword
-      value: "0"
+      value: 0
   when: win16cis_rule_1_1_6
   tags:
       - level1-domaincontroller

tasks/section02.yml

@@ -1135,7 +1135,7 @@
       type: dword
   when:
       - win16cis_rule_2_3_9_5
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - ansible_windows_domain_role == "Member server"
   tags:
       - level1-memberserver
       - rule_2.3.9.5
@@ -1281,7 +1281,7 @@
       data: "O:BAG:BAD:(A;;RC;;;BA)"
       type: string
   when:
-      - not ansible_windows_domain_role == "Primary domain controller"
+      - ansible_windows_domain_role == "Member server"
       - win16cis_rule_2_3_10_11
   tags:
       - level1-memberserver
@@ -1582,4 +1582,7 @@
       type: dword
   when: win16cis_rule_2_3_17_8
   tags:
-      - level1s
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_2.3.17.8
+      - patch

tasks/section09.yml

@@ -115,7 +115,7 @@
 - name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
   community.windows.win_firewall:
       state: enabled
-      profile: Private
+      profiles: Private
   when:
       - win16cis_rule_9_2_1
   tags:
@@ -226,7 +226,7 @@
 - name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
   community.windows.win_firewall:
       state: enabled
-      profile: Public
+      profiles: Public
   when:
       - win16cis_rule_9_3_1
   tags: