
windows-2019-stig's Introduction

Windows 2019 DISA STIG

Configure a Windows 2019 system to be DISA STIG compliant.




Looking for support?

Lockdown Enterprise

Ansible support

Community

Join us on our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users.


Caution(s)

This role will make changes to the system that may have unintended consequences. It is not an auditing tool but a remediation tool, to be used after an audit.

Check mode is not supported. The role will run to completion in check mode without errors, but check mode is not supported and its results should be treated with caution.

This role was developed against a clean install of the Windows 2019 operating system. If you are applying it to an existing system, review this role for any site-specific changes that are needed.

To use the release version, point to the main branch and the relevant release for the STIG benchmark you wish to work with.


Matching a security level for STIG

It is possible to run only the controls that belong to a particular STIG severity category. This is managed using tags:

  • CAT1
  • CAT2
  • CAT3

The corresponding category switch in defaults/main.yml must also be set to true; the tag selects the controls, but the switch is what allows them to run when the playbook is launched.

Coming from a previous release

STIG releases always contain changes, so it is highly recommended to review the new references and available variables. The role has changed significantly since the initial release of ansible-lockdown. It is now compatible with Python 3 if that is found to be the default interpreter; this comes with prerequisites that configure the system accordingly.

Further details can be seen in the Changelog

Auditing (new)

Currently, this release does not have an auditing tool.

Documentation

Requirements

General:

  • Basic knowledge of Ansible. The Ansible documentation is a good place to start if you are unfamiliar with Ansible.

  • A functioning Ansible and/or Tower installation, configured and running. This includes all of the base Ansible/Tower configuration, the needed packages, and the infrastructure setup.

  • Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences on a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

  • Windows 2019 - Other versions are not supported
  • Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
  • Python3 Ansible run environment
  • passlib (or python2-passlib, if using python2)
  • python-lxml
  • python-xmltodict
  • python-jmespath
  • pywinrm

The python-xmltodict package is required only if you enable the OpenSCAP tool installation and run a report. The python(2)-passlib and python-jmespath packages are required for tasks that use custom filters or modules. All of these are required on the controller host that executes Ansible, not on the Windows targets.

Role Variables

This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting win19stig_disruption_high to true.

Tags

There are many tags available for added control precision. Each control has its own set of tags noting its severity category, the OS element it relates to, whether it is a patch or audit task, and the rule number.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000185, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000185.

  tags:
      - WN19-DC-000290
      - CAT1
      - CCI-000185
      - SRG-OS-000066-GPOS-00034
      - SV-205646r569188_rule
      - V-205646
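As an added example (not part of the project's README or role), here is a wrapper playbook that combines the category switches from defaults/main.yml with tag filters on the command line. The role directory name and the host group win2019 are assumptions; the variable names win2019stig_cat*_patch are taken from the tasks/main.yml excerpt quoted in the issues further down this page, and win19stig_disruption_high from the Role Variables section, so check both against the defaults/main.yml of the release you use.

```yaml
# site.yml: added example wrapper for the role, not the project's own file.
# Role directory name and host group are assumptions; variable names are
# taken from this page and must be confirmed against defaults/main.yml.
- name: Apply the Windows Server 2019 STIG, CAT I and CAT II only
  hosts: win2019
  gather_facts: true
  vars:
    win2019stig_cat1_patch: true
    win2019stig_cat2_patch: true
    win2019stig_cat3_patch: false      # CAT III left untouched for this run
    win19stig_disruption_high: false   # keep disruptive remediations off
  roles:
    - role: Windows-2019-STIG
      when:
        - ansible_os_family == 'Windows'
        - ansible_distribution | regex_search('(Server 2019)')

# Preview which controls a tag filter selects, without touching a host:
#   ansible-playbook site.yml --list-tasks --tags CAT1
# Run only the controls tagged with one CCI, or run everything except them:
#   ansible-playbook site.yml --tags CCI-000185
#   ansible-playbook site.yml --skip-tags CCI-000185
# A tag filter never overrides a category switch: with
# win2019stig_cat1_patch=false, --tags CAT1 still selects the CAT1 tasks,
# but the when: condition on the cat1.yml import skips every one of them.
```

Use --list-tasks before a real run whenever you combine --tags and --skip-tags; it is the quickest way to confirm that the filter resolves to the controls you intended, since a misspelled tag silently matches nothing.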

Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

  • Your work is done in your own individual branch. Make sure to sign off (Signed-off-by) and GPG-sign all commits you intend to merge.
  • All community Pull Requests are pulled into the devel branch.
  • Pull Requests into devel will be checked for GPG-signed, signed-off commits and a passing functional test before being approved.
  • Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release.

Pipeline Testing

uses:

  • ansible-core 2.12
  • ansible collections - pulls in the latest version based on requirements file
  • runs the audit using the devel branch
  • This is an automated test that occurs on pull requests into devel

windows-2019-stig's People

Contributors

frederickw082922, georgenalen, kclinden, mikecantcode, mrsteve81, uk-bolly


windows-2019-stig's Issues

Put roles into blocks to prevent unwanted execution - force failure

Issue:

If your playbook contains ignore_errors: yes, then the possibility of erroring out and the play failing won't happen if a conditional check isn't matching. Therefore, as a failsafe conditional check, a block module is needed to prevent unnecessary task execution.

The return code values need to be registered in /tasks/main.yml

Create a boolean conditional check on the registered values before processing prelim, cat1, cat2, cat3.

Code:

# A block must be a list item in tasks/main.yml; the outer when: applies the
# registered version checks to everything inside it.
- name: Run the STIG categories only when the OS and Ansible version checks passed
  block:
    - name: Include the preliminary tasks
      include_tasks: prelim.yml
      tags:
          - prelim_tasks

    - name: Execute the category 1 (highest severity) tasks
      import_tasks: cat1.yml
      when: win2019stig_cat1_patch | bool
      tags:
          - cat1
          - high

    - name: Execute the category 2 (medium severity) tasks
      import_tasks: cat2.yml
      when: win2019stig_cat2_patch | bool
      tags:
          - cat2
          - medium

    - name: Execute the category 3 (lowest severity) tasks
      import_tasks: cat3.yml
      when: win2019stig_cat3_patch | bool
      tags:
          - cat3
          - low      # lowest severity; the original excerpt repeated "medium" here
  # os_version_check and ansible_version_check are the booleans registered
  # earlier in tasks/main.yml, as described above.
  when:
    - os_version_check is true
    - ansible_version_check is true

Updates to Version Tagging

Hello,
I wanted to give an update on a tagging change that will take place on the next release, scheduled at some point in May. Without realizing that Ansible Galaxy needs version numbers in the Semantic format that excludes the preceding "v", for example 1.2.1 vs v1.2.1, we have been using tags with the preceding v. This has caused our Galaxy space to not update with our latest releases.

Going forward, we plan to adjust the version number formatting on the first release for each repo in May. Please note that if you are relying on release tags to keep up with the latest versions, the numbering format will change. The cadence of the version numbers will continue and progress as it has, but the preceding "v" will be dropped from the tag.

George

Bad conditionals make Backup Domain Controllers evaluate Member Server rules rather than Domain Controller rules

Here is one example of many where the role needs to update this conditional to account for Backup Domain Controllers.

Issue:

Bad conditionals make Backup Domain Controllers evaluate Member Server rules rather than Domain Controller rules

Possible Solutions:

  1. The conditional could use the same Ansible fact, but change the logic.

     when:
       - "'domain controller' in ansible_windows_domain_role"

  2. The conditional could use a different Ansible fact that is the same across Domain Controller types.

     when:
       - ansible_os_product_type == "domain_controller"
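Before applying DC or member-server rules, a practitioner will want to see how each host is actually classified by the two facts the proposals above rely on. The play below is an added example, not part of the role or of the issue: it prints both facts and evaluates both proposed conditionals per host, and stops if they disagree. The host group name is an assumption. One caveat on the substring form: the Jinja in test is case-sensitive, so it relies on the fact value containing lower-case "domain controller"; the values I know the setup module to report, "Backup domain controller" and "Primary domain controller", both match, but confirm with ansible <host> -m ansible.builtin.setup on one of your domain controllers before depending on it.

```yaml
# Added example, not part of the role. Host group name is assumed.
# Shows, per host, the facts behind the two proposed conditionals and how
# each conditional evaluates, so a mis-classified domain controller is
# caught before DC or MS rules are applied to it.
- name: Report how each host would be classified as DC or member server
  hosts: win2019
  gather_facts: true
  tasks:
    - name: Show the two facts and both proposed conditionals
      ansible.builtin.debug:
        msg:
          - "ansible_windows_domain_role: {{ ansible_windows_domain_role }}"
          - "ansible_os_product_type: {{ ansible_os_product_type }}"
          - "substring test: {{ 'domain controller' in ansible_windows_domain_role }}"
          - "product type test: {{ ansible_os_product_type == 'domain_controller' }}"

    # The substring test is case-sensitive; lower-casing the fact first
    # protects against a differently cased value.
    - name: Stop if the two classifications disagree for this host
      ansible.builtin.assert:
        that:
          - ('domain controller' in (ansible_windows_domain_role | lower)) ==
            (ansible_os_product_type == 'domain_controller')
        fail_msg: >-
          facts disagree on whether {{ inventory_hostname }} is a domain
          controller; resolve this before applying DC or MS rules to it
```

Run it against the same inventory group you will later target with the STIG role; any host where the assert fails is one where the role's DC/MS conditionals cannot be trusted yet.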

Update exclusion on Secondary DC controls

There are some controls that need to be excluded from the domain controllers. In their current arrangement those controls still run on a secondary domain controller. I have those controls listed below.

WN19-00-000040
WN19-00-000020
WN19-MS-000010

WN19-UR-000020 - Null Value Breaks Control

When trying to run task WN19-UR-000020 it fails since it is not given a value. The value should be changed to ""

Error

TASK [Windows-2019-STIG : HIGH | WN19-UR-000020 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.] *******************************
task path: /Users/kclinden/.ansible/roles/Windows-2019-STIG/tasks/cat1.yml:353
redirecting (type: modules) ansible.builtin.win_user_right to ansible.windows.win_user_right
Using module file /Users/kclinden/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_user_right.ps1
Pipelining is enabled.
<192.168.67.8> ESTABLISH WINRM CONNECTION FOR USER: vagrant on PORT 5985 TO 192.168.67.8
EXEC (via pipeline wrapper)
The full traceback is:
Cannot bind argument to parameter 'InputObject' because it is an empty string.
At line:346 char:34
+ $userSids = [String[]]@($users | ConvertTo-SecurityIdentifier | ForEa ...
+                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [ConvertTo-SecurityIdentifier], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,ConvertTo-SecurityIdentifier

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 346

System.Management.Automation.ParameterBindingValidationException: Cannot bind argument to parameter 'InputObject' because it is an empty string.
   at System.Management.Automation.CmdletParameterBinderController.BindValueFromPipeline(PSObject inputToOperateOn, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingStateInParameterSet(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingState(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParametersPrivate(PSObject inputToOperateOn)
   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParameters(PSObject inputToOperateOn)
   at System.Management.Automation.CommandProcessor.Read()
fatal: [w2019-test]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Cannot bind argument to parameter 'InputObject' because it is an empty string."

Code

- name: "HIGH | WN19-UR-000020 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts."
  win_user_right:
    name: SeTcbPrivilege
    users: 
    action: set
  when: wn19_ur_000020
  tags:
      - WN19-UR-000020
      - V-93051
      - SRG-OS-000324-GPOS-00125
      - SV-103139r1
      - CCI-002235
      - patch
      - high
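Because the role has no audit component, anyone fixing this control will want an independent check that SeTcbPrivilege really ends up unassigned on the target. The play below is an added example, not part of the role or of the issue: it exports the local security policy with secedit and fails if anything holds the right. secedit lists a privilege only when it has at least one assignee, so the absence of the SeTcbPrivilege line is the passing condition. The host group name and the temporary file location are assumptions, and the WinRM user needs administrative rights because secedit reads the local policy.

```yaml
# Audit check for WN19-UR-000020: the "Act as part of the operating system"
# right (SeTcbPrivilege) must have no assignees. Added example, not part of
# the role. Host group name and temp file location are assumptions; the
# WinRM user must be an administrator for secedit /export to succeed.
- name: Verify that SeTcbPrivilege has no assignees
  hosts: win2019
  gather_facts: false
  tasks:
    - name: Export the user rights section of the local security policy
      ansible.windows.win_shell: |
        $inf = Join-Path $env:TEMP 'user_rights_audit.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        # secedit writes the INF as UTF-16, so read it with that encoding
        Get-Content -Path $inf -Encoding Unicode
        Remove-Item -Path $inf -Force
      register: user_rights
      changed_when: false

    # secedit emits "SeTcbPrivilege = *S-1-5-...,..." only when the right is
    # assigned; a missing line is the compliant state and yields an empty list.
    - name: Collect whatever is assigned to SeTcbPrivilege
      ansible.builtin.set_fact:
        tcb_assignees: >-
          {{ user_rights.stdout_lines
             | select('match', '^SeTcbPrivilege\s*=')
             | map('regex_replace', '^SeTcbPrivilege\s*=\s*', '')
             | map('trim')
             | list }}

    - name: Fail the audit if any account or group holds the right
      ansible.builtin.assert:
        that:
          - tcb_assignees | length == 0
        fail_msg: "SeTcbPrivilege is assigned to: {{ tcb_assignees | join(', ') }}"
        success_msg: "SeTcbPrivilege is not assigned to any account or group"
```

Run this after the remediation play; the assignees are reported as SIDs prefixed with an asterisk, which is how secedit records them, so resolve any that appear before deciding whether the assignment is a finding or an intentional local exception.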

update readme to reflect 2019 in example playbook

Expected:

- hosts: servers
  roles:
     - role: win-2k19-stig
       when:
            - ansible_os_family == 'Windows'
            - ansible_distribution | regex_search('(Server 2019)')

Experienced instead:

- hosts: servers
  roles:
     - role: win-2k16-stig
       when:
            - ansible_os_family == 'Windows'
            - ansible_distribution | regex_search('(Server 2016)')

Recommended fix:
change to:

- hosts: servers
  roles:
     - role: win-2k19-stig
       when:
            - ansible_os_family == 'Windows'
            - ansible_distribution | regex_search('(Server 2019)')
