April 26 Updates

Signed-off-by: Stephen Williams <stephen.williams@gotyto.com>
Stephen Williams
2026-04-16 11:30:27 -04:00
parent 3c79eb680c
commit ba170db1d1
15 changed files with 169 additions and 90 deletions
@@ -60,7 +60,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@@ -76,7 +76,7 @@ jobs:
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
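Review bot: Both `uses: actions/checkout@v6.0.2` lines pin the action to a tag, which the action's owner can move, so the job runs whatever commit the tag points to at run time. Pinning to the full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v6.0.2`, keeps the reviewed code fixed. The same applies to the checkout steps in the other workflow files of this commit, and the `ansible-actions/ansible-galaxy-action@main` step in the galaxy workflow tracks a branch. The first step also checks out `github.event.pull_request.head.sha`; if the trigger (outside the hunk) is `pull_request_target`, that is untrusted code running with the job's secrets.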
@@ -60,7 +60,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@@ -76,7 +76,7 @@ jobs:
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
@@ -49,7 +49,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@@ -65,7 +65,7 @@ jobs:
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
@@ -49,7 +49,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}
@@ -65,7 +65,7 @@ jobs:
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
+1 -1
@@ -16,7 +16,7 @@ jobs:
steps:
- name: Checkout V4
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
- name: Update Galaxy
uses: ansible-actions/ansible-galaxy-action@main
+19
@@ -1,5 +1,24 @@
# Changelog
## Release 4.1.0
April 2026
- Updated the cloud based system check for manual overrides. New variable now in the defualt main. Please read the comments for the new variable.
- Updated 18.10.57.3.10.1 variable accept anything between 1 and 900000 in Hardening & GPO.
- Updated Section 2 GPO for win_skip_for_test controls. Read comments in default/main.
- Issues Addressed:
- [#107](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/107) - Thanks @kpi-nourman
- [#122](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/122) - Thanks @kpi-nourman
- [#124](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/124) - Thanks @IoannisPant
- [#2](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/2) - Thanks @davidstanaway (Windows 2025 Issue Added Here To Update 2019)
- [#7](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/7) - Thanks @R2J2 - Updated When Statement to take into account Bool now (Windows 2025 Issue Added Here To Update 2019)
- [#86](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/86) - Thanks @git-cgallagher (Windows 2022 Issue Added Here To Update 2019)
- [#84](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/84) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2019)
- [#87](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/87) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2019)
- [#83](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/83) - Thanks @exu-g (Windows 2022 Issue Added Here To Update 2019)
- PR's Addressed:
- [#3](https://github.com/ansible-lockdown/Windows-2025-CIS/pull/3) - Thanks @MatthieuLeboeuf
## Release 4.0.0
September 2025
+52 -20
@@ -102,26 +102,58 @@ win19cis_section19: true
# errors due to missing features or incompatible syntax in earlier versions of Ansible.
min_ansible_version: "2.16"
# win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
# Controls that will be skipped:
# win19cis_rule_2_2_26 - Breaks Local Admin Connection
# win19cis_rule_2_2_27 - Breaks Local Admin Connection
# win19cis_rule_2_3_1_3 - Rename default administrator account
# win19cis_rule_9_3_4 - Enables Firewall Public Rules *Breaks Reboot*
# win19cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
# win19cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
# win19cis_rule_18_10_89_1_3 - Ensure Disallow Digest authentication is set to Enabled
# win19cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
# win19cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
# win19cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
# win19cis_rule_18_10_90_1 - Disables Remote Shell Access
win_skip_for_test: false
# Changes will be made that will require a system reboot.
# The following option will allow whether or not to skip the reboot.
# Default: true
skip_reboot: true
# ╔═══════════════════════════════════════════════════════════════════════════════╗
# ║ win_skip_for_test ║
# ║ ║
# ║ Skips tasks that may cause disruptive changes to the system during testing. ║
# ║ ║
# ║ NOTE: When set to true, the corresponding GPO entries for the controls ║
# ║ listed below will also not be created. This applies to both the Ansible ║
# ║ remediation path and the GPO creation path. ║
# ║ ║
# ║ Controls that will be skipped: ║
# ║ win22cis_rule_2_2_26 - Breaks Local Admin Connection ║
# ║ win22cis_rule_2_2_27 - Breaks Local Admin Connection ║
# ║ win22cis_rule_2_3_1_3 - Rename default administrator account ║
# ║ win22cis_rule_9_3_4 - Enables Firewall Public Rules *Breaks Reboot* ║
# ║ win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth ║
# ║ win22cis_rule_18_10_89_1_2 - Disables Client Allow Unencrypted Traffic ║
# ║ win22cis_rule_18_10_89_1_3 - Disallow Digest Authentication ║
# ║ win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth ║
# ║ win22cis_rule_18_10_89_2_2 - Disables Remote Server Management via WinRM ║
# ║ win22cis_rule_18_10_89_2_3 - Disables Service Allow Unencrypted Traffic ║
# ║ win22cis_rule_18_10_90_1 - Disables Remote Shell Access ║
# ╚═══════════════════════════════════════════════════════════════════════════════╝
win_skip_for_test: true
# ╔═══════════════════════════════════════════════════════════════════════════════╗
# ║ Hosted Virtual System Override ║
# ║ ║
# ║ By default, the role auto-detects whether the target is a cloud-based ║
# ║ hosted virtual system (Azure, AWS, GCE, DigitalOcean, etc.). ║
# ║ ║
# ║ The auto-detection when condition covers the most common combinations of ║
# ║ ansible_virtualization_type and ansible_system_vendor, however the number ║
# ║ of possible hypervisor/cloud combinations makes it impossible to account ║
# ║ for every environment. Known cases where auto-detection has produced ║
# ║ incorrect results include VMware vSphere on-prem, AWS GovCloud EC2, and ║
# ║ standalone (non-domain) VMware instances where virtualization_type ║
# ║ returns 'NA'. In these cases the secedit lockout control order (1.2.1-1.2.4) ║
# ║ will fail with 'The parameter is incorrect' from secedit. ║
# ║ ║
# ║ If you encounter this error, set the override below to force the correct ║
# ║ order for your environment manually. ║
# ║ ║
# ║ true = treat as hosted/cloud virtual system ║
# ║ false = treat as bare-metal or local VM ║
# ╚═══════════════════════════════════════════════════════════════════════════════╝
# hosted_virtual_system_override: true
# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
@@ -805,10 +837,10 @@ win19cis_ldap_client_integrity: 1
# Log\Microsoft\Windows\NTLM). Configuring this setting to Deny All also conforms to the benchmark.
# The recommended state for this setting is: Audit All.
# Note: Possible Valid Settings
# 1 - Deny All
# 2 - Audit All
# Default: 2
win19cis_restrict_sending_ntlm_traffic: 2
# 1 - Audit All
# 2 - Deny All
# Default: 1
win19cis_restrict_sending_ntlm_traffic: 1
# 2.3.17.2
# win19cis_consent_prompt_behavior_admin is the policy setting controls the behavior of the elevation prompt for administrators.
@@ -1020,7 +1052,7 @@ win19cis_remote_encryption_protection_aggressiveness: 1
# win19cis_idle_rdp_session_disconnect_time is the setting that allows you to specify the maximum amount of time that an active Remote Desktop
# Services session can be idle (without user input) before it is automatically disconnected.
# The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0).
# 1 min = 60000, 5 min = 300000, 10 min = 600000, 15 min = 900000
# This now accepts any value between 1 and 900000.
# Default: 900000
win19cis_idle_rdp_session_disconnect_time: 900000
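Review bot: The default for `win_skip_for_test` changes from `false` to `true` in the first hunk, so a run with stock defaults now skips the eleven listed controls (WinRM Basic auth, unencrypted WinRM traffic, Digest auth, remote shell, administrator rename and others) in both the remediation and GPO paths. A test-only switch should ship disabled, `win_skip_for_test: false`, with CI setting it to true explicitly. The new comment box also lists the controls as `win22cis_rule_*` although this role's variables are `win19cis_rule_*`, which will mislead anyone searching for them.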
+38 -28
@@ -29,8 +29,9 @@
# Current list is elastic and will be updated as we test more cloud based services.
# Current testing is working in Azure using Hyper-V. We are currently using this for reference:
# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
- name: "PRELIM | Set Fact If Cloud-Based System."
- name: "PRELIM | Set Fact If Cloud-Based System (auto-detect)."
when:
- hosted_virtual_system_override is not defined
- not ansible_virtualization_type == 'VMware' or
(ansible_system_vendor == 'Microsoft Corporation' and
ansible_virtualization_type in ['Hyper-V', 'hvm', 'kvm'])
@@ -38,37 +39,46 @@
ansible.builtin.set_fact:
prelim_win19cis_cloud_based_system: true
- name: PRELIM | Obtain Then Load Default And User Hives
- name: "PRELIM | Set Fact If Cloud-Based System (manual override)."
when: hosted_virtual_system_override is defined
tags: always
ansible.builtin.set_fact:
prelim_win19cis_cloud_based_system: "{{ hosted_virtual_system_override }}"
# ╔═══════════════════════════════════════════════════════════════════════════════╗
# ║ PRELIM | Section 19 HKU Scope (Per CIS Specification) ║
# ║ ║
# ║ Section 19 targets domain-joined interactive users only. The correct ║
# ║ source is HKEY_USERS subkeys already loaded in the registry by Windows ║
# ║ at logon — no manual NTUSER.DAT loading is required or recommended. ║
# ║ ║
# ║ Per CIS, include only subkeys where: ║
# ║ - SID begins with S-1-5-21-* (domain interactive users) ║
# ║ - Does NOT end with _Classes ║
# ║ - Is NOT .DEFAULT, S-1-5-18, S-1-5-19, or S-1-5-20 ║
# ║ - Is NOT an NT SERVICE SID (S-1-5-80-*) ║
# ║ ║
# ║ If no users are currently logged on, section 19 is not considered out of ║
# ║ compliance per CIS. Tasks will simply loop over an empty list. ║
# ╚═══════════════════════════════════════════════════════════════════════════════╝
- name: "PRELIM | Obtain Current Interactive User Hives"
when: win19cis_section19
tags: always
block:
- name: PRELIM | Obtain Then Load Default And User Hives | Load default user hive (Account that all new users get created from profile)
ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
- name: PRELIM | Obtain Current Interactive User Hives | Retrieve live domain user SIDs from HKEY_USERS
vars:
hku_script: |
$users = (Get-ChildItem 'REGISTRY::HKEY_USERS').Name
$users | Where-Object {
$_ -match 'S-1-5-21-' -and
$_ -notlike '*_Classes' -and
$_ -notmatch 'S-1-5-18|S-1-5-19|S-1-5-20' -and
$_ -notmatch 'S-1-5-80-'
} | ForEach-Object { $_ -replace 'HKEY_USERS\\', '' }
ansible.windows.win_shell: "{{ hku_script }}"
changed_when: false
failed_when: false
- name: PRELIM | Obtain Then Load Default And User Hives | Pull all username and SIDs
ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
changed_when: false
failed_when: false
register: prelim_all_users
- name: PRELIM | Obtain Then Load Default And User Hives | Create Results list fact for username and SIDs
ansible.builtin.set_fact:
prelim_username_and_sid_results_list: "{{ prelim_all_users.stdout_lines | map('split', ' ') | list }}"
- name: PRELIM | Obtain Then Load Default And User Hives | Load all user hives from username and SIDs list
ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
changed_when: false
failed_when: false
loop: "{{ prelim_username_and_sid_results_list }}"
- name: PRELIM | Obtain Then Load Default And User Hives | Retrieve current users SIDs from HKEY_USERS
ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
changed_when: false
failed_when: false
register: prelim_current_users_loaded_hku
- name: PRELIM | Obtain Then Load Default And User Hives | Create list fact for current users SIDs from HKEY_USERS
- name: PRELIM | Obtain Current Interactive User Hives | Set list fact for live user SIDs
ansible.builtin.set_fact:
prelim_hku_loaded_list: "{{ prelim_current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\', '') | split }}"
prelim_hku_loaded_list: "{{ prelim_current_users_loaded_hku.stdout_lines }}"
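Review bot: When the HKEY_USERS query returns no matching SIDs, or fails (the task keeps `failed_when: false`), `prelim_hku_loaded_list` is empty and every Section 19 loop reports success without writing to any profile. That is likely the common case for an unattended run with nobody logged on interactively, and because the default-user hive is no longer loaded, profiles created later would presumably not inherit the settings either. I would add a task after the set_fact that emits a warning with `when: prelim_hku_loaded_list | length == 0`, so an empty result is visible in the play output. The banner comment should also say that `S-1-5-21-*` matches local accounts as well as domain accounts, since local user SIDs share that prefix. Separately, in the manual-override task, `"{{ hosted_virtual_system_override | bool }}"` would keep the fact boolean when the override arrives as a string.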
+6 -4
@@ -635,7 +635,6 @@
when:
- win19cis_rule_2_2_21
- prelim_win19cis_is_domain_controller
- not win_skip_for_test
tags:
- level1-domaincontroller
- rule_2.2.21
@@ -790,7 +789,8 @@
when:
- win19cis_rule_2_2_26
- prelim_win19cis_is_domain_controller
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- rule_2.2.26
@@ -822,7 +822,8 @@
when:
- win19cis_rule_2_2_27
- prelim_win19cis_is_domain_member
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-memberserver
- rule_2.2.27
@@ -1604,7 +1605,8 @@
- name: "2.3.1.3 | PATCH | Configure Accounts Rename administrator account"
when:
- win19cis_rule_2_3_1_3
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
+2 -1
@@ -454,7 +454,8 @@
- name: "9.3.4 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
when:
- win19cis_rule_9_3_4
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
+16 -11
@@ -4686,10 +4686,8 @@
block:
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set Variable."
when:
- win19cis_idle_rdp_session_disconnect_time == 60000 or
win19cis_idle_rdp_session_disconnect_time == 300000 or
win19cis_idle_rdp_session_disconnect_time == 600000 or
win19cis_idle_rdp_session_disconnect_time == 900000
- win19cis_idle_rdp_session_disconnect_time > 0
- win19cis_idle_rdp_session_disconnect_time <= 900000
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxIdleTime
@@ -5081,7 +5079,8 @@
- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
when:
- win19cis_rule_18_10_89_1_1
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -5110,7 +5109,8 @@
- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
when:
- win19cis_rule_18_10_89_1_2
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -5139,7 +5139,8 @@
- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled"
when:
- win19cis_rule_18_10_89_1_3
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -5168,7 +5169,8 @@
- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
when:
- win19cis_rule_18_10_89_2_1
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -5198,7 +5200,8 @@
- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled"
when:
- win19cis_rule_18_10_89_2_2
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level2-domaincontroller
- level2-memberserver
@@ -5221,7 +5224,8 @@
- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
when:
- win19cis_rule_18_10_89_2_3
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -5269,7 +5273,8 @@
- name: "18.10.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled"
when:
- win19cis_rule_18_10_90_1
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level2-domaincontroller
- level2-memberserver
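Review bot: The new range check in the 18.10.57.3.10.1 hunk compares `win19cis_idle_rdp_session_disconnect_time` with integers directly, so a value supplied as a string (for example through `-e` on the command line) would likely make the conditional error out; the old `==` chain would simply have been false. The same commit adds `| bool` to `win_skip_for_test` for this kind of input, and the number deserves the same treatment: `- win19cis_idle_rdp_session_disconnect_time | int > 0` and `- win19cis_idle_rdp_session_disconnect_time | int <= 900000`. The identical condition in the GPO task for 18.10.57.3.10.1 needs the same change. The block these conditions belong to starts and ends outside the hunk, so what happens for an out-of-range value is not visible here.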
+5 -1
@@ -990,6 +990,7 @@
when:
- win19cis_rule_2_2_26
- "'Skipped' not in item.gpo_guid"
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- rule_2.2.26
@@ -1027,6 +1028,7 @@
when:
- win19cis_rule_2_2_27
- "'Skipped' not in item.gpo_guid"
- not (win_skip_for_test | bool)
tags:
- level1-memberserver
- rule_2.2.27
@@ -2087,7 +2089,9 @@
register: rule_2_3_1_2_results
- name: "2.3.1.3 | GPO | Configure Accounts Rename administrator account"
when: win19cis_rule_2_3_1_3
when:
- win19cis_rule_2_3_1_3
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
+2 -1
@@ -847,7 +847,8 @@
when:
- win19cis_rule_9_3_4
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
+16 -11
@@ -9241,10 +9241,8 @@
- name: "18.10.57.3.10.1 | GPO | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set 'Time Limit for Active but Idle RDP Sessions' to 15 minutes or less."
when:
- "'(Skipped)' not in item"
- win19cis_idle_rdp_session_disconnect_time == 60000 or
win19cis_idle_rdp_session_disconnect_time == 300000 or
win19cis_idle_rdp_session_disconnect_time == 600000 or
win19cis_idle_rdp_session_disconnect_time == 900000
- win19cis_idle_rdp_session_disconnect_time > 0
- win19cis_idle_rdp_session_disconnect_time <= 900000
ansible.windows.win_shell: |
$gpoName = "{{ item }}"
$registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
@@ -10067,7 +10065,8 @@
when:
- win19cis_rule_18_10_89_1_1
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -10118,7 +10117,8 @@
when:
- win19cis_rule_18_10_89_1_2
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -10169,7 +10169,8 @@
when:
- win19cis_rule_18_10_89_1_3
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -10220,7 +10221,8 @@
when:
- win19cis_rule_18_10_89_2_1
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -10271,7 +10273,8 @@
when:
- win19cis_rule_18_10_89_2_2
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level2-domaincontroller
- level2-memberserver
@@ -10316,7 +10319,8 @@
when:
- win19cis_rule_18_10_89_2_3
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level1-domaincontroller
- level1-memberserver
@@ -10409,7 +10413,8 @@
when:
- win19cis_rule_18_10_90_1
- "'(Skipped)' not in item"
- not win_skip_for_test
- not (win_skip_for_test | bool)
tags:
- level2-domaincontroller
- level2-memberserver
+4 -4
@@ -20,7 +20,7 @@
ansible.builtin.assert:
that:
- ansible_os_family == 'Windows'
- ansible_distribution | regex_search('(Microsoft Windows Server 2019)')
- ansible_distribution is regex('Microsoft Windows Server 2019')
success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system."
fail_msg: "This role can only be run against Windows Server 2019 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
@@ -61,7 +61,7 @@
tags:
- gpo
- create_domain
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: domain_creation/prelim_create_dc_and_promote.yml
- name: "Main | Import Create GPO Tasks"
@@ -71,7 +71,7 @@
tags:
- gpo
- domain
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: gpo_creation/main.yml
- name: "Main | Import Remediation Tasks"
@@ -81,7 +81,7 @@
tags:
- remediation
- local
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: ansible_hardening/main.yml
- name: "Main | Warnings Section"
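Review bot: Switching the three task files from `import_tasks` to `include_tasks` changes tag handling, because tags on a dynamic include select only the include itself and are not inherited by the tasks it loads. A run limited with `--tags remediation` would execute the include and then filter out every hardening task that lacks that tag, and a run limited to a rule or level tag would not reach the include at all, so the play can finish green with no controls applied. If the dynamic include is needed, pass the tags down with `apply:` under `include_tasks`, e.g. `apply: {tags: [remediation, local]}`, and document which tags users must pass; otherwise keep `import_tasks`. The task names still say "Import", and each task's `when:` is outside the hunks.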