Merge pull request #59 from mfortin/fortinm/patch-1

Fixing issue #57 and #58
ansible-lockdown · Jun 19, 2024 · 8427ea0 · 8427ea0
2 parents 5faeb45 + 9547586
commit 8427ea0
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 27 deletions.
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -49,6 +49,9 @@ jobs:
             ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
             WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
             WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            TF_VAR_run_job_id: ${{ github.run_id }}
 
         defaults:
             run:
@@ -83,38 +86,20 @@ jobs:
                 echo "benchmark_type = $benchmark_type"
                 pwd
                 ls
-              env:
-                  # Imported from github variables this is used to load the relvent OS.tfvars file
-                  OSVAR: ${{ vars.OSVAR }}
-                  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
           # Initialize The Terraform Working Directory
             - name: Terraform_Init
               id: init
               run: terraform init
-              env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
-                  OSVAR: ${{ vars.OSVAR }}
-                  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
           # Validate The Syntax Of Terraform Files
             - name: Terraform_Validate
               id: validate
               run: terraform validate
-              env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
-                  OSVAR: ${{ vars.OSVAR }}
-                  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
           # Execute The Actions And Build Azure Server
             - name: Terraform_Apply
               id: apply
-              env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
-                  WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
-                  WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
-                  OSVAR: ${{ vars.OSVAR }}
-                  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
               run: terraform apply -var-file "${OSVAR}.tfvars" --auto-approve
 
           # Debug Section
@@ -137,7 +122,4 @@ jobs:
           # Destroy The Azure Test System
             - name: Terraform_Destroy
               if: always() && env.ENABLE_DEBUG == 'false'
-              env:
-                  OSVAR: ${{ vars.OSVAR }}
-                  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
               run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -351,8 +351,8 @@ wn19stig_setcbprivilege: []
 # If an application requires this user right, this would not be a finding. Vendor documentation must support the
 # requirement for having the user right. The requirement must be documented with the ISSO.
 # NOTE: Improper Accounts Or Groups listed here will FAIL task.
-# Default: ""
-wn19stig_secreatetokenprivilege: ""
+# Default: []
+wn19stig_secreatetokenprivilege: []
 
 # WN19-UR-000100
 # Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.

diff --git a/tasks/cat1.yml b/tasks/cat1.yml
@@ -713,10 +713,10 @@
       - V-205750
 
 - name: "HIGH | WN19-UR-000060 | PATCH | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts."
-  community.windows.win_security_policy:
-      section: Privilege Rights
-      key: SeCreateTokenPrivilege
-      value: "{{ wn19stig_secreatetokenprivilege }}"
+  ansible.windows.win_user_right:
+      name: SeCreateTokenPrivilege
+      users: "{{ wn19stig_secreatetokenprivilege }}"
+      action: set
   when:
       - wn19_ur_000060
   tags:

diff --git a/tasks/cat2.yml b/tasks/cat2.yml
@@ -972,6 +972,7 @@
   notify: reboot_windows
   when:
       - wn19_00_000320
+      - not wn19stig_is_server_core
   tags:
       - WN19-00-000320
       - CAT2
@@ -1044,6 +1045,7 @@
       state: absent
   when:
       - wn19_00_000370
+      - not wn19stig_is_server_core
   tags:
       - WN19-00-000370
       - CAT2

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -16,6 +16,7 @@
   ansible.builtin.set_fact:
       win19stig_cloud_based_system: true
   when:
+      - ansible_system_vendor == 'Microsoft Corporation'
       - ansible_virtualization_type == 'Hyper-V' or
         ansible_virtualization_type == 'hvm' or
         ansible_virtualization_type == 'kvm'
@@ -60,3 +61,10 @@
   when:
       - wn19_00_000390 or
         wn19_00_000400
+
+- name: Set Fact If Server Core installation
+  ansible.builtin.set_fact:
+      wn19stig_is_server_core: true
+  when: ansible_os_installation_type == 'Server Core'
+  tags:
+      - always
diff --git a/vars/main.yml b/vars/main.yml
@@ -9,3 +9,6 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
 
 # This will be changed to true if discovered for cloud based systems.
 wn19stig_cloud_based_system: false
+
+# This will be changed to true if discovered for server core type.
+wn19stig_is_server_core: false