Merge pull request #120 from ansible-lockdown/benchmark_3.0.1

MrSteve81 · web-flow · commit 223c95209eb2 · 2025-05-16T11:04:01.000-04:00
Updates to Workflows, Readme, Changelog, General Fixes As Well
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -6,12 +6,13 @@ name: Ansible Remediate Devel Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the devel branch and any branch that contains benchmark in name.
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - devel
+      - benchmark*
     paths:
       - '**.yml'
       - '**.sh'
diff --git a/.github/workflows/devel_pipeline_validation_gpo.yml b/.github/workflows/devel_pipeline_validation_gpo.yml
@@ -6,12 +6,13 @@ name: GPO Devel Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the devel branch and any branch that contains benchmark in name.
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - devel
+      - benchmark*
     paths:
       - '**.yml'
       - '**.sh'
diff --git a/.github/workflows/export_badges_private.yml b/.github/workflows/export_badges_private.yml
@@ -0,0 +1,27 @@
+---
+
+name: Export Private Repo Badges
+
+# Use different minute offsets with the same hourly pattern:
+# Repo Group Suggested Cron Expression Explanation
+# Group A 0 */6 * * * Starts at top of hour
+# Group B 10 */6 * * * Starts art 10 after
+# And So On
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(github.repository, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest')
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/export_badges_private.yml@self_hosted
+    with:
+      # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS)
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
diff --git a/.github/workflows/export_badges_public.yml b/.github/workflows/export_badges_public.yml
@@ -0,0 +1,19 @@
+---
+
+name: Export Public Repo Badges
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.repository_visibility == 'public' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref_name == 'devel' || github.ref_name == 'main')))
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/export_badges_public.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -6,12 +6,13 @@ name: Ansible Remediate Main Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the main or latest branch
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - main
+      - latest
     paths:
       - '**.yml'
       - '**.sh'
diff --git a/.github/workflows/main_pipeline_validation_gpo.yml b/.github/workflows/main_pipeline_validation_gpo.yml
@@ -6,12 +6,13 @@ name: GPO Main Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the main or latest branch
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - main
+      - latest
     paths:
       - '**.yml'
       - '**.sh'
diff --git a/.gitignore b/.gitignore
@@ -45,3 +45,4 @@ benchparse/
 .github/
 .github/.ansible/.lock
 .ansible/
+.DS_Store
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,13 +1,27 @@
 # Changelog
 
+## Release 3.1.1
+
+May 2025 Update
+  - Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening And title. - Thanks @mfortin
+  - Updated 18.10.56.3.10.2 value to 60000 from 6000 in remediate and GPO - Thanks @mfortin
+  - Updated 18.10.79.2 Path In Remediate - Thanks @mfortin
+  - Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
+  - Updated Pipelines Branches Trigger
+  - Updated Readme with New Badges
+
 ## Release 3.1.0
 
+February 2025 Update
+  - Added the cloud lockout cloud tasks import that was removed last release.
+
+## Release 3.0.2
+
 February 2025 Update
   - Added new Readme Badges
   - General Typos and Fixes
   - All Workflows Updated
   - Fixed Control Tag for rule_2.3.10.9
-  - Added the cloud lockout cloud tasks import that was removed last release.
 
 ## Release 3.0.1
 
diff --git a/README.md b/README.md
@@ -6,30 +6,54 @@
 
 ---
 
+## Public Repository 📣
+
 ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social)
 ![Stars](https://img.shields.io/github/stars/ansible-lockdown/Windows-2019-CIS?label=Repo%20Stars&style=social)
 ![Forks](https://img.shields.io/github/forks/ansible-lockdown/Windows-2019-CIS?style=social)
-![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
+![Followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
-
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
+![License](https://img.shields.io/github/license/ansible-lockdown/Windows-2019-CIS?label=License)
+
+## Lint & Pre-Commit Tools 🔧
+
+[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2019-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/Windows-2019-CIS/devel)
+![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
+![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
+
+## Community Release Information 📂
+
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
 ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2019-CIS?label=Release%20Tag&&color=success)
 ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2019-CIS?label=Release%20Date)
+![Benchmark Version Main](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2019-CIS/benchmark-version-main.json)
+![Benchmark Version Devel](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2019-CIS/benchmark-version-devel.json)
 
 [![Main Pipeline Status](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/main_pipeline_validation.yml)
 [![GPO Main Pipeline Status](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/main_pipeline_validation_gpo.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 
 [![Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/devel_pipeline_validation.yml)
 [![GPO Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/devel_pipeline_validation_gpo.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2019-CIS/actions/workflows/devel_pipeline_validation_gpo.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2019-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
 
-![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2019-CIS?label=Open%20Issues)
-![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2019-CIS?label=Closed%20Issues&&color=success)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2019-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+![Open Issues](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2019-CIS?label=Open%20Issues)
+![Closed Issues](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2019-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/Windows-2019-CIS?label=Pull%20Requests)
 
-![License](https://img.shields.io/github/license/ansible-lockdown/Windows-2019-CIS?label=License)
+---
+
+## Subscriber Release Information 🔐
+
+![Private Release Branch](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/release-branch.json)
+![Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/benchmark-version.json)
+
+[![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-Windows-2019-CIS/actions/workflows/main_pipeline_validation.yml)
+[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-Windows-2019-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
+
+![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/prs.json)
+![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2019-CIS/issues-closed.json)
 
 ---
 
diff --git a/tasks/ansible_hardening/prelim.yml b/tasks/ansible_hardening/prelim.yml
@@ -53,7 +53,7 @@
       failed_when: false
       register: prelim_all_users
 
-    - name: PRELIM | Obtain Then Load Default And User Hives | Create results list fact for username and SIDs
+    - name: PRELIM | Obtain Then Load Default And User Hives | Create Results list fact for username and SIDs
       ansible.builtin.set_fact:
         prelim_username_and_sid_results_list: "{{ prelim_all_users.stdout_lines | map('split', ' ') | list }}"
 
diff --git a/tasks/ansible_hardening/section18.yml b/tasks/ansible_hardening/section18.yml
@@ -902,7 +902,7 @@
     data: 1
     type: dword
 
-- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
+- name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
   when: win19cis_rule_18_6_14_1
   tags:
     - level1-domaincontroller
@@ -914,18 +914,18 @@
     - NIST800-53_IA-3_1
     - NIST800-53R5_IA-3_1
   block:
-    - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
+    - name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
         name: "\\\\*\\NETLOGON"
-        data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+        data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
         type: string
 
-    - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
+    - name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
         name: "\\\\*\\SYSVOL"
-        data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+        data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
         type: string
 
 - name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
@@ -4285,7 +4285,7 @@
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
     name: MaxDisconnectionTime
-    data: 6000
+    data: 60000
     type: dword
 
 - name: "18.10.56.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
@@ -4488,7 +4488,7 @@
     - name: "18.10.79.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
       when: win19cis_allow_windows_ink_workspace == 0 or win19cis_allow_windows_ink_workspace == 1
       ansible.windows.win_regedit:
-        path: HKLM:\SOFTWARE\Microsoft\Policies\Microsoft\WindowsInkWorkspace
+        path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
         name: AllowWindowsInkWorkspace
         data: "{{ win19cis_allow_windows_ink_workspace }}"
         type: dword
@@ -4936,7 +4936,7 @@
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
         name: ManagePreviewBuildsPolicyValue
-        data: 0
+        data: 1
         type: dword
 
 - name: "18.10.92.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'"
diff --git a/tasks/gpo_creation/gpo_section18.yml b/tasks/gpo_creation/gpo_section18.yml
@@ -8623,7 +8623,7 @@
     $registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
     $registryValueName = "MaxDisconnectionTime"
     $type = "DWORD"
-    $desiredValue = 6000
+    $desiredValue = 60000
 
     # Get the current value of the registry key in the GPO
     $currentValue = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -ErrorAction SilentlyContinue).Value
@@ -9954,7 +9954,7 @@
         $registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
         $registryValueName2 = "ManagePreviewBuildsPolicyValue"
         $type2 = "DWORD"
-        $desiredValue2 = 0
+        $desiredValue2 = 1
 
         # Get the current value of the registry key in the GPO
         $currentValue2 = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName2 -ErrorAction SilentlyContinue).Value
