Add testing for controls that uses ansible for hardening

Gemfile

@@ -4,6 +4,9 @@ gem 'test-kitchen'
 gem 'kitchen-vagrant'
 gem 'kitchen-inspec'
 gem 'inspec-bin'
-gem 'inspec_tools'
 gem 'berkshelf'
-gem 'inspec'
+gem 'winrm'
+gem 'winrm-fs'
+gem 'vagrant-winrm'
+gem 'kitchen-ansible'
+gem 'inspec'

kitchen-ansible.yml

@@ -0,0 +1,52 @@
+driver:
+  name: vagrant
+  #provision: true
+  guest: :windows
+  gui: true
+  winrm:
+     username: vagrant
+     password: vagrant
+  customize:
+    cpus: 4
+    memory: 8192
+    accelerate3d: "off"
+    accelerate2dvideo: "off"
+    audio: "none"
+    usbcardreader: "off"
+    vrde: "off"
+    usb: "off"
+    nictype1: "82540EM"
+    clipboard: "disabled"
+    #nestedpaging: "off"
+
+transport:
+  name: winrm
+#  elevated: true
+
+provisioner:
+  name: ansible_playbook
+  roles_path: ./test/ansible
+  playbook: ./test/ansible/site.yml
+  hosts: all
+  deprecations_as_errors: true
+  ansible_connection: winrm
+  require_windows_support: true
+  require_chef_for_busser: false
+
+verifier:
+  name: inspec
+  inspec_tests:
+    - name: microsoft-windows-server-2019-stig
+      path: .
+  reporter:
+    - cli
+    - json:results/%{suite}-test-result.json
+
+
+platforms:
+  - name: windows-2019
+    driver:
+      box: stromweld/windows-2019
+
+suites:
+  - name: AnsibleWin2019STIG

test/ansible/.ansible-lint

@@ -0,0 +1,21 @@
+parseable: true
+quiet: true
+skip_list:
+  - 'schema'
+  - 'no-changed-when'
+  - 'fqcn-builtins'
+  - 'experimental'
+  - 'fqcn[action-core]'
+  - 'fqcn[action]'
+  - 'name[casing]'
+  - 'name[template]'
+  - 'jinja[spacing]'
+  - 'var-naming'  # Older playbook no new release
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0

test/ansible/.gitignore

@@ -0,0 +1,44 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/

test/ansible/.yamllint

@@ -0,0 +1,24 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .github/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    # Requiring 4 space indentation
+    spaces: 4
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable

test/ansible/CONTRIBUTING.rst

@@ -0,0 +1,66 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+5) Be open and nice to eachother
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+    Developer's Certificate of Origin 1.1
+
+    By making a contribution to this project, I certify that:
+
+    (a) The contribution was created in whole or in part by me and I
+        have the right to submit it under the open source license
+        indicated in the file; or
+
+    (b) The contribution is based upon previous work that, to the best
+        of my knowledge, is covered under an appropriate open source
+        license and I have the right under that license to submit that
+        work with modifications, whether created in whole or in part
+        by me, under the same open source license (unless I am
+        permitted to submit under a different license), as indicated
+        in the file; or
+
+    (c) The contribution was provided directly to me by some other
+        person who certified (a), (b) or (c) and I have not modified
+        it.
+
+    (d) I understand and agree that this project and the contribution
+        are public and that a record of the contribution (including all
+        personal information I submit with it, including my sign-off) is
+        maintained indefinitely and may be redistributed consistent with
+        this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+   Signed-off-by: Joan Doe <[email protected]>
+
+::
+
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.

test/ansible/ChangeLog.md

@@ -0,0 +1,8 @@
+Release 1.0.0
+
+Added Changelog.md
+Updated Readme
+Added Version 2 Release 3 changes during this update.
+Added Version 2 Release 4 changes during this update.
+Added Version 2 Release 5 changes during this update.
+Added Warning Count Summary to the End Of Playbook

test/ansible/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

test/ansible/README.md

@@ -0,0 +1,72 @@
+Windows Server 2019 DISA STIG
+=========
+
+![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-STIG?style=plastic)
+
+Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
+
+This role is based on Windows Server 2019 DISA STIG: [Version 2, Rel 5 released on November 14, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R5_STIG.zip).
+
+Caution(s)
+-------
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+
+This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
+
+To use release version please point to main branch
+Based on [Windows Server 2019 DISA STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2019_V2R5_STIG.zip).
+
+Documentation
+-------------
+[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
+[Wiki](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki)<br>
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-STIG/)<br>
+
+Requirements
+------------
+**General:**
+- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
+  - [Main Ansible documentation page](https://docs.ansible.com)
+  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
+  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
+  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables).
+
+**Technical Dependencies:**
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
+
+The following packages must be installed on the controlling host/host where ansible is executed:
+
+- passlib (or python2-passlib, if using python2)
+- python-lxml
+- python-xmltodict
+- python-jmespath
+- pywinrm
+
+Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
+
+Role Variables
+--------------
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
+
+Branches
+--------
+- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- **main** - This is the release branch
+- **reports** - This is a protected branch for our scoring reports, no code should ever go here
+- **gh-pages** - This is the github pages branch
+- **all other branches** - Individual community member branches
+
+Community Contribution
+----------------------
+
+We encourage you (the community) to contribute to this role. Please read the rules below.
+
+- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
+- All community Pull Requests are pulled into the devel branch
+- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

test/ansible/collections/requirements.yml

@@ -0,0 +1,6 @@
+---
+
+collections:
+  - name: community.windows
+  - name: community.general
+