Remove references to legacy facts that were breaking testing

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## Release 1.0.0
+
+**Features**
+- Rename disabled_administrator references and hiera to administrator as enabling is configurable
+- Update dependency versions
+
+**Bugfixes**
+- Remove references to legacy facts that were breaking testing
+- Improve Puppet 8 compatability
+
+
 ## Release 0.2.3
 
 **Features**

README.md

@@ -37,8 +37,8 @@ This module applies CIS benchmark hardening to:
 Additional resources are also defined, including:
 
 ### Windows 10 / 11
-- remote desktop
 - users
+- remote desktop
 - firewall (limited)
 
 
@@ -59,7 +59,7 @@ Other Windows 10 / 11 parameters include:
 ### Defence in-depth
 
 This module takes a defence in-depth approach, with the following built-in functions:
-- undefined users are purged (except system users)
+- undefined users can be optionally purged (except system users)
 - where CIS recommendations have more than 1 acceptable setting, the more stringent is used
 
 
@@ -79,7 +79,7 @@ To use this module, `include cis_security_hardening_windows` in your Node Classi
 
 
 
-See example minimum hiera data [here](data/minimum.yaml)
+See example minimum hiera data [here](spec/fixtures/data/minimum.yaml)
 
 
 ## CIS Enforcement Levels

REFERENCE.md

@@ -7,6 +7,8 @@
 ### Classes
 
 * [`cis_security_hardening_windows`](#cis_security_hardening_windows): Windows main class.  The entry point with most parameters processed here. It applies CIS hardening
+* [`cis_security_hardening_windows::cis`](#cis_security_hardening_windows--cis): Windows cis class.  It is called from the cis_security_hardening_windows class.  Params are derived from in-module hiera and can be excluded.
+* [`cis_security_hardening_windows::remote_desktop`](#cis_security_hardening_windows--remote_desktop): Windows remote_desktop class.  It is called from the cis_security_hardening_windows class when $allow_remote_desktop is true.
 
 ## Classes
 
@@ -181,3 +183,93 @@ Do not cache the puppet catalog on disk, as passwords and other values are in pl
 
 Default value: `lookup( 'catalog_no_cache',         Boolean,                      undef,    false )`
 
+### <a name="cis_security_hardening_windows--cis"></a>`cis_security_hardening_windows::cis`
+
+Windows cis class.  It is called from the cis_security_hardening_windows class.  Params are derived from in-module hiera and can be excluded.
+
+#### Examples
+
+##### Declaring the class
+
+```puppet
+include cis_security_hardening_windows
+```
+
+#### Parameters
+
+The following parameters are available in the `cis_security_hardening_windows::cis` class:
+
+* [`cis_profile_type`](#-cis_security_hardening_windows--cis--cis_profile_type)
+* [`cis_enforcement_level`](#-cis_security_hardening_windows--cis--cis_enforcement_level)
+* [`cis_include_bitlocker`](#-cis_security_hardening_windows--cis--cis_include_bitlocker)
+* [`cis_include_nextgen`](#-cis_security_hardening_windows--cis--cis_include_nextgen)
+* [`cis_exclude_rules`](#-cis_security_hardening_windows--cis--cis_exclude_rules)
+* [`cis_include_hkcu`](#-cis_security_hardening_windows--cis--cis_include_hkcu)
+
+##### <a name="-cis_security_hardening_windows--cis--cis_profile_type"></a>`cis_profile_type`
+
+Data type: `Enum['domain', 'standalone']`
+
+Apply domain or standalone CIS benchmark
+
+##### <a name="-cis_security_hardening_windows--cis--cis_enforcement_level"></a>`cis_enforcement_level`
+
+Data type: `Integer[1, 2]`
+
+CIS level to apply. Level 2 includes level 1
+
+##### <a name="-cis_security_hardening_windows--cis--cis_include_bitlocker"></a>`cis_include_bitlocker`
+
+Data type: `Boolean`
+
+If cis bitlocker rules should be included
+
+##### <a name="-cis_security_hardening_windows--cis--cis_include_nextgen"></a>`cis_include_nextgen`
+
+Data type: `Boolean`
+
+If cis nextgen rules should be included
+
+##### <a name="-cis_security_hardening_windows--cis--cis_exclude_rules"></a>`cis_exclude_rules`
+
+Data type: `Hash`
+
+Lookup of optional array for cis_exclude_rules (to opt out of included rules)
+
+##### <a name="-cis_security_hardening_windows--cis--cis_include_hkcu"></a>`cis_include_hkcu`
+
+Data type: `Boolean`
+
+If true, lgpo is used to import group policy objects for HKCU as puppetlabs/registry cannot apply them
+
+### <a name="cis_security_hardening_windows--remote_desktop"></a>`cis_security_hardening_windows::remote_desktop`
+
+Windows remote_desktop class.  It is called from the cis_security_hardening_windows class when $allow_remote_desktop is true.
+
+#### Examples
+
+##### Declaring the class
+
+```puppet
+include cis_security_hardening_windows
+```
+
+#### Parameters
+
+The following parameters are available in the `cis_security_hardening_windows::remote_desktop` class:
+
+* [`trusted_rdp_subnets`](#-cis_security_hardening_windows--remote_desktop--trusted_rdp_subnets)
+* [`remote_local_accounts`](#-cis_security_hardening_windows--remote_desktop--remote_local_accounts)
+
+##### <a name="-cis_security_hardening_windows--remote_desktop--trusted_rdp_subnets"></a>`trusted_rdp_subnets`
+
+Data type: `Array`
+
+Trusted subnets for inbound rdp connections for firewall rules. Undef will be converted to 'any'
+
+##### <a name="-cis_security_hardening_windows--remote_desktop--remote_local_accounts"></a>`remote_local_accounts`
+
+Data type: `Boolean`
+
+If local accounts are permitted to connect remotely. Required if not domain joined
+

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "canihavethisone-cis_security_hardening_windows",
-  "version": "0.2.3",
+  "version": "1.0.0",
   "author": "canihavethisone",
   "summary": "Harden Windows 10 & 11 to CIS standards",
   "license": "Apache-2.0",

spec/acceptance/cis_security_hardening_windows_spec.rb

@@ -34,6 +34,7 @@
     if File.file?("#{PROJECT_ROOT}/spec/acceptance/overrides.yaml")
       print_stage('Copying environment specific hiera overrides from spec/acceptance/overrides.yaml to master')
       scp_to(master, "#{PROJECT_ROOT}/spec/acceptance/overrides.yaml", "/etc/puppetlabs/code/environments/#{ENVIRONMENT}/data/overrides.yaml")
+      on(master, "echo -e \"  - name: 'Override hiera'\\n    path: 'overrides.yaml'\" >> /etc/puppetlabs/code/environments/#{ENVIRONMENT}/hiera.yaml")
     end
 
     # Chown and chmod testing environment

spec/acceptance/overrides.yaml

@@ -1,36 +1,30 @@
 ---
-# Overrides used for acceptance testing.  Set according to your environment
-
-# This allows root user to ssh during acceptance tests
-cis_security_hardening_windows::enable_remote_desktop:  true
-
-# Trusted subnets allowed in for RDP if enabled
-# cis_security_hardening_windows::trusted_rdp_subnets:  
-#   - 192.168.100.0/24
-#   - 192.168.102.0/24
+## - This file provides minimum testing data for this module
 
 # Banners must be specified
-cis_security_hardening_windows::logon_banner:           'notice and consent banner'
-cis_security_hardening_windows::logon_message:          'all activities performed on this system will be monitored.'
+cis_security_hardening_windows::logon_banner:              'notice and consent banner'
+cis_security_hardening_windows::logon_message:             'all activities performed on this system will be monitored.'
 
-# CIS recommend that the administrator and guest accounts are disabled and renamed
+# CIS recommend that the administrator and guest accounts are renamed and guest disabled 
 cis_security_hardening_windows::administrator_newname:     'NewAdministratorName'
 cis_security_hardening_windows::administrator_newpassword: 'Compl3xP4s$word'
-cis_security_hardening_windows::disabled_guest_newname:             'NewGuestName'
+cis_security_hardening_windows::disabled_guest_newname:    'NewGuestName'
 
-# A user must be specified
+# A user must be specified as Administrator is disabled.  Root is also present for acceptance test ssh connection
 cis_security_hardening_windows::users:
   'User':
-    groups:   ['Administrators']
-    password: 'Password12345!'
-  'root':
-    groups:   ['Administrators']
-    password: 'Password123'
+    groups:      ['Administrators']
+    password:    'Password12345!'
+#  'root':
+#    groups:   ['Administrators']
+#    password: 'Password123'
 
-# Some exclude rules to test that the optout works
+# Add some exclude rules to test that the optout works
 cis_security_hardening_windows::cis_exclude_rules:
   - "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"  # registry
-#  - "(L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'" # secpol
+
+# This allows root user to ssh during acceptance tests
+cis_security_hardening_windows::enable_remote_desktop:  true
 
 # Local accounts must be allowed remote access for acceptance tests, so reduce this to 'guests' only
 cis_security_hardening_windows::cis_secpol: