diff --git a/README.md b/README.md index 0c30e3f..faa8cac 100644 --- a/README.md +++ b/README.md @@ -72,10 +72,10 @@ To use this module, `include cis_security_hardening_windows` in your Node Classi #### Windows 10 / 11: - `cis_security_hardening_windows::logon_banner` (string) - `cis_security_hardening_windows::logon_message` (string) -- `cis_security_hardening_windows::disabled_administrator_newname` (string) -- `cis_security_hardening_windows::disabled_administrator_newpassword` (string) +- `cis_security_hardening_windows::administrator_newname` (string) +- `cis_security_hardening_windows::administrator_newpassword` (string) - `cis_security_hardening_windows::disabled_guest_newname` (string) -- `cis_security_hardening_windows::users` (hash) is required as built-in administrator will be disabled +- `cis_security_hardening_windows::users` (hash) is required if the built-in administrator is disabled (default) 
@@ -97,18 +97,21 @@ See example minimum hiera data [here](spec/fixtures/data/minimum.yaml) ``` - A reference list of rules enforced via the system registry is in the hiera folder for each Windows version, eg [here](data/windows/11/cis_include_rules.txt). Note that some additional rules are applied by Local Security Policy and Audit Policy resources however. - Individual controls can be overridden by any of the following methods: - - creating a optional hiera **array** for `cis_security_hardening_windows::cis_exclude_rules` containing rule titles to be subtracted from the default included hashes (note however that some rules are enforced by the local_security_policy or windows_firewall modules): + - creating a optional hiera **array** for `cis_security_hardening_windows::cis_exclude_rules` containing rule titles to be subtracted from the default included hashes (note that some rules are managed by the local_security_policy or cis_auditpol): ```yaml cis_security_hardening_windows::cis_exclude_rules: - "(L1) Ensure 'Allow users to enable online speech recognition services is set to 'Disabled'" - "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" ``` - - creating a hiera hash containing registry keys with different values at a higher precedence (eg domain or node) and titled any of: + - creating a hiera hash containing keys with different values at a higher precedence (eg domain or node) and titled any of: ```yaml - cis_security_hardening_windows::cis_level_1 (or windows_standalone) - cis_security_hardening_windows::cis_level_2 (or windows_standalone) - cis_security_hardening_windows::cis_bitlocker (or windows_standalone) - cis_security_hardening_windows::cis_nextgen (or windows_standalone) + cis_security_hardening_windows::cis_level_1 + cis_security_hardening_windows::cis_level_2 + cis_security_hardening_windows::cis_bitlocker + cis_security_hardening_windows::cis_nextgen + cis_security_hardening_windows::cis_secpol_level_1 + 
cis_security_hardening_windows::cis_secpol_level_2 + cis_security_hardening_windows::cis_auditpol ``` - other methods such as resource collectors to override registry key values if wrapping this module into your own classes diff --git a/spec/acceptance/overrides.yaml b/spec/acceptance/overrides.yaml index 1e3be84..8cffc95 100644 --- a/spec/acceptance/overrides.yaml +++ b/spec/acceptance/overrides.yaml @@ -13,11 +13,11 @@ cis_security_hardening_windows::disabled_guest_newname: 'NewGuestName' # A user must be specified as Administrator is disabled. Root is also present for acceptance test ssh connection cis_security_hardening_windows::users: 'User': - groups: ['Administrators'] - password: 'Password12345!' -# 'root': -# groups: ['Administrators'] -# password: 'Password123' + groups: ['Administrators'] + password: 'Password12345!' + 'root': + groups: ['Administrators'] + password: 'Password123' # Add some exclude rules to test that the optout works cis_security_hardening_windows::cis_exclude_rules:
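
Review bot: In the README.md hunk at `@@ -72,10 +72,10 @@`, the rename from `disabled_administrator_newname` / `disabled_administrator_newpassword` to `administrator_newname` / `administrator_newpassword` removes the old keys from the documentation without a migration note, so existing hiera data that still sets the old names gets no hint that it needs updating. Please add a line stating that the old keys were renamed. The new wording "required if the built-in administrator is disabled (default)" also does not name the setting that controls whether the account is disabled, so a reader cannot tell from this list how to opt out of the default; name that setting here. Since `administrator_newpassword` is documented as a plain `(string)`, it is also worth saying where the value is expected to come from (for example encrypted hiera data) rather than leaving a cleartext value as the implied usage.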
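
Review bot: In the README.md hunk at `@@ -97,18 +97,21 @@`, the reworded parenthetical on the `cis_exclude_rules` bullet ("note that some rules are managed by the local_security_policy or cis_auditpol") no longer says what follows from that: whether a rule title listed in `cis_exclude_rules` is honoured for controls that live in the newly listed `cis_secpol_level_1`, `cis_secpol_level_2` and `cis_auditpol` hashes. An operator who excludes such a rule and finds it still enforced, or the reverse, has no way to tell from this text which is intended, so state the behaviour explicitly. Two smaller points in the same hunk: the changed line still reads "creating a optional" (should be "an optional"), and the last bullet still says "override registry key values" although the bullet above dropped "registry" to cover the secpol and auditpol hashes. The removal of "(or windows_standalone)" from the four existing titles is also unexplained; if those variants are no longer supported, say so.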
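
Review bot: In the spec/acceptance/overrides.yaml hunk at `@@ -13,11 +13,11 @@`, uncommenting the `'root'` entry commits a second member of `Administrators` with the literal password `'Password123'`, which is weaker than the `'Password12345!'` used for `'User'` in the same hash. Even for an acceptance fixture, consider taking the password from the test environment or generating it per run, and at minimum use a value that would satisfy the password policy the module itself applies so the test does not depend on ordering. The comment above the hash ("A user must be specified as Administrator is disabled") also no longer matches the README change in this patch, which makes that requirement conditional; update the comment so the fixture explains why both accounts are present.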