ansible-lockdown / Windows-2019-CIS

CIS Baseline Ansible Role for Windows 2019
MIT License

REQUEST - enable Audit only mode #50

Closed FilBot3 closed 2 years ago

FilBot3 commented 2 years ago

Could a variable be added to enable an audit-only mode, so as to perform checks on existing systems?

```yaml
---
# vars.yaml
audit_mode: true
remediate_mode: false
```

Then, you could do something similar to:

```yaml
---
- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
  block:
      - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords"
        # Check that the configured variable meets the CIS minimum; with
        # ignore_errors the failure is recorded in 'result' instead of stopping the play
        ansible.builtin.assert:
            that: passwordhistorysize | int >= 24
            fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
        changed_when: false
        ignore_errors: true
        register: result

      - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
        # Only write the policy when remediation is enabled
        ansible.windows.win_security_policy:
            section: System Access
            key: PasswordHistorySize
            value: "{{ passwordhistorysize }}"
        when: remediate_mode | bool
  when:
      - rule_1_1_1
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_1.1.1
      - patch
# ...
...
```
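The snippet above only asserts on the role variable, not on what the host actually has. The following playbook is an added example (not code from the issue or from the Windows-2019-CIS role) showing one way to get a true audit-only mode: the same `ansible.windows.win_security_policy` task is run under `check_mode`, so the module reports `changed` when the live setting differs from the desired value without writing anything, and that result is collected into a summary that fails the play only when remediation is off. The variable names `audit_mode`, `remediate_mode`, `cis_audit_failures` and the `windows` host group are assumptions for the example; it also assumes the module honours check mode, which it documents as supported.

```yaml
---
# Added example: audit-only vs remediate mode for CIS 1.1.1 (not the role's own code).
- name: CIS 1.1.1 audit-or-remediate example
  hosts: windows          # assumed inventory group of Windows 2019 hosts
  gather_facts: false
  vars:
    audit_mode: true        # assumed variable: report compliance state
    remediate_mode: false   # assumed variable: actually change the host
    passwordhistorysize: 24 # desired value; CIS 1.1.1 requires 24 or more
    cis_audit_failures: []  # assumed accumulator for non-compliant rules

  tasks:
    - name: "1.1.1 | AUDIT | Desired value itself must meet the CIS minimum"
      ansible.builtin.assert:
        that: passwordhistorysize | int >= 24
        fail_msg: "passwordhistorysize is {{ passwordhistorysize }}, CIS 1.1.1 needs 24 or more"

    - name: "1.1.1 | AUDIT | Compare live PasswordHistorySize with the desired value"
      ansible.windows.win_security_policy:
        section: System Access
        key: PasswordHistorySize
        value: "{{ passwordhistorysize }}"
      check_mode: true   # never writes; changed == true means the host is non-compliant
      register: rule_1_1_1_audit
      when: audit_mode | bool

    - name: "1.1.1 | AUDIT | Record the rule as failed when the host differs"
      ansible.builtin.set_fact:
        cis_audit_failures: "{{ cis_audit_failures + ['1.1.1 PasswordHistorySize'] }}"
      when:
        - audit_mode | bool
        - rule_1_1_1_audit.changed

    - name: "1.1.1 | PATCH | Enforce password history (only when remediating)"
      ansible.windows.win_security_policy:
        section: System Access
        key: PasswordHistorySize
        value: "{{ passwordhistorysize }}"
      when: remediate_mode | bool

    - name: "AUDIT | Summarise non-compliant rules"
      ansible.builtin.debug:
        msg: "Non-compliant rules: {{ cis_audit_failures }}"
      when: audit_mode | bool

    - name: "AUDIT | Fail the run in audit-only mode if anything is non-compliant"
      ansible.builtin.fail:
        msg: "{{ cis_audit_failures | length }} rule(s) failed audit: {{ cis_audit_failures | join(', ') }}"
      when:
        - audit_mode | bool
        - not (remediate_mode | bool)
        - cis_audit_failures | length > 0
```

Run it with `ansible-playbook -i inventory audit.yml -e remediate_mode=true` to switch from reporting to enforcing; with the defaults it never touches the host and exits non-zero when the live policy is below 24, which is what a CI gate over existing systems needs. Further rules follow the same three-task pattern, appending their own label to `cis_audit_failures`.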
uk-bolly commented 2 years ago

hi @FilBot3

Thank you for taking the time to raise this question, and apologies for the delay in responding. We are releasing a separate role for the audit over the next couple of weeks. This gives the ability to run the audit in isolation, checking that this remediation role is actually doing what is expected, and without the need for Ansible if that is a requirement. It is almost ready, so when we release it we will let you know; any feedback will be appreciated.

FilBot3 commented 2 years ago

Thank you for the heads up. I'll check soon.

uk-bolly commented 2 years ago

hi @FilBot3

Thanks for closing this. This is taking slightly longer than anticipated; we are hoping to release it along with a whole pipeline very shortly. As you are not the only person asking for this, we may release a beta sooner.

Thanks

uk-bolly