Update reboot notify

Signed-off-by: Frederick Witty <[email protected]>

defaults/main.yml

@@ -70,6 +70,11 @@ long_running: false
 # 18.9.98.1 - Disables Remote Shell Access
 win_skip_for_test: false
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 #### Basic external audit enablement settings ####
 #### Precise details - per setting can be found at the bottom of this file ####
 

handlers/main.yml

@@ -1,4 +1,7 @@
 ---
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always

tasks/main.yml

@@ -103,3 +103,10 @@
       - run_audit
   tags:
       - run_audit
+
+- name: If Warnings found Output count and control IDs affected
+  ansible.builtin.debug:
+      msg:
+          - "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:"
+          - "{{ warn_control_list }}"
+  when: warn_count != 0

tasks/post.yml

@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always

tasks/section18.yml

@@ -175,7 +175,7 @@
       data: 0
       type: dword
       state: present
-  notify: reboot_windows
+  notify: change_requires_reboot
   when:
       - win16cis_rule_18_3_3
   tags:

tasks/warning_facts.yml

@@ -0,0 +1,20 @@
+---
+
+# This task is used to create variables used in giving a warning summary for manual tasks
+# that need attention
+#
+# The warn_control_list and warn_count vars start life in vars/main.yml but get updated
+# as the tasks that have a warning complete
+#
+# Those two variables are used in the tasks/main.yml to display a list of warnings
+#
+# warn_control_id is set within the task itself and has the control ID as the value
+#
+# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s
+#
+# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
+# the count increases by a value of 1
+- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning."
+  ansible.builtin.set_fact:
+      warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
+      warn_count: "{{ warn_count | int + 1 }}"

vars/main.yml

@@ -1,6 +1,10 @@
 ---
 
-# vars file for .
+# vars file for Windows-2016-CIS
+
+# Used to control warning summary
+warn_control_list: ""
+warn_count: 0
 
 # This sets the variable that is created for the banner.
 lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
@@ -10,3 +14,7 @@ lockdown_banner: "{{lookup('file', './templates/banner.txt')}}"
 win2016cis_is_standalone: false
 win2016cis_is_domain_controller: false
 win2016cis_is_domain_member: false
+
+# Default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+reboot_host: false