Fix Title In 9.3.8

Signed-off-by: Stephen Williams <[email protected]>

defaults/main.yml

@@ -647,6 +647,15 @@ win19cis_cached_logons_count: 1
 # The recommended state for this setting is: between 5 and 14 days.
 win19cis_password_expiry_warning_days: 14
 
+# 2.3.7.9
+# win19cis_sc_remove_option is the setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+# Note: Possible Valid Settings
+# 1 - Lock Workstation
+# 2 - Force Loggoff
+# 3 - Disconnect if a Remote Desktop Services session
+# Default: 1
+win19cis_sc_remove_option: 1
+
 # 2.3.9.1
 # win19cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an
 # SMB session before the session is suspended because of inactivity.

tasks/section02.yml

@@ -1316,12 +1316,35 @@
       - patch
       - logon
 
-- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
-  ansible.windows.win_regedit:
-      path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
-      name: ScRemoveOption
-      data: 1
-      type: string
+- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher."
+  block:
+      - name: "2.3.7.9 | AUDIT | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Warning Check For Variable Standards."
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! You have an invalid setting for win19cis_sc_remove_option. Please read"
+                - "the notes for the variable and make the necessary change to the variable to be in compliance."
+        when:
+            - win19cis_sc_remove_option == 0 or
+              win19cis_sc_remove_option > 3
+
+      - name: "2.3.7.9 | AUDIT | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Warn Count."
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        vars:
+            warn_control_id: '2.3.7.9'
+        when:
+            - win19cis_sc_remove_option == 0 or
+              win19cis_sc_remove_option > 3
+
+      - name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Apply Settings To Registry."
+        ansible.windows.win_regedit:
+            path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+            name: ScRemoveOption
+            data: "{{ win19cis_sc_remove_option }}"
+            type: string
+        when:
+            - win19cis_sc_remove_option >= 1
+            - win19cis_sc_remove_option <= 3
   when:
       - win19cis_rule_2_3_7_9
   tags:
@@ -1457,7 +1480,7 @@
       - name: "2.3.9.5 | AUDIT | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher. | Warning Check For Variable Standards. | MS Only"
         ansible.builtin.debug:
             msg:
-                - "Warning!! You have an invalid number variable set for win10cis_smb_server_name_hardening_level. Please read"
+                - "Warning!! You have an invalid number variable set for win19cis_smb_server_name_hardening_level. Please read"
                 - "the notes for the variable and make the necessary change to the variable to be in compliance."
         when:
             - win19cis_smb_server_name_hardening_level == 0 or

tasks/section09.yml

@@ -422,7 +422,7 @@
             warn_control_id: '9.3.8'
         when: win19cis_public_firewall_log_size < 16384
 
-      - name: Apply Settings To Registry."
+      - name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry."
         ansible.windows.win_regedit:
             path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
             name: LogFileSize