Headline
Applied the community ansible-lockdown/Windows-2022-STIG role to LAB-DC01 from a WSL2 control node in three severity-tagged phases (CAT I → II → III). 8 CAT I findings verified closed in the POA&M. Per-CAT closures: CAT I Fail 9→1, CAT II Fail 105→27, CAT III Fail 6→1.
What shipped
- New module:
Lab-Kit/08-Ansible-STIG/(13 files +utilities/+ full runbook) - Scan evidence:
Compliance-Reports/After-Ansible/(2 SCC archives with XCCDF + CKL) - Visual proof:
08a-stig-dc01-CAT1-45.41pct.png·08b-stig-dc01-CAT2-84.4pct.png·08c-stig-dc01-CAT3-86.7pct.png - Phase 8 Zero Trust: 13 scaffolds → 21 full parse-clean scripts in
Lab-Kit/07-ZeroTrust/ - Defensive cert-audit tool:
security/scripts/Check-SelfSignedCerts.ps1(offline-CA thumbprint protection) - Portfolio refresh: 5 docx files + new
Portfolio/CAC-Program-Plain-English-Overview.docx+ newProject-Narrative.mdat repo root - Lab topology: LAB-DC01 dual-NIC recorded (10.10.20.10 + 10.10.10.10 for WSL reach path) — see
Architecture/Lab-Topology.md
Honest framing
The remaining 29 CAT-fails on LAB-DC01 are exactly what the role's disruption_high:false + complexity_high:false safety guards exclude, plus manual AUDIT items, plus 4 Server-2025 N/A controls. Federal disposition pattern — explain the gap, don't fake the score.
Full changelog: see CHANGELOG.md — [Phase 8 — Session 17] entry.
First-person project story with 10 Q&A (design decisions, hardest bugs, lessons learned): Project-Narrative.md.