mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
WIN CIS 17.6.1 (#10912)
parent
ba290ffbb7
commit
992a68c435
@ -3023,6 +3023,246 @@ spec:
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include:
|
||||
- 5145: network share object was checked to see whether client can be granted desired access.
|
||||
The recommended state for this setting is to include: Failure
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditDetailedFileShare</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND (mdm_command_output = 2 OR mdm_command_output = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.6.1
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit File Share' is set to 'Success and Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure.
|
||||
Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to Success and Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditFileShare</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND mdm_command_output = 3;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.6.2
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
|
||||
For scheduler jobs, the following are audited:
|
||||
- Job created.
|
||||
- Job deleted.
|
||||
- Job enabled.
|
||||
- Job disabled.
|
||||
- Job updated.
|
||||
For COM+ objects, the following are audited:
|
||||
- Catalog object added.
|
||||
- Catalog object updated.
|
||||
- Catalog object deleted.
|
||||
The recommended state for this setting is: Success and Failure.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to Success and Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditOtherObjectAccessEvents</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND mdm_command_output = 3;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.6.3
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
|
||||
The recommended state for this setting is: Success and Failure.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to Success and Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditRemovableStorage</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND mdm_command_output = 3;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.6.4
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Audit Policy Change' is set to include 'Success'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:
|
||||
- 4715: The audit policy (SACL) on an object was changed.
|
||||
- 4719: System audit policy was changed.
|
||||
- 4902: The Per-user audit policy table was created.
|
||||
- 4904: An attempt was made to register a security event source.
|
||||
- 4905: An attempt was made to unregister a security event source.
|
||||
- 4906: The CrashOnAuditFail value has changed.
|
||||
- 4907: Auditing settings on object were changed.
|
||||
- 4908: Special Groups Logon table modified.
|
||||
- 4912: Per User Audit Policy was changed.
|
||||
The recommended state for this setting is to include: Success.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditPolicyChange</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND (mdm_command_output = 1 OR mdm_command_output = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.7.1
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory reports changes in authentication policy. Events for this subcategory include:
|
||||
- 4706: A new trust was created to a domain.
|
||||
- 4707: A trust to a domain was removed.
|
||||
- 4713: Kerberos policy was changed.
|
||||
- 4716: Trusted domain information was modified.
|
||||
- 4717: System security access was granted to an account.
|
||||
- 4718: System security access was removed from an account.
|
||||
- 4739: Domain Policy was changed.
|
||||
- 4864: A namespace collision was detected.
|
||||
- 4865: A trusted forest information entry was added.
|
||||
- 4866: A trusted forest information entry was removed.
|
||||
- 4867: A trusted forest information entry was modified.
|
||||
The recommended state for this setting is to include: Success.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthenticationPolicyChange</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND (mdm_command_output = 1 OR mdm_command_output = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.7.2
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory reports changes in authorization policy. Events for this subcategory include:
|
||||
- 4704: A user right was assigned.
|
||||
- 4705: A user right was removed.
|
||||
- 4706: A new trust was created to a domain.
|
||||
- 4707: A trust to a domain was removed.
|
||||
- 4714: Encrypted data recovery policy was changed.
|
||||
The recommended state for this setting is to include: Success.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthorizationPolicyChange</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND (mdm_command_output = 1 OR mdm_command_output = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.7.3
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include:
|
||||
- 4944: The following policy was active when the Windows Firewall started.
|
||||
- 4945: A rule was listed when the Windows Firewall started.
|
||||
- 4946: A change has been made to Windows Firewall exception list. A rule was added.
|
||||
- 4947: A change has been made to Windows Firewall exception list. A rule was modified.
|
||||
- 4948: A change has been made to Windows Firewall exception list. A rule was deleted.
|
||||
- 4949: Windows Firewall settings were restored to the default values.
|
||||
- 4950: A Windows Firewall setting has changed.
|
||||
- 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
|
||||
- 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
|
||||
- 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
|
||||
- 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
|
||||
- 4956: Windows Firewall has changed the active profile.
|
||||
- 4957: Windows Firewall did not apply the following rule.
|
||||
- 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
|
||||
The recommended state for this setting is : Success and Failure
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success and Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule- Level Policy Change'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND mdm_command_output = 3;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.7.4
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
|
||||
- 5063: A cryptographic provider operation was attempted.
|
||||
- 5064: A cryptographic context operation was attempted.
|
||||
- 5065: A cryptographic context modification was attempted.
|
||||
- 5066: A cryptographic function operation was attempted.
|
||||
- 5067: A cryptographic function modification was attempted.
|
||||
- 5068: A cryptographic function provider operation was attempted.
|
||||
- 5069: A cryptographic function property operation was attempted.
|
||||
- 5070: A cryptographic function property modification was attempted.
|
||||
- 6145: One or more errors occurred while processing security policy in the group
|
||||
policy objects.
|
||||
The recommended state for this setting is to include: Failure.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Failure:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Other Policy Change Events'
|
||||
query: |
|
||||
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditOtherPolicyChangeEvents</LocURI></Target></Item></Get></SyncBody>"
|
||||
AND (mdm_command_output = 2 OR mdm_command_output = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.7.5
|
||||
contributors: sharon-fdm
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
|
||||
|
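Review bot: In the 17.7.4 entry (Audit MPSSVC Rule-Level Policy Change), the resolution text says to set the path "to include Success and Failure" while the policy name and the query (`mdm_command_output = 3`) require exactly Success and Failure, and the UI path reads 'Audit MPSSVC Rule- Level Policy Change' with a stray space after the hyphen. Suggest "to Success and Failure" and 'Audit MPSSVC Rule-Level Policy Change' so the remediation text matches the check. The same entry has "is : Success and Failure" with a stray space before the colon, and in 17.7.5 the 6145 bullet is split across two lines ("in the group" / "policy objects."), which reads like a copy artifact. The values 1, 2 and 3 compared against `mdm_command_output` are not explained anywhere in the hunk. From the pairing of policy names and queries they read as 1 = Success, 2 = Failure, 3 = Success and Failure, and a short comment to that effect near the first query would help the next editor. The queries also write `where` in lowercase next to uppercase `SELECT`, `FROM` and `AND`. Finally, the commit title names only 17.6.1, but the hunk adds policies tagged 17.6.1 through 17.7.5; the title should state the full range.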