Adding CIS non-completed items that require cis_audit table (#11380)

This relates to #11245
Marcos Oviedo 2023-05-12 11:55:46 -03:00 committed by GitHub
parent 719af4a585
commit e46d748bd2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 445 additions and 0 deletions


@ -134,6 +134,68 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)'
platforms: win10
platform: windows
description: |
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them.
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
The recommended state for this setting is: 15 or more minute(s).
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration'
query: |
SELECT 1 FROM cis_audit where item = "1.2.1" and CAST(value as integer) >= 15;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
platforms: win10
platform: windows
description: |
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.
The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0.
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '5 or fewer invalid login attempt(s), but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold'
query: |
SELECT 1 FROM cis_audit where item = "1.2.2" and CAST(value as integer) <= 5 and CAST(value as integer) > 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
platforms: win10
platform: windows
description: |
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically.
The recommended state for this setting is: 15 or more minute(s).
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after'
query: |
SELECT 1 FROM cis_audit where item = "1.2.3" and CAST(value as integer) >= 15;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' name: CIS - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
platforms: win10 platforms: win10
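Review bot: the string literals in all three queries are double-quoted (`item = "1.2.1"`); in SQLite, which osquery runs on, a double-quoted token is resolved as an identifier first and only falls back to a string literal when no such column exists, so single quotes (`item = '1.2.1'`) are the safer form. Two smaller points in the same hunk: the 1.2.2 resolution says '5 or fewer invalid login attempt(s)' while the policy name says 'logon', and the 1.2.3 description states the reset time must be less than or equal to the lockout duration, which the query never compares against item 1.2.1; if that relation is meant to be enforced, a self-join on cis_audit could assert it.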
@ -194,6 +256,25 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
platforms: win10
platform: windows
description: |
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.
The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list of only 'Administrators', 'LOCAL SERVICE' and 'NETWORK SERVICE':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process'
query: |
SELECT 1 FROM cis_audit where item = "2.2.4" AND (regex_match(value,".*(?=.*Administrators)(?=.*LOCAL SERVICE)(?=.*NETWORK SERVICE).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.4, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Allow log on locally' is set to 'Administrators, Users' name: CIS - Ensure 'Allow log on locally' is set to 'Administrators, Users'
platforms: win10 platforms: win10
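Review bot: the 2.2.4 query only checks that each of the three principals appears somewhere in value, so a host that also grants the right to an extra account still passes even though the name says the right 'is set to' exactly 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. The lookaheads also match substrings, so `(?=.*Administrators)` is satisfied by a group such as 'Hyper-V Administrators'. If an exact list is intended, split value on its delimiter and compare the resulting set, or at least match each principal against the surrounding delimiters; the leading and trailing `.*` around the lookaheads are redundant either way.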
@ -220,6 +301,28 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
platforms: win10
platform: windows
description: |
This policy setting determines which users or groups have the right to log on as a Remote Desktop Services client. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the Restricted Groups feature to ensure that no user accounts are part of the Remote Desktop Users group.
Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature.
The recommended state for this setting is: Administrators, Remote Desktop Users. Note: The above list is to be treated as a whitelist, which implies that the above
principals need not be present for assessment of this recommendation to pass.
Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services was known as Terminal Services, so you should substitute the older term if comparing against an older OS.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, Remote Desktop Users':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services'
query: |
SELECT 1 FROM cis_audit where item = "2.2.6" AND (regex_match(value,".*(?=.*Administrators)(?=.*Remote Desktop Users).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.6, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Back up files and directories' is set to 'Administrators' name: CIS - Ensure 'Back up files and directories' is set to 'Administrators'
platforms: win10 platforms: win10
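Review bot: the description's note ('The above list is to be treated as a whitelist, which implies that the above principals need not be present for assessment of this recommendation to pass') contradicts the 2.2.6 query, which requires both principals to be present via `(?=.*Administrators)(?=.*Remote Desktop Users)`. Under the whitelist semantics a host granting the right to Administrators alone is compliant but would fail this check, while a host granting it to both plus an unlisted group would pass. A check that no principal outside the allowed list appears in value would match the stated semantics better than a presence check.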
@ -261,6 +364,24 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
platforms: win10
platform: windows
description: |
This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, Users':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
query: |
SELECT 1 FROM cis_audit where item = "2.2.9" AND (regex_match(value,".*(?=.*Administrators)(?=.*Users)(?=.*LOCAL SERVICE).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.9, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Create a pagefile' is set to 'Administrators' name: CIS - Ensure 'Create a pagefile' is set to 'Administrators'
platforms: win10 platforms: win10
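Review bot: in the 2.2.9 query the lookahead `(?=.*Users)` is satisfied by any value containing the substring 'Users', including 'Authenticated Users' or 'Remote Desktop Users', so it does not confirm that the built-in Users group is the one granted the right; matching the principal against the list delimiters, or comparing the split list, would make the check exact. Unlike the other new entries, this description also omits the 'The recommended state for this setting is:' sentence, which would be worth adding for consistency.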
@ -406,6 +527,44 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Deny log on as a batch job' includes 'Guests'
platforms: win10
platform: windows
description: |
This policy setting determines which accounts will not be able to log on to the computer as a
batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
query: |
SELECT 1 FROM cis_audit where item = "2.2.17" AND (regex_match(value,".*(?=.*Guests).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.17, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Deny log on as a service' includes 'Guests'
platforms: win10
platform: windows
description: |
This security setting determines which service accounts are prevented from registering a process
as a service. This user right supersedes the Log on as a service user right if an account is subject to both policies.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
query: |
SELECT 1 FROM cis_audit where item = "2.2.18" AND (regex_match(value,".*(?=.*Guests).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.18, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Deny log on locally' includes 'Guest' name: CIS - Ensure 'Deny log on locally' includes 'Guest'
platforms: win10 platforms: win10
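Review bot: the 2.2.17 and 2.2.18 queries wrap a single lookahead in `.*(?=.*Guests).*`, which is equivalent to a plain substring test; `value LIKE '%Guests%'` expresses the same 'includes' check without a regex, and a presence test is the right semantics here since the name says 'includes' rather than 'is set to'. Both descriptions also carry hard line breaks copied from the benchmark text ('log on to the computer as a' / 'batch job'), which the `|` block scalar preserves as separate lines; joining them would render better.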
@ -583,6 +742,50 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Log on as a batch job' is set to 'Administrators'
platforms: win10
platform: windows
description: |
This policy setting allows accounts to log on using the task scheduler service. Because the task
scheduler is often used for administrative purposes, it may be needed in enterprise
environments. However, its use should be restricted in high security environments to prevent
misuse of system resources or to prevent attackers from using the right to launch malicious code
after gaining user level access to a computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
query: |
SELECT 1 FROM cis_audit where item = "2.2.28" AND (regex_match(value,".*(?=.*Administrators).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.28, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Log on as a service'
platforms: win10
platform: windows
description: |
This policy setting allows accounts to launch network services or to register a process as a
service running on the system. This user right should be restricted on any computer in a high
security environment, but because many applications may require this privilege, it should be
carefully evaluated and tested before configuring it in an enterprise environment. On Windows
Vista-based (and newer) computers, no users or groups have this privilege by default.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
query: |
SELECT 1 FROM cis_audit where item = "2.2.29" AND value = ",";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.29, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators' name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'
platforms: win10 platforms: win10
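Review bot: the 2.2.28 resolution tells the administrator to set 'Log on as a batch job' to an empty list, while the policy name and the query (`(?=.*Administrators)`) expect 'Administrators'; the resolution should say set to 'Administrators' so the fix and the check agree. In 2.2.29, `value = ","` relies on cis_audit rendering an empty principal list as a single comma, a convention stated nowhere in the policy; a sentence in the description, or a normalisation such as `TRIM(value, ',') = ''`, would make the intent clear to the next reader.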
@ -641,6 +844,24 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
platforms: win10
platform: windows
description: |
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-ofservice condition.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
query: |
SELECT 1 FROM cis_audit where item = "2.2.33" AND (regex_match(value,".*(?=.*Administrators).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.33, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Profile single process' is set to 'Administrators' name: CIS - Ensure 'Profile single process' is set to 'Administrators'
platforms: win10 platforms: win10
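Review bot: the 2.2.33 resolution again says 'ensure that the following UI path is set to an empty list' while the name says 'Administrators' and the query checks for `(?=.*Administrators)`; the resolution should match the name. The description also has a typo, 'denial-ofservice', which should read 'denial-of-service'.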
@ -664,6 +885,45 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
platforms: win10
platform: windows
description: |
This policy setting allows users to use tools to view the performance of different system
processes, which could be abused to allow attackers to determine a system's active processes and
provide insight into the potential attack surface of the computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to 'Administrators, NT SERVICE\WdiServiceHost'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
query: |
SELECT 1 FROM cis_audit where item = "2.2.35" AND (regex_match(value,".*(?=.*Administrators)(?=.*NT SERVICE\WdiServiceHost).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.35, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
platforms: win10
platform: windows
description: |
This policy setting allows one process or service to start another service or process with a
different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
query: |
SELECT 1 FROM cis_audit where item = "2.2.36" AND (regex_match(value,".*(?=.*LOCAL SERVICE)(?=.*NETWORK SERVICE).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.36, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Restore files and directories' is set to 'Administrators' name: CIS - Ensure 'Restore files and directories' is set to 'Administrators'
platforms: win10 platforms: win10
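Review bot: the 2.2.35 pattern `(?=.*NT SERVICE\WdiServiceHost)` can never match the expected value: inside a regex `\W` is the non-word-character class, so the engine looks for 'NT SERVICE', one non-word character, then 'diServiceHost', and the real string 'NT SERVICE\WdiServiceHost' has a 'W' where a 'd' is required. Escape the backslash as `\\W`; the YAML `|` block keeps both characters, so the regex then sees a literal backslash followed by 'WdiServiceHost'. The 2.2.36 resolution also says 'set to an empty list' while the name and query expect 'LOCAL SERVICE, NETWORK SERVICE'.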
@ -686,6 +946,25 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Shut down the system' is set to 'Administrators, Users'
platforms: win10
platform: windows
description: |
This policy setting determines which users who are logged on locally to the computers in your
environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
query: |
SELECT 1 FROM cis_audit where item = "2.2.38" AND (regex_match(value,".*(?=.*Administrators)(?=.*Users).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.38, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Take ownership of files or other objects' is set to 'Administrators' name: CIS - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
platforms: win10 platforms: win10
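Review bot: the 2.2.38 resolution says 'set to an empty list' but the name says 'Administrators, Users' and the query checks for both principals; please align the resolution with the name. As with 2.2.9, `(?=.*Users)` matches any principal whose name contains 'Users', so a value listing only 'Administrators' and 'Remote Desktop Users' would pass this check.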
@ -1352,6 +1631,26 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: >
CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether an anonymous user can request security identifier
(SID) attributes for another user, or use a SID to obtain its corresponding user name.
The recommended state for this setting is: Disabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation'
query: |
SELECT 1 FROM cis_audit where item = "2.3.10.1" AND value = "0";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.10.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: > name: >
CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' CIS - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
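Review bot: the policy name 'Network access : Allow anonymous SID/Name translation' has a stray space before the colon; the UI path in the resolution and the neighbouring entry ('Network access: Do not allow anonymous enumeration of SAM accounts') write it without one. This entry's resolution also omits the 'Automatic method:' / 'Ask your system administrator...' preamble the other new entries use; either form is fine, but the file should be consistent.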
@ -1690,6 +1989,26 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether to disconnect users who are connected to the local
computer outside their user account's valid logon hours. This setting affects the Server Message
Block (SMB) component.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
query: |
SELECT 1 FROM cis_audit where item = "2.3.11.6" AND value = "1";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
platforms: win10 platforms: win10
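Review bot: the name 'Network security Force logoff when logon hours expire' drops the colon after 'Network security' that the resolution's UI path ('Network security: Force logoff when logon hours expire') keeps; the existing neighbour 'Network security LAN Manager authentication level' has the same omission, so either fix both or keep the existing convention, but pick one deliberately. Comparing `value = "1"` as a string is fine as long as cis_audit reports this item as the bare digit; if it can report 'Enabled' instead, the policy will show as failing.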
@ -3464,6 +3783,132 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: policy kind: policy
spec:
name: >
CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
platforms: win10
platform: windows
description: |
This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:
- 4625: An account failed to log on.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Account Lockout'
query: |
SELECT 1 FROM cis_audit where item = "17.5.1" AND (regex_match(value,".*(?=.*Failure).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Group Membership' is set to include 'Success'
platforms: win10
platform: windows
description: |
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Group Membership'
query: |
SELECT 1 FROM cis_audit where item = "17.5.2" AND (regex_match(value,".*(?=.*Success).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Logoff' is set to include 'Success'
platforms: win10
platform: windows
description: |
This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
- 4634: An account was logged off.
- 4647: User initiated logoff.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logoff'
query: |
SELECT 1 FROM cis_audit where item = "17.5.3" AND (regex_match(value,".*(?=.*Success).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
platforms: win10
platform: windows
description: |
This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.
- 4675: SIDs were filtered.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Success and Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logon'
query: |
SELECT 1 FROM cis_audit where item = "17.5.4" AND (regex_match(value,".*(?=.*Success)(?=.*Failure).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
platforms: win10
platform: windows
description: |
This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:
- 4649: A replay attack was detected.
- 4778: A session was reconnected to a Window Station.
- 4779: A session was disconnected from a Window Station.
- 4800: The workstation was locked.
- 4801: The workstation was unlocked.
- 4802: The screen saver was invoked.
- 4803: The screen saver was dismissed.
- 5378: The requested credentials delegation was disallowed by policy.
- 5632: A request was made to authenticate to a wireless network.
- 5633: A request was made to authenticate to a wired network.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Success and Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events'
query: |
SELECT 1 FROM cis_audit where item = "17.5.5" AND (regex_match(value,".*(?=.*Success)(?=.*Failure).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Special Logon' is set to include 'Success'
platforms: win10
platform: windows
description: |
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include:
- 4964 : Special groups have been assigned to a new logon.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon'
query: |
SELECT 1 FROM cis_audit where item = "17.5.6" AND (regex_match(value,".*(?=.*Success).*",0) is not null);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.6
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec: spec:
name: CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure' name: CIS - Ensure 'Audit Detailed File Share' is set to include 'Failure'
platforms: win10 platforms: win10
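Review bot: the 17.5.6 description has a stray space in '- 4964 : Special groups have been assigned to a new logon.' that the other event lists ('- 4625: An account failed to log on.') do not. For the single-value checks (17.5.1, 17.5.2, 17.5.3, 17.5.6) the `.*(?=.*Failure).*` wrapper is a plain substring test and `value LIKE '%Failure%'` would be simpler; the two-lookahead form in 17.5.4 and 17.5.5 is what an order-independent 'Success and Failure' check needs. These six entries match the localised strings 'Success' and 'Failure' yet are the only new policies without the `english-support-only` tag that the 2.2.x entries carry; consider tagging them the same way.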