From 05c24caa9529349db51ba7b8d0ca39c8bd04efa2 Mon Sep 17 00:00:00 2001
From: Marcos Oviedo
Date: Thu, 8 Jun 2023 10:47:04 -0300
Subject: [PATCH] Addressing system test findings (#12210)

This relates to #11245
---
 ee/cis/win-10/cis-policy-queries.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 519bcf2e7c..680ac5b70c 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -898,7 +898,7 @@ spec:
 Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to 'Administrators, NT SERVICE\WdiServiceHost'
 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
 query: |
- SELECT 1 FROM cis_audit where item = "2.2.35" AND (regex_match(value,".*(?=.*Administrators)(?=.*NT SERVICE\WdiServiceHost).*",0) is not null);
+ SELECT 1 FROM cis_audit where item = "2.2.35" AND (regex_match(value,".*(?=.*Administrators)(?=.*WdiServiceHost).*",0) is not null);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.35, english-support-only
 contributors: marcosd4h
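Review bot: The loosened 2.2.35 pattern `(?=.*Administrators)(?=.*WdiServiceHost)` only shows that both names occur somewhere in `value`, so a host where extra principals also hold "Profile system performance" still returns a row and is reported as compliant. The same presence-only lookaheads appear in the unchanged 2.2.36 and 2.2.38 queries in the later hunks. Dropping the `NT SERVICE\` prefix also lets any principal whose name merely contains `WdiServiceHost` satisfy the check. The old pattern probably failed because `\W` is read as the non-word class, in which case escaping the backslash (`NT SERVICE\\WdiServiceHost`, subject to how `regex_match` treats escapes) would keep the full name. If the format of `value` allows it, the queries should also reject entries outside the expected set; otherwise a comment such as `-- presence check only: extra principals granted this right are not detected` above each SELECT documents the gap.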
@@ -914,7 +914,7 @@ spec:
 different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to 'LOCAL SERVICE, NETWORK SERVICE'
 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
 query: |
 SELECT 1 FROM cis_audit where item = "2.2.36" AND (regex_match(value,".*(?=.*LOCAL SERVICE)(?=.*NETWORK SERVICE).*",0) is not null);
@@ -955,7 +955,7 @@ spec:
 environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to 'Administrators, Users'
 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
 query: |
 SELECT 1 FROM cis_audit where item = "2.2.38" AND (regex_match(value,".*(?=.*Administrators)(?=.*Users).*",0) is not null);