From a819a16fc463241629d2fac8861f2f579663afac Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Thu, 4 May 2023 10:44:26 -0400
Subject: [PATCH] 17.8.1 (#11347)

Tested for Positive and Negative cases on my Win 10 Pro.
---
 ee/cis/win-10/cis-policy-queries.yml | 181 +++++++++++++++++++++++++++
 1 file changed, 181 insertions(+)

diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index f7bc82b13a..485c7c2bbc 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -3233,6 +3233,187 @@ spec: --- apiVersion: v1 kind: policy +spec: + name: CIS - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' + platforms: win10 + platform: windows + description: | + This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: + - Act as part of the operating system + - Back up files and directories + - Create a token object + - Debug programs + - Enable computer and user accounts to be trusted for delegation + - Generate security audits + - Impersonate a client after authentication + - Load and unload device drivers + - Manage auditing and security log + - Modify firmware environment values + - Replace a process-level token + - Restore files and directories + - Take ownership of files or other objects + Auditing this subcategory will create a high volume of events. Events for this subcategory include: + - 4672: Special privileges assigned to new logon. + - 4673: A privileged service was called. + - 4674: An operation was attempted on a privileged object. + The recommended state for this setting is: 'Success and Failure'. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success and Failure: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Sensitive Privilege Use' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/PrivilegeUse_AuditSensitivePrivilegeUse" + AND mdm_command_output = 3; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.8.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Audit IPsec Driver' is set to 'Success and Failure' + platforms: win10 + platform: windows + description: | + This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: + - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. + - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. + - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. + - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. + - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). 
This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. + - 5478: IPsec Services has started successfully. + - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. + - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. + - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. + The recommended state for this setting is: Success and Failure. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success and Failure: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit IPsec Driver' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditIPsecDriver" + AND mdm_command_output = 3; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.9.1 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Audit Other System Events' is set to 'Success and Failure' + platforms: win10 + platform: windows + description: | + This subcategory reports on other system events. Events for this subcategory include: + - 5024 : The Windows Firewall Service has started successfully. + - 5025 : The Windows Firewall Service has been stopped. + - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. + - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. + - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. + - 5030: The Windows Firewall Service failed to start. + - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. + - 5033 : The Windows Firewall Driver has started successfully. + - 5034 : The Windows Firewall Driver has been stopped. + - 5035 : The Windows Firewall Driver failed to start. + - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. + - 5058: Key file operation. + - 5059: Key migration operation. 
+ The recommended state for this setting is: 'Success and Failure'. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success and Failure: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Other System Events' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditOtherSystemEvents" + AND mdm_command_output = 3; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.9.2 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Audit Security State Change' is set to include 'Success' + platforms: win10 + platform: windows + description: | + This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: + - 4608: Windows is starting up. + - 4609: Windows is shutting down. + - 4616: The system time was changed. + - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not + administrators will now be allowed to log on. Some audit-able activity might not have been recorded. + The recommended state for this setting is to include: 'Success'. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecurityStateChange" + AND (mdm_command_output = 3 OR mdm_command_output = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.9.3 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Audit Security System Extension' is set to include 'Success' + platforms: win10 + platform: windows + description: | + This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: + - 4610: An authentication package has been loaded by the Local Security Authority. + - 4611: A trusted logon process has been registered with the Local Security Authority. + - 4614: A notification package has been loaded by the Security Account Manager. + - 4622: A security package has been loaded by the Local Security Authority. + - 4697: A service was installed in the system. + The recommended state for this setting is to include: Success. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security System Extension' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecuritySystemExtension" + AND (mdm_command_output = 3 OR mdm_command_output = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.9.4 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Audit System Integrity' is set to 'Success and Failure' + platforms: win10 + platform: windows + description: | + This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: + - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. + - 4615 : Invalid use of LPC port. + - 4618 : A monitored security event pattern has occurred. + - 4816 : RPC detected an integrity violation while decrypting an incoming message. + - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. + - 5056: A cryptographic self test was performed. + - 5057: A cryptographic primitive operation failed. + - 5060: Verification operation failed. + - 5061: Cryptographic operation. + - 5062: A kernel-mode cryptographic self test was performed. + The recommended state for this setting is: Success and Failure. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to include Success and Failure: + 'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit System Integrity' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSystemIntegrity" + AND mdm_command_output = 3; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.9.5 + contributors: sharon-fdm +--- +apiVersion: v1 +kind: policy spec: name: CIS - Ensure 'Audit Other Policy Change Events' is set to include 'Failure' platforms: win10
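Review bot: The description blocks in this hunk are inconsistently formatted and should be normalized before merge, since they render verbatim in the policy UI: the event-ID lists mix "5024 : The Windows Firewall Service..." with "5029: The Windows Firewall Service..." (same again in 'Audit System Integrity', "4612 : ..." next to "5056: ..."), the closing sentence alternates between quoted 'Success and Failure' and unquoted Success and Failure across the six policies, and the 4621 entry in 'Audit Security State Change' wraps mid-sentence ("Users who are not" / "administrators will now be allowed") and uses "audit-able" where "auditable" is meant. The query logic itself reads correctly and matches each policy name: the 'Success and Failure' policies require mdm_command_output = 3, while the two "set to include 'Success'" policies accept either 1 or 3 via "(mdm_command_output = 3 OR mdm_command_output = 1)". Finally, the subject line says 17.8.1, but the tags show this hunk adds CIS_bullet_17.8.1 through CIS_bullet_17.9.5; the commit subject or PR title should state the full range so the history is searchable by bullet number.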