Improving the windows policies
Signed-off-by: Hossein Rouhani <[email protected]>
HRouhani committed Dec 8, 2023
1 parent 7651a4d commit fee08e4
Showing 1 changed file with 27 additions and 81 deletions.
108 changes: 27 additions & 81 deletions core/mondoo-windows-security.mql.yaml
@@ -937,9 +937,7 @@ queries:
title: Ensure 'Audit Credential Validation' is set to 'Success and Failure'
impact: 30
mql: |
auditpol.where(subcategory == 'Credential Validation').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Credential Validation').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include:
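Review bot: the replacement `auditpol.where(subcategory == 'Credential Validation').one(inclusionsetting == 'Success and Failure')` changes what happens on a host where the `where()` filter matches no row: the removed `.list { ... }` block had nothing to evaluate there, whereas `.one(...)` asserts that exactly one matching row exists and fails otherwise. That is a behavioural change to every check in this file, not merely a syntax rewrite, and the commit message ("Improving the windows policies") does not say so; please state it there or in the policy docs so that a newly failing check on an absent or unrecognised subcategory is understood as intended. Minor, while here: this check carries `impact: 30` while every other subcategory check touched by this diff uses `impact: 40`; if the difference is deliberate it deserves a comment, otherwise align it.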
@@ -964,9 +962,7 @@ queries:
title: Ensure 'Audit Application Group Management' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Application Group Management').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Application Group Management').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy setting allows you to audit events generated by changes to application groups such as the following:
@@ -991,9 +987,7 @@ queries:
title: Ensure 'Audit Security Group Management' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Security Group Management').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Security Group Management').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include:
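Review bot: `.one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')` passes only when exactly one row satisfies the disjunction, so the check would also fail if `auditpol` ever returned the 'Security Group Management' subcategory twice with compliant settings. If the intent is "at least one row, and every row compliant", `.all(...)` combined with a non-empty guard such as `auditpol.where(subcategory == 'Security Group Management').length > 0` states that directly; if exactly-one is the intended contract, a short comment in the query would save the next reader from guessing. The same applies to each of the `include 'Success'` / `include 'Failure'` hunks below, which use the identical two-term disjunction.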
@@ -1030,9 +1024,7 @@ queries:
title: Ensure 'Audit User Account Management' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'User Account Management').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'User Account Management').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include:
@@ -1069,9 +1061,7 @@ queries:
title: Ensure 'Audit PNP Activity' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Plug and Play Events').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Plug and Play Events').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy setting allows you to audit when plug and play detects an external device.
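Review bot: the title says 'Audit PNP Activity' while the filter is `subcategory == 'Plug and Play Events'`; both name the same subcategory, but they come from different sources (the benchmark wording for the title, the name `auditpol` prints for the filter), and a reader comparing title to query will read it as a typo. A one-line comment in the `mql` block, or a sentence in `docs`, recording that the filter must use the `auditpol` spelling would prevent a well-meant "fix" that silently makes the `where()` match nothing and, with `.one(...)`, turns every host into a failure.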
@@ -1094,9 +1084,7 @@ queries:
title: Ensure 'Audit Process Creation' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Process Creation').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Process Creation').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include:
@@ -1122,9 +1110,7 @@ queries:
title: Ensure 'Audit Account Lockout' is set to include 'Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Account Lockout').list {
inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Account Lockout').one(inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:
@@ -1146,9 +1132,7 @@ queries:
title: Ensure 'Audit Group Membership' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Group Membership').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Group Membership').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
@@ -1171,9 +1155,7 @@ queries:
title: Ensure 'Audit Logoff' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Logoff').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Logoff').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
@@ -1196,9 +1178,7 @@ queries:
title: Ensure 'Audit Logon' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Logon').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Logon').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
@@ -1223,9 +1203,7 @@ queries:
title: Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Other Logon/Logoff Events').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Other Logon/Logoff Events').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:
@@ -1256,9 +1234,7 @@ queries:
title: Ensure 'Audit Special Logon' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Special Logon').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Special Logon').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include:
@@ -1280,9 +1256,7 @@ queries:
title: Ensure 'Audit Detailed File Share' is set to include 'Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Detailed File Share').list {
inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Detailed File Share').one(inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include:
@@ -1304,9 +1278,7 @@ queries:
title: Ensure 'Audit File Share' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'File Share').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'File Share').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy setting allows you to audit attempts to access a shared folder.
@@ -1329,9 +1301,7 @@ queries:
title: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Other Object Access Events').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Other Object Access Events').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
@@ -1365,9 +1335,7 @@ queries:
title: Ensure 'Audit Removable Storage' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Removable Storage').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Removable Storage').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
@@ -1390,9 +1358,7 @@ queries:
title: Ensure 'Audit Audit Policy Change' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Audit Policy Change').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Audit Policy Change').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:
@@ -1422,9 +1388,7 @@ queries:
title: Ensure 'Audit Authentication Policy Change' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Authentication Policy Change').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Authentication Policy Change').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports changes in authentication policy. Events for this subcategory include:
@@ -1456,9 +1420,7 @@ queries:
title: Ensure 'Audit Authorization Policy Change' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Authorization Policy Change').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Authorization Policy Change').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports changes in authorization policy. Events for this subcategory include:
@@ -1484,9 +1446,7 @@ queries:
title: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'MPSSVC Rule-Level Policy Change').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'MPSSVC Rule-Level Policy Change').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include:
@@ -1522,9 +1482,7 @@ queries:
title: Ensure 'Audit Other Policy Change Events' is set to include 'Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Other Policy Change Events').list {
inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Other Policy Change Events').one(inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
@@ -1554,9 +1512,7 @@ queries:
title: Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Sensitive Privilege Use').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Sensitive Privilege Use').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights:
@@ -1596,9 +1552,7 @@ queries:
title: Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'IPsec Driver').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'IPsec Driver').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include:
@@ -1630,9 +1584,7 @@ queries:
title: Ensure 'Audit Other System Events' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'Other System Events').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Other System Events').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports on other system events. Events for this subcategory include:
@@ -1666,9 +1618,7 @@ queries:
title: Ensure 'Audit Security State Change' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Security State Change').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Security State Change').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include:
@@ -1693,9 +1643,7 @@ queries:
title: Ensure 'Audit Security System Extension' is set to include 'Success'
impact: 40
mql: |
auditpol.where(subcategory == 'Security System Extension').list {
inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'Security System Extension').one(inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include:
@@ -1721,9 +1669,7 @@ queries:
title: Ensure 'Audit System Integrity' is set to 'Success and Failure'
impact: 40
mql: |
auditpol.where(subcategory == 'System Integrity').list {
inclusionsetting == 'Success and Failure'
}
auditpol.where(subcategory == 'System Integrity').one(inclusionsetting == 'Success and Failure')
docs:
desc: |-
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:
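Review bot: all 27 hunks apply the same mechanical rewrite from `.list { cond }` to `.one(cond)`, and because `.one` fails where the old block form had nothing to evaluate, the change should come with evidence that both paths behave as expected: please attach the scan output for this policy against one host where a subcategory (for example 'System Integrity') is set to 'No Auditing' and one where it is set to 'Success and Failure', so that a failing and a passing result are both demonstrated rather than inferred. A secondary, purely stylistic point: the collapsed single line puts the condition after a long `where()` filter, so if the MQL parser accepts a line break inside the parentheses, breaking before `.one(` would keep the assertion as visible as it was in the three-line form.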