diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220748.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220748.java index 818d372..bb2a35f 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220748.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220748.java @@ -38,12 +38,12 @@ public class V_220748 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220748r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nAccount Logon >> Credential Validation - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Logon >> Credential Validation - Failure"), Map.entry("checkid", "C-22493r554819_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \"Audit Credential Validation\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\Audit Credential Validation\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22482r554820_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nCredential validation records events related to validation tests on credentials for a user account logon."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000005") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220749.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220749.java index 9084095..8be5006 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220749.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220749.java @@ -38,12 +38,12 @@ public class V_220749 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220749r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nAccount Logon >> Credential Validation - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Logon >> Credential Validation - Success"), Map.entry("checkid", "C-22490r554810_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \"Audit Credential Validation\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\Audit Credential Validation\\ with \\Success\\ selected."), Map.entry("fixid", "F-22479r554811_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nCredential validation records events related to validation tests on credentials for a user account logon."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000010") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220750.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220750.java index e8239aa..0433601 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220750.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220750.java @@ -14,7 +14,7 @@ public class V_220750 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220750", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9237-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220750 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220750", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9237-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220750 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220750r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nAccount Management >> Security Group Management - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> Security Group Management - Success"), Map.entry("checkid", "C-22489r554807_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \"Audit Security Group Management\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\Audit Security Group Management\\ with \\Success\\ selected."), Map.entry("fixid", "F-22478r554808_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nCredential validation records events related to validation tests on credentials for a user account logon."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000030") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220751.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220751.java index d61ec61..6a33adf 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220751.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220751.java @@ -14,7 +14,7 @@ public class V_220751 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220751", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9237-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220751 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220751", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9237-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220751 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220751r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nAccount Management >> User Account Management - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> User Account Management - Failure"), Map.entry("checkid", "C-22492r554816_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \"Audit User Account Management\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\Audit User Account Management\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22481r554817_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSecurity Group Management records events such as creating, deleting or changing of security groups, including changes in group members."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity Group Management records events such as creating, deleting or changing of security groups, including changes in group members."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000035") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220752.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220752.java index 0c068b1..d4d91e5 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220752.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220752.java @@ -14,7 +14,7 @@ public class V_220752 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220752", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9235-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220752 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220752", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9235-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220752 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220752r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nAccount Management >> User Account Management - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> User Account Management - Success"), Map.entry("checkid", "C-22491r554813_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \"Audit User Account Management\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\Audit User Account Management\\ with \\Success\\ selected."), Map.entry("fixid", "F-22480r554814_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000040") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220753.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220753.java index 7055e37..ca3e3bd 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220753.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220753.java @@ -14,7 +14,7 @@ public class V_220753 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220753", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0cce9248-69ae-11d9-bed3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220753 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220753", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0cce9248-69ae-11d9-bed3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220753 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220753r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nDetailed Tracking >> Plug and Play Events - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nDetailed Tracking >> Plug and Play Events - Success"), Map.entry("checkid", "C-22486r554798_chk"), - Map.entry("fixtext", "Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \"Audit PNP Activity\" with \"Success\" selected."), + Map.entry("fixtext", "Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\Audit PNP Activity\\ with \\Success\\ selected."), Map.entry("fixid", "F-22475r554799_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000045") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220754.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220754.java index f249963..e3913d3 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220754.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220754.java @@ -14,7 +14,7 @@ public class V_220754 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220754", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922B-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220754 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220754", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922B-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220754 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220754r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nDetailed Tracking >> Process Creation - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nDetailed Tracking >> Process Creation - Success"), Map.entry("checkid", "C-22488r554804_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \"Audit Process Creation\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\Audit Process Creation\\ with \\Success\\ selected."), Map.entry("fixid", "F-22477r554805_fix"), Map.entry("description","Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000050") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220755.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220755.java index 8dc9336..8d7a575 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220755.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220755.java @@ -14,7 +14,7 @@ public class V_220755 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220755", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9217-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220755 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220755", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9217-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220755 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220755r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\n\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Account Lockout - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\n\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Account Lockout - Failure"), Map.entry("checkid", "C-22487r554801_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Account Lockout\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Account Lockout\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22476r554802_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nProcess creation records events related to the creation of a process and the source."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nProcess creation records events related to the creation of a process and the source."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000054") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220756.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220756.java index 1ab8a64..140eb5f 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220756.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220756.java @@ -14,7 +14,7 @@ public class V_220756 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220756", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0cce9249-69ae-11d9-bed3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220756 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220756", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0cce9249-69ae-11d9-bed3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220756 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220756r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Group Membership - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Group Membership - Success"), Map.entry("checkid", "C-22470r554750_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Group Membership\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Group Membership\\ with \\Success\\ selected."), Map.entry("fixid", "F-22459r554751_fix"), Map.entry("description","Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000060") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220757.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220757.java index 57d4def..2c7b077 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220757.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220757.java @@ -14,7 +14,7 @@ public class V_220757 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220757", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9216-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220757 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220757", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9216-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220757 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220757r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Logoff - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Logoff - Success"), Map.entry("checkid", "C-22463r554729_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Logoff\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Logoff\\ with \\Success\\ selected."), Map.entry("fixid", "F-22452r554730_fix"), - Map.entry("description","Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\n\nAccounts with the \"Force shutdown from a remote system\" user right can remotely shut down a system which could result in a DoS."), - Map.entry("iacontrols", "None"), + Map.entry("description","Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\n\\nAccounts with the \\Force shutdown from a remote system\\ user right can remotely shut down a system which could result in a DoS."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000065") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220758.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220758.java index 4195444..7b7250c 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220758.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220758.java @@ -14,7 +14,7 @@ public class V_220758 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220758", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9215-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220758 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220758", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9215-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220758 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220758r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Logon - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Logon - Failure"), Map.entry("checkid", "C-22464r554732_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Logon\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22453r554733_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nLogoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nLogoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000070") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220759.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220759.java index b0ae631..b6c4195 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220759.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220759.java @@ -14,7 +14,7 @@ public class V_220759 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220759", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9215-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220759 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220759", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9215-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220759 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220759r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Logon - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Logon - Success"), Map.entry("checkid", "C-22472r554756_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Logon\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Logon\\ with \\Success\\ selected."), Map.entry("fixid", "F-22461r554757_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nEnabling PowerShell Transcription will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nEnabling PowerShell Transcription will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000075") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220760.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220760.java index d554e12..369d4f7 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220760.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220760.java @@ -14,7 +14,7 @@ public class V_220760 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220760", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE921B-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220760 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220760", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE921B-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220760 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220760r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Special Logon - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Special Logon - Success"), Map.entry("checkid", "C-22471r554753_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Special Logon\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\Audit Special Logon\\ with \\Success\\ selected."), Map.entry("fixid", "F-22460r554754_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nLogon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nLogon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000080") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220761.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220761.java index 269a068..0e4b9aa 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220761.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220761.java @@ -14,7 +14,7 @@ public class V_220761 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220761", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220761 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220761", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220761 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220761r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen PowerShell or a Command Prompt with elevated privileges (\"Run as Administrator\").\n\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following:\n\nObject Access >> File Share - Failure\n\nIf the system does not audit the above, this is a finding."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\Run as Administrator\\).\\n\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> File Share - Failure\\n\\nIf the system does not audit the above, this is a finding."), Map.entry("checkid", "C-22468r554744_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit File Share\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit File Share\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22457r554745_fix"), Map.entry("description","Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000081") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220762.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220762.java index f9c7e54..90aefcd 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220762.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220762.java @@ -14,7 +14,7 @@ public class V_220762 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220762", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220762 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220762", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220762 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220762r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen PowerShell or a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following:\n\nObject Access >> File Share - Success\n\nIf the system does not audit the above, this is a finding."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> File Share - Success\\n\\nIf the system does not audit the above, this is a finding."), Map.entry("checkid", "C-22467r554741_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit File Share\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit File Share\\ with \\Success\\ selected."), Map.entry("fixid", "F-22456r554742_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAuditing file shares records events related to connection to shares on a system including system shares such as C$."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000082") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220763.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220763.java index fa9614b..28f4b9e 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220763.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220763.java @@ -14,7 +14,7 @@ public class V_220763 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220763", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9227-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220763 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220763", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9227-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220763 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220763r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen PowerShell or a Command Prompt with elevated privileges (\"Run as Administrator\").\n\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following:\n\nObject Access >> Other Object Access Events - Success\n\nIf the system does not audit the above, this is a finding."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\Run as Administrator\\).\\n\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> Other Object Access Events - Success\\n\\nIf the system does not audit the above, this is a finding."), Map.entry("checkid", "C-22466r554738_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit Other Object Access Events\\ with \\Success\\ selected."), Map.entry("fixid", "F-22455r554739_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAuditing file shares records events related to connection to shares on a system including system shares such as C$."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000083") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220764.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220764.java index a151389..1b1e2ad 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220764.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220764.java @@ -14,7 +14,7 @@ public class V_220764 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220764", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9227-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220764 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220764", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9227-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220764 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220764r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\n\nOpen PowerShell or a Command Prompt with elevated privileges (\"Run as Administrator\").\n\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following:\n\nObject Access >> Other Object Access Events - Failure\n\nIf the system does not audit the above, this is a finding."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\Run as Administrator\\).\\n\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> Other Object Access Events - Failure\\n\\nIf the system does not audit the above, this is a finding."), Map.entry("checkid", "C-22465r554735_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit Other Object Access Events\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit Other Object Access Events\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22454r554736_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAuditing for other object access records events related to the management of task scheduler jobs and COM+ objects."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing for other object access records events related to the management of task scheduler jobs and COM+ objects."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000084") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220765.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220765.java index df55ecb..6b176bb 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220765.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220765.java @@ -14,7 +14,7 @@ public class V_220765 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220765", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9245-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220765 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220765", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9245-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220765 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220765r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nObject Access >> Removable Storage - Failure\n\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nObject Access >> Removable Storage - Failure\\n\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM."), Map.entry("checkid", "C-22474r554762_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit Removable Storage\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22463r554763_fix"), Map.entry("description","Basic authentication uses plain text passwords that could be used to compromise a system."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000085") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220766.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220766.java index 8f8cf5a..d47b4c7 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220766.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220766.java @@ -14,7 +14,7 @@ public class V_220766 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220766", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9245-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220766 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220766", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9245-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220766 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220766r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nObject Access >> Removable Storage - Success\n\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM."), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nObject Access >> Removable Storage - Success\\n\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM."), Map.entry("checkid", "C-22485r554795_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \"Audit Removable Storage\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\Audit Removable Storage\\ with \\Success\\ selected."), Map.entry("fixid", "F-22474r554796_fix"), - Map.entry("description","Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\n\nAccounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in other users' sessions."), - Map.entry("iacontrols", "None"), + Map.entry("description","Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\n\\nAccounts with the \\Create global objects\\ user right can create objects that are available to all sessions, which could affect processes in other users' sessions."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000090") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220767.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220767.java index 4923218..6375dfb 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220767.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220767.java @@ -14,7 +14,7 @@ public class V_220767 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220767", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922F-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220767 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220767", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922F-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220767 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220767r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> Audit Policy Change - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Audit Policy Change - Success"), Map.entry("checkid", "C-22469r554747_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \"Audit Audit Policy Change\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\Audit Audit Policy Change\\ with \\Success\\ selected."), Map.entry("fixid", "F-22458r554748_fix"), Map.entry("description","Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000100") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220768.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220768.java index 6766549..ed3b75f 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220768.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220768.java @@ -14,7 +14,7 @@ public class V_220768 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220768", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922F-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220768 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220768", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE922F-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220768 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220768r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> Authentication Policy Change - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Authentication Policy Change - Success"), Map.entry("checkid", "C-22473r554759_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \"Audit Authentication Policy Change\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\Audit Authentication Policy Change\\ with \\Success\\ selected."), Map.entry("fixid", "F-22462r554760_fix"), Map.entry("description","Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000105") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220769.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220769.java index 2688f88..2ad736d 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220769.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220769.java @@ -14,7 +14,7 @@ public class V_220769 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220769", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9231-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220769 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220769", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9231-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220769 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220769r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \n\nUse the AuditPol tool to review the current Audit Policy configuration:\n-Open a Command Prompt with elevated privileges (\"Run as Administrator\").\n-Enter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding.\n\nPolicy Change >> Authorization Policy Change - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n-Open a Command Prompt with elevated privileges (\\Run as Administrator\\).\\n-Enter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding.\\n\\nPolicy Change >> Authorization Policy Change - Success"), Map.entry("checkid", "C-22483r554789_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \"Audit Authorization Policy Change\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\Audit Authorization Policy Change\\ with \\Success\\ selected."), Map.entry("fixid", "F-22472r554790_fix"), Map.entry("description","Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. By default, autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. If you enable this policy, you can also disable autoplay on all drives."), - Map.entry("iacontrols", "None"), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000107") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220770.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220770.java index 0fa3ee2..ba66448 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220770.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220770.java @@ -14,7 +14,7 @@ public class V_220770 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220770", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9228-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220770 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220770", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9228-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220770 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220770r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPrivilege Use >> Sensitive Privilege Use - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPrivilege Use >> Sensitive Privilege Use - Failure"), Map.entry("checkid", "C-22484r554792_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\Audit Sensitive Privilege Use\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22473r554793_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAuthorization Policy Change records events related to changes in user rights, such as Create a token object."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuthorization Policy Change records events related to changes in user rights, such as Create a token object."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000110") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220771.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220771.java index fc33e7d..e887b1e 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220771.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220771.java @@ -14,7 +14,7 @@ public class V_220771 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220771", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9228-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220771 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220771", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9228-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220771 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220771r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPrivilege Use >> Sensitive Privilege Use - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPrivilege Use >> Sensitive Privilege Use - Success"), Map.entry("checkid", "C-22477r554771_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \"Audit Sensitive Privilege Use\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\Audit Sensitive Privilege Use\\ with \\Success\\ selected."), Map.entry("fixid", "F-22466r554772_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSensitive Privilege Use records events related to use of sensitive privileges, such as \"Act as part of the operating system\" or \"Debug programs\"."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\Act as part of the operating system\\ or \\Debug programs\\."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000115") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220772.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220772.java index 49eb5f8..1aa718e 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220772.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220772.java @@ -14,7 +14,7 @@ public class V_220772 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220772", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9213-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220772 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220772", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9213-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220772 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220772r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> IPSec Driver - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> IPSec Driver - Failure"), Map.entry("checkid", "C-22478r554774_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit IPSec Driver\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit IPSec Driver\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22467r554775_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSensitive Privilege Use records events related to use of sensitive privileges, such as \"Act as part of the operating system\" or \"Debug programs\"."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\Act as part of the operating system\\ or \\Debug programs\\."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000120") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220773.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220773.java index 91bf6f9..da071a1 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220773.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220773.java @@ -14,7 +14,7 @@ public class V_220773 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220773", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9214-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220773 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220773", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9214-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220773 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220773r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> Other System Events - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Other System Events - Success"), Map.entry("checkid", "C-22475r554765_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit Other System Events\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit Other System Events\\ with \\Success\\ selected."), Map.entry("fixid", "F-22464r554766_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nIPSec Driver records events related to the IPSec Driver such as dropped packets."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nIPSec Driver records events related to the IPSec Driver such as dropped packets."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000130") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220774.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220774.java index b1b966a..7998193 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220774.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220774.java @@ -14,7 +14,7 @@ public class V_220774 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220774", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9214-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220774 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220774", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9214-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220774 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220774r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\"\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> Other System Events - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Other System Events - Failure"), Map.entry("checkid", "C-22476r554768_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit Other System Events\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit Other System Events\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22465r554769_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000135") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220775.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220775.java index ee60e72..7d4f87e 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220775.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220775.java @@ -14,7 +14,7 @@ public class V_220775 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220775", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9210-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220775 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220775", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9210-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220775 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220775r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> Security State Change - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Security State Change - Success"), Map.entry("checkid", "C-22481r554783_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit Security State Change\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit Security State Change\\ with \\Success\\ selected."), Map.entry("fixid", "F-22470r554784_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000140") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220776.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220776.java index 6f07d3f..2f2c15c 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220776.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220776.java @@ -14,7 +14,7 @@ public class V_220776 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220776", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9210-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220776 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220776", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9210-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220776 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220776r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> Security System Extension - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Security System Extension - Success"), Map.entry("checkid", "C-22482r554786_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit Security System Extension\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit Security System Extension\\ with \\Success\\ selected."), Map.entry("fixid", "F-22471r554787_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSecurity State Change records events related to changes in the security state, such as startup and shutdown of the system."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity State Change records events related to changes in the security state, such as startup and shutdown of the system."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000150") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220777.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220777.java index d8558b1..fbf0311 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220777.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220777.java @@ -14,7 +14,7 @@ public class V_220777 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220777", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9212-69AE-11D9-BED3-505054503030}", "subcat_es", "errores", "subcat_eng", "failure" ); @@ -24,7 +24,7 @@ public class V_220777 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220777", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9212-69AE-11D9-BED3-505054503030}", "parameter", "Failure", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220777 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220777r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> System Integrity - Failure"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> System Integrity - Failure"), Map.entry("checkid", "C-22479r554777_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit System Integrity\" with \"Failure\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit System Integrity\\ with \\Failure\\ selected."), Map.entry("fixid", "F-22468r554778_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSecurity System Extension records events related to extension code being loaded by the security subsystem."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity System Extension records events related to extension code being loaded by the security subsystem."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000155") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220778.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220778.java index 643b7b2..ddc6a57 100644 --- a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220778.java +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220778.java @@ -14,7 +14,7 @@ public class V_220778 extends AuditPolStig { */ private final static Map CHECK_VALUES = Map.of( "id", "V_220778", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9212-69AE-11D9-BED3-505054503030}", "subcat_es", "acierto", "subcat_eng", "success" ); @@ -24,7 +24,7 @@ public class V_220778 extends AuditPolStig { */ private final static Map ENFORCE_VALUES = Map.of( "id", "V_220778", - "guid", "{0CCE923F-69AE-11D9-BED3-505054503030}", + "guid", "{0CCE9212-69AE-11D9-BED3-505054503030}", "parameter", "Success", "value", "enable" ); @@ -38,12 +38,12 @@ public class V_220778 extends AuditPolStig { Map.entry("date", "2021-08-18"), Map.entry("ruleID", "SV_220778r569187_rule"), Map.entry("severity", "medium"), - Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nSystem >> System Integrity - Success"), + Map.entry("checktext", "Security Option \\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\ must be set to \\Enabled\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\Run as Administrator\\).\\nEnter \\AuditPol /get /category:*\\.\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> System Integrity - Success"), Map.entry("checkid", "C-22480r554780_chk"), - Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \"Audit System Integrity\" with \"Success\" selected."), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\Audit System Integrity\\ with \\Success\\ selected."), Map.entry("fixid", "F-22469r554781_fix"), - Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nSystem Integrity records events related to violations of integrity to the security subsystem."), - Map.entry("iacontrols", "None"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSystem Integrity records events related to violations of integrity to the security subsystem."), + Map.entry("iacontrols", "null"), Map.entry("version", "WN10-AU-000160") ); diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220785.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220785.java new file mode 100644 index 0000000..2f0e932 --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220785.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220785: Windows 10 must be configured to audit Other Policy Change Events Successes. + */ +public class V_220785 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220785", + "guid", "{0CCE9234-69AE-11D9-BED3-505054503030}", + "subcat_es", "acierto", + "subcat_eng", "success" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220785", + "guid", "{0CCE9234-69AE-11D9-BED3-505054503030}", + "parameter", "Success", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220785"), + Map.entry("title", "Windows 10 must be configured to audit Other Policy Change Events Successes."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220785r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> Other Policy Change Events - Success\n"), + Map.entry("checkid", "C-22500r554840_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\" with \"Success\" selected."), + Map.entry("fixid", "F-22489r554841_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations."), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000550") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220785() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220785(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220786.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220786.java new file mode 100644 index 0000000..259ac76 --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220786.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220786: Windows 10 must be configured to audit Other Policy Change Events Failures. + */ +public class V_220786 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220786", + "guid", "{0CCE9234-69AE-11D9-BED3-505054503030}", + "subcat_es", "errores", + "subcat_eng", "failure" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220786", + "guid", "{0CCE9234-69AE-11D9-BED3-505054503030}", + "parameter", "Failure", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220786"), + Map.entry("title", "Windows 10 must be configured to audit Other Policy Change Events Failures."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220786r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> Other Policy Change Events - Failure\n"), + Map.entry("checkid", "C-22501r554843_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> \"Audit Other Policy Change Events\" with \"Failure\" selected."), + Map.entry("fixid", "F-22490r554844_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations."), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000555") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220786() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220786(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220787.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220787.java new file mode 100644 index 0000000..36e98c0 --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220787.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220787: Windows 10 must be configured to audit other Logon/Logoff Events Successes. + */ +public class V_220787 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220787", + "guid", "{0CCE921C-69AE-11D9-BED3-505054503030}", + "subcat_es", "acierto", + "subcat_eng", "success" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220787", + "guid", "{0CCE921C-69AE-11D9-BED3-505054503030}", + "parameter", "Success", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220787"), + Map.entry("title", "Windows 10 must be configured to audit other Logon/Logoff Events Successes."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220787r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Other Logon/Logoff Events - Success\n"), + Map.entry("checkid", "C-22502r554846_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\" with \"Success\" selected."), + Map.entry("fixid", "F-22491r554847_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks."), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000560") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220787() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220787(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220788.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220788.java new file mode 100644 index 0000000..20a8f8b --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220788.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220788: Windows 10 must be configured to audit other Logon/Logoff Events Failures. + */ +public class V_220788 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220788", + "guid", "{0CCE921C-69AE-11D9-BED3-505054503030}", + "subcat_es", "errores", + "subcat_eng", "failure" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220788", + "guid", "{0CCE921C-69AE-11D9-BED3-505054503030}", + "parameter", "Failure", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220788"), + Map.entry("title", "Windows 10 must be configured to audit other Logon/Logoff Events Failures."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220788r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nLogon/Logoff >> Other Logon/Logoff Events - Failure\n"), + Map.entry("checkid", "C-22503r554849_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \"Audit Other Logon/Logoff Events\" with \"Failure\" selected."), + Map.entry("fixid", "F-22492r554850_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks."), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000565") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220788() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220788(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220789.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220789.java new file mode 100644 index 0000000..1a6f2d3 --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220789.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220789: Windows 10 must be configured to audit Detailed File Share Failures. + */ +public class V_220789 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220789", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", + "subcat_es", "errores", + "subcat_eng", "failure" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220789", + "guid", "{0CCE9244-69AE-11D9-BED3-505054503030}", + "parameter", "Failure", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220789"), + Map.entry("title", "Windows 10 must be configured to audit Detailed File Share Failures."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220789r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nObject Access >> Detailed File Share - Failure\n"), + Map.entry("checkid", "C-22504r554852_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \u201cDetailed File Share\" with \"Failure\" selected."), + Map.entry("fixid", "F-22493r554853_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.\nThe Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access."), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000570") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220789() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220789(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220790.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220790.java new file mode 100644 index 0000000..e2c301e --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220790.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220790: Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. + */ +public class V_220790 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220790", + "guid", "{0CCE9232-69AE-11D9-BED3-505054503030}", + "subcat_es", "acierto", + "subcat_eng", "success" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220790", + "guid", "{0CCE9232-69AE-11D9-BED3-505054503030}", + "parameter", "Success", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220790"), + Map.entry("title", "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220790r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> MPSSVC Rule-Level Policy Change - Success\n"), + Map.entry("checkid", "C-22505r554855_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \u201cAudit MPSSVC Rule-Level Policy Change\" with \"Success\" selected."), + Map.entry("fixid", "F-22494r554856_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). "), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000575") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220790() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220790(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220791.java b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220791.java new file mode 100644 index 0000000..5b4062b --- /dev/null +++ b/src/main/java/rqcode/stigs/win10_v3/AuditPolicy/V_220791.java @@ -0,0 +1,73 @@ +package rqcode.stigs.win10_v3.AuditPolicy; + +import rqcode.stigs.STIG; +import rqcode.stigs.win10_v3.WinScriptHelper; + +import java.util.Map; + +/** + * V_220791: Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures. + */ +public class V_220791 extends AuditPolStig { + /** + * Initiating parameters for the check script + */ + private final static Map CHECK_VALUES = Map.of( + "id", "V_220791", + "guid", "{0CCE9232-69AE-11D9-BED3-505054503030}", + "subcat_es", "errores", + "subcat_eng", "failure" + ); + + /** + * Initiating parameters for the enforce script + */ + private final static Map ENFORCE_VALUES = Map.of( + "id", "V_220791", + "guid", "{0CCE9232-69AE-11D9-BED3-505054503030}", + "parameter", "Failure", + "value", "enable" + ); + /** + * Initiating information defining the security requirements from the STIG + * database + */ + private final static Map INFO = Map.ofEntries( + Map.entry("id", "V_220791"), + Map.entry("title", "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures."), + Map.entry("date", "2021-08-18"), + Map.entry("ruleID", "SV_220791r569187_rule"), + Map.entry("severity", "medium"), + Map.entry("checktext", "Security Option \"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\" must be set to \"Enabled\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\n\nUse the AuditPol tool to review the current Audit Policy configuration:\nOpen a Command Prompt with elevated privileges (\"Run as Administrator\").\nEnter \"AuditPol /get /category:*\".\n\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\n\nPolicy Change >> MPSSVC Rule-Level Policy Change - Failure\n"), + Map.entry("checkid", "C-22506r554858_chk"), + Map.entry("fixtext", "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \u201cAudit MPSSVC Rule-Level Policy Change\" with \"Failure\" selected."), + Map.entry("fixid", "F-22495r554859_fix"), + Map.entry("description","Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\n\nAudit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). "), + Map.entry("iacontrols", "null"), + Map.entry("version", "WN10-AU-000580") + ); + + /** + * Setting up STIG information and initializing the windows script helper with + * the check and enforce parameters + */ + public V_220791() { + setStigInfo(INFO); + WinScriptHelper helper = this.getHelper(); + helper.setCheckValues(CHECK_VALUES); + helper.setEnforceValues(ENFORCE_VALUES); + } + + /** + * Simple test for the STIG check + */ + public static void main(String[] args) { + STIG stig = new V_220791(); + + System.out.println(stig); + + stig.check(); + System.out.println("1st check:" + stig.getLastCheckStatus()); + } + +} \ No newline at end of file diff --git a/src/test/resources/templates/auditPol/auditpol.json b/src/test/resources/templates/auditPol/auditpol.json index 3238799..59a8843 100644 --- a/src/test/resources/templates/auditPol/auditpol.json +++ b/src/test/resources/templates/auditPol/auditpol.json @@ -1,591 +1,724 @@ [ { - "id":"V_220748", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000005", - "ruleID":"SV_220748r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Account Logon - Credential Validation failures.", - "checkid":"C-22493r554819_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Logon >> Credential Validation - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22482r554820_fix", - "iacontrols": null - }, - { - "id":"V_220749", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000010", - "ruleID":"SV_220749r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Account Logon - Credential Validation successes.", - "checkid":"C-22490r554810_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Logon >> Credential Validation - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\\"Audit Credential Validation\\\" with \\\"Success\\\" selected.", - "fixid":"F-22479r554811_fix", - "iacontrols": null - }, - { - "id":"V_220750", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000030", - "ruleID":"SV_220750r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Account Management - Security Group Management successes.", - "checkid":"C-22489r554807_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> Security Group Management - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nCredential validation records events related to validation tests on credentials for a user account logon.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\"Audit Security Group Management\\\" with \\\"Success\\\" selected.", - "fixid":"F-22478r554808_fix", - "iacontrols": null - }, - { - "id":"V_220751", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000035", - "ruleID":"SV_220751r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Account Management - User Account Management failures.", - "checkid":"C-22492r554816_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> User Account Management - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity Group Management records events such as creating, deleting or changing of security groups, including changes in group members.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22481r554817_fix", - "iacontrols": null - }, - { - "id":"V_220752", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000040", - "ruleID":"SV_220752r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Account Management - User Account Management successes.", - "checkid":"C-22491r554813_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nAccount Management >> User Account Management - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\"Audit User Account Management\\\" with \\\"Success\\\" selected.", - "fixid":"F-22480r554814_fix", - "iacontrols": null - }, - { - "id":"V_220753", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000045", - "ruleID":"SV_220753r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Detailed Tracking - PNP Activity successes.", - "checkid":"C-22486r554798_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nDetailed Tracking >> Plug and Play Events - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.", - "fixtext":"Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\\"Audit PNP Activity\\\" with \\\"Success\\\" selected.", - "fixid":"F-22475r554799_fix", - "iacontrols": null - }, - { - "id":"V_220754", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000050", - "ruleID":"SV_220754r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Detailed Tracking - Process Creation successes.", - "checkid":"C-22488r554804_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nDetailed Tracking >> Process Creation - Success", - "description":"Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\\"Audit Process Creation\\\" with \\\"Success\\\" selected.", - "fixid":"F-22477r554805_fix", - "iacontrols": null - }, - { - "id":"V_220755", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000054", - "ruleID":"SV_220755r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Account Lockout failures.", - "checkid":"C-22487r554801_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\n\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Account Lockout - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nProcess creation records events related to the creation of a process and the source.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Account Lockout\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22476r554802_fix", - "iacontrols": null - }, - { - "id":"V_220756", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000060", - "ruleID":"SV_220756r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Group Membership successes.", - "checkid":"C-22470r554750_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Group Membership - Success", - "description":"Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Group Membership\\\" with \\\"Success\\\" selected.", - "fixid":"F-22459r554751_fix", - "iacontrols": null - }, - { - "id":"V_220757", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000065", - "ruleID":"SV_220757r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Logoff successes.", - "checkid":"C-22463r554729_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Logoff - Success", - "description":"Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\n\\nAccounts with the \\\"Force shutdown from a remote system\\\" user right can remotely shut down a system which could result in a DoS.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Logoff\\\" with \\\"Success\\\" selected.", - "fixid":"F-22452r554730_fix", - "iacontrols": null - }, - { - "id":"V_220758", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000070", - "ruleID":"SV_220758r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Logon failures.", - "checkid":"C-22464r554732_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Logon - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nLogoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Logon\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22453r554733_fix", - "iacontrols": null - }, - { - "id":"V_220759", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000075", - "ruleID":"SV_220759r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Logon successes.", - "checkid":"C-22472r554756_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Logon - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nEnabling PowerShell Transcription will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Logon\\\" with \\\"Success\\\" selected.", - "fixid":"F-22461r554757_fix", - "iacontrols": null - }, - { - "id":"V_220760", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000080", - "ruleID":"SV_220760r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Logon\/Logoff - Special Logon successes.", - "checkid":"C-22471r554753_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon\/Logoff >> Special Logon - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nLogon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon\/Logoff >> \\\"Audit Special Logon\\\" with \\\"Success\\\" selected.", - "fixid":"F-22460r554754_fix", - "iacontrols": null - }, - { - "id":"V_220761", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000081", - "ruleID":"SV_220761r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"Windows 10 must be configured to audit Object Access - File Share failures.", - "checkid":"C-22468r554744_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\n\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> File Share - Failure\\n\\nIf the system does not audit the above, this is a finding.", - "description":"Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22457r554745_fix", - "iacontrols": null - }, - { - "id":"V_220762", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000082", - "ruleID":"SV_220762r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"Windows 10 must be configured to audit Object Access - File Share successes.", - "checkid":"C-22467r554741_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> File Share - Success\\n\\nIf the system does not audit the above, this is a finding.", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit File Share\\\" with \\\"Success\\\" selected.", - "fixid":"F-22456r554742_fix", - "iacontrols": null - }, - { - "id":"V_220763", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000083", - "ruleID":"SV_220763r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"Windows 10 must be configured to audit Object Access - Other Object Access Events successes.", - "checkid":"C-22466r554738_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\n\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> Other Object Access Events - Success\\n\\nIf the system does not audit the above, this is a finding.", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with \\\"Success\\\" selected.", - "fixid":"F-22455r554739_fix", - "iacontrols": null - }, - { - "id":"V_220764", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000084", - "ruleID":"SV_220764r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"Windows 10 must be configured to audit Object Access - Other Object Access Events failures.", - "checkid":"C-22465r554735_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\n\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following:\\n\\nObject Access >> Other Object Access Events - Failure\\n\\nIf the system does not audit the above, this is a finding.", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuditing for other object access records events related to the management of task scheduler jobs and COM+ objects.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit Other Object Access Events\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22454r554736_fix", - "iacontrols": null - }, - { - "id":"V_220765", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000085", - "ruleID":"SV_220765r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Object Access - Removable Storage failures.", - "checkid":"C-22474r554762_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nObject Access >> Removable Storage - Failure\\n\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.", - "description":"Basic authentication uses plain text passwords that could be used to compromise a system.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22463r554763_fix", - "iacontrols": null - }, - { - "id":"V_220766", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000090", - "ruleID":"SV_220766r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Object Access - Removable Storage successes.", - "checkid":"C-22485r554795_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nObject Access >> Removable Storage - Success\\n\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.", - "description":"Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\n\\nAccounts with the \\\"Create global objects\\\" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\"Audit Removable Storage\\\" with \\\"Success\\\" selected.", - "fixid":"F-22474r554796_fix", - "iacontrols": null - }, - { - "id":"V_220767", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000100", - "ruleID":"SV_220767r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Policy Change - Audit Policy Change successes.", - "checkid":"C-22469r554747_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Audit Policy Change - Success", - "description":"Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\"Audit Audit Policy Change\\\" with \\\"Success\\\" selected.", - "fixid":"F-22458r554748_fix", - "iacontrols": null - }, - { - "id":"V_220768", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000105", - "ruleID":"SV_220768r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Policy Change - Authentication Policy Change successes.", - "checkid":"C-22473r554759_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Authentication Policy Change - Success", - "description":"Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\"Audit Authentication Policy Change\\\" with \\\"Success\\\" selected.", - "fixid":"F-22462r554760_fix", - "iacontrols": null - }, - { - "id":"V_220769", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000107", - "ruleID":"SV_220769r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Policy Change - Authorization Policy Change successes.", - "checkid":"C-22483r554789_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\n-Open a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\n-Enter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding.\\n\\nPolicy Change >> Authorization Policy Change - Success", - "description":"Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. By default, autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. If you enable this policy, you can also disable autoplay on all drives.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\"Audit Authorization Policy Change\\\" with \\\"Success\\\" selected.", - "fixid":"F-22472r554790_fix", - "iacontrols": null - }, - { - "id":"V_220770", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000110", - "ruleID":"SV_220770r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.", - "checkid":"C-22484r554792_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPrivilege Use >> Sensitive Privilege Use - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAuthorization Policy Change records events related to changes in user rights, such as Create a token object.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22473r554793_fix", - "iacontrols": null - }, - { - "id":"V_220771", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000115", - "ruleID":"SV_220771r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.", - "checkid":"C-22477r554771_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPrivilege Use >> Sensitive Privilege Use - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug programs\\\".", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\\"Audit Sensitive Privilege Use\\\" with \\\"Success\\\" selected.", - "fixid":"F-22466r554772_fix", - "iacontrols": null - }, - { - "id":"V_220772", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000120", - "ruleID":"SV_220772r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - IPSec Driver failures.", - "checkid":"C-22478r554774_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> IPSec Driver - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\\"Act as part of the operating system\\\" or \\\"Debug programs\\\".", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit IPSec Driver\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22467r554775_fix", - "iacontrols": null - }, - { - "id":"V_220773", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000130", - "ruleID":"SV_220773r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - Other System Events successes.", - "checkid":"C-22475r554765_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Other System Events - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nIPSec Driver records events related to the IPSec Driver such as dropped packets.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Success\\\" selected.", - "fixid":"F-22464r554766_fix", - "iacontrols": null - }, - { - "id":"V_220774", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000135", - "ruleID":"SV_220774r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - Other System Events failures.", - "checkid":"C-22476r554768_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\"\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Other System Events - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit Other System Events\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22465r554769_fix", - "iacontrols": null - }, - { - "id":"V_220775", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000140", - "ruleID":"SV_220775r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - Security State Change successes.", - "checkid":"C-22481r554783_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Security State Change - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit Security State Change\\\" with \\\"Success\\\" selected.", - "fixid":"F-22470r554784_fix", - "iacontrols": null - }, - { - "id":"V_220776", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000150", - "ruleID":"SV_220776r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - Security System Extension successes.", - "checkid":"C-22482r554786_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> Security System Extension - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity State Change records events related to changes in the security state, such as startup and shutdown of the system.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit Security System Extension\\\" with \\\"Success\\\" selected.", - "fixid":"F-22471r554787_fix", - "iacontrols": null - }, - { - "id":"V_220777", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000155", - "ruleID":"SV_220777r569187_rule", - "parameter":"Failure", - "subcat_eng":"failure", - "subcat_es":"errores", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - System Integrity failures.", - "checkid":"C-22479r554777_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> System Integrity - Failure", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSecurity System Extension records events related to extension code being loaded by the security subsystem.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Failure\\\" selected.", - "fixid":"F-22468r554778_fix", - "iacontrols": null - }, - { - "id":"V_220778", - "date":"2021-08-18", - "severity":"medium", - "version":"WN10-AU-000160", - "ruleID":"SV_220778r569187_rule", - "parameter":"Success", - "subcat_eng":"success", - "subcat_es":"acierto", - "value":"enable", - "guid":"{0CCE923F-69AE-11D9-BED3-505054503030}", - "title":"The system must be configured to audit System - System Integrity successes.", - "checkid":"C-22480r554780_chk", - "checktext":"Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol \/get \/category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nSystem >> System Integrity - Success", - "description":"Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nSystem Integrity records events related to violations of integrity to the security subsystem.", - "fixtext":"Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\"Audit System Integrity\\\" with \\\"Success\\\" selected.", - "fixid":"F-22469r554781_fix", - "iacontrols": null + "id": "V_220748", + "guid": "{0CCE923F-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Account Logon - Credential Validation failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000005", + "ruleID": "SV_220748r569187_rule", + "checkid": "C-22493r554819_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nAccount Logon >> Credential Validation - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\\\Audit Credential Validation\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nCredential validation records events related to validation tests on credentials for a user account logon.", + "fixid": "F-22482r554820_fix", + "iacontrols": "null" + }, + { + "id": "V_220749", + "guid": "{0CCE923F-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Account Logon - Credential Validation successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000010", + "ruleID": "SV_220749r569187_rule", + "checkid": "C-22490r554810_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nAccount Logon >> Credential Validation - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> \\\\Audit Credential Validation\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nCredential validation records events related to validation tests on credentials for a user account logon.", + "fixid": "F-22479r554811_fix", + "iacontrols": "null" + }, + { + "id": "V_220750", + "guid": "{0CCE9237-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Account Management - Security Group Management successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000030", + "ruleID": "SV_220750r569187_rule", + "checkid": "C-22489r554807_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nAccount Management >> Security Group Management - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\\Audit Security Group Management\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nCredential validation records events related to validation tests on credentials for a user account logon.", + "fixid": "F-22478r554808_fix", + "iacontrols": "null" + }, + { + "id": "V_220751", + "guid": "{0CCE9237-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Account Management - User Account Management failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000035", + "ruleID": "SV_220751r569187_rule", + "checkid": "C-22492r554816_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nAccount Management >> User Account Management - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\\Audit User Account Management\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSecurity Group Management records events such as creating, deleting or changing of security groups, including changes in group members.", + "fixid": "F-22481r554817_fix", + "iacontrols": "null" + }, + { + "id": "V_220752", + "guid": "{0CCE9235-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Account Management - User Account Management successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000040", + "ruleID": "SV_220752r569187_rule", + "checkid": "C-22491r554813_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nAccount Management >> User Account Management - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> \\\\Audit User Account Management\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.", + "fixid": "F-22480r554814_fix", + "iacontrols": "null" + }, + { + "id": "V_220753", + "guid": "{0cce9248-69ae-11d9-bed3-505054503030}", + "title": "The system must be configured to audit Detailed Tracking - PNP Activity successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000045", + "ruleID": "SV_220753r569187_rule", + "checkid": "C-22486r554798_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nDetailed Tracking >> Plug and Play Events - Success", + "fixtext": "Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\\\Audit PNP Activity\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nUser Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.", + "fixid": "F-22475r554799_fix", + "iacontrols": "null" + }, + { + "id": "V_220754", + "guid": "{0CCE922B-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Detailed Tracking - Process Creation successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000050", + "ruleID": "SV_220754r569187_rule", + "checkid": "C-22488r554804_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nDetailed Tracking >> Process Creation - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> \\\\Audit Process Creation\\\\ with \\\\Success\\\\ selected.", + "description": "Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.", + "fixid": "F-22477r554805_fix", + "iacontrols": "null" + }, + { + "id": "V_220755", + "guid": "{0CCE9217-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Account Lockout failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000054", + "ruleID": "SV_220755r569187_rule", + "checkid": "C-22487r554801_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\n\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Account Lockout - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Account Lockout\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nProcess creation records events related to the creation of a process and the source.", + "fixid": "F-22476r554802_fix", + "iacontrols": "null" + }, + { + "id": "V_220756", + "guid": "{0cce9249-69ae-11d9-bed3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Group Membership successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000060", + "ruleID": "SV_220756r569187_rule", + "checkid": "C-22470r554750_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Group Membership - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Group Membership\\\\ with \\\\Success\\\\ selected.", + "description": "Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.", + "fixid": "F-22459r554751_fix", + "iacontrols": "null" + }, + { + "id": "V_220757", + "guid": "{0CCE9216-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Logoff successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000065", + "ruleID": "SV_220757r569187_rule", + "checkid": "C-22463r554729_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Logoff - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Logoff\\\\ with \\\\Success\\\\ selected.", + "description": "Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\\\n\\\\nAccounts with the \\\\Force shutdown from a remote system\\\\ user right can remotely shut down a system which could result in a DoS.", + "fixid": "F-22452r554730_fix", + "iacontrols": "null" + }, + { + "id": "V_220758", + "guid": "{0CCE9215-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Logon failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000070", + "ruleID": "SV_220758r569187_rule", + "checkid": "C-22464r554732_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Logon - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Logon\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nLogoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.", + "fixid": "F-22453r554733_fix", + "iacontrols": "null" + }, + { + "id": "V_220759", + "guid": "{0CCE9215-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Logon successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000075", + "ruleID": "SV_220759r569187_rule", + "checkid": "C-22472r554756_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Logon - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Logon\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nEnabling PowerShell Transcription will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system.", + "fixid": "F-22461r554757_fix", + "iacontrols": "null" + }, + { + "id": "V_220760", + "guid": "{0CCE921B-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Logon/Logoff - Special Logon successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000080", + "ruleID": "SV_220760r569187_rule", + "checkid": "C-22471r554753_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nLogon/Logoff >> Special Logon - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\\Audit Special Logon\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nLogon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.", + "fixid": "F-22460r554754_fix", + "iacontrols": "null" + }, + { + "id": "V_220761", + "guid": "{0CCE9244-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Object Access - File Share failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000081", + "ruleID": "SV_220761r569187_rule", + "checkid": "C-22468r554744_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n\\\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\n\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following:\\\\n\\\\nObject Access >> File Share - Failure\\\\n\\\\nIf the system does not audit the above, this is a finding.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit File Share\\\\ with \\\\Failure\\\\ selected.", + "description": "Microsoft has implemented a variety of security support providers for use with RPC sessions. All of the options must be enabled to ensure the maximum security level.", + "fixid": "F-22457r554745_fix", + "iacontrols": "null" + }, + { + "id": "V_220762", + "guid": "{0CCE9244-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Object Access - File Share successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000082", + "ruleID": "SV_220762r569187_rule", + "checkid": "C-22467r554741_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n\\\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following:\\\\n\\\\nObject Access >> File Share - Success\\\\n\\\\nIf the system does not audit the above, this is a finding.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit File Share\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$.", + "fixid": "F-22456r554742_fix", + "iacontrols": "null" + }, + { + "id": "V_220763", + "guid": "{0CCE9227-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Object Access - Other Object Access Events successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000083", + "ruleID": "SV_220763r569187_rule", + "checkid": "C-22466r554738_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n\\\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\n\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following:\\\\n\\\\nObject Access >> Other Object Access Events - Success\\\\n\\\\nIf the system does not audit the above, this is a finding.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit Other Object Access Events\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAuditing file shares records events related to connection to shares on a system including system shares such as C$.", + "fixid": "F-22455r554739_fix", + "iacontrols": "null" + }, + { + "id": "V_220764", + "guid": "{0CCE9227-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Object Access - Other Object Access Events failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000084", + "ruleID": "SV_220764r569187_rule", + "checkid": "C-22465r554735_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n\\\\nOpen PowerShell or a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\n\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following:\\\\n\\\\nObject Access >> Other Object Access Events - Failure\\\\n\\\\nIf the system does not audit the above, this is a finding.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit Other Object Access Events\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAuditing for other object access records events related to the management of task scheduler jobs and COM+ objects.", + "fixid": "F-22454r554736_fix", + "iacontrols": "null" + }, + { + "id": "V_220765", + "guid": "{0CCE9245-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Object Access - Removable Storage failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000085", + "ruleID": "SV_220765r569187_rule", + "checkid": "C-22474r554762_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nObject Access >> Removable Storage - Failure\\\\n\\\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit Removable Storage\\\\ with \\\\Failure\\\\ selected.", + "description": "Basic authentication uses plain text passwords that could be used to compromise a system.", + "fixid": "F-22463r554763_fix", + "iacontrols": "null" + }, + { + "id": "V_220766", + "guid": "{0CCE9245-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Object Access - Removable Storage successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000090", + "ruleID": "SV_220766r569187_rule", + "checkid": "C-22485r554795_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nObject Access >> Removable Storage - Success\\\\n\\\\nSome virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\\\Audit Removable Storage\\\\ with \\\\Success\\\\ selected.", + "description": "Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.\\\\n\\\\nAccounts with the \\\\Create global objects\\\\ user right can create objects that are available to all sessions, which could affect processes in other users' sessions.", + "fixid": "F-22474r554796_fix", + "iacontrols": "null" + }, + { + "id": "V_220767", + "guid": "{0CCE922F-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Policy Change - Audit Policy Change successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000100", + "ruleID": "SV_220767r569187_rule", + "checkid": "C-22469r554747_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nPolicy Change >> Audit Policy Change - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\\Audit Audit Policy Change\\\\ with \\\\Success\\\\ selected.", + "description": "Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.", + "fixid": "F-22458r554748_fix", + "iacontrols": "null" + }, + { + "id": "V_220768", + "guid": "{0CCE922F-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Policy Change - Authentication Policy Change successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000105", + "ruleID": "SV_220768r569187_rule", + "checkid": "C-22473r554759_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nPolicy Change >> Authentication Policy Change - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\\Audit Authentication Policy Change\\\\ with \\\\Success\\\\ selected.", + "description": "Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.", + "fixid": "F-22462r554760_fix", + "iacontrols": "null" + }, + { + "id": "V_220769", + "guid": "{0CCE9231-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Policy Change - Authorization Policy Change successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000107", + "ruleID": "SV_220769r569187_rule", + "checkid": "C-22483r554789_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\n-Open a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\n-Enter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding.\\\\n\\\\nPolicy Change >> Authorization Policy Change - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\\\Audit Authorization Policy Change\\\\ with \\\\Success\\\\ selected.", + "description": "Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. By default, autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. If you enable this policy, you can also disable autoplay on all drives.", + "fixid": "F-22472r554790_fix", + "iacontrols": "null" + }, + { + "id": "V_220770", + "guid": "{0CCE9228-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000110", + "ruleID": "SV_220770r569187_rule", + "checkid": "C-22484r554792_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nPrivilege Use >> Sensitive Privilege Use - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\\\Audit Sensitive Privilege Use\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAuthorization Policy Change records events related to changes in user rights, such as Create a token object.", + "fixid": "F-22473r554793_fix", + "iacontrols": "null" + }, + { + "id": "V_220771", + "guid": "{0CCE9228-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000115", + "ruleID": "SV_220771r569187_rule", + "checkid": "C-22477r554771_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nPrivilege Use >> Sensitive Privilege Use - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> \\\\Audit Sensitive Privilege Use\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\\\Act as part of the operating system\\\\ or \\\\Debug programs\\\\.", + "fixid": "F-22466r554772_fix", + "iacontrols": "null" + }, + { + "id": "V_220772", + "guid": "{0CCE9213-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - IPSec Driver failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000120", + "ruleID": "SV_220772r569187_rule", + "checkid": "C-22478r554774_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> IPSec Driver - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit IPSec Driver\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSensitive Privilege Use records events related to use of sensitive privileges, such as \\\\Act as part of the operating system\\\\ or \\\\Debug programs\\\\.", + "fixid": "F-22467r554775_fix", + "iacontrols": "null" + }, + { + "id": "V_220773", + "guid": "{0CCE9214-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - Other System Events successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000130", + "ruleID": "SV_220773r569187_rule", + "checkid": "C-22475r554765_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> Other System Events - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit Other System Events\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nIPSec Driver records events related to the IPSec Driver such as dropped packets.", + "fixid": "F-22464r554766_fix", + "iacontrols": "null" + }, + { + "id": "V_220774", + "guid": "{0CCE9214-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - Other System Events failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000135", + "ruleID": "SV_220774r569187_rule", + "checkid": "C-22476r554768_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective. \\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> Other System Events - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit Other System Events\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service.", + "fixid": "F-22465r554769_fix", + "iacontrols": "null" + }, + { + "id": "V_220775", + "guid": "{0CCE9210-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - Security State Change successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000140", + "ruleID": "SV_220775r569187_rule", + "checkid": "C-22481r554783_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> Security State Change - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit Security State Change\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nAudit Other System Events records information related to cryptographic key operations and the Windows Firewall service.", + "fixid": "F-22470r554784_fix", + "iacontrols": "null" + }, + { + "id": "V_220776", + "guid": "{0CCE9210-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - Security System Extension successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000150", + "ruleID": "SV_220776r569187_rule", + "checkid": "C-22482r554786_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> Security System Extension - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit Security System Extension\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSecurity State Change records events related to changes in the security state, such as startup and shutdown of the system.", + "fixid": "F-22471r554787_fix", + "iacontrols": "null" + }, + { + "id": "V_220777", + "guid": "{0CCE9212-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - System Integrity failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000155", + "ruleID": "SV_220777r569187_rule", + "checkid": "C-22479r554777_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> System Integrity - Failure", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit System Integrity\\\\ with \\\\Failure\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSecurity System Extension records events related to extension code being loaded by the security subsystem.", + "fixid": "F-22468r554778_fix", + "iacontrols": "null" + }, + { + "id": "V_220778", + "guid": "{0CCE9212-69AE-11D9-BED3-505054503030}", + "title": "The system must be configured to audit System - System Integrity successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000160", + "ruleID": "SV_220778r569187_rule", + "checkid": "C-22480r554780_chk", + "checktext": "Security Option \\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\\ must be set to \\\\Enabled\\\\ (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\\\n\\\\nUse the AuditPol tool to review the current Audit Policy configuration:\\\\nOpen a Command Prompt with elevated privileges (\\\\Run as Administrator\\\\).\\\\nEnter \\\\AuditPol /get /category:*\\\\.\\\\n\\\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\\\n\\\\nSystem >> System Integrity - Success", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> \\\\Audit System Integrity\\\\ with \\\\Success\\\\ selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\\\n\\\\nSystem Integrity records events related to violations of integrity to the security subsystem.", + "fixid": "F-22469r554781_fix", + "iacontrols": "null" + }, + { + "id": "V_220785", + "guid": "{0CCE9234-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Other Policy Change Events Successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000550", + "ruleID": "SV_220785r569187_rule", + "checkid": "C-22500r554840_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Other Policy Change Events - Success\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\" with \\\"Success\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.", + "fixid": "F-22489r554841_fix", + "iacontrols": "null" + }, + { + "id": "V_220786", + "guid": "{0CCE9234-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Other Policy Change Events Failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000555", + "ruleID": "SV_220786r569187_rule", + "checkid": "C-22501r554843_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> Other Policy Change Events - Failure\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> \\\"Audit Other Policy Change Events\\\" with \\\"Failure\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.", + "fixid": "F-22490r554844_fix", + "iacontrols": "null" + }, + { + "id": "V_220787", + "guid": "{0CCE921C-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit other Logon/Logoff Events Successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000560", + "ruleID": "SV_220787r569187_rule", + "checkid": "C-22502r554846_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Other Logon/Logoff Events - Success\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\" with \\\"Success\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks.", + "fixid": "F-22491r554847_fix", + "iacontrols": "null" + }, + { + "id": "V_220788", + "guid": "{0CCE921C-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit other Logon/Logoff Events Failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000565", + "ruleID": "SV_220788r569187_rule", + "checkid": "C-22503r554849_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nLogon/Logoff >> Other Logon/Logoff Events - Failure\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> \\\"Audit Other Logon/Logoff Events\\\" with \\\"Failure\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks.", + "fixid": "F-22492r554850_fix", + "iacontrols": "null" + }, + { + "id": "V_220789", + "guid": "{0CCE9244-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit Detailed File Share Failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000570", + "ruleID": "SV_220789r569187_rule", + "checkid": "C-22504r554852_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nObject Access >> Detailed File Share - Failure\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> \\u201cDetailed File Share\\\" with \\\"Failure\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.\\nThe Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.", + "fixid": "F-22493r554853_fix", + "iacontrols": "null" + }, + { + "id": "V_220790", + "guid": "{0CCE9232-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.", + "parameter": "Success", + "subcat_eng": "success", + "subcat_es": "acierto", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000575", + "ruleID": "SV_220790r569187_rule", + "checkid": "C-22505r554855_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> MPSSVC Rule-Level Policy Change - Success\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\u201cAudit MPSSVC Rule-Level Policy Change\\\" with \\\"Success\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ", + "fixid": "F-22494r554856_fix", + "iacontrols": "null" + }, + { + "id": "V_220791", + "guid": "{0CCE9232-69AE-11D9-BED3-505054503030}", + "title": "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.", + "parameter": "Failure", + "subcat_eng": "failure", + "subcat_es": "errores", + "value": "enable", + "date": "2021-08-18", + "severity": "medium", + "version": "WN10-AU-000580", + "ruleID": "SV_220791r569187_rule", + "checkid": "C-22506r554858_chk", + "checktext": "Security Option \\\"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\\\" must be set to \\\"Enabled\\\" (WN10-SO-000030) for the detailed auditing subcategories to be effective.\\n\\nUse the AuditPol tool to review the current Audit Policy configuration:\\nOpen a Command Prompt with elevated privileges (\\\"Run as Administrator\\\").\\nEnter \\\"AuditPol /get /category:*\\\".\\n\\nCompare the AuditPol settings with the following. If the system does not audit the following, this is a finding:\\n\\nPolicy Change >> MPSSVC Rule-Level Policy Change - Failure\\n", + "fixtext": "Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> \\u201cAudit MPSSVC Rule-Level Policy Change\\\" with \\\"Failure\\\" selected.", + "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.\\n\\nAudit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ", + "fixid": "F-22495r554859_fix", + "iacontrols": "null" } ] \ No newline at end of file