CCI-001084
Isolate security functions from nonsecurity functions.
Rule
Severity: High
Ensure SELinux State is Enforcing
11
Rule
Severity: Medium
Disable vsyscalls
11
Rule
Severity: Medium
Enable page allocator poisoning
11
Rule
Severity: Medium
Enable SLUB/SLAB allocator poisoning
13
Rule
Severity: Low
Install policycoreutils Package
1
Rule
Severity: Medium
Ensure sudo group has only necessary members
6
Rule
Severity: Medium
The Apache web server document directory must be in a separate partition from the Apache web servers system files.
2
Rule
Severity: Medium
The application must isolate security functions from non-security functions.
2
Rule
Severity: Medium
CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.
1
Rule
Severity: Medium
DB2 must isolate security functions from non-security functions.
1
Rule
Severity: Medium
CA VM:Secure must have a security group for Security Administrators only.
2
Rule
Severity: Medium
The Mainframe Product must isolate security functions from nonsecurity functions.
2
Rule
Severity: Medium
The Azure SQL Database must isolate security functions from nonsecurity functions.
1
Rule
Severity: Medium
SQL Server must isolate security functions from nonsecurity functions.
1
Rule
Severity: Medium
Nutanix AOS must be configured to run SELinux Policies.
1
Rule
Severity: Medium
Nutanix AOS must be configured to use SELinux Enforcing mode.
1
Rule
Severity: Medium
OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.
1
Rule
Severity: Medium
OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.
2
Rule
Severity: Medium
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
2
Rule
Severity: Medium
The SDN controller must be configured to isolate security functions from non-security functions.
1
Rule
Severity: Medium
The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.
5
Rule
Severity: Medium
The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.
4
Rule
Severity: Medium
The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
1
Rule
Severity: High
The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.
2
Rule
Severity: High
The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.
3
Rule
Severity: Medium
PostgreSQL must isolate security functions from non-security functions.
2
Rule
Severity: Medium
The container platform runtime must isolate security functions from non-security functions.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must isolate security functions from nonsecurity functions.
2
Rule
Severity: Medium
The DBMS must isolate security functions from non-security functions.
2
Rule
Severity: Medium
The operating system must isolate security functions from nonsecurity functions.
2
Rule
Severity: Medium
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
2
Rule
Severity: High
CA-TSS security data sets and/or databases must be properly protected.
2
Rule
Severity: High
ACF2 security data sets and/or databases must be properly protected.
2
Rule
Severity: High
The IBM RACF System REXX IRRPWREX security data set must be properly protected.
2
Rule
Severity: High
IBM RACF security data sets and/or databases must be properly protected.
2
Rule
Severity: High
Kubernetes Kubelet must enable kernel protection.
1
Rule
Severity: Medium
MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
1
Rule
Severity: Medium
The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on.
1
Rule
Severity: Medium
Protected Mode must be enforced (Internet zone).
1
Rule
Severity: Medium
Protected Mode must be enforced (Restricted Sites zone).
1
Rule
Severity: Medium
Internet Explorer Processes for Zone Elevation must be enforced (Reserved).
1
Rule
Severity: Medium
Internet Explorer Processes for Zone Elevation must be enforced (Explorer).
1
Rule
Severity: Medium
Internet Explorer Processes for Zone Elevation must be enforced (iexplore).
2
Rule
Severity: Medium
The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.
2
Rule
Severity: Low
SQL Server must isolate security functions from non-security functions.
6
Rule
Severity: Medium
Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
6
Rule
Severity: Medium
Administrator accounts must not be enumerated during elevation.
2
Rule
Severity: Medium
User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
6
Rule
Severity: Medium
User Account Control must be configured to detect application installations and prompt for elevation.
6
Rule
Severity: Medium
User Account Control must only elevate UIAccess applications that are installed in secure locations.
6
Rule
Severity: Medium
User Account Control must virtualize file and registry write failures to per-user locations.
2
Rule
Severity: Medium
User Account Control must prompt administrators for consent on the secure desktop.
2
Rule
Severity: Medium
UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
2
Rule
Severity: Medium
User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
2
Rule
Severity: Medium
Windows Server 2019 administrator accounts must not be enumerated during elevation.
2
Rule
Severity: Medium
Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
2
Rule
Severity: Medium
Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
2
Rule
Severity: Medium
Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
2
Rule
Severity: Medium
Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
2
Rule
Severity: Medium
Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
2
Rule
Severity: Medium
Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
2
Rule
Severity: Medium
Windows Server 2022 administrator accounts must not be enumerated during elevation.
2
Rule
Severity: Medium
Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
2
Rule
Severity: Medium
Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
2
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
2
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
2
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
2
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
1
Rule
Severity: Medium
The DBMS must isolate security functions from non-security functions by means of separate security domains.
3
Rule
Severity: Medium
Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
2
Rule
Severity: Medium
The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
2
Rule
Severity: Medium
OL 8 must use a Linux Security Module configured to enforce limits on system services.
2
Rule
Severity: Low
OL 8 must have the "policycoreutils" package installed.
2
Rule
Severity: Medium
OL 8 must clear the page allocator to prevent use-after-free attacks.
2
Rule
Severity: Medium
OL 8 must disable virtual syscalls.
2
Rule
Severity: Medium
OL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must isolate security functions from non-security functions.
2
Rule
Severity: Medium
Rancher RKE2 runtime must isolate security functions from nonsecurity functions.
2
Rule
Severity: Medium
OpenShift runtime must isolate security functions from nonsecurity functions.
2
Rule
Severity: Medium
RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
2
Rule
Severity: Low
RHEL 8 must have policycoreutils package installed.
2
Rule
Severity: Medium
The Automation Controller NGINX web server document directory must be in a separate partition from the web server's system files.
2
Rule
Severity: Medium
RHEL 8 must clear the page allocator to prevent use-after-free attacks.
2
Rule
Severity: Medium
RHEL 8 must disable virtual syscalls.
2
Rule
Severity: Medium
RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.
2
Rule
Severity: Medium
RHEL 9 must disable virtual system calls.
2
Rule
Severity: Medium
RHEL 9 must clear the page allocator to prevent use-after-free attacks.
2
Rule
Severity: Medium
RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
2
Rule
Severity: High
RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
2
Rule
Severity: Medium
RHEL 9 must have policycoreutils package installed.
2
Rule
Severity: Medium
The VMM must isolate security functions from non-security functions.
3
Rule
Severity: Medium
The vCenter Server user roles must be verified.
1
Rule
Severity: Medium
VMware Postgres must not allow schema access to unauthorized accounts.
1
Rule
Severity: Medium
The vCenter Server users must have the correct roles assigned.
2
Rule
Severity: Medium
The web server document directory must be in a separate partition from the web servers system files.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must isolate security functions from non-security functions.
1
Rule
Severity: High
Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group.
1
Rule
Severity: Medium
PostgreSQL must isolate security functions from nonsecurity functions.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
MKE must enable kernel protection.
1
Rule
Severity: Low
SLEM 5 must have policycoreutils package installed.
1
Rule
Severity: High
SLEM 5 must use a Linux Security Module configured to enforce limits on system services.
1
Rule
Severity: Medium
TOSS must use a Linux Security Module configured to enforce limits on system services.
1
Rule
Severity: Low
TOSS must have policycoreutils package installed.