Skip to content
Log In

CCI-001084

Isolate security functions from nonsecurity functions.

Ensure SELinux State is Enforcing

35 rules found Severity: High

Logo

Disable vsyscalls

13 rules found Severity: Medium

Logo

Enable page allocator poisoning

15 rules found Severity: Medium

Logo

Enable SLUB/SLAB allocator poisoning

15 rules found Severity: Medium

Logo

Install policycoreutils Package

15 rules found Severity: Low

Logo

Ensure sudo group has only necessary members

2 rules found Severity: Medium

Logo

DB2 must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

CA VM:Secure must have a security group for Security Administrators only.

1 rule found Severity: Medium

Logo

SQL Server must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

Nutanix AOS must be configured to run SELinux Policies.

1 rule found Severity: Medium

Logo

Nutanix AOS must be configured to use SELinux Enforcing mode.

1 rule found Severity: Medium

Logo

OHS must have the DocumentRoot directive set to a separate partition from the OHS system files.

1 rule found Severity: Medium

Logo

OHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.

1 rule found Severity: Medium

Logo

The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.

1 rule found Severity: Medium

Logo

The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.

4 rules found Severity: Medium

Logo

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

3 rules found Severity: Medium

Logo

The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.

1 rule found Severity: High

Logo

MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

1 rule found Severity: Medium

Logo

The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on.

1 rule found Severity: Medium

Logo

Protected Mode must be enforced (Internet zone).

1 rule found Severity: Medium

Logo

Protected Mode must be enforced (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Zone Elevation must be enforced (Reserved).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Zone Elevation must be enforced (Explorer).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Zone Elevation must be enforced (iexplore).

1 rule found Severity: Medium

Logo

The DBMS must isolate security functions from non-security functions by means of separate security domains.

1 rule found Severity: Medium

Logo

Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.

2 rules found Severity: Medium

Logo

PostgreSQL must isolate security functions from non-security functions.

2 rules found Severity: Medium

Logo

The EDB Postgres Advanced Server must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.

1 rule found Severity: High

Logo

PostgreSQL must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

The EDB Postgres Advanced Server must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.

1 rule found Severity: Medium

Logo

Kubernetes Kubelet must enable kernel protection.

1 rule found Severity: High

Logo

The Azure SQL Database must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

MKE must enable kernel protection.

1 rule found Severity: Medium

Logo

The IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.

1 rule found Severity: Medium

Logo

Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.

3 rules found Severity: Medium

Logo

Administrator accounts must not be enumerated during elevation.

3 rules found Severity: Medium

Logo

User Account Control must prompt administrators for consent on the secure desktop.

1 rule found Severity: Medium

Logo

User Account Control must be configured to detect application installations and prompt for elevation.

3 rules found Severity: Medium

Logo

User Account Control must only elevate UIAccess applications that are installed in secure locations.

3 rules found Severity: Medium

Logo

User Account Control must virtualize file and registry write failures to per-user locations.

3 rules found Severity: Medium

Logo

UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.

1 rule found Severity: Medium

Logo

User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

The Automation Controller NGINX web server document directory must be in a separate partition from the web server's system files.

1 rule found Severity: Medium

Logo

The SDN controller must be configured to isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

SLEM 5 must have policycoreutils package installed.

1 rule found Severity: Low

Logo

SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: High

Logo

TOSS must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: Medium

Logo

TOSS must have policycoreutils package installed.

1 rule found Severity: Low

Logo

The web server document directory must be in a separate partition from the web servers system files.

1 rule found Severity: Medium

Logo

The Apache web server document directory must be in a separate partition from the Apache web servers system files.

3 rules found Severity: Medium

Logo

The application must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must have the policycoreutils package installed.

1 rule found Severity: Medium

Logo

The container platform runtime must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

The DBMS must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

1 rule found Severity: Medium

Logo

The operating system must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

ACF2 security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

The IBM RACF System REXX IRRPWREX security data set must be properly protected.

1 rule found Severity: High

Logo

IBM RACF security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

CA-TSS security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

The Mainframe Product must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

SQL Server must isolate security functions from non-security functions.

1 rule found Severity: Low

Logo

Windows Server 2019 administrator accounts must not be enumerated during elevation.

1 rule found Severity: Medium

Logo

Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.

1 rule found Severity: Medium

Logo

Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.

1 rule found Severity: Medium

Logo

Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.

1 rule found Severity: Medium

Logo

Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.

1 rule found Severity: Medium

Logo

Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.

1 rule found Severity: Medium

Logo

Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.

1 rule found Severity: Medium

Logo

User Account Control must, at minimum, prompt administrators for consent on the secure desktop.

1 rule found Severity: Medium

Logo

Windows Server 2022 administrator accounts must not be enumerated during elevation.

1 rule found Severity: Medium

Logo

Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.

1 rule found Severity: Medium

Logo

The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.

1 rule found Severity: Medium

Logo

Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.

1 rule found Severity: Medium

Logo

Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.

1 rule found Severity: Medium

Logo

Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.

1 rule found Severity: Medium

Logo

Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.

1 rule found Severity: Medium

Logo

Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.

1 rule found Severity: Medium

Logo

Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.

1 rule found Severity: Medium

Logo

OL 8 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: Medium

Logo

OL 8 must have the "policycoreutils" package installed.

1 rule found Severity: Low

Logo

OL 8 must clear the page allocator to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

OL 8 must disable virtual syscalls.

1 rule found Severity: Medium

Logo

OL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

Rancher RKE2 runtime must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

OpenShift runtime must isolate security functions from nonsecurity functions.

1 rule found Severity: Medium

Logo

RHEL 8 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: Medium

Logo

RHEL 8 must have policycoreutils package installed.

1 rule found Severity: Low

Logo

RHEL 9 must disable virtual system calls.

1 rule found Severity: Medium

Logo

RHEL 9 must clear the page allocator to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

RHEL 8 must clear the page allocator to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

RHEL 8 must disable virtual syscalls.

1 rule found Severity: Medium

Logo

RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.

1 rule found Severity: Medium

Logo

RHEL 9 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: High

Logo

RHEL 9 must have policycoreutils package installed.

1 rule found Severity: Medium

Logo

The VMM must isolate security functions from non-security functions.

1 rule found Severity: Medium

Logo

The vCenter Server user roles must be verified.

2 rules found Severity: Medium

Logo

VMware Postgres must not allow schema access to unauthorized accounts.

1 rule found Severity: Medium

Logo

The vCenter Server users must have the correct roles assigned.

1 rule found Severity: Medium

Logo