Skip to content
Log In

CCI-001090

Prevent unauthorized and unintended information transfer via shared system resources.

Verify that All World-Writable Directories Have Sticky Bits Set

35 rules found Severity: Medium

Logo

Restrict Access to Kernel Message Buffer

23 rules found Severity: Low

Logo

Disallow kernel profiling by unprivileged users

18 rules found Severity: Low

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud document and data synchronization).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud Keychain).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (My Photo Stream).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (managed applications data stored in iCloud).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must not allow backup to remote systems (enterprise books).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 15 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

Google Android 12 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Google Android 12 must be configured to not allow backup of [all applications, configuration data] to remote systems.

2 rules found Severity: Medium

Logo

Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.

14 rules found Severity: Medium

Logo

Access to database files must be limited to relevant processes and to authorized, administrative users.

12 rules found Severity: Medium

Logo

The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL.

1 rule found Severity: Medium

Logo

Microsoft Android 11 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Microsoft Android 11 must be configured to not allow backup of all applications and configuration data to remote systems.

2 rules found Severity: Medium

Logo

Nutanix AOS must be configured to restrict public directories.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 16 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must restrict access to the kernel message buffer.

2 rules found Severity: Low

Logo

MongoDB must prevent unauthorized and unintended information transfer via shared system resources.

3 rules found Severity: Medium

Logo

The DBMS must prevent unauthorized and unintended information transfer via shared system resources.

3 rules found Severity: Medium

Logo

The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.

2 rules found Severity: Medium

Logo

DBMS backup and restoration files must be protected from unauthorized access.

2 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.

1 rule found Severity: Low

Logo

Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems.

1 rule found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications, configuration data to locally connected systems.

1 rule found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems. - Disable Data Sync Framework

1 rule found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications' configuration data to locally connected systems.

1 rule found Severity: Medium

Logo

Samsung Android's Work profile must be configured to not allow backup of [all applications, configuration data] to remote systems. - Disable Data Sync Framework

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 17 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud).

1 rule found Severity: Medium

Logo

A BIND 9.x server implementation must be running in a chroot(ed) directory structure.

1 rule found Severity: Low

Logo

IDMS must prevent unauthorized and unintended information transfer via database buffers.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

The DNS server implementation must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data transfer policy.

1 rule found Severity: Medium

Logo

Google Android 14 must be configured to not allow backup of all work profile applications to remote systems.

1 rule found Severity: Medium

Logo

Google Android 13 must be configured to not allow backup of all work profile applications to remote systems.

1 rule found Severity: Medium

Logo

Access to MarkLogic Server files must be limited to relevant processes and to authorized, administrative users.

1 rule found Severity: Medium

Logo

Azure SQL Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.

1 rule found Severity: Medium

Logo

All containers must be restricted from acquiring additional privileges.

1 rule found Severity: Medium

Logo

Host IPC namespace must not be shared.

1 rule found Severity: Medium

Logo

Non-system-created file shares on a system must limit access to groups that require it.

2 rules found Severity: Medium

Logo

Solicited Remote Assistance must not be allowed.

2 rules found Severity: High

Logo

Local drives must be prevented from sharing with Remote Desktop Session Hosts.

3 rules found Severity: Medium

Logo

Anonymous enumeration of shares must be restricted.

2 rules found Severity: High

Logo

Anonymous access to Named Pipes and Shares must be restricted.

3 rules found Severity: High

Logo

Data files owned by users must be on a different logical partition from the directory server data files.

1 rule found Severity: Medium

Logo

Anonymous enumeration of shares must not be allowed.

1 rule found Severity: High

Logo

The Oracle Linux operating system must restrict access to the kernel message buffer.

1 rule found Severity: Low

Logo

Redis Enterprise DBMS must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

SLEM 5 must restrict access to the kernel message buffer.

1 rule found Severity: Medium

Logo

The sticky bit must be set on all SLEM 5 world-writable directories.

1 rule found Severity: Medium

Logo

Samsung Android's Work profile must be configured to not allow backup of all applications, configuration data to remote systems.- Disable Data Sync Framework.

2 rules found Severity: Medium

Logo

TOSS must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

Ensure All World-Writable Directories Are Owned by root User

13 rules found Severity: Medium

Logo

A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud document and data synchronization).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud Keychain).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (Cloud Photo Library).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (managed applications data stored in iCloud).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must not allow backup to remote systems (enterprise books).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices.

1 rule found Severity: Medium

Logo

The macOS system must ensure System Integrity Protection is enabled.

1 rule found Severity: High

Logo

Ubuntu 22.04 LTS must restrict access to the kernel message buffer.

1 rule found Severity: Low

Logo

Applications must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must restrict access to the kernel message buffer.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users.

1 rule found Severity: Medium

Logo

Any AlmaLinux OS 9 world-writable directories must be owned by root, sys, bin, or an application user.

1 rule found Severity: Medium

Logo

A sticky bit must be set on all AlmaLinux OS 9 public directories.

1 rule found Severity: Medium

Logo

The container platform must prohibit containers from accessing privileged resources.

1 rule found Severity: Medium

Logo

The container platform must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

Google Android 13 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Google Android 13 must be configured to not allow backup of [all applications, configuration data] to remote systems.

2 rules found Severity: Medium

Logo

Google Android 13 must allow only the Administrator (MDM) to perform the following management function: Disable Phone Hub.

2 rules found Severity: Low

Logo

Google Android 14 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Google Android 14 must be configured to not allow backup of [all applications, configuration data] to remote systems.

2 rules found Severity: Medium

Logo

Google Android 14 must allow only the administrator (MDM) to perform the following management function: Disable Phone Hub.

2 rules found Severity: Low

Logo

Google Android 15 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Google Android 15 must be configured to not allow backup of [all applications, configuration data] to remote systems.

2 rules found Severity: Medium

Logo

Google Android 15 must allow only the administrator (MDM) to perform the following management function: Disable Phone Hub.

2 rules found Severity: Low

Logo

Operating systems must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.

1 rule found Severity: Medium

Logo

IBM z/OS sensitive and critical system data sets must not exist on shared DASD.

2 rules found Severity: Medium

Logo

The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.

1 rule found Severity: Medium

Logo

IBM z/OS sensitive and critical system data sets must not exist on shared DASDs.

1 rule found Severity: Medium

Logo

The CA-TSS AUTOERASE Control Option must be set to ALL for all systems.

1 rule found Severity: Medium

Logo

MariaDB must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

SQL Server must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).

1 rule found Severity: Medium

Logo

Non system-created file shares on a system must limit access to groups that require it.

1 rule found Severity: Medium

Logo

Windows Server 2019 non-system-created file shares must limit access to groups that require it.

1 rule found Severity: Medium

Logo

Windows Server 2019 Remote Desktop Services must prevent drive redirection.

1 rule found Severity: Medium

Logo

Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not allow anonymous enumeration of shares.

1 rule found Severity: High

Logo

Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.

1 rule found Severity: High

Logo

Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled.

1 rule found Severity: Medium

Logo

Windows Server 2022 nonsystem-created file shares must limit access to groups that require it.

1 rule found Severity: Medium

Logo

Windows Server 2022 Remote Desktop Services must prevent drive redirection.

1 rule found Severity: Medium

Logo

Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not allow anonymous enumeration of shares.

1 rule found Severity: High

Logo

Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.

1 rule found Severity: High

Logo

A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

OL 8 must restrict access to the kernel message buffer.

1 rule found Severity: Low

Logo

OL 8 must prevent kernel profiling by unprivileged users.

1 rule found Severity: Low

Logo

Prisma Cloud Compute must prevent unauthorized and unintended information transfer.

1 rule found Severity: Medium

Logo

Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.

1 rule found Severity: Medium

Logo

OpenShift must disable virtual syscalls.

1 rule found Severity: Medium

Logo

OpenShift must enable poisoning of SLUB/SLAB objects.

1 rule found Severity: Medium

Logo

OpenShift must set the sticky bit for world-writable directories.

1 rule found Severity: Medium

Logo

OpenShift must restrict access to the kernel buffer.

1 rule found Severity: Medium

Logo

OpenShift must prevent kernel profiling.

1 rule found Severity: Medium

Logo

Container images instantiated by OpenShift must execute using least privileges.

1 rule found Severity: High

Logo

A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

1 rule found Severity: Medium

Logo

RHEL 9 must restrict access to the kernel message buffer.

1 rule found Severity: Medium

Logo

RHEL 9 must prevent kernel profiling by nonprivileged users.

1 rule found Severity: Medium

Logo

RHEL 8 must restrict access to the kernel message buffer.

1 rule found Severity: Low

Logo

RHEL 8 must prevent kernel profiling by unprivileged users.

1 rule found Severity: Low

Logo

All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.

1 rule found Severity: Medium

Logo

A sticky bit must be set on all RHEL 9 public directories.

1 rule found Severity: Medium

Logo

The sticky bit must be set on all SUSE operating system world-writable directories.

2 rules found Severity: Medium

Logo

The SUSE operating system must restrict access to the kernel message buffer.

2 rules found Severity: Low

Logo

Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.

6 rules found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems. (This requirement applies to the Work Profile for COPE.) - Disable Data Sync Framework.

2 rules found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. - Disable Backup Services.

3 rules found Severity: Medium

Logo

The Samsung Android device must be configured to perform the following management function: Disable Phone Hub.

4 rules found Severity: Low

Logo

Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems. - Disable Data Sync Framework.

1 rule found Severity: Medium

Logo

Samsung Android's Work profile must be configured to not allow backup of all applications, configuration data to remote systems. - Disable Data Sync Framework.

1 rule found Severity: Medium

Logo

Samsung Android must be configured to not allow backup of all applications, configuration data to remote systems.- Disable Data Sync Framework.

1 rule found Severity: Medium

Logo

The VMM must prevent unauthorized and unintended information transfer via shared system resources.

1 rule found Severity: Medium

Logo

The Photon operating system must restrict access to the kernel message buffer.

2 rules found Severity: Medium

Logo

Zebra Android 13 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.

2 rules found Severity: Medium

Logo

Zebra Android 13 must be configured to not allow backup of [all applications, configuration data] to remote systems.

2 rules found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo