Skip to content
ATO Pathways
  Log In

CCI-001499

Limit privileges to change software resident within software libraries.

Logo
29

Rule

Severity: Medium
Verify that Shared Library Directories Have Root Ownership
Logo
29

Rule

Severity: Medium
Verify that Shared Library Directories Have Restrictive Permissions
Logo
29

Rule

Severity: Medium
Verify that System Executables Have Root Ownership
Logo
29

Rule

Severity: Medium
Verify that Shared Library Files Have Root Ownership
Logo
29

Rule

Severity: Medium
Verify that System Executables Have Restrictive Permissions
Logo
29

Rule

Severity: Medium
Verify that Shared Library Files Have Restrictive Permissions
Logo
11

Rule

Severity: Medium
Verify that Shared Library Directories Have Root Group Ownership
Logo
11

Rule

Severity: Medium
Verify that system commands files are group owned by root or a system account
Logo
11

Rule

Severity: Medium
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
Logo
2

Rule

Severity: Medium
Verify that system commands directories have root as a group owner
Logo
2

Rule

Severity: Medium
Verify that system commands directories have root ownership
Logo
2

Rule

Severity: Medium
Verify that system commands are protected from unauthorized access
Logo
1

Rule

Severity: Medium
OS commands and libraries must have the proper permissions to protect from unauthorized access
Logo
1

Rule

Severity: Low
Adobe Acrobat Pro DC Continuous Default Handler changes must be disabled.
Logo
1

Rule

Severity: Low
Adobe Reader DC must disable the ability to change the Default Handler.
Logo
2

Rule

Severity: Medium
The application server must limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
The applications must limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.
Logo
2

Rule

Severity: Medium
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
Logo
2

Rule

Severity: Medium
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
Logo
2

Rule

Severity: Medium
Databases must be secured to protect from structural changes.
Logo
2

Rule

Severity: Medium
Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
Logo
2

Rule

Severity: Medium
The online debugger which can change programs and storage in the CA IDMS address space must be secured.
Logo
2

Rule

Severity: Medium
CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.
Logo
1

Rule

Severity: Medium
The FortiGate device must limit privileges to change the software resident within software libraries.
Logo
1

Rule

Severity: Medium
CounterACT must limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
Forescout must limit privileges to change the modules and OSs resident within software libraries.
Logo
1

Rule

Severity: Medium
The DataPower Gateway must limit privileges to change the software resident within software libraries.
Logo
1

Rule

Severity: Medium
DB2 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to DB2.
Logo
1

Rule

Severity: Medium
The OS must limit privileges to change the DB2 software resident within software libraries (including privileged programs).
Logo
1

Rule

Severity: Medium
The DB2 software installation account must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
Logo
1

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership.
Logo
1

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to DB2, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The WebSphere Liberty Server must protect software libraries from unauthorized access.
Logo
1

Rule

Severity: Medium
The WebSphere Application Server users in a local user registry group must be authorized for that group.
Logo
1

Rule

Severity: Medium
The IBM z/VM must restrict link access to the disk on which system software resides.
Logo
2

Rule

Severity: Medium
mgmt-users.properties file permissions must be set to allow access to authorized users only.
Logo
2

Rule

Severity: Medium
The Juniper router must be configured to limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies.
Logo
2

Rule

Severity: Medium
The Mainframe Product must limit privileges to change Mainframe Product started task and job datasets to system programmers and authorized users in accordance with applicable access control policies.
Logo
2

Rule

Severity: Medium
The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals.
Logo
2

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to Azure SQL Database, etc.) must be owned by database/Azure SQL Database principals authorized for ownership.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to Azure SQL Database, etc.) must be restricted to authorized users.
Logo
1

Rule

Severity: Medium
SQL Server must be monitored to discover unauthorized changes to functions.
Logo
1

Rule

Severity: Medium
SQL Server must be monitored to discover unauthorized changes to triggers.
Logo
1

Rule

Severity: Medium
SQL Server must be monitored to discover unauthorized changes to stored procedures.
Logo
3

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership.
Logo
1

Rule

Severity: Medium
In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized.
Logo
1

Rule

Severity: Medium
In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF.
Logo
1

Rule

Severity: Medium
SQL Server security-relevant configuration settings must be monitored to discover unauthorized changes.
Logo
1

Rule

Severity: Medium
Software, applications, and configuration files that are part of, or related to, the SQL Server installation must be monitored to discover unauthorized changes.
Logo
1

Rule

Severity: Medium
SQL Server software installation account(s) must be restricted to authorized users.
Logo
1

Rule

Severity: Low
Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
Logo
3

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The network device must limit privileges to change the software resident within software libraries.
Logo
1

Rule

Severity: Medium
Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
Logo
2

Rule

Severity: Medium
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
Logo
2

Rule

Severity: High
Prisma Cloud Compute host compliance baseline policies must be set.
Logo
2

Rule

Severity: High
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
Logo
4

Rule

Severity: Medium
All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
Logo
2

Rule

Severity: Medium
The UEM server must limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
Tomcat user UMASK must be set to 0027.
Logo
1

Rule

Severity: Medium
The macOS system must enable System Integrity Protection.
Logo
3

Rule

Severity: High
The macOS system must enable System Integrity Protection.
Logo
3

Rule

Severity: High
The macOS system must ensure System Integrity Protection is enabled.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system library files must have mode 0755 or less permissive.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system library directories must have mode 0755 or less permissive.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system library files must be owned by root.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system library directories must be owned by root.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system library files must be group-owned by root.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system library directories must be group-owned by root.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system must have system commands owned by root.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system must have directories that contain system commands owned by root.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system must have system commands group-owned by root or a system account.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system must have directories that contain system commands group-owned by root.
Logo
2

Rule

Severity: Medium
The Ubuntu operating system library files must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
The Ubuntu operating system must have system commands owned by root or a system account.
Logo
3

Rule

Severity: Medium
Privileges to change PostgreSQL software modules must be limited.
Logo
3

Rule

Severity: Medium
PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL.
Logo
3

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership.
Logo
4

Rule

Severity: High
The PostgreSQL software installation account must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications.
Logo
4

Rule

Severity: Medium
The Cisco router must be configured to limit privileges to change the software resident within software libraries.
Logo
4

Rule

Severity: Medium
The Cisco switch must be configured to limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
The container platform must limit privileges to the container platform registry.
Logo
2

Rule

Severity: Medium
The container platform must limit privileges to the container platform runtime.
Logo
2

Rule

Severity: Medium
The container platform must limit privileges to the container platform keystore.
Logo
2

Rule

Severity: Medium
Configuration files for the container platform must be protected.
Logo
2

Rule

Severity: Medium
Authentication files for the container platform must be protected.
Logo
2

Rule

Severity: Medium
Software, applications, and configuration files that are part of, or related to, the EDB Postgres Advanced Server installation must be monitored to discover unauthorized changes.
Logo
3

Rule

Severity: Medium
EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.
Logo
3

Rule

Severity: High
The EDB Postgres Advanced Server software installation account must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
Logo
2

Rule

Severity: Medium
Database objects must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure and logic modules must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The DBMS must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
Logo
4

Rule

Severity: High
The DBMS software installation account must be restricted to authorized users.
Logo
7

Rule

Severity: Medium
Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
Logo
2

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/DBMS principals authorized for ownership.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The operating system must limit privileges to change software resident within software libraries.
Logo
2

Rule

Severity: Medium
All system files, programs, and directories must be owned by a system account.
Logo
2

Rule

Severity: Medium
AIX device files and directories must only be writable by users with a system account or as configured by the vendor.
Logo
2

Rule

Severity: Medium
AIX system files, programs, and directories must be group-owned by a system group.
Logo
2

Rule

Severity: Medium
AIX library files must have mode 0755 or less permissive.
Logo
2

Rule

Severity: Medium
All system command files must not have extended ACLs.
Logo
2

Rule

Severity: Medium
All library files must not have extended ACLs.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
Logo
2

Rule

Severity: Medium
CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only.
Logo
2

Rule

Severity: Medium
CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
Logo
2

Rule

Severity: High
CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
Logo
2

Rule

Severity: Medium
CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
Logo
6

Rule

Severity: High
IBM z/OS SYS1.PARMLIB must be properly protected.
Logo
2

Rule

Severity: Medium
CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
Logo
2

Rule

Severity: Low
CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
Logo
2

Rule

Severity: Medium
CA-TSS access to SYS1.LINKLIB must be properly protected.
Logo
2

Rule

Severity: High
CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
Logo
4

Rule

Severity: High
IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
Logo
2

Rule

Severity: High
CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
Logo
2

Rule

Severity: Low
CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
Logo
2

Rule

Severity: Medium
CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS security data sets and/or databases must be properly protected.
Logo
2

Rule

Severity: Medium
CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
Logo
2

Rule

Severity: Medium
CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
Logo
2

Rule

Severity: Medium
CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
Logo
2

Rule

Severity: High
ACF2 security data sets and/or databases must be properly protected.
Logo
6

Rule

Severity: Medium
IBM z/OS data sets for the Base TCP/IP component must be properly protected.
Logo
4

Rule

Severity: Medium
IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
Logo
4

Rule

Severity: Medium
IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
Logo
6

Rule

Severity: Medium
IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
Logo
6

Rule

Severity: Medium
IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
Logo
6

Rule

Severity: Medium
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
Logo
2

Rule

Severity: Medium
IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected or specified.
Logo
4

Rule

Severity: Medium
IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
Logo
4

Rule

Severity: Medium
IBM z/OS System data sets used to support the VTAM network must be properly secured.
Logo
6

Rule

Severity: Medium
IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
Logo
6

Rule

Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected.
Logo
2

Rule

Severity: High
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
Logo
2

Rule

Severity: Low
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
Logo
2

Rule

Severity: High
IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
Logo
2

Rule

Severity: High
IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
Logo
2

Rule

Severity: High
IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
Logo
2

Rule

Severity: High
IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
Logo
2

Rule

Severity: High
IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
Logo
2

Rule

Severity: Medium
IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
Logo
2

Rule

Severity: Medium
IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
Logo
2

Rule

Severity: High
IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
Logo
2

Rule

Severity: Medium
IBM RACF access to SYS1.LINKLIB must be properly protected.
Logo
2

Rule

Severity: High
The IBM RACF System REXX IRRPWREX security data set must be properly protected.
Logo
2

Rule

Severity: High
IBM RACF security data sets and/or databases must be properly protected.
Logo
2

Rule

Severity: Medium
IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
Logo
2

Rule

Severity: High
CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
Logo
2

Rule

Severity: Medium
IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected.
Logo
2

Rule

Severity: Medium
IBM z/OS System datasets used to support the VTAM network must be properly secured.
Logo
2

Rule

Severity: Medium
IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
Logo
2

Rule

Severity: Medium
IBM z/OS UNIX system file security settings must be properly protected or specified.
Logo
2

Rule

Severity: Medium
IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected.
Logo
2

Rule

Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
Logo
2

Rule

Severity: Medium
The Juniper EX switch must be configured to limit privileges to change the software resident within software libraries.
Logo
2

Rule

Severity: Medium
Kubernetes Kubelet must deny hostname override.
Logo
2

Rule

Severity: Medium
The Kubernetes manifests must be owned by root.
Logo
2

Rule

Severity: Medium
The Kubernetes KubeletConfiguration file must be owned by root.
Logo
2

Rule

Severity: Medium
The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
Logo
2

Rule

Severity: Medium
The Kubernetes manifest files must have least privileges.
Logo
2

Rule

Severity: Medium
MarkLogic Server must limit privileges to change software modules, including stored procedures, functions, and triggers, and links to software external to the DBMS.
Logo
2

Rule

Severity: Medium
MarkLogic Server software installation account must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
MarkLogic Server software, including configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
Logo
2

Rule

Severity: Medium
MarkLogic Server objects (including but not limited to indexes, storage, functions, triggers, links to software external to the server, etc.) must be owned by database/MarkLogic Server principals authorized for ownership.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to indexes, storage, etc.) and logic modules (functions, triggers, links to software external to the MarkLogic Server, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
MariaDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
Logo
2

Rule

Severity: High
The MariaDB software installation account must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
Database software, including MariaDB configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
Logo
2

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MariaDB, etc.) must be owned by database/MariaDB principals authorized for ownership.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MariaDB, etc.) must be restricted to authorized users.
Logo
3

Rule

Severity: High
MongoDB software installation account must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB.
Logo
2

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.
Logo
2

Rule

Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers.
Logo
2

Rule

Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server.
Logo
2

Rule

Severity: Medium
SQL Server must limit privileges to change software modules and links to software external to SQL Server.
Logo
2

Rule

Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
Logo
2

Rule

Severity: High
SQL Server software installation account must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database objects must be owned by accounts authorized for ownership.
Logo
3

Rule

Severity: Medium
Database software, applications, and configuration files must be monitored to discover unauthorized changes.
Logo
3

Rule

Severity: Medium
Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
Logo
1

Rule

Severity: Medium
The DBMS software installation account must be restricted to authorized users.
Logo
3

Rule

Severity: Medium
Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
Logo
3

Rule

Severity: Medium
The DBMS must be protected from unauthorized access by developers.
Logo
3

Rule

Severity: Medium
Administrative privileges must be assigned to database accounts via database roles.
Logo
1

Rule

Severity: Medium
The DBMS must verify there have not been unauthorized changes to the DBMS software and information.
Logo
1

Rule

Severity: Medium
Use of the DBMS software installation account must be restricted.
Logo
3

Rule

Severity: Medium
The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
Logo
2

Rule

Severity: High
Oracle software must be evaluated and patched against newly found vulnerabilities.
Logo
2

Rule

Severity: High
Use of the DBMS software installation account must be restricted.
Logo
2

Rule

Severity: Medium
OL 8 system commands must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
OL 8 system commands must be owned by root.
Logo
2

Rule

Severity: Medium
OL 8 system commands must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
OL 8 library files must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
OL 8 library files must be owned by root.
Logo
2

Rule

Severity: Medium
OL 8 library files must be group-owned by root.
Logo
2

Rule

Severity: Medium
OL 8 library directories must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
OL 8 library directories must be owned by root.
Logo
2

Rule

Severity: Medium
OL 8 library directories must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
The MySQL Database Server 8.0 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the MySQL Database Server 8.0.
Logo
2

Rule

Severity: Medium
The MySQL Database Server 8.0 software installation account must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
Database software, including MySQL Database Server 8.0 configuration files, must be stored in dedicated directories, or DASD pools (remove), separate from the host OS and other applications.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MySQL Database Server 8.0, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.
Logo
2

Rule

Severity: Medium
Redis Enterprise DBMS must limit privileges to change software modules; to include stored procedures, functions, and triggers, and links to software external to Redis Enterprise DBMS.
Logo
2

Rule

Severity: Medium
Redis Enterprise DBMS software installation account must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to Redis Enterprise DBMS, etc.) must be restricted to authorized users.
Logo
2

Rule

Severity: Medium
Configuration and authentication files for Rancher RKE2 must be protected.
Logo
2

Rule

Severity: High
OpenShift RBAC access controls must be enforced.
Logo
2

Rule

Severity: Medium
RHEL 8 system commands must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 8 system commands must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 8 system commands must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
RHEL 8 library files must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 8 library files must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 8 library files must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
RHEL 8 library directories must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 8 library directories must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 8 library directories must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
RHEL 9 system commands must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 9 library directories must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 9 library files must have mode 755 or less permissive.
Logo
2

Rule

Severity: Medium
RHEL 9 system commands must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 9 system commands must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
RHEL 9 library files must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 9 library files must be group-owned by root or a system account.
Logo
2

Rule

Severity: Medium
RHEL 9 library directories must be owned by root.
Logo
2

Rule

Severity: Medium
RHEL 9 library directories must be group-owned by root or a system account.
Logo
4

Rule

Severity: Medium
The SUSE operating system library files must have mode 0755 or less permissive.
Logo
4

Rule

Severity: Medium
The SUSE operating system library directories must have mode 0755 or less permissive.
Logo
4

Rule

Severity: Medium
The SUSE operating system library files must be owned by root.
Logo
4

Rule

Severity: Medium
The SUSE operating system library directories must be owned by root.
Logo
4

Rule

Severity: Medium
The SUSE operating system library files must be group-owned by root.
Logo
4

Rule

Severity: Medium
The SUSE operating system library directories must be group-owned by root.
Logo
2

Rule

Severity: Medium
The SUSE operating system must have system commands set to a mode of 755 or less permissive.
Logo
4

Rule

Severity: Medium
The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
Logo
4

Rule

Severity: Medium
The SUSE operating system must have system commands owned by root.
Logo
4

Rule

Severity: Medium
The SUSE operating system must have directories that contain system commands owned by root.
Logo
4

Rule

Severity: Medium
The SUSE operating system must have system commands group-owned by root or a system account.
Logo
4

Rule

Severity: Medium
The SUSE operating system must have directories that contain system commands group-owned by root.
Logo
2

Rule

Severity: Medium
The SUSE operating system must have system commands set to a mode of 0755 or less permissive.
Logo
2

Rule

Severity: Medium
The VMM must limit privileges to change software resident within software libraries.
Logo
3

Rule

Severity: Medium
The vCenter ESX Agent Manager service must limit privileges for creating or modifying hosted application shared files.
Logo
1

Rule

Severity: Medium
All vCenter database (VCDB) tables must be owned by the "vc" user account.
Logo
1

Rule

Severity: Medium
VMware Postgres must limit modify privileges to authorized accounts.
Logo
3

Rule

Severity: Medium
The vCenter Lookup service must limit privileges for creating or modifying hosted application shared files.
Logo
3

Rule

Severity: Medium
The vCenter Perfcharts service must limit privileges for creating or modifying hosted application shared files.
Logo
6

Rule

Severity: Medium
BMC CONTROL-D STC data sets must be properly protected.
Logo
6

Rule

Severity: Medium
BMC CONTROL-O STC data sets must be properly protected.
Logo
6

Rule

Severity: Medium
BMC IOA STC data sets must be properly protected.
Logo
6

Rule

Severity: Medium
BMC MAINVIEW for z/OS STC data sets are not properly protected.
Logo
6

Rule

Severity: Medium
CA Auditor User data sets are not properly protected.
Logo
6

Rule

Severity: Medium
CA VTAPE STC data sets will be properly protected.
Logo
6

Rule

Severity: Medium
BMC CONTROL-M STC data sets will be properly protected.
Logo
3

Rule

Severity: Medium
The vCenter STS service must limit privileges for creating or modifying hosted application shared files.
Logo
3

Rule

Severity: Medium
The vCenter UI service must limit privileges for creating or modifying hosted application shared files.
Logo
6

Rule

Severity: Medium
CA-1 Tape Management STC data sets must be properly protected.
Logo
6

Rule

Severity: Medium
CA MIM Resource Sharing STC data sets will be properly protected.
Logo
6

Rule

Severity: Medium
CL/SuperSession STC data sets must be properly protected.
Logo
4

Rule

Severity: Medium
Compuware Abend-AID STC data sets must be properly protected.
Logo
2

Rule

Severity: Medium
IBM Communications Server Simple Mail Transfer Protocol (CSSMTP) STC data sets must be properly protected.
Logo
6

Rule

Severity: Medium
NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.
Logo
6

Rule

Severity: Medium
IBM Hardware Configuration Definition (HCD) User data sets are not properly protected.
Logo
2

Rule

Severity: Medium
CICS system data sets are not properly protected.
Logo
2

Rule

Severity: Medium
ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements.
Logo
6

Rule

Severity: Medium
Quest NC-Pass STC data sets will be properly protected.
Logo
6

Rule

Severity: Medium
Tivoli Asset Discovery for zOS (TADz) STC and/or batch data sets are not properly protected.
Logo
6

Rule

Severity: Medium
WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.
Logo
2

Rule

Severity: Medium
IBM Health Checker STC data sets will be properly protected.
Logo
6

Rule

Severity: Medium
NetView STC data sets are not properly protected.
Logo
6

Rule

Severity: Medium
SRRAUDIT User data sets are not properly protected.
Logo
6

Rule

Severity: Medium
ROSCOE STC data sets are not properly protected.
Logo
2

Rule

Severity: Medium
Compuware Abend-AID STC data sets will be properly protected.
Logo
1

Rule

Severity: Medium
Software, applications, and configuration files that are part of, or related to, the Postgres Plus Advanced Server installation must be monitored to discover unauthorized changes.
Logo
1

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.
Logo
1

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be restricted to authorized users.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS must have system commands set to a mode of "755" or less permissive.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS library files must have mode "755" or less permissive.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS must have system commands owned by "root" or a system account.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS must have system commands group-owned by "root" or a system account.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS library directories must be owned by "root".
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS library directories must be group-owned by "root".
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS library files must be owned by "root".
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS library files must be group-owned by "root".
Logo
1

Rule

Severity: Medium
PostgreSQL must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to PostgreSQL.
Logo
1

Rule

Severity: Medium
Database software, including PostgreSQL configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
Logo
1

Rule

Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/PostgreSQL principals authorized for ownership.
Logo
1

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to PostgreSQL, etc.) must be restricted to authorized users.
Logo
1

Rule

Severity: High
Dragos Platforms must limit privileges and not allow the ability to run shell.
Logo
1

Rule

Severity: Medium
Access to zSecure installation data must be properly restricted and logged.
Logo
1

Rule

Severity: Medium
Access to IBM Security zSecure STC data sets must be properly restricted and logged.
Logo
1

Rule

Severity: Medium
IBM Security zSecure access to user data sets must be properly restricted and logged.
Logo
1

Rule

Severity: Medium
In an MSR organization, user permissions and repositories must be configured.
Logo
1

Rule

Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
Logo
1

Rule

Severity: Medium
Swarm Secrets or Kubernetes Secrets must be used.
Logo
1

Rule

Severity: Medium
The role(s)/group(s) used to modify database structure (including but not limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be restricted to authorized users.
Logo
1

Rule

Severity: Medium
SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive.
Logo
1

Rule

Severity: Medium
SLEM 5 must have system commands set to a mode of 755 or less permissive.
Logo
1

Rule

Severity: Medium
SLEM 5 library directories must have mode 755 or less permissive.
Logo
1

Rule

Severity: Medium
SLEM 5 library files must have mode 755 or less permissive.
Logo
1

Rule

Severity: Medium
SLEM 5 library files must be owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 library files must be group-owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 library directories must be owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 library directories must be group-owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 must have system commands owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 must have system commands group-owned by root or a system account.
Logo
1

Rule

Severity: Medium
SLEM 5 must have directories that contain system commands owned by root.
Logo
1

Rule

Severity: Medium
SLEM 5 must have directories that contain system commands group-owned by root.
Logo
1

Rule

Severity: Medium
TOSS must limit privileges to change software resident within software libraries.
Logo
1

Rule

Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.

Patternfly

PatternFly elements

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules