CCI-001499
Limit privileges to change software resident within software libraries.
18 rules found Severity: Medium
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
14 rules found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Low
The FortiGate device must limit privileges to change the software resident within software libraries.
1 rule found Severity: Medium
1 rule found Severity: Medium
The DataPower Gateway must limit privileges to change the software resident within software libraries.
1 rule found Severity: Medium
DB2 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to DB2.
1 rule found Severity: Medium
The OS must limit privileges to change the DB2 software resident within software libraries (including privileged programs).
1 rule found Severity: Medium
1 rule found Severity: Medium
Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
2 rules found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to DB2, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
The WebSphere Application Server users in a local user registry group must be authorized for that group.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be owned by database/DBMS principals authorized for ownership.
2 rules found Severity: Medium
In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized.
1 rule found Severity: Medium
In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF.
1 rule found Severity: Medium
SQL Server security-relevant configuration settings must be monitored to discover unauthorized changes.
1 rule found Severity: Medium
Software, applications, and configuration files that are part of, or related to, the SQL Server installation must be monitored to discover unauthorized changes.
1 rule found Severity: Medium
1 rule found Severity: Medium
Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
1 rule found Severity: Low
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users.
2 rules found Severity: Medium
Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
1 rule found Severity: Medium
All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
3 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
1 rule found Severity: Medium
1 rule found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
3 rules found Severity: High
Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
5 rules found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be restricted to authorized users.
2 rules found Severity: Medium
MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB.
2 rules found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.
2 rules found Severity: Medium
Database software, applications, and configuration files must be monitored to discover unauthorized changes.
2 rules found Severity: Medium
Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
2 rules found Severity: Medium
1 rule found Severity: Medium
Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
2 rules found Severity: Medium
PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL.
2 rules found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users.
2 rules found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership.
2 rules found Severity: Medium
3 rules found Severity: High
Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications.
2 rules found Severity: Medium
Software, applications, and configuration files that are part of, or related to, the Postgres Plus Advanced Server installation must be monitored to discover unauthorized changes.
1 rule found Severity: Medium
EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.
2 rules found Severity: Medium
The EDB Postgres Advanced Server software installation account must be restricted to authorized users.
2 rules found Severity: High
Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
2 rules found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.
1 rule found Severity: Medium
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
1 rule found Severity: Medium
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
1 rule found Severity: Medium
Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
1 rule found Severity: Medium
The online debugger which can change programs and storage in the CA IDMS address space must be secured.
1 rule found Severity: Medium
CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
PostgreSQL must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to PostgreSQL.
1 rule found Severity: Medium
Database software, including PostgreSQL configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
1 rule found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/PostgreSQL principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to PostgreSQL, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
The Cisco switch must be configured to limit privileges to change the software resident within software libraries.
2 rules found Severity: Medium
Software, applications, and configuration files that are part of, or related to, the EDB Postgres Advanced Server installation must be monitored to discover unauthorized changes.
1 rule found Severity: Medium
Database objects must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure and logic modules must be restricted to authorized users.
1 rule found Severity: Medium
1 rule found Severity: Medium
AIX device files and directories must only be writable by users with a system account or as configured by the vendor.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
The Juniper EX switch must be configured to limit privileges to change the software resident within software libraries.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
1 rule found Severity: Medium
1 rule found Severity: Medium
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1 rule found Severity: High
MarkLogic Server must limit privileges to change software modules, including stored procedures, functions, and triggers, and links to software external to the DBMS.
1 rule found Severity: Medium
1 rule found Severity: Medium
MarkLogic Server software, including configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
1 rule found Severity: Medium
MarkLogic Server objects (including but not limited to indexes, storage, functions, triggers, links to software external to the server, etc.) must be owned by database/MarkLogic Server principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to indexes, storage, etc.) and logic modules (functions, triggers, links to software external to the MarkLogic Server, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to Azure SQL Database, etc.) must be owned by database/Azure SQL Database principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to Azure SQL Database, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
1 rule found Severity: Medium
The MySQL Database Server 8.0 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the MySQL Database Server 8.0.
1 rule found Severity: Medium
1 rule found Severity: Medium
Database software, including MySQL Database Server 8.0 configuration files, must be stored in dedicated directories, or DASD pools (remove), separate from the host OS and other applications.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MySQL Database Server 8.0, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
Redis Enterprise DBMS must limit privileges to change software modules; to include stored procedures, functions, and triggers, and links to software external to Redis Enterprise DBMS.
1 rule found Severity: Medium
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to Redis Enterprise DBMS, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The application server must limit privileges to change the software resident within software libraries.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The Cisco router must be configured to limit privileges to change the software resident within software libraries.
2 rules found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The DBMS must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
1 rule found Severity: Medium
2 rules found Severity: High
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/DBMS principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low
1 rule found Severity: High
CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
1 rule found Severity: High
CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: Medium
CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
1 rule found Severity: Medium
1 rule found Severity: High
CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium
CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: High
2 rules found Severity: High
1 rule found Severity: High
IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
1 rule found Severity: High
IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
1 rule found Severity: Medium
1 rule found Severity: Medium
IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: High
IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium
3 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
The Juniper router must be configured to limit privileges to change the software resident within software libraries.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: High
CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: High
CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
1 rule found Severity: Low
1 rule found Severity: Medium
CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
1 rule found Severity: Medium
CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
1 rule found Severity: Medium
1 rule found Severity: Medium
CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies.
1 rule found Severity: Medium
The Mainframe Product must limit privileges to change Mainframe Product started task and job datasets to system programmers and authorized users in accordance with applicable access control policies.
1 rule found Severity: Medium
The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals.
1 rule found Severity: Medium
MariaDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
1 rule found Severity: Medium
1 rule found Severity: High
Database software, including MariaDB configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
1 rule found Severity: Medium
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MariaDB, etc.) must be owned by database/MariaDB principals authorized for ownership.
1 rule found Severity: Medium
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MariaDB, etc.) must be restricted to authorized users.
1 rule found Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers.
1 rule found Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server.
1 rule found Severity: Medium
SQL Server must limit privileges to change software modules and links to software external to SQL Server.
1 rule found Severity: Medium
SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: High
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
1 rule found Severity: Medium
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
The vCenter ESX Agent Manager service must limit privileges for creating or modifying hosted application shared files.
2 rules found Severity: Medium
The vCenter Lookup service must limit privileges for creating or modifying hosted application shared files.
2 rules found Severity: Medium
The vCenter Perfcharts service must limit privileges for creating or modifying hosted application shared files.
2 rules found Severity: Medium
The vCenter STS service must limit privileges for creating or modifying hosted application shared files.
2 rules found Severity: Medium
The vCenter UI service must limit privileges for creating or modifying hosted application shared files.
2 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
3 rules found Severity: Medium
NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.
3 rules found Severity: Medium
3 rules found Severity: Medium
IBM Communications Server Simple Mail Transfer Protocol (CSSMTP) STC data sets must be properly protected.
3 rules found Severity: Medium
3 rules found Severity: Medium
ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements.
1 rule found Severity: Medium
3 rules found Severity: Medium
MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
3 rules found Severity: Medium
WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.
3 rules found Severity: Medium
3 rules found Severity: Medium
Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
1 rule found Severity: High