Capacity
CCI-001764
Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.
27
Rule
Severity: Medium
Add nodev Option to /dev/shm
27
Rule
Severity: Medium
Add nosuid Option to /dev/shm
17
Rule
Severity: Medium
Add noexec Option to /dev/shm
17
Rule
Severity: Medium
Add nodev Option to /tmp
16
Rule
Severity: Medium
Add noexec Option to /tmp
17
Rule
Severity: Medium
Add nosuid Option to /tmp
13
Rule
Severity: Medium
Add nodev Option to /var/log/audit
13
Rule
Severity: Medium
Add noexec Option to /var/log/audit
13
Rule
Severity: Medium
Add nosuid Option to /var/log/audit
13
Rule
Severity: Medium
Add nodev Option to /var/log
15
Rule
Severity: Medium
Add noexec Option to /var/log
15
Rule
Severity: Medium
Add nosuid Option to /var/log
17
Rule
Severity: Medium
Add nodev Option to /var/tmp
17
Rule
Severity: Medium
Add noexec Option to /var/tmp
17
Rule
Severity: Medium
Add nosuid Option to /var/tmp
8
Rule
Severity: Medium
Install fapolicyd Package
7
Rule
Severity: Medium
Enable the File Access Policy Service
6
Rule
Severity: Medium
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
3
Rule
Severity: Medium
Ensure AppArmor is installed
3
Rule
Severity: Medium
Install the pam_apparmor Package
5
Rule
Severity: Medium
Ensure AppArmor is Active and Configured
2
Rule
Severity: Medium
The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
2
Rule
Severity: Medium
Google Android 12 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
6
Rule
Severity: Medium
Google Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
3
Rule
Severity: Medium
Pre-release versions of file formats new to Office Products must be blocked.
1
Rule
Severity: Medium
The opening of pre-release versions of file formats new to Excel 2013 through the Compatibility Pack for Office 2013 and Excel 2013 Converter must be blocked.
1
Rule
Severity: Medium
The opening of pre-release versions of file formats new to PowerPoint 2013 through the Compatibility Pack for Office 2013 and PowerPoint 2013 Converter must be blocked.
1
Rule
Severity: Medium
Nutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and runtime policies must be configured.
2
Rule
Severity: High
Prisma Cloud Compute host compliance baseline policies must be set.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.
4
Rule
Severity: Medium
Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
5
Rule
Severity: Medium
Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
3
Rule
Severity: Medium
The Ubuntu operating system must be configured to use AppArmor.
2
Rule
Severity: Medium
The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
5
Rule
Severity: Medium
Google Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2
Rule
Severity: Medium
The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.
2
Rule
Severity: Medium
AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2
Rule
Severity: Medium
ACF2 MAINT GSO record value if specified must be restricted to production storage management user.
2
Rule
Severity: Medium
ACF2 LINKLST GSO record if specified must only contains trusted system data sets.
2
Rule
Severity: Medium
The IBM z/OS TFTP Server program must be properly protected.
4
Rule
Severity: High
Unsupported IBM z/OS system software must not be installed and/or active on the system.
2
Rule
Severity: Medium
IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries.
2
Rule
Severity: Medium
IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries.
4
Rule
Severity: Medium
The IBM z/OS TFTP server program must be properly protected.
2
Rule
Severity: High
Unsupported system software must not be installed and/ or active on the system.
4
Rule
Severity: Medium
IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.
4
Rule
Severity: Medium
IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.
2
Rule
Severity: Medium
IBM z/OS must specify SMF data options to ensure appropriate activation.
4
Rule
Severity: High
Autoplay must be turned off for non-volume devices.
4
Rule
Severity: High
The default autorun behavior must be configured to prevent autorun commands.
4
Rule
Severity: High
Autoplay must be disabled for all drives.
2
Rule
Severity: High
AutoPlay must be turned off for non-volume devices.
2
Rule
Severity: High
The default AutoRun behavior must be configured to prevent AutoRun commands.
2
Rule
Severity: High
AutoPlay must be disabled for all drives.
2
Rule
Severity: High
Windows Server 2019 Autoplay must be turned off for non-volume devices.
2
Rule
Severity: High
Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
2
Rule
Severity: High
Windows Server 2019 AutoPlay must be disabled for all drives.
2
Rule
Severity: High
Windows Server 2022 Autoplay must be turned off for nonvolume devices.
2
Rule
Severity: High
Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.
2
Rule
Severity: High
Windows Server 2022 AutoPlay must be disabled for all drives.
2
Rule
Severity: Low
The Oracle Linux operating system must mount /dev/shm with secure options.
2
Rule
Severity: Medium
OL 8 must mount "/dev/shm" with the "nodev" option.
2
Rule
Severity: Medium
OL 8 must mount "/dev/shm" with the "nosuid" option.
2
Rule
Severity: Medium
OL 8 must mount "/dev/shm" with the "noexec" option.
2
Rule
Severity: Medium
OL 8 must mount "/tmp" with the "nodev" option.
2
Rule
Severity: Medium
OL 8 must mount "/tmp" with the "nosuid" option.
2
Rule
Severity: Medium
OL 8 must mount "/tmp" with the "noexec" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log" with the "nodev" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log" with the "nosuid" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log" with the "noexec" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log/audit" with the "nodev" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log/audit" with the "nosuid" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/log/audit" with the "noexec" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/tmp" with the "nodev" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/tmp" with the "nosuid" option.
2
Rule
Severity: Medium
OL 8 must mount "/var/tmp" with the "noexec" option.
2
Rule
Severity: Medium
The OL 8 "fapolicy" module must be installed.
2
Rule
Severity: Medium
The OL 8 "fapolicy" module must be enabled.
2
Rule
Severity: Medium
The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2
Rule
Severity: Medium
Rancher RKE2 must be configured with only essential configurations.
2
Rule
Severity: Medium
OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.
2
Rule
Severity: Medium
RHEL 8 must mount /dev/shm with the nodev option.
2
Rule
Severity: Medium
RHEL 8 must mount /dev/shm with the nosuid option.
2
Rule
Severity: Medium
RHEL 8 must mount /dev/shm with the noexec option.
2
Rule
Severity: Medium
RHEL 8 must mount /tmp with the nodev option.
2
Rule
Severity: Medium
RHEL 8 must mount /tmp with the nosuid option.
2
Rule
Severity: Medium
RHEL 8 must mount /tmp with the noexec option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log with the nodev option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log with the nosuid option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log with the noexec option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log/audit with the nodev option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log/audit with the nosuid option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/log/audit with the noexec option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/tmp with the nodev option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/tmp with the nosuid option.
2
Rule
Severity: Medium
RHEL 8 must mount /var/tmp with the noexec option.
2
Rule
Severity: Medium
The RHEL 8 fapolicy module must be installed.
2
Rule
Severity: Medium
The RHEL 8 fapolicy module must be enabled.
2
Rule
Severity: Medium
The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2
Rule
Severity: Medium
RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
2
Rule
Severity: Medium
RHEL 9 must mount /boot with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
2
Rule
Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
2
Rule
Severity: Medium
RHEL 9 must mount /dev/shm with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /dev/shm with the noexec option.
2
Rule
Severity: Medium
RHEL 9 must mount /dev/shm with the nosuid option.
2
Rule
Severity: Medium
RHEL 9 must mount /tmp with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /tmp with the noexec option.
2
Rule
Severity: Medium
RHEL 9 must mount /tmp with the nosuid option.
2
Rule
Severity: Medium
RHEL 9 must mount /var with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log with the noexec option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log with the nosuid option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log/audit with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log/audit with the noexec option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/log/audit with the nosuid option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/tmp with the nodev option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/tmp with the noexec option.
2
Rule
Severity: Medium
RHEL 9 must mount /var/tmp with the nosuid option.
2
Rule
Severity: Medium
RHEL 9 must disable the graphical user interface autorun function unless required.
2
Rule
Severity: Medium
SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
2
Rule
Severity: Medium
RHEL 9 fapolicy module must be installed.
2
Rule
Severity: Medium
RHEL 9 fapolicy module must be enabled.
4
Rule
Severity: Medium
The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
1
Rule
Severity: Medium
Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
1
Rule
Severity: Medium
Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
2
Rule
Severity: Medium
The VMM must prevent use of service and helper VMs not required to support proper VMM function.
2
Rule
Severity: Medium
The VMM must prevent inappropriate use of redundant guest VMs.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have the "apparmor" package installed.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured to use AppArmor.
1
Rule
Severity: Medium
For Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.
1
Rule
Severity: Medium
For Impact Level 6, the Mission Owner must process connection approval to the SIPRNet through the DISA classified connection approval process.
1
Rule
Severity: Medium
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must remove orphaned or unused virtual machine (VM) instances.
1
Rule
Severity: High
Dragos Platforms must limit privileges and not allow the ability to run shell.
2
Rule
Severity: Medium
Google Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
1
Rule
Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules