CCI-001812
The information system prohibits user installation of software without explicit privileged status.
29
Rule
Severity: Medium
Disable GSSAPI Authentication
29
Rule
Severity: Medium
Disable Kerberos Authentication
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
15
Rule
Severity: High
Uninstall tftp-server Package
2
Rule
Severity: Medium
The application must prohibit user installation of software without explicit privileged status.
2
Rule
Severity: Medium
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
2
Rule
Severity: Medium
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1
Rule
Severity: Medium
The FortiGate device must prohibit installation of software without explicit privileged status.
2
Rule
Severity: Medium
Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals.
1
Rule
Severity: Medium
DB2 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: Medium
The IBM z/VM Privilege command class A and Class B must be properly assigned.
2
Rule
Severity: Medium
The Juniper router must be configured to prohibit installation of software without explicit privileged status.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.
1
Rule
Severity: Medium
The Mainframe product must prohibit user installation of software without explicit privileged status.
2
Rule
Severity: Medium
Azure SQL Database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: Low
URLs must be whitelisted for plugin use if used.
1
Rule
Severity: Medium
Exchange application directory must be protected from unauthorized access.
7
Rule
Severity: Medium
The Exchange application directory must be protected from unauthorized access.
3
Rule
Severity: Medium
SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: Medium
The network device must prohibit installation of software without explicit privileged status.
1
Rule
Severity: Medium
The SDN controller must be configured to prohibit user installation of software without explicit privileged status.
1
Rule
Severity: Medium
Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.
5
Rule
Severity: Medium
The Tanium application must prohibit user installation of software without explicit privileged status.
1
Rule
Severity: Medium
The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.
1
Rule
Severity: Medium
The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
2
Rule
Severity: Medium
The macOS system must prohibit user installation of software into /users/.
3
Rule
Severity: Medium
PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status.
1
Rule
Severity: Medium
The container platform must prohibit the installation of patches and updates without explicit privileged status.
1
Rule
Severity: High
The container platform runtime must prohibit the instantiation of container images without explicit privileged status.
1
Rule
Severity: Medium
The container platform registry must prohibit installation or modification of container images without explicit privileged status.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: Medium
The DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: Medium
The operating system must prohibit user installation of system software without explicit privileged status.
2
Rule
Severity: Medium
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
1
Rule
Severity: Medium
CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
3
Rule
Severity: High
IBM z/OS SYS1.PARMLIB must be properly protected.
1
Rule
Severity: Medium
CA-TSS access to SYS1.LINKLIB must be properly protected.
1
Rule
Severity: Medium
IBM RACF access to SYS1.LINKLIB must be properly protected.
1
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status.
2
Rule
Severity: Medium
MariaDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
3
Rule
Severity: Medium
MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
8
Rule
Severity: Medium
Users must be prevented from changing installation options.
3
Rule
Severity: High
The Windows Installer Always install with elevated privileges must be disabled.
3
Rule
Severity: High
The Windows Installer feature "Always install with elevated privileges" must be disabled.
2
Rule
Severity: High
The Windows Installer Always install with elevated privileges option must be disabled.
3
Rule
Severity: Medium
Windows Server 2019 must prevent users from changing installation options.
3
Rule
Severity: High
Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
3
Rule
Severity: Medium
Windows Server 2022 must prevent users from changing installation options.
3
Rule
Severity: High
Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
2
Rule
Severity: Medium
Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
2
Rule
Severity: Medium
Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.
2
Rule
Severity: High
OpenShift RBAC access controls must be enforced.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
1
Rule
Severity: Medium
The VMM must prohibit user installation of software without explicit privileged status.
1
Rule
Severity: Medium
PostgreSQL must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
1
Rule
Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1
Rule
Severity: Low
URLs must be allowlisted for plugin use if used.
1
Rule
Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.