Catalogs
Reference Schemes
CCI: Control Correlation Identifier
CCI-001812

CCI-001812

The information system prohibits user installation of software without explicit privileged status.

Details
Associations

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

4 rules found Severity: Medium

Ensure No Device Files are Unlabeled by SELinux

4 rules found Severity: Medium

Uninstall tftp-server Package

6 rules found Severity: High

Disable GSSAPI Authentication

7 rules found Severity: Medium

Disable Kerberos Authentication

7 rules found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

1 rule found Severity: Medium

The FortiGate device must prohibit installation of software without explicit privileged status.

1 rule found Severity: Medium

DB2 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

The IBM z/VM Privilege command class A and Class B must be properly assigned.

1 rule found Severity: Medium

Exchange application directory must be protected from unauthorized access.

1 rule found Severity: Medium

The Exchange application directory must be protected from unauthorized access.

6 rules found Severity: Medium

SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

2 rules found Severity: Medium

Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.

1 rule found Severity: Medium

The Tanium application must prohibit user installation of software without explicit privileged status.

4 rules found Severity: Medium

MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

3 rules found Severity: Medium

PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status.

2 rules found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.

1 rule found Severity: Medium

The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.

1 rule found Severity: High

The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

2 rules found Severity: Medium

The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.

1 rule found Severity: Medium

The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.

1 rule found Severity: Medium

PostgreSQL must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.

1 rule found Severity: Medium

The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status.

1 rule found Severity: Medium

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.

1 rule found Severity: High

URLs must be allowlisted for plugin use if used.

1 rule found Severity: Low

Azure SQL Database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

Users must be prevented from changing installation options.

5 rules found Severity: Medium

The Windows Installer feature "Always install with elevated privileges" must be disabled.

2 rules found Severity: High

The Windows Installer Always install with elevated privileges option must be disabled.

1 rule found Severity: High

The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

The macOS system must prohibit user installation of software into /users/.

1 rule found Severity: Medium

The application must prohibit user installation of software without explicit privileged status.

1 rule found Severity: Medium

Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals.

1 rule found Severity: Medium

The Juniper router must be configured to prohibit installation of software without explicit privileged status.

1 rule found Severity: Medium

The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.

1 rule found Severity: Medium

MariaDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

1 rule found Severity: Medium

The Windows Installer Always install with elevated privileges must be disabled.

2 rules found Severity: High

Windows Server 2019 must prevent users from changing installation options.

1 rule found Severity: Medium

Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.

1 rule found Severity: High

Windows Server 2022 must prevent users from changing installation options.

1 rule found Severity: Medium

Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.

1 rule found Severity: High

Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.

1 rule found Severity: Medium

OpenShift RBAC access controls must be enforced.

1 rule found Severity: High

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.

1 rule found Severity: High

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High