Capacity
CCI-002165
Enforce organization-defined discretionary access control policies over defined subjects and objects.
22
Rule
Severity: Medium
Ensure All Files Are Owned by a Group
30
Rule
Severity: Medium
Enable Kernel Parameter to Enforce DAC on Hardlinks
30
Rule
Severity: Medium
Enable Kernel Parameter to Enforce DAC on Symlinks
30
Rule
Severity: High
Ensure SELinux State is Enforcing
18
Rule
Severity: Medium
Ensure All Files Are Owned by a User
4
Rule
Severity: Medium
Confine SELinux Users To Roles That Conform To Least Privilege
4
Rule
Severity: Medium
Elevate The SELinux Context When An Administrator Calls The Sudo Command
18
Rule
Severity: Medium
Configure SELinux Policy
10
Rule
Severity: Medium
Map System Users To The Appropriate SELinux Role
13
Rule
Severity: Medium
Disable the ssh_sysadm_login SELinux Boolean
3
Rule
Severity: Medium
Ensure AppArmor is installed
3
Rule
Severity: Medium
Install the pam_apparmor Package
5
Rule
Severity: Medium
Ensure AppArmor is Active and Configured
2
Rule
Severity: Medium
The application must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1
Rule
Severity: Medium
If the HP FlexFabric Switch uses discretionary access control, the HP FlexFabric Switch must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
If the HYCU Server or Web UI uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
2
Rule
Severity: Medium
The Mainframe Product must enforce organization-defined discretionary access control policies over defined subjects and objects.
2
Rule
Severity: Medium
Azure SQL Database must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
Changing permissions on rights managed content for users must be enforced.
2
Rule
Severity: Medium
Office must be configured to not allow read with browsers.
2
Rule
Severity: Medium
If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
1
Rule
Severity: Medium
Nutanix AOS must enforce discretionary access control on symlinks and hardlinks.
6
Rule
Severity: Medium
Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
6
Rule
Severity: Medium
The ability to uninstall the Tanium Client service must be disabled on all managed clients.
6
Rule
Severity: Medium
The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
4
Rule
Severity: Medium
The Tanium Server directory must be restricted with appropriate permissions.
2
Rule
Severity: Medium
The Tanium Server http directory and sub-directories must be restricted with appropriate permissions.
4
Rule
Severity: Medium
The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
4
Rule
Severity: Medium
The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
2
Rule
Severity: Medium
The Tanium Server http directory and subdirectories must be restricted with appropriate permissions.
1
Rule
Severity: Low
Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The Ubuntu operating system must be configured to use AppArmor.
4
Rule
Severity: Medium
PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
The DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
The operating system must allow operating system admins to pass information to any other operating system admin or user.
2
Rule
Severity: Medium
The operating system must allow operating system admins to grant their privileges to other operating system admins.
2
Rule
Severity: Medium
The operating system must allow operating system admins to change security attributes on users, the operating system, or the operating systems components.
2
Rule
Severity: Medium
AIX must use Trusted Execution (TE) Check policy.
2
Rule
Severity: Medium
AIX must allow admins to send a message to all the users who logged in currently.
2
Rule
Severity: Medium
AIX must allow admins to send a message to a user who logged in currently.
2
Rule
Severity: Medium
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
2
Rule
Severity: Medium
MariaDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects, and objects.
2
Rule
Severity: Medium
MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Low
SQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
4
Rule
Severity: Medium
Permissions for system files and directories must conform to minimum requirements.
2
Rule
Severity: High
Only accounts responsible for the administration of a system must have Administrator rights on the system.
2
Rule
Severity: Medium
Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.
2
Rule
Severity: Medium
Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
2
Rule
Severity: Medium
Permissions for program file directories must conform to minimum requirements.
2
Rule
Severity: Medium
Permissions for the Windows installation directory must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2019 permissions for program file directories must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2022 permissions for program file directories must conform to minimum requirements.
2
Rule
Severity: Medium
Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements.
1
Rule
Severity: Medium
The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
3
Rule
Severity: Medium
Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
3
Rule
Severity: Medium
A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
2
Rule
Severity: Medium
The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The Oracle Linux operating system must enable SELinux.
2
Rule
Severity: Medium
The Oracle Linux operating system must enable the SELinux targeted policy.
2
Rule
Severity: Medium
The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow privileged accounts to utilize SSH.
2
Rule
Severity: Medium
The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
2
Rule
Severity: Medium
OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.
2
Rule
Severity: Medium
OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
Redis Enterprise DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
Redis Enterprise DBMS must enforce access control lists, as defined by the data owner, over defined subjects and objects.
2
Rule
Severity: Medium
RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
2
Rule
Severity: Medium
RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must enable SELinux.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
2
Rule
Severity: Medium
RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
2
Rule
Severity: Medium
RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
2
Rule
Severity: Medium
The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.
2
Rule
Severity: Medium
All SUSE operating system files and directories must have a valid owner.
2
Rule
Severity: Medium
All SUSE operating system files and directories must have a valid group owner.
2
Rule
Severity: Medium
SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
2
Rule
Severity: Medium
RHEL 9 must restrict the use of the "su" command.
2
Rule
Severity: Medium
The VMM must implement discretionary access controls to allow VMM admins to pass information to any other VMM admin, user, or guest VM.
2
Rule
Severity: Medium
The VMM must implement discretionary access controls to allow VMM admins to grant their privileges to other VMM admins.
2
Rule
Severity: Medium
The VMM must implement discretionary access controls to allow VMM admins to change security attributes on users, guest VMs, the VMM, or the VMMs components.
2
Rule
Severity: Medium
The VMM must implement discretionary access controls to allow VMM admins to choose the security attributes to be associated with newly created or revised guest VMs.
1
Rule
Severity: Medium
EDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must have the "apparmor" package installed.
1
Rule
Severity: Medium
MongoDB must enforce discretionary access control (DAC) policies, as defined by the data owner, over defined subjects and objects.
1
Rule
Severity: High
SLEM 5 must use a Linux Security Module configured to enforce limits on system services.
1
Rule
Severity: Medium
TOSS must enable kernel parameters to enforce discretionary access control on symlinks.
1
Rule
Severity: Medium
TOSS must enable kernel parameters to enforce discretionary access control on hardlinks.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules