CCI-002233

Record Events When Privileged Executables Are Run

Install the pam_apparmor Package

Ensure AppArmor is Active and Configured

Apple iOS/iPadOS 15 must not allow non-DoD applications to access DoD data.

The application must execute without excessive account permissions.

IDMS must restrict the use of code that provides elevated privileges to specific instances.

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

Google Android 12 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software.

Microsoft Android 11 must be configured to disable exceptions to the access control policy that prevent application processes from accessing all data stored by other application processes.

Azure SQL Database must restrict execution of stored procedures and functions that utilize [execute as] to necessary cases only.

Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.

Prisma Cloud Compute must prevent unauthorized and unintended information transfer.

Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes.

Apple iOS/iPadOS 16 must not allow non-DOD applications to access DOD data.

Apple iOS/iPadOS 16 must not allow DOD applications to access non-DOD data.

Apple iOS/iPadOS 17 must not allow non-DOD applications to access DOD data.

Apple iOS/iPadOS 16 must not allow non-DoD applications to access DoD data.

The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only.

Container images instantiated by the container platform must execute using least privileges.

Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

The operating system must prevent all software from executing at higher privilege levels than users executing the software.

NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

IBM z/OS UNIX resources must be protected in accordance with security requirements.

IBM RACF batch jobs must be properly secured.

IBM RACF batch jobs must be protected with propagation control.

The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF).

The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF).

The CA-TSS SUBACID Control Option must be set to U,8.

CA-TSS must use propagation control to eliminate ACID inheritance.

IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID.

IBM z/OS surrogate users must be controlled in accordance with proper security requirements.

The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.

Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only.

Use of credentials and proxies must be restricted to necessary cases only.

Execution of startup stored procedures must be restricted to necessary cases only.

The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.

Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Container images instantiated by OpenShift must execute using least privileges.

The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.

The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.

SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.

RHEL 9 must audit uses of the "execve" system call.

Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes.

The VMM must prevent all software from executing at higher privilege levels than users executing the software.

The Photon operating system must be configured to audit the execution of privileged functions.

Apple iOS/iPadOS 17 must not allow DOD applications to access non-DOD data.

Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

Dragos Platforms must limit privileges and not allow the ability to run shell.

Google Android 15 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

The zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and audited.

All containers must be restricted from acquiring additional privileges.

All containers must be restricted to mounting the root filesystem as read only.

The default seccomp profile must not be disabled.

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

MKE users must not have permissions to create containers or pods that share the host user namespace.

Use of privileged Linux containers must be limited to system containers.

SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

The TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

Apple iOS/iPadOS 18 must not allow non-DOD applications to access DOD data.