CCI-002233

Prevent the organization-defined software from executing at higher privilege levels than users executing the software.

18 rules found Severity: Medium

8 rules found Severity: Medium

10 rules found Severity: Medium

1 rule found Severity: Medium

11 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

CCI-002233

Record Events When Privileged Executables Are Run

Install the pam_apparmor Package

Ensure AppArmor is Active and Configured

Apple iOS/iPadOS 15 must not allow non-DoD applications to access DoD data.

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

Google Android 12 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

Microsoft Android 11 must be configured to disable exceptions to the access control policy that prevent application processes from accessing all data stored by other application processes.

Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.

Apple iOS/iPadOS 16 must not allow non-DOD applications to access DOD data.

Apple iOS/iPadOS 16 must not allow DOD applications to access non-DOD data.

The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only.

Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes.

Apple iOS/iPadOS 17 must not allow non-DOD applications to access DOD data.

Apple iOS/iPadOS 17 must not allow DOD applications to access non-DOD data.

Apple iOS/iPadOS 16 must not allow non-DoD applications to access DoD data.

IDMS must restrict the use of code that provides elevated privileges to specific instances.

Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.

All containers must be restricted from acquiring additional privileges.

All containers must be restricted to mounting the root filesystem as read only.

The default seccomp profile must not be disabled.

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

MKE users must not have permissions to create containers or pods that share the host user namespace.

Use of privileged Linux containers must be limited to system containers.

Azure SQL Database must restrict execution of stored procedures and functions that utilize [execute as] to necessary cases only.

SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes.

The TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

NixOS must prevent all software from executing at higher privilege levels than users executing the software.

Apple iOS/iPadOS 18 must not allow non-DOD applications to access DOD data.

The application must execute without excessive account permissions.

Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

AlmaLinux OS 9 must audit uses of the "execve" system call.

Container images instantiated by the container platform must execute using least privileges.

Dragos Platforms must limit privileges and not allow the ability to run shell.

Google Android 15 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

The operating system must prevent all software from executing at higher privilege levels than users executing the software.

The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited.

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

IBM RACF batch jobs must be properly secured.

IBM RACF batch jobs must be protected with propagation control.

The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF).

The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF).

IBM z/OS UNIX resources must be protected in accordance with security requirements.

IBM z/OS surrogate users must be controlled in accordance with proper security requirements.

The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.

The CA-TSS SUBACID Control Option must be set to U,8.

CA-TSS must use propagation control to eliminate ACID inheritance.

IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID.

The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software.

Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only.

Use of credentials and proxies must be restricted to necessary cases only.

Execution of startup stored procedures must be restricted to necessary cases only.

Prisma Cloud Compute must prevent unauthorized and unintended information transfer.

The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.

Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Container images instantiated by OpenShift must execute using least privileges.

The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.

The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.

RHEL 9 must audit uses of the "execve" system call.

SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.

The VMM must prevent all software from executing at higher privilege levels than users executing the software.

The Photon operating system must be configured to audit the execution of privileged functions.

Zebra Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].