Capacity
CCI-002235
Prevent non-privileged users from executing privileged functions.
4
Rule
Severity: Medium
Confine SELinux Users To Roles That Conform To Least Privilege
4
Rule
Severity: Medium
Elevate The SELinux Context When An Administrator Calls The Sudo Command
10
Rule
Severity: Medium
Map System Users To The Appropriate SELinux Role
13
Rule
Severity: Medium
Disable the ssh_sysadm_login SELinux Boolean
3
Rule
Severity: Medium
Ensure AppArmor is installed
3
Rule
Severity: Medium
Install the pam_apparmor Package
5
Rule
Severity: Medium
Ensure AppArmor is Active and Configured
2
Rule
Severity: High
Update access to the directory schema must be restricted to appropriate accounts.
6
Rule
Severity: Medium
Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
4
Rule
Severity: Medium
The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.
2
Rule
Severity: Medium
IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.
2
Rule
Severity: Medium
IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
4
Rule
Severity: Medium
Google Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
2
Rule
Severity: Medium
Google Android 12 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
2
Rule
Severity: Medium
Users in a reader-role must be authorized.
1
Rule
Severity: High
DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
Sign-on to the ESCD Application Console must be restricted to only authorized personnel.
2
Rule
Severity: Medium
The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
2
Rule
Severity: Medium
Access to the Hardware Management Console must be restricted to only authorized personnel.
2
Rule
Severity: Medium
Automatic Call Answering to the Hardware Management Console must be disabled.
1
Rule
Severity: Medium
The WebSphere Application Server users in the admin role must be authorized.
1
Rule
Severity: Medium
The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.
1
Rule
Severity: Medium
The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.
1
Rule
Severity: Medium
The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.
1
Rule
Severity: Medium
The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.
1
Rule
Severity: Medium
The IBM z/VM ANY Privilege Class must not be listed for privilege commands.
2
Rule
Severity: Medium
The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.
2
Rule
Severity: Low
The mobile operating system must allow only the Administrator (MDM) to perform the following management function: Enable/disable location services.
2
Rule
Severity: Medium
Azure SQL Database must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
4
Rule
Severity: Medium
Connection verification of permissions must be enforced.
1
Rule
Severity: High
SharePoint must prevent non-privileged users from circumventing malicious code protection capabilities.
1
Rule
Severity: Medium
SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: Medium
Nutanix AOS must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: Medium
Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.
2
Rule
Severity: Medium
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
10
Rule
Severity: High
Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
2
Rule
Severity: Medium
All Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
2
Rule
Severity: Medium
$CATALINA_HOME/bin folder permissions must be set to 750.
2
Rule
Severity: Medium
Tomcat user account must be set to nologin.
2
Rule
Severity: Medium
Tomcat user account must be a non-privileged user.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch.
3
Rule
Severity: Medium
The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
The macOS system must require administrator privileges to modify systemwide settings.
1
Rule
Severity: Low
Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The Ubuntu operating system must be configured to use AppArmor.
3
Rule
Severity: High
PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
4
Rule
Severity: Medium
Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
2
Rule
Severity: High
The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.
2
Rule
Severity: Medium
CA-ACF2 allocate access to system user catalogs must be properly protected.
6
Rule
Severity: High
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
2
Rule
Severity: High
IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
2
Rule
Severity: High
CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.
6
Rule
Severity: Medium
IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
2
Rule
Severity: High
CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
2
Rule
Severity: Medium
CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only.
2
Rule
Severity: Medium
CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
2
Rule
Severity: High
CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
2
Rule
Severity: Medium
CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
2
Rule
Severity: Medium
CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: High
CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
2
Rule
Severity: Medium
IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
2
Rule
Severity: Medium
CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
2
Rule
Severity: Medium
ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.
6
Rule
Severity: High
IBM z/OS SYS1.PARMLIB must be properly protected.
2
Rule
Severity: Medium
CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
2
Rule
Severity: Low
CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
4
Rule
Severity: Medium
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
2
Rule
Severity: High
CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
4
Rule
Severity: High
IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
2
Rule
Severity: Low
CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
2
Rule
Severity: Medium
CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
2
Rule
Severity: High
CA-TSS security data sets and/or databases must be properly protected.
2
Rule
Severity: High
CA-TSS must limit access to the System Master Catalog to appropriate authorized users.
2
Rule
Severity: Medium
CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
2
Rule
Severity: Medium
CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
2
Rule
Severity: High
CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
2
Rule
Severity: Medium
CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: Medium
CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
2
Rule
Severity: High
ACF2 security data sets and/or databases must be properly protected.
2
Rule
Severity: Medium
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
6
Rule
Severity: Medium
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
6
Rule
Severity: Medium
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
2
Rule
Severity: High
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
2
Rule
Severity: Low
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
2
Rule
Severity: High
IBM RACF access to the System Master Catalog must be properly protected.
2
Rule
Severity: High
IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
2
Rule
Severity: Medium
IBM RACF allocate access to system user catalogs must be properly protected.
2
Rule
Severity: Medium
IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
2
Rule
Severity: Medium
IBM RACF must limit access to SYS(x).TRACE to system programmers only.
2
Rule
Severity: High
IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
2
Rule
Severity: High
IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
2
Rule
Severity: High
IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
2
Rule
Severity: High
IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
2
Rule
Severity: Medium
IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
2
Rule
Severity: Medium
IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
2
Rule
Severity: High
IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
2
Rule
Severity: Medium
IBM RACF access to SYS1.LINKLIB must be properly protected.
2
Rule
Severity: High
IBM RACF security data sets and/or databases must be properly protected.
2
Rule
Severity: Medium
IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
2
Rule
Severity: High
IBM RACF must limit all system PROCLIB data sets to system programmers only.
2
Rule
Severity: Medium
IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
2
Rule
Severity: Medium
IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
4
Rule
Severity: Medium
The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
2
Rule
Severity: Medium
CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
2
Rule
Severity: Medium
CA-TSS must limit access to SYS(x).TRACE to system programmers only.
2
Rule
Severity: Medium
CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
2
Rule
Severity: High
CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
2
Rule
Severity: High
CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.
2
Rule
Severity: Medium
CA-TSS Default ACID must be properly defined.
2
Rule
Severity: High
The CA-TSS BYPASS attribute must be limited to trusted STCs only.
2
Rule
Severity: Medium
CA-TSS MSCA ACID must perform security administration only.
2
Rule
Severity: High
CA-TSS ACIDs granted the CONSOLE attribute must be justified.
2
Rule
Severity: Medium
CA-TSS ACIDs defined as security administrators must have the NOATS attribute.
2
Rule
Severity: High
CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
2
Rule
Severity: High
IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
2
Rule
Severity: Medium
IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: High
The Juniper EX switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
MarkLogic Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
MariaDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
4
Rule
Severity: Medium
Role-Based Access Control must be defined for privileged and nonprivileged users.
3
Rule
Severity: Medium
Users must be prevented from creating new trusted locations in the Trust Center.
2
Rule
Severity: Medium
IIS 10.0 web server system files must conform to minimum file permission requirements.
2
Rule
Severity: High
Only accounts responsible for the administration of a system must have Administrator rights on the system.
3
Rule
Severity: Medium
Outlook must be configured to prevent users overriding attachment security settings.
2
Rule
Severity: Medium
SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
6
Rule
Severity: Medium
Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
6
Rule
Severity: Medium
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
4
Rule
Severity: Medium
The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
4
Rule
Severity: High
The Act as part of the operating system user right must not be assigned to any groups or accounts.
4
Rule
Severity: Medium
The Back up files and directories user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
4
Rule
Severity: Medium
The Create a pagefile user right must only be assigned to the Administrators group.
4
Rule
Severity: High
The Create a token object user right must not be assigned to any groups or accounts.
4
Rule
Severity: Medium
The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
4
Rule
Severity: Medium
The Create permanent shared objects user right must not be assigned to any groups or accounts.
4
Rule
Severity: Medium
The Create symbolic links user right must only be assigned to the Administrators group.
4
Rule
Severity: High
The Debug programs user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
4
Rule
Severity: Medium
The Force shutdown from a remote system user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
4
Rule
Severity: Medium
The Load and unload device drivers user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Lock pages in memory user right must not be assigned to any groups or accounts.
4
Rule
Severity: Medium
The Modify firmware environment values user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Profile single process user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Restore files and directories user right must only be assigned to the Administrators group.
4
Rule
Severity: Medium
The Take ownership of files or other objects user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
2
Rule
Severity: High
The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
The "Back up files and directories" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Change the system time" user right must only be assigned to Administrators and Local Service.
2
Rule
Severity: Medium
The "Create a pagefile" user right must only be assigned to the Administrators group.
2
Rule
Severity: High
The "Create a token object" user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
The "Create symbolic links" user right must only be assigned to the Administrators group.
2
Rule
Severity: High
The "Debug programs" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
The "Load and unload device drivers" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Lock pages in memory" user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
The "Modify firmware environment values" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Profile single process" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Restore files and directories" user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
2
Rule
Severity: High
Only administrators responsible for the domain controller must have Administrator rights on the system.
2
Rule
Severity: High
Permissions on the Active Directory data files must only allow System and Administrators access.
2
Rule
Severity: High
The Active Directory SYSVOL directory must have the proper access control permissions.
2
Rule
Severity: High
Active Directory Group Policy objects must have proper access control permissions.
2
Rule
Severity: High
The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
2
Rule
Severity: High
Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
2
Rule
Severity: Medium
The Add workstations to domain user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
2
Rule
Severity: High
Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system.
2
Rule
Severity: Medium
The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers.
2
Rule
Severity: Medium
The Generate security audits user right must only be assigned to Local Service and Network Service.
2
Rule
Severity: Medium
The Increase scheduling priority user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
2
Rule
Severity: High
Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
2
Rule
Severity: High
Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
2
Rule
Severity: High
Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
2
Rule
Severity: High
Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
2
Rule
Severity: High
Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
2
Rule
Severity: High
Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
2
Rule
Severity: Medium
Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
2
Rule
Severity: Medium
Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
2
Rule
Severity: High
Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
2
Rule
Severity: Medium
Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
2
Rule
Severity: Medium
Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
2
Rule
Severity: Medium
Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
2
Rule
Severity: High
Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
2
Rule
Severity: High
Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
2
Rule
Severity: High
Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
2
Rule
Severity: Medium
Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
2
Rule
Severity: High
Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
2
Rule
Severity: High
Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
2
Rule
Severity: High
Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.
2
Rule
Severity: High
Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.
2
Rule
Severity: High
Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
2
Rule
Severity: High
Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
2
Rule
Severity: Medium
Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
2
Rule
Severity: Medium
Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
2
Rule
Severity: High
Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
2
Rule
Severity: Medium
Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
2
Rule
Severity: Medium
Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
2
Rule
Severity: Medium
Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
2
Rule
Severity: High
Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
2
Rule
Severity: High
Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
2
Rule
Severity: High
Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
2
Rule
Severity: Medium
Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
2
Rule
Severity: Medium
Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
2
Rule
Severity: Medium
Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.
2
Rule
Severity: Medium
The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow privileged accounts to utilize SSH.
2
Rule
Severity: Medium
The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
2
Rule
Severity: Medium
OL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
Redis Enterprise DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: Medium
Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
OpenShift RBAC access controls must be enforced.
2
Rule
Severity: Medium
Nonprivileged accounts on the hosting system must only access Automation Controller NGINX web server security-relevant information and functions through a distinct administrative account.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
2
Rule
Severity: High
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
2
Rule
Severity: High
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
2
Rule
Severity: Medium
RHEL 9 debug-shell systemd service must be disabled.
2
Rule
Severity: Medium
RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
2
Rule
Severity: Medium
RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
2
Rule
Severity: Medium
The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.
2
Rule
Severity: Medium
SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
1
Rule
Severity: Low
RHEL 9 must prevent users from disabling session control mechanisms.
2
Rule
Severity: Medium
RHEL 9 must have the sudo package installed.
4
Rule
Severity: Medium
The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
2
Rule
Severity: Medium
The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.
4
Rule
Severity: Medium
The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
2
Rule
Severity: Medium
The VMM must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
3
Rule
Severity: High
The Photon operating system must enable symlink access control protection in the kernel.
2
Rule
Severity: Medium
Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.
2
Rule
Severity: Medium
Sensitive CICS transactions are not protected in accordance with the proper security requirements.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: High
The macOS system must require an administrator password to modify systemwide preferences.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured to use AppArmor.
1
Rule
Severity: Medium
PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: High
Dragos Platforms must limit privileges and not allow the ability to run shell.
2
Rule
Severity: Medium
Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
1
Rule
Severity: High
Product engineering access to the Hardware Management Console must be disabled.
1
Rule
Severity: Medium
zSecure must prevent nonprivileged users from executing privileged zSecure functions.
1
Rule
Severity: Medium
MongoDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: High
SLEM 5 must use a Linux Security Module configured to enforce limits on system services.
1
Rule
Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
1
Rule
Severity: Medium
TOSS must enable kernel parameters to enforce discretionary access control on symlinks.
1
Rule
Severity: Medium
TOSS must enable kernel parameters to enforce discretionary access control on hardlinks.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules