Skip to content
Log In

CCI-002235

Prevent non-privileged users from executing privileged functions.

Confine SELinux Users To Roles That Conform To Least Privilege

4 rules found Severity: Medium

Logo

Elevate The SELinux Context When An Administrator Calls The Sudo Command

4 rules found Severity: Medium

Logo

Map System Users To The Appropriate SELinux Role

11 rules found Severity: Medium

Logo

Disable the ssh_sysadm_login SELinux Boolean

16 rules found Severity: Medium

Logo

Ensure AppArmor is installed

10 rules found Severity: Medium

Logo

Install the pam_apparmor Package

8 rules found Severity: Medium

Logo

Ensure AppArmor is Active and Configured

10 rules found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

Google Android 12 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

2 rules found Severity: Medium

Logo

DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

The WebSphere Application Server users in the admin role must be authorized.

1 rule found Severity: Medium

Logo

The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.

1 rule found Severity: Medium

Logo

The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.

1 rule found Severity: Medium

Logo

The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.

1 rule found Severity: Medium

Logo

The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.

1 rule found Severity: Medium

Logo

The IBM z/VM ANY Privilege Class must not be listed for privilege commands.

1 rule found Severity: Medium

Logo

Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.

2 rules found Severity: High

Logo

The mobile operating system must allow only the Administrator (MDM) to perform the following management function: Enable/disable location services.

2 rules found Severity: Low

Logo

Connection verification of permissions must be enforced.

3 rules found Severity: Medium

Logo

SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Nutanix AOS must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Non-privileged accounts on the hosting system must only access OHS security-relevant information and functions through a distinct administrative account.

1 rule found Severity: Medium

Logo

All Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.

2 rules found Severity: Medium

Logo

The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

2 rules found Severity: Medium

Logo

Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Low

Logo

MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

2 rules found Severity: Medium

Logo

PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

2 rules found Severity: High

Logo

The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.

1 rule found Severity: High

Logo

The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.

1 rule found Severity: Medium

Logo

Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.

8 rules found Severity: High

Logo

The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

$CATALINA_HOME/bin folder permissions must be set to 750.

1 rule found Severity: Medium

Logo

Tomcat user account must be set to nologin.

1 rule found Severity: Medium

Logo

Tomcat user account must be a non-privileged user.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.

1 rule found Severity: Medium

Logo

IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.

1 rule found Severity: Medium

Logo

IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.

1 rule found Severity: Medium

Logo

IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must be configured to use AppArmor.

1 rule found Severity: Medium

Logo

PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

The EDB Postgres Advanced Server must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Sign-on to the ESCD Application Console must be restricted to only authorized personnel.

1 rule found Severity: Medium

Logo

The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.

1 rule found Severity: Medium

Logo

Access to the Hardware Management Console must be restricted to only authorized personnel.

1 rule found Severity: Medium

Logo

Automatic Call Answering to the Hardware Management Console must be disabled.

1 rule found Severity: Medium

Logo

Product engineering access to the Hardware Management Console must be disabled.

1 rule found Severity: High

Logo

Users in a reader-role must be authorized.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

2 rules found Severity: Medium

Logo

The Juniper EX switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

MarkLogic Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

MongoDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Azure SQL Database must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

IIS 10.0 web server system files must conform to minimum file permission requirements.

1 rule found Severity: Medium

Logo

Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

3 rules found Severity: Medium

Logo

Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.

3 rules found Severity: Medium

Logo

The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

The "Act as part of the operating system" user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

The "Back up files and directories" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Change the system time" user right must only be assigned to Administrators and Local Service.

1 rule found Severity: Medium

Logo

The "Create a pagefile" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Create a token object" user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

The "Create permanent shared objects" user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

The "Create symbolic links" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Debug programs" user right must only be assigned to the Administrators group.

1 rule found Severity: High

Logo

The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

The "Load and unload device drivers" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Lock pages in memory" user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

The "Modify firmware environment values" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Profile single process" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Restore files and directories" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Only administrators responsible for the domain controller must have Administrator rights on the system.

1 rule found Severity: High

Logo

Permissions on the Active Directory data files must only allow System and Administrators access.

1 rule found Severity: High

Logo

The Active Directory SYSVOL directory must have the proper access control permissions.

1 rule found Severity: High

Logo

Active Directory Group Policy objects must have proper access control permissions.

1 rule found Severity: High

Logo

The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.

1 rule found Severity: High

Logo

Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.

1 rule found Severity: High

Logo

The Add workstations to domain user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.

1 rule found Severity: Medium

Logo

Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system.

1 rule found Severity: High

Logo

The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers.

1 rule found Severity: Medium

Logo

The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.

2 rules found Severity: Medium

Logo

The Act as part of the operating system user right must not be assigned to any groups or accounts.

2 rules found Severity: High

Logo

The Back up files and directories user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Create a pagefile user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.

2 rules found Severity: Medium

Logo

The Create permanent shared objects user right must not be assigned to any groups or accounts.

2 rules found Severity: Medium

Logo

The Create symbolic links user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Debug programs user right must only be assigned to the Administrators group.

2 rules found Severity: High

Logo

The Force shutdown from a remote system user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Generate security audits user right must only be assigned to Local Service and Network Service.

1 rule found Severity: Medium

Logo

The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.

2 rules found Severity: Medium

Logo

The Increase scheduling priority user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The Load and unload device drivers user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Lock pages in memory user right must not be assigned to any groups or accounts.

2 rules found Severity: Medium

Logo

The Modify firmware environment values user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Perform volume maintenance tasks user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Profile single process user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Create a token object user right must not be assigned to any groups or accounts.

2 rules found Severity: High

Logo

The Restore files and directories user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The Take ownership of files or other objects user right must only be assigned to the Administrators group.

2 rules found Severity: Medium

Logo

The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must not allow privileged accounts to utilize SSH.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Nonprivileged accounts on the hosting system must only access Automation Controller NGINX web server security-relevant information and functions through a distinct administrative account.

1 rule found Severity: Medium

Logo

SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

1 rule found Severity: High

Logo

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

1 rule found Severity: High

Logo

TOSS must enable kernel parameters to enforce discretionary access control on symlinks.

1 rule found Severity: Medium

Logo

TOSS must enable kernel parameters to enforce discretionary access control on hardlinks.

1 rule found Severity: Medium

Logo

Non-privileged accounts on the hosting system must only access web server security-relevant information and functions through a distinct administrative account.

1 rule found Severity: Medium

Logo

Update access to the directory schema must be restricted to appropriate accounts.

1 rule found Severity: High

Logo

Install sudo Package

18 rules found Severity: Medium

Logo

Enable Kernel Parameter to Enforce DAC on Hardlinks

25 rules found Severity: Medium

Logo

Enable Kernel Parameter to Enforce DAC on Symlinks

25 rules found Severity: Medium

Logo

Disable debug-shell SystemD Service

12 rules found Severity: Medium

Logo

Disable Ctrl-Alt-Del Burst Action

13 rules found Severity: High

Logo

Disable Ctrl-Alt-Del Reboot Activation

16 rules found Severity: High

Logo

Prevent user from disabling the screen lock

9 rules found Severity: Low

Logo

Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

3 rules found Severity: Medium

Logo

Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.

1 rule found Severity: Medium

Logo

The macOS system must require administrator privileges to modify systemwide settings.

1 rule found Severity: High

Logo

The macOS system must require an administrator password to modify systemwide preferences.

1 rule found Severity: High

Logo

The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must be configured to use AppArmor.

1 rule found Severity: Medium

Logo

The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.

1 rule found Severity: High

Logo

The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must have the sudo package installed.

1 rule found Severity: Medium

Logo

The AlmaLinux OS 9 debug-shell systemd service must be disabled.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.

1 rule found Severity: Medium

Logo

The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Dragos Platforms must limit privileges and not allow the ability to run shell.

1 rule found Severity: High

Logo

The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

Google Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

2 rules found Severity: Medium

Logo

Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

2 rules found Severity: Medium

Logo

Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

2 rules found Severity: Medium

Logo

The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: High

Logo

CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.

1 rule found Severity: Medium

Logo

CA-ACF2 allocate access to system user catalogs must be properly protected.

1 rule found Severity: Medium

Logo

IBM z/OS must protect dynamic lists in accordance with proper security requirements.

3 rules found Severity: High

Logo

IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.

1 rule found Severity: High

Logo

CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.

1 rule found Severity: High

Logo

IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.

3 rules found Severity: Medium

Logo

CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.

1 rule found Severity: High

Logo

IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions.

1 rule found Severity: Medium

Logo

IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.

1 rule found Severity: High

Logo

IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.

1 rule found Severity: Low

Logo

IBM RACF access to the System Master Catalog must be properly protected.

1 rule found Severity: High

Logo

IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.

1 rule found Severity: High

Logo

IBM RACF allocate access to system user catalogs must be properly protected.

1 rule found Severity: Medium

Logo

IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.

1 rule found Severity: High

Logo

CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.

1 rule found Severity: High

Logo

CA-ACF2 Access to SYS1.LINKLIB must be properly protected.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.

1 rule found Severity: Medium

Logo

CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.

1 rule found Severity: High

Logo

IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.

1 rule found Severity: Medium

Logo

ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.

1 rule found Severity: Medium

Logo

IBM z/OS SYS1.PARMLIB must be properly protected.

3 rules found Severity: High

Logo

CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.

1 rule found Severity: Medium

Logo

CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.

1 rule found Severity: Low

Logo

ACF2 security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.

1 rule found Severity: Medium

Logo

IBM RACF must limit access to SYS(x).TRACE to system programmers only.

1 rule found Severity: Medium

Logo

IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.

1 rule found Severity: High

Logo

IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.

1 rule found Severity: High

Logo

IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.

2 rules found Severity: High

Logo

IBM RACF must limit write or greater access to all LPA libraries to system programmers only.

1 rule found Severity: High

Logo

IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.

1 rule found Severity: High

Logo

IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.

1 rule found Severity: Medium

Logo

IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.

1 rule found Severity: Medium

Logo

IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.

1 rule found Severity: High

Logo

IBM RACF access to SYS1.LINKLIB must be properly protected.

1 rule found Severity: Medium

Logo

IBM RACF security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.

1 rule found Severity: Medium

Logo

IBM RACF must limit all system PROCLIB data sets to system programmers only.

1 rule found Severity: High

Logo

IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.

1 rule found Severity: Medium

Logo

IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.

1 rule found Severity: Medium

Logo

The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

2 rules found Severity: Medium

Logo

IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.

2 rules found Severity: Medium

Logo

IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.

3 rules found Severity: Medium

Logo

IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.

3 rules found Severity: Medium

Logo

IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.

1 rule found Severity: High

Logo

IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.

1 rule found Severity: Low

Logo

CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS security data sets and/or databases must be properly protected.

1 rule found Severity: High

Logo

CA-TSS must limit access to the System Master Catalog to appropriate authorized users.

1 rule found Severity: High

Logo

CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.

1 rule found Severity: High

Logo

CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.

1 rule found Severity: Medium

Logo

CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.

1 rule found Severity: Medium

Logo

CA-TSS must limit access to SYS(x).TRACE to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.

1 rule found Severity: Medium

Logo

CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.

1 rule found Severity: High

Logo

CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.

1 rule found Severity: High

Logo

CA-TSS Default ACID must be properly defined.

1 rule found Severity: Medium

Logo

The CA-TSS BYPASS attribute must be limited to trusted STCs only.

1 rule found Severity: High

Logo

CA-TSS MSCA ACID must perform security administration only.

1 rule found Severity: Medium

Logo

CA-TSS ACIDs granted the CONSOLE attribute must be justified.

1 rule found Severity: High

Logo

CA-TSS ACIDs defined as security administrators must have the NOATS attribute.

1 rule found Severity: Medium

Logo

CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.

1 rule found Severity: High

Logo

The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

MariaDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Role-Based Access Control must be defined for privileged and nonprivileged users.

2 rules found Severity: Medium

Logo

Users must be prevented from creating new trusted locations in the Trust Center.

1 rule found Severity: Medium

Logo

Outlook must be configured to prevent users overriding attachment security settings.

1 rule found Severity: Medium

Logo

SharePoint must prevent non-privileged users from circumventing malicious code protection capabilities.

1 rule found Severity: High

Logo

SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

Only accounts responsible for the administration of a system must have Administrator rights on the system.

1 rule found Severity: High

Logo

Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

1 rule found Severity: Medium

Logo

Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.

1 rule found Severity: High

Logo

Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.

1 rule found Severity: High

Logo

Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.

1 rule found Severity: Medium

Logo

Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.

1 rule found Severity: Medium

Logo

Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.

1 rule found Severity: High

Logo

Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.

1 rule found Severity: Medium

Logo

Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.

1 rule found Severity: Medium

Logo

Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.

1 rule found Severity: Medium

Logo

Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.

1 rule found Severity: High

Logo

Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.

1 rule found Severity: Medium

Logo

Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

1 rule found Severity: Medium

Logo

Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.

1 rule found Severity: High

Logo

Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.

1 rule found Severity: High

Logo

Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.

1 rule found Severity: High

Logo

Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.

1 rule found Severity: Medium

Logo

Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.

1 rule found Severity: Medium

Logo

Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.

1 rule found Severity: High

Logo

Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.

1 rule found Severity: Medium

Logo

Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.

1 rule found Severity: Medium

Logo

Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.

1 rule found Severity: High

Logo

Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 debug programs user right must only be assigned to the Administrators group.

1 rule found Severity: High

Logo

Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.

1 rule found Severity: Medium

Logo

Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.

1 rule found Severity: Medium

Logo

Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.

1 rule found Severity: Medium

Logo

Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 profile single process user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.

1 rule found Severity: Medium

Logo

Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.

1 rule found Severity: Medium

Logo

Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

OpenShift RBAC access controls must be enforced.

1 rule found Severity: High

Logo

OL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.

1 rule found Severity: High

Logo

The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.

1 rule found Severity: High

Logo

RHEL 9 debug-shell systemd service must be disabled.

1 rule found Severity: Medium

Logo

RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

1 rule found Severity: Medium

Logo

RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

1 rule found Severity: Medium

Logo

RHEL 9 must have the sudo package installed.

1 rule found Severity: Medium

Logo

The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.

1 rule found Severity: Medium

Logo

SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.

1 rule found Severity: Medium

Logo

The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.

2 rules found Severity: Medium

Logo

The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

4 rules found Severity: Medium

Logo

The system must restrict the ability of users to assume excessive privileges to members of a defined group and prevent unauthorized users from accessing administrative tools.

1 rule found Severity: Medium

Logo

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.

1 rule found Severity: High

Logo

The VMM must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

1 rule found Severity: Medium

Logo

The Photon operating system must enable symlink access control protection in the kernel.

2 rules found Severity: High

Logo

Zebra Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].

2 rules found Severity: Medium

Logo

Sensitive CICS transactions are not protected in accordance with the proper security requirements.

1 rule found Severity: Medium

Logo

NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles.

1 rule found Severity: High

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo