CCI-003980

The macOS system must prohibit user installation of software into /users/.

The application must prohibit user installation of software without explicit privileged status.

PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status.

The container platform must prohibit the installation of patches and updates without explicit privileged status.

The container platform runtime must prohibit the instantiation of container images without explicit privileged status.

The container platform registry must prohibit installation or modification of container images without explicit privileged status.

The DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals.

The operating system must prohibit user installation of system software without explicit privileged status.

CA-ACF2 Access to SYS1.LINKLIB must be properly protected.

IBM z/OS SYS1.PARMLIB must be properly protected.

AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.

CA-TSS access to SYS1.LINKLIB must be properly protected.

IBM RACF access to SYS1.LINKLIB must be properly protected.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status.

The Juniper router must be configured to prohibit installation of software without explicit privileged status.

The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.

The Mainframe product must prohibit user installation of software without explicit privileged status.

MariaDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.

URLs must be allowlisted for plugin use if used.

Azure SQL Database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

The Exchange application directory must be protected from unauthorized access.

SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Users must be prevented from changing installation options.

The Windows Installer Always install with elevated privileges must be disabled.

The Windows Installer feature "Always install with elevated privileges" must be disabled.

Windows Server 2019 must prevent users from changing installation options.

Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.

Windows Server 2022 must prevent users from changing installation options.

Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.

The network device must prohibit installation of software without explicit privileged status.

The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.

OpenShift RBAC access controls must be enforced.

The SDN controller must be configured to prohibit user installation of software without explicit privileged status.

The Tanium application must prohibit user installation of software without explicit privileged status.

The VMM must prohibit user installation of software without explicit privileged status.

The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.

The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.