800-53|AC-6(1)

Title

AUTHORIZE ACCESS TO SECURITY FUNCTIONS

Description

The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].

Supplemental

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-17,AC-18,AC-19

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.17.4 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent'	Windows	CIS Windows 8 L1 v1.0.0
1.2 Ensure Snowflake SCIM integration is configured to automatically provision and deprovision users and groups (i.e. roles)	Snowflake	CIS Snowflake Foundations v1.0.0 L2
1.2.8 Ensure that the --authorization-mode argument includes RBAC	Unix	CIS Kubernetes v1.10.0 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.8 Verify that RBAC is enabled	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the healthz endpoint is protected by RBAC	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.1 Ensure that controller manager healthz endpoints are protected by RBAC	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.3 Ensure that the --use-service-account-credentials argument is set to true	Unix	CIS Kubernetes v1.10.0 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4 Ensure 'application pool identity' is configured for all application pools	Windows	CIS IIS 10 v1.2.1 Level 1
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.7.8 - Miscellaneous Enhancements - disable core dumps - 'fullcore false'	Unix	CIS AIX 5.3/6.1 L2 v1.1.0
1.15 Ensure IAM Users Receive Permissions Only Through Groups	amazon_aws	CIS Amazon Web Services Foundations L1 3.0.0
1.18 Ensure IAM instance roles are used for AWS resource access from instances	amazon_aws	CIS Amazon Web Services Foundations L2 3.0.0
2.1 Ensure that IP addresses are mapped to usernames	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L2
2.1 Ensure that IP addresses are mapped to usernames	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L2
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON'	Unix	CIS Oracle Server 11g R2 Unix v2.2.0
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON'	Windows	CIS Oracle Server 11g R2 Windows v2.2.0
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 11 Stand-alone v3.0.0 L1
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 11 Enterprise v3.0.0 L1
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 DC
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows Server 2019 v3.0.1 L1 MS
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 10 Enterprise v3.0.0 L1
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'	Windows	CIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 13.0 Ventura v2.1.0 L1
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 14.0 Sonoma v1.1.0 L1
2.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L1
2.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
2.17 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L1
2.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
2.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
10.3 Restrict access to power management functions - CPRCHANGEPERM	Unix	CIS Solaris 10 L2 v5.2
10.3 Restrict access to power management functions - PMCHANGEPERM	Unix	CIS Solaris 10 L2 v5.2
10.4 Restrict access to sys-suspend feature	Unix	CIS Solaris 10 L2 v5.2
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config	Unix	CIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config	Unix	CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current	Unix	CIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current	Unix	CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware

Detections

Analytics