800-53|AC-6(2)

Title

NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

Description

The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.

Supplemental

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Reference Item Details

Related: PL-4

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.3.17.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.14 Ensure that the kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive | Unix | CIS Kubernetes v1.10.0 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 8.0 Community Linux OS L2 v1.0.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 8.0 Enterprise Linux OS L2 v1.3.0
1.5 Ensure Interactive Login is Disabled | Windows | CIS MySQL 5.6 Community Windows OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Windows | CIS MySQL 5.7 Enterprise Windows OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MariaDB 10.6 on Linux L2 v1.1.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 5.6 Enterprise Linux OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 5.7 Enterprise Linux OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 5.6 Community Linux OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Windows | CIS MySQL 5.7 Community Windows OS L2 v2.0.0
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 5.7 Community Linux OS L2 v2.0.0