800-53|AC-6(4)

Title

SEPARATE PROCESSING DOMAINS

Description

The information system provides separate processing domains to enable finer-grained allocation of user privileges.

Supplemental

Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-4,SC-3,SC-30,SC-32

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.1 Enable Secure Admin Access - 'telnet.distinct.enable = on'	NetApp	TNS NetApp Data ONTAP 7G
2.13 Ensure 'Enable Site Isolation for every site' is set to 'Enabled'	Windows	CIS Google Chrome L1 v2.0.0
2.13 Ensure 'Enable Site Isolation for every site' is set to 'Enabled'	Windows	CIS Google Chrome L1 v2.1.0
5.3 Ensure Linux Kernel Capabilities are restricted within containers	Unix	CIS Docker Community Edition v1.1.0 L1 Docker
5.3 Ensure that Linux kernel capabilities are restricted within containers	Unix	CIS Docker v1.2.0 L1 Docker Linux
5.3 Restrict Linux Kernel Capabilities within containers	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.3 Restrict Linux Kernel Capabilities within containers	Unix	CIS Docker 1.13.0 v1.0.0 L1 Docker
5.3 Restrict Linux Kernel Capabilities within containers	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.4 Do not use privileged containers	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.4 Do not use privileged containers	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.4 Do not use privileged containers	Unix	CIS Docker 1.13.0 v1.0.0 L1 Docker
5.4 Ensure privileged containers are not used	Unix	CIS Docker Community Edition v1.1.0 L1 Docker
5.4 Ensure that privileged containers are not used	Unix	CIS Docker v1.2.0 L1 Docker Linux
5.4 Restrict Linux Kernel Capabilities within containers	Unix	CIS Docker 1.6 v1.0.0 L1 Docker
5.22 Ensure that docker exec commands are not used with the privileged option	Unix	CIS Docker v1.2.0 L2 Docker Linux
DKER-EE-001960 - Privileged Linux containers must not be used for Docker Enterprise.	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v1r1
GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.	Unix	DISA STIG Solaris 10 X86 v2r2
GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.	Unix	DISA STIG Solaris 10 X86 v2r1
GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.	Unix	DISA STIG Solaris 10 SPARC v2r1
GEN000000-SOL00620 - The inherit-pkg-dir zone option must be set to none or the system default list defined for sparse root zones.	Unix	DISA STIG Solaris 10 SPARC v2r2
GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 10 SPARC v2r2
GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 10 SPARC v2r1
GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 10 X86 v2r2
GEN000000-SOL00640 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 10 X86 v2r1
GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 10 X86 v2r2
GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 10 SPARC v2r1
GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 10 X86 v2r1
GEN000000-SOL00660 - The physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 10 SPARC v2r2
IIST-SV-000132 - The IIS 10.0 web server must separate the hosted applications from hosted web server management functionality.	Windows	DISA IIS 10.0 Server v2r1
IISW-SV-000132 - The IIS 8.5 web server must separate the hosted applications from hosted web server management functionality.	Windows	DISA IIS 8.5 Server v2r1
IISW-SV-000132 - The IIS 8.5 web server must separate the hosted applications from hosted web server management functionality.	Windows	DISA IIS 8.5 Server v1r9
JBOS-AS-000355 - The JBoss server must separate hosted application functionality from application server management functionality.	Unix	DISA RedHat JBoss EAP 6.3 STIG v2r2
JBOS-AS-000355 - The JBoss server must separate hosted application functionality from application server management functionality.	Unix	DISA RedHat JBoss EAP 6.3 STIG v1r4
SOL-11.1-100020 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 11 X86 v2r4
SOL-11.1-100020 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 11 SPARC v2r2
SOL-11.1-100020 - The limitpriv zone option must be set to the vendor default or less permissive.	Unix	DISA STIG Solaris 11 SPARC v2r4
SOL-11.1-100030 - The systems physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 11 X86 v2r4
SOL-11.1-100030 - The systems physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 11 SPARC v2r2
SOL-11.1-100030 - The systems physical devices must not be assigned to non-global zones.	Unix	DISA STIG Solaris 11 SPARC v2r4
TEM Client Locking - '__LockState value = false'	Unix	TNS IBM Tivoli Enterprise Client Linux Best Practices

Detections

Analytics