800-53|AC-6(5)

Title

PRIVILEGED ACCOUNTS

Description

The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].

Supplemental

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: CM-6

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1 Ensure Administrative accounts are separate and cloud-only	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.1.2 Ensure that the API server pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.2 Ensure that the API server pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.2 Ensure that the API server pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.2 Ensure that the API server pod specification file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.2 Ensure that the API server pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.3.17.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.14 Ensure that the admin.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.14 Ensure that the default administrative credential file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.14 Ensure that the kubeconfig file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive	Unix	CIS Kubernetes v1.10.0 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password	amazon_aws	CIS Amazon Web Services Foundations L1 3.0.0

Detections

Analytics