800-53|CM-11(2)

Title

PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS

Description

The information system prohibits user installation of software without explicit privileged status.

Supplemental

Privileged status can be obtained, for example, by serving in the role of system administrator.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-6

Category: CONFIGURATION MANAGEMENT

Parent Title: USER-INSTALLED SOFTWARE

Family: CONFIGURATION MANAGEMENT

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.4.4 Ensure boot loader does not allow removable media	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - device_t	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - unlabeled_t	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
3.029 - Print driver installation privilege is not restricted to administrators.	Windows	DISA Windows Vista STIG v6r41
3.1010 - The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.	Unix	Tenable Fedora Linux Best Practices v2.0.0
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3.31 Ensure SSH does not permit Kerberos authentication	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.5.9 Ensure local interactive user accounts umask is 077	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.060 - Media Player must be configured to prevent automatic checking for updates.	Windows	DISA Windows Vista STIG v6r41
5.128 - Search Companion prevented from automatically downloading content updates.	Windows	DISA Windows Vista STIG v6r41
5.131 - Windows is prevented from using Windows Update to search for drivers.	Windows	DISA Windows Vista STIG v6r41
5.211 - Driver Install - Device Driver Search Prompt	Windows	DISA Windows Vista STIG v6r41
5.242 - Windows Installer - User Control	Windows	DISA Windows Vista STIG v6r41
5.243 - Windows Installer - Vendor Signed Updates	Windows	DISA Windows Vista STIG v6r41
5.250 - Unsigned gadgets must not be installed.	Windows	DISA Windows 7 STIG v1r32
5.250 - Unsigned gadgets must not be installed. - TurnOffUnsignedGadgets	Windows	DISA Windows Vista STIG v6r41
5.251 - The More Gadgets link must be disabled.	Windows	DISA Windows 7 STIG v1r32
5.251 - The More Gadgets link must be disabled.	Windows	DISA Windows Vista STIG v6r41
5.252 - User-installed gadgets must be turned off.	Windows	DISA Windows Vista STIG v6r41
5.252 - User-installed gadgets must be turned off.	Windows	DISA Windows 7 STIG v1r32
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.9.18.1 Ensure 'Turn off desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
18.9.18.2 Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
AOSX-13-362149 - The macOS system must prohibit user installation of software without explicit privileged status.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002067 - The macOS system must prohibit user installation of software without explicit privileged status.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-002067 - The macOS system must prohibit user installation of software without explicit privileged status.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-002067 - The macOS system must prohibit user installation of software without explicit privileged status.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-002067 - The macOS system must prohibit user installation of software without explicit privileged status.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-14-005080 - The macOS system must prohibit user installation of software into /users/.	Unix	DISA Apple macOS 14 (Sonoma) STIG v1r2
Big Sur - Enable Parental Controls	Unix	NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Parental Controls	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Parental Controls	Unix	NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Parental Controls	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Parental Controls	Unix	NIST macOS Big Sur v1.4.0 - All Profiles

Detections

Analytics