800-53|CM-5

Title

ACCESS RESTRICTIONS FOR CHANGE

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Reference Item Details

Related: AC-3,AC-6,PE-3

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2 Set permissions on local-settings.js | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3 Protect Firefox Binaries | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.js | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.js - Administrators | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4 Set permissions on local-settings.js - Users | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4 Set permissions on mozilla.cfg | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.5 Protect Firefox Binaries | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.5 Set permissions on mozilla.cfg | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.5 Set permissions on mozilla.cfg - Administrators | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.5 Set permissions on mozilla.cfg - Users | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
6.1.1 Audit system file permissions | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled' | Windows | CIS IE 10 v1.1.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled' | Windows | CIS IE 10 v1.1.0
ADBP-XI-000840 - Adobe Acrobat Pro XI privileged file and folder locations must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001280 - Adobe Acrobat Pro XI Default Handler changes must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001325 - Adobe Acrobat Pro XI privileged site locations must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001330 - Adobe Acrobat Pro XI privileged host locations must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001335 - Adobe Acrobat Pro XI certified document trust must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-002072 - AIX system files, programs, and directories must be group-owned by a system group. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-002088 - AIX library files must have mode 0755 or less permissive. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-002107 - AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-003009 - All system command files must not have extended ACLs. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-003010 - All library files must not have extended ACLs. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-003022 - AIX must disable trivial file transfer protocol. | Unix | DISA STIG AIX 7.x v3r1
AOSX-13-000240 - The macOS system must enable System Integrity Protection. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000430 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000554 - The macOS system must not have a guest account - Guest account | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000554 - The macOS system must not have a guest account - Guest fdesetup | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - AllowIdentifiedDevelopers | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - EnableAssessment | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - SPApplicationsDataType | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002063 - The macOS system must disable the guest account. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-005001 - The macOS system must enable System Integrity Protection. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-002063 - The macOS system must enforce access restrictions. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-005001 - The macOS system must enable System Integrity Protection. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-002063 - The macOS system must enforce access restrictions. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-002063 - The macOS system must enforce access restrictions. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-11-005001 - The macOS system must enable System Integrity Protection. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-11-005001 - The macOS system must enable System Integrity Protection. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-12-002063 - The macOS system must enforce access restrictions. | Unix | DISA STIG Apple macOS 12 v1r9
APPL-12-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 12 v1r9