800-53|CM-5

Title

ACCESS RESTRICTIONS FOR CHANGE

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Reference Item Details

Related: AC-3,AC-6,PE-3

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2 Set permissions on local-settings.jsUnixCIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3 Protect Firefox BinariesUnixCIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.jsUnixCIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.js - AdministratorsWindowsCIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4 Set permissions on local-settings.js - UsersWindowsCIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4 Set permissions on mozilla.cfgUnixCIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.4.4 Ensure boot loader does not allow removable mediaUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5 Protect Firefox BinariesUnixCIS Mozilla Firefox 38 ESR Linux L1 v1.0.0
1.5 Set permissions on mozilla.cfgUnixCIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.5 Set permissions on mozilla.cfg - AdministratorsWindowsCIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.5 Set permissions on mozilla.cfg - UsersWindowsCIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.6.1.10 Ensure system device files are labeled - device_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - unlabeled_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 11 v1.0.0
5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3.31 Ensure SSH does not permit Kerberos authenticationUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 9 v1.0.0
5.5.9 Ensure local interactive user accounts umask is 077UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
6.1.1 Audit system file permissionsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
8.10 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 9 v1.0.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 11 v1.0.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 10 v1.1.0
8.11 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 9 v1.0.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 10 v1.1.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 11 v1.0.0
AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001280 - Adobe Acrobat Pro DC Continuous Default Handler changes must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001325 - Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000840 - Adobe Acrobat Pro XI privileged file and folder locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001280 - Adobe Acrobat Pro XI Default Handler changes must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001325 - Adobe Acrobat Pro XI privileged site locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001330 - Adobe Acrobat Pro XI privileged host locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001335 - Adobe Acrobat Pro XI certified document trust must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account.UnixDISA STIG AIX 7.x v2r9
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor.UnixDISA STIG AIX 7.x v2r9
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events.UnixDISA STIG AIX 7.x v2r9
AIX7-00-002072 - AIX system files, programs, and directories must be group-owned by a system group.UnixDISA STIG AIX 7.x v2r9
AIX7-00-002088 - AIX library files must have mode 0755 or less permissive.UnixDISA STIG AIX 7.x v2r9
AIX7-00-002107 - AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.UnixDISA STIG AIX 7.x v2r9
AIX7-00-002133 - AIX must be configured to use syslogd to log events by TCPD.UnixDISA STIG AIX 7.x v2r9
AIX7-00-003009 - All system command files must not have extended ACLs.UnixDISA STIG AIX 7.x v2r9