800-53|CM-7

Title

LEAST FUNCTIONALITY

Description

The organization:

Supplemental

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Reference Item Details

Related: AC-6,CM-2,RA-5,SA-5,SC-7

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 (L1) Ensure 'Allow Cortana Above Lock' is set to 'Block' | Windows | CIS Microsoft Intune for Windows 11 v3.0.1 L1
1.1 (L1) Ensure 'Allow Cortana Above Lock' is set to 'Block' | Windows | CIS Microsoft Intune for Windows 10 v3.0.1 L1
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented | Unix | CIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware
1.1 Remove extraneous files and directories | Unix | CIS Apache Tomcat 10.1 v1.0.0 L2
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod | Unix | CIS Debian 8 Server L1 v2.0.2
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe | Unix | CIS Debian 8 Server L1 v2.0.2
1.1.1.1 Ensure mounting of UDF filesystems is disabled | Unix | CIS Bottlerocket L2
1.1.1.1 Ensure mounting of udf filesystems is disabled | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - lsmod | Unix | CIS Debian 8 Server L1 v2.0.2
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - lsmod | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - modprobe | Unix | CIS Debian 8 Server L1 v2.0.2
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - modprobe | Unix | CIS Debian 8 Workstation L1 v2.0.2
1.1.1.2 Ensure mounting of squashfs filesystems is disabled - lsmod | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L2 Workstation
1.1.1.2 Ensure mounting of squashfs filesystems is disabled - lsmod | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L2 Server
1.1.1.2 Ensure mounting of squashfs filesystems is disabled - modprobe | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L2 Workstation
1.1.1.2 Ensure mounting of squashfs filesystems is disabled - modprobe | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L2 Server
1.1.1.2 Ensure mounting of udf filesystems is disabled | Unix | CIS SUSE Linux Enterprise 15 Server L1 v1.1.1
1.1.1.2 Ensure mounting of udf filesystems is disabled | Unix | CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1
1.1.1.2 Ensure mounting of udf filesystems is disabled | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Server
1.1.1.2 Ensure mounting of udf filesystems is disabled | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Debian Linux 11 v2.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Oracle Linux 8 Server L1 v3.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Red Hat EL8 Workstation L1 v3.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Rocky Linux 8 Server L1 v2.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Rocky Linux 8 Workstation L1 v2.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Rocky Linux 9 v2.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Rocky Linux 9 v2.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Debian Linux 12 v1.1.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Debian Linux 12 v1.1.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS AlmaLinux OS 8 Server L1 v3.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Red Hat EL8 Server L1 v3.0.0
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Amazon Linux 2 v3.0.0 L1
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS AlmaLinux OS 9 v2.0.0 L1 Workstation
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Oracle Linux 9 v2.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.1.1.3 Ensure hfs kernel module is not available | Unix | CIS Debian Linux 11 v2.0.0 L1 Server