800-53|SC-3

Title

SECURITY FUNCTION ISOLATION

Description

The information system isolates security functions from nonsecurity functions.

Supplemental

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

Reference Item Details

Related: AC-3,AC-6,SA-13,SA-4,SA-5,SA-8,SC-2,SC-39,SC-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Place Databases on Non-System Partitions | MySQLDB | CIS MySQL 8.0 Community Database L1 v1.0.0
1.1 Place Databases on Non-System Partitions | MySQLDB | CIS MySQL 8.0 Enterprise Database L1 v1.3.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled' | Windows | CIS IE 10 v1.1.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled' | Windows | CIS IE 11 v1.0.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0
1.2 Ensure Single-Function Member Servers are Used | Windows | CIS SQL Server 2012 Database L1 OS v1.6.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2014 Database L1 AWS RDS v1.5.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2014 Database L1 DB v1.5.0
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L2 v3.6.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.10 Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.11 Ensure 'Create a token object' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.12 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.14 (L1) Configure 'Create symbolic links' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.14 Configure 'Create symbolic links' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.15 Ensure 'Debug programs' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.21 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.22 Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.24 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' - Window Manager\Window Manager Group' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.25 Ensure 'Increase scheduling priority' is set to 'Administrators' - Administrators | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.25 Ensure 'Increase scheduling priority' is set to 'Administrators' - Window Manager\Window Manager Group' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.26 Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 8 L1 v1.1.0
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
19.7.41.1 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1