800-53|SC-39

Title

PROCESS ISOLATION

Description

The information system maintains a separate execution domain for each executing process.

Supplemental

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-3,AC-4,AC-6,SA-4,SA-5,SA-8,SC-2,SC-3

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.5.1 Ensure XD/NX support is enabled	Unix	CIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0
1.5.1 Ensure XD/NX support is enabled	Unix	CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
1.5.3 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Debian 9 Server L1 v1.0.1
1.5.3 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
1.5.3 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Distribution Independent Linux Workstation L1 v2.0.0
1.5.3 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Debian 9 Workstation L1 v1.0.1
1.5.3 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Debian 9 Workstation L1 v1.0.1
1.5.3 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Debian 9 Server L1 v1.0.1
1.6.1 Ensure XD/NX support is enabled	Unix	CIS Debian Family Workstation L1 v1.0.0
1.6.1 Ensure XD/NX support is enabled	Unix	CIS Debian Family Server L1 v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Debian Family Workstation L1 v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled	Unix	CIS Debian Family Server L1 v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - config	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - config	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Debian Family Workstation L1 v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Debian Family Server L1 v1.0.0
1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.6.2 Ensure XD/NX support is enabled	Unix	CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.6.2 Ensure XD/NX support is enabled	Unix	CIS Fedora 19 Family Linux Server L1 v1.0.0
1.6.3 Enable Randomized Virtual Memory Region Placement - kernel.randomize_va_space = 2	Unix	CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.6.3 Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.d/*	Unix	CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.6.3 Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.d/*	Unix	CIS Fedora 19 Family Linux Server L1 v1.0.0
1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Fedora 19 Family Linux Server L1 v1.0.0
1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl	Unix	CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.6.4 Enable XD/NX Support on 32-bit x86 Systems - cpuinfo	Unix	CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.6.4 Enable XD/NX Support on 32-bit x86 Systems - kernel-PAE	Unix	CIS Red Hat Enterprise Linux 5 L1 v2.2.1
2.9 Confirm default cgroup usage	Unix	CIS Docker 1.11.0 v1.0.0 L2 Docker
2.9 Confirm default cgroup usage	Unix	CIS Docker 1.12.0 v1.0.0 L2 Docker
5.9 Do not share the host's network namespace	Unix	CIS Docker 1.13.0 v1.0.0 L1 Docker
5.9 Do not share the host's network namespace	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.9 Do not share the host's network namespace	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.9 Ensure the host's network namespace is not shared	Unix	CIS Docker Community Edition v1.1.0 L1 Docker
5.15 Do not share the host's process namespace	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.15 Do not share the host's process namespace	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.16 Do not share the host's IPC namespace	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.16 Do not share the host's IPC namespace	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.20 Do not share the host's UTS namespace	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.20 Do not share the host's UTS namespace	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.24 Confirm cgroup usage	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.24 Confirm cgroup usage	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
5.24 Confirm cgroup usage	Unix	CIS Docker 1.13.0 v1.0.0 L1 Docker
5.24 Ensure cgroup usage is confirmed	Unix	CIS Docker Community Edition v1.1.0 L1 Docker
5.25 Restrict container from acquiring additional privileges	Unix	CIS Docker 1.11.0 v1.0.0 L1 Docker
5.25 Restrict container from acquiring additional privileges	Unix	CIS Docker 1.12.0 v1.0.0 L1 Docker
18.9.24.1 (L1) Ensure 'EMET 5.52' or higher is installed	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.24.1 Ensure 'EMET 5.52' or higher is installed	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.9.24.1 Ensure 'EMET 5.52' or higher is installed	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.24.1 Ensure 'EMET 5.52' or higher is installed	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
ADBP-XI-000205 - Adobe Acrobat Pro XI Enhanced Security for standalone mode must be enabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2

Detections

Analytics