800-53 | SC-4

Title

INFORMATION IN SHARED RESOURCES

Description

The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

Reference Item Details

Related: AC-3, AC-4, MP-6

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1 Create a separate partition for containers | Unix | CIS Docker 1.11.0 v1.0.0 L1 Linux |
| 1.1 Create a separate partition for containers | Unix | CIS Docker 1.12.0 v1.0.0 L1 Linux |
| 1.1 Create a separate partition for containers | Unix | CIS Docker 1.6 v1.0.0 L1 Linux |
| 1.1.1 Ensure a separate partition for containers has been created | Unix | CIS Docker v1.7.0 L1 Docker - Linux |
| 1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2022 Database L1 AWS RDS v1.1.0 |
| 1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.1.0 |
| 1.2 Ensure Single-Function Member Servers are Used | Windows | CIS SQL Server 2017 Database L1 OS v1.3.0 |
| 1.2 Ensure Single-Function Member Servers are Used | Windows | CIS SQL Server 2016 Database L1 OS v1.4.0 |
| 2.2 Dedicate the Machine Running MariaDB | MySQLDB | CIS MariaDB 10.6 Database L1 v1.1.0 |
| 2.2 Dedicate the Machine Running MySQL | MySQLDB | CIS MySQL 5.6 Community Database L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.6 Enterprise Linux OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.7 Community Linux OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.6 Community Windows OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.7 Community Windows OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | MySQLDB | CIS MySQL 5.6 Enterprise Database L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.6 Enterprise Windows OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.6 Community Linux OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.7 Enterprise Linux OS L1 v2.0.0 |
| 2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.7 Enterprise Windows OS L1 v2.0.0 |
| 2.3 Dedicate the Machine Running MySQL | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.3.0 |
| 2.3 Dedicate the Machine Running MySQL | Unix | CIS MySQL 8.0 Community Linux OS L1 v1.0.0 |
| 2.015 - File share ACLs have not been reconfigured to remove the Everyone group. | Windows | DISA Windows Vista STIG v6r41 |
| 3.018 - Anonymous shares are not restricted. - RestrictAnonymous | Windows | DISA Windows Vista STIG v6r41 |
| 3.018 - Anonymous shares are not restricted. - RestrictAnonymousSAM | Windows | DISA Windows Vista STIG v6r41 |
| 3.063 - Unauthorized named pipes are accessible with anonymous credentials. | Windows | DISA Windows Vista STIG v6r41 |
| 3.064 - Unauthorized registry paths are remotely accessible. | Windows | DISA Windows Vista STIG v6r41 |
| 3.065 - Unauthorized shares can be accessed anonymously. | Windows | DISA Windows Vista STIG v6r41 |
| 3.068 - Solicited Remote Assistance is allowed. | Windows | DISA Windows Vista STIG v6r41 |
| 3.072 - The system is not configured to use the Classic security model. | Windows | DISA Windows Vista STIG v6r41 |
| 3.082 - The system is configured to allow unsolicited remote assistance offers. | Windows | DISA Windows Vista STIG v6r41 |
| 3.108 - Unauthorized registry paths and sub-paths are remotely accessible. | Windows | DISA Windows Vista STIG v6r41 |
| 3.116 - Named Pipes and Shares can be accessed anonymously. | Windows | DISA Windows Vista STIG v6r41 |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | AirWatch - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | MobileIron - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | AirWatch - CIS Apple iOS 17 Benchmark v1.1.0 End User Owned L1 |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | MobileIron - CIS Apple iOS 17 v1.1.0 End User Owned L1 |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | AirWatch - CIS Apple iOS 18 Benchmark v1.0.0 L1 End User Owned |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | MobileIron - CIS Apple iOS 18 v1.0.0 L1 End User Owned |
| 4.8 Ensure 'Find My iPhone/iPad' is set to 'Enabled' on end user-owned devices | MDM | MobileIron - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned |
| 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 5.2.4 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 5.2.4 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.10.0 L1 Master |
| 5.17 Do not directly expose host devices to containers | Unix | CIS Docker 1.11.0 v1.0.0 L1 Docker |
| 5.17 Do not directly expose host devices to containers | Unix | CIS Docker 1.12.0 v1.0.0 L1 Docker |
| 5.118 - Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers. | Windows | DISA Windows Vista STIG v6r41 |
| 20.15 Ensure 'Data files owned by users must be on a different logical partition from the directory server data files' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC |
| 20.15 Ensure 'Data files owned by users must be on a different logical partition from the directory server data files' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC |
| 20.15 Ensure 'Data files owned by users must be on a different logical partition from the directory server data files' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS |
| 20.15 Ensure 'Data files owned by users must be on a different logical partition from the directory server data files' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC |