800-53|SI-16

Title

MEMORY PROTECTION

Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

Reference Item Details

Related: AC-25, SC-3

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.17.1 (L1) Ensure 'Block pop-ups from websites' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.1.18.1 (L1) Ensure 'browser.safebrowsing.malware.enabled' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.1.18.2 (L1) Ensure 'browser.safebrowsing.phishing.enabled' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.1.18.9 (L2) Ensure 'network.IDN_show_punycode' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L2
1.1.36 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.12.0 L1 Master Node
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.1.4 Ensure apparmor_restrict_unprivileged_unconfined is enabled | Unix | CIS Debian Linux 13 v1.0.0 L1 Server
1.3.1.4 Ensure apparmor_restrict_unprivileged_unconfined is enabled | Unix | CIS Debian Linux 13 v1.0.0 L1 Workstation
1.18 RHEL-09-212045 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.19 RHEL-09-212050 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT III
1.24 RHEL-09-213025 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.31 WN10-00-000145 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT I
1.31.1 (L1) Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.31.1 (L1) Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.2 (L1) Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.31.2 (L1) Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.3 (L1) Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.31.3 (L1) Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.4 (L1) Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.4 (L1) Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.31.5 (L1) Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.31.5 (L1) Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.6 (L1) Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.31.6 (L1) Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.32 WN10-00-000150 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT I
1.33 (L1) Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads.' | Windows | CIS Microsoft Edge v4.0.0 L1
1.33 (L1) Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads.' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.33 RHEL-09-213070 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.34 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads' | Windows | CIS Microsoft Edge v4.0.0 L1
1.34 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.103 (L1) Ensure 'Enable site isolation for every site' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.104 (L1) Ensure 'Enable site isolation for every site' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.109 (L1) Ensure 'Enable warnings for insecure forms' is set to 'Enabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.110 (L1) Ensure 'Enable warnings for insecure forms' is set to 'Enabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.111 (L1) Ensure 'Enables DALL-E themes generation' is set to 'Disabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.112 (L1) Ensure 'Enables DALL-E themes generation' is set to 'Disabled' | Windows | CIS Microsoft Edge v4.0.0 L1
1.114 (L1) Ensure 'Enhance the security state in Microsoft Edge' is set to 'Enabled: Balanced mode' or higher | Windows | CIS Microsoft Intune for Edge v1.0.0 L1
1.115 (L1) Ensure 'Enhance the security state in Microsoft Edge' is set to 'Enabled: Balanced mode' or higher | Windows | CIS Microsoft Edge v4.0.0 L1
1.115 (L2) Ensure 'Enhanced Security Mode configuration for Intranet zone sites' is set to 'Disabled' | Windows | CIS Microsoft Intune for Edge v1.0.0 L2
1.116 (L2) Ensure 'Enhanced Security Mode configuration for Intranet zone sites' is set to 'Disabled' | Windows | CIS Microsoft Edge v4.0.0 L2
1.124 WN22-CC-000310 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.124 WN22-CC-000310 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.128 UBTU-24-700300 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.129 UBTU-24-700310 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.145 WN10-CC-000215 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.269 WN22-UR-000160 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.269 WN22-UR-000160 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II