800-53|SI-16

Title

MEMORY PROTECTION

Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

Reference Item Details

Related: AC-25,SC-3

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.36 Ensure that the admission control plugin EventRateLimit is setUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriateUnixCIS Kubernetes v1.10.0 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriateUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriateUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriateUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS CentOS Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS AlmaLinux OS 8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Amazon Linux 2 v3.0.0 L1
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Oracle Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS AlmaLinux OS 8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Red Hat EL8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Rocky Linux 8 Server L1 v2.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Rocky Linux 8 Workstation L1 v2.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Oracle Linux 8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Oracle Linux 8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS CentOS Linux 7 v4.0.0 L1 Workstation
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Red Hat EL8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Oracle Linux 7 v4.0.0 L1 Workstation
1.4.2 Ensure XD/NX support is enabledUnixCIS Google Container-Optimized OS v1.2.0 L1 Server
1.4.3 Ensure address space layout randomization (ASLR) is enabledUnixCIS Google Container-Optimized OS v1.2.0 L1 Server
1.5.1 (L1) Ensure 'Configure Edge Website Typo Protection' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.5.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Amazon Linux 2023 Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Debian 10 Server L1 v2.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabledUnixCIS Debian 10 Workstation L1 v2.0.0
1.5.1 Ensure address space layout randomization is enabledUnixCIS AlmaLinux OS 9 v2.0.0 L1 Workstation
1.5.1 Ensure address space layout randomization is enabledUnixCIS Debian Linux 12 v1.1.0 L1 Server
1.5.1 Ensure address space layout randomization is enabledUnixCIS Debian Linux 12 v1.1.0 L1 Workstation
1.5.1 Ensure address space layout randomization is enabledUnixCIS AlmaLinux OS 9 v2.0.0 L1 Server
1.5.1 Ensure address space layout randomization is enabledUnixCIS Oracle Linux 9 v2.0.0 L1 Workstation
1.5.1 Ensure address space layout randomization is enabledUnixCIS Rocky Linux 9 v2.0.0 L1 Server
1.5.1 Ensure address space layout randomization is enabledUnixCIS Debian Linux 11 v2.0.0 L1 Workstation
1.5.1 Ensure address space layout randomization is enabledUnixCIS Debian Linux 11 v2.0.0 L1 Server
1.5.1 Ensure address space layout randomization is enabledUnixCIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server
1.5.1 Ensure XD/NX support is enabledUnixCIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0
1.5.1 Ensure XD/NX support is enabledUnixCIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
1.25.1 (L1) Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.25.2 (L1) Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.25.3 (L1) Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Disabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.25.4 (L1) Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.25.5 (L1) Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.25.6 (L1) Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.27 (L1) Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads.'WindowsCIS Microsoft Edge v3.0.0 L1
1.28 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'WindowsCIS Microsoft Edge v3.0.0 L1
1.100 (L1) Ensure 'Enable site isolation for every site' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.106 (L1) Ensure 'Enable warnings for insecure forms' is set to 'Enabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.107 (L1) Ensure 'Enables DALL-E themes generation' is set to 'Disabled'WindowsCIS Microsoft Edge v3.0.0 L1
1.110 (L1) Ensure 'Enhance the security state in Microsoft Edge' is set to 'Enabled: Balanced mode' or higherWindowsCIS Microsoft Edge v3.0.0 L1
1.111 (L2) Ensure 'Enhanced Security Mode configuration for Intranet zone sites' is set to 'Disabled'WindowsCIS Microsoft Edge v3.0.0 L2