800-53|AC-3(3)

Title

MANDATORY ACCESS CONTROL

Description

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:

Supplemental

Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3(4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3(4), but policies governed by this control take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3(4) permits the subject to pass the information to any subject with the same sensitivity label as the subject.

Reference Item Details

Related: AC-25,SC-11

Category: ACCESS CONTROL

Parent Title: ACCESS ENFORCEMENT

Family: ACCESS CONTROL

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.18 Ensure sticky bit is set on all world-writable directoriesUnixCIS Amazon Linux v2.1.0 L1
1.1.20 Ensure sticky bit is set on all world-writable directoriesUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.1.20 Ensure sticky bit is set on all world-writable directoriesUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.1.22 Ensure sticky bit is set on all world-writable directoriesUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.1.22 Ensure sticky bit is set on all world-writable directoriesUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.1 Ensure AppArmor is installedUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.1 Ensure AppArmor is installedUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configurationUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configurationUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - enforcing = 0UnixCIS Amazon Linux v2.1.0 L2
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - selinux = 0UnixCIS Amazon Linux v2.1.0 L2
1.6.1.2 Ensure the SELinux state is enforcingUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcingUnixCIS Amazon Linux v2.1.0 L2
1.6.1.2 Ensure the SELinux state is enforcingUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'Current mode'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'Current mode'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'Mode from config file'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'Mode from config file'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'SELinux status'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'SELinux status'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'SELINUX'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure the SELinux state is enforcing - 'SELINUX'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - loadedUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - loadedUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - unconfinedUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - unconfinedUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.3 Ensure SELinux policy is configuredUnixCIS Amazon Linux v2.1.0 L2
1.6.1.3 Ensure SELinux policy is configured - 'Policy from config file'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.3 Ensure SELinux policy is configured - 'Policy from config file'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.3 Ensure SELinux policy is configured - 'SELINUXTYPE'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.3 Ensure SELinux policy is configured - 'SELINUXTYPE'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - complainUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - complainUnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - loadedUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - loadedUnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - unconfinedUnixCIS Ubuntu Linux 18.04 LTS Server L2 v2.1.0
1.6.1.4 Ensure all AppArmor Profiles are enforcing - unconfinedUnixCIS Ubuntu Linux 18.04 LTS Workstation L2 v2.1.0
1.6.1.4 Ensure no unconfined daemons existUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.4 Ensure no unconfined daemons existUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.6 Ensure no unconfined daemons existUnixCIS Amazon Linux v2.1.0 L2
1.6.2 Ensure SELinux is installedUnixCIS Amazon Linux v2.1.0 L2
1.6.2.1 Ensure SELinux is not disabled in bootloader configuration - enforcing=0UnixCIS Distribution Independent Linux Server L2 v2.0.0
1.6.2.1 Ensure SELinux is not disabled in bootloader configuration - enforcing=0UnixCIS Distribution Independent Linux Workstation L2 v2.0.0
1.6.2.1 Ensure SELinux is not disabled in bootloader configuration - selinux=0UnixCIS Distribution Independent Linux Workstation L2 v2.0.0
1.6.2.1 Ensure SELinux is not disabled in bootloader configuration - selinux=0UnixCIS Distribution Independent Linux Server L2 v2.0.0
1.6.2.2 Ensure all AppArmor Profiles are enforcingUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.2.2 Ensure all AppArmor Profiles are enforcingUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.2.2 Ensure all AppArmor Profiles are enforcing - 'complian mode'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.2.2 Ensure all AppArmor Profiles are enforcing - 'complian mode'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.2.2 Ensure all AppArmor Profiles are enforcing - 'profiles loaded'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0