800-53|AC-6(1)

Title

AUTHORIZE ACCESS TO SECURITY FUNCTIONS

Description

The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].

Supplemental

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

Reference Item Details

Related: AC-17, AC-18, AC-19

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.3.17.4 Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent' | Windows | CIS Windows 8 L1 v1.0.0
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
1.2.8 Verify that RBAC is enabled | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.19 Ensure that the healthz endpoint is protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.1 Ensure that controller manager healthz endpoints are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.4 Ensure 'application pool identity' is configured for all application pools | Windows | CIS IIS 10 v1.2.1 Level 1
1.4 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.5 Ensure Guest Users Are Reviewed on a Regular Basis | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1
1.7.8 - Miscellaneous Enhancements - disable core dumps - 'fullcore false' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.15 Ensure IAM Users Receive Permissions Only Through Groups | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1
1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1
1.18 Ensure IAM instance roles are used for AWS resource access from instances | amazon_aws | CIS Amazon Web Services Foundations L2 2.0.0
1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
1.23 Ensure That No Custom Subscription Administrator Roles Exist | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1
1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2
2.1 Ensure that IP addresses are mapped to usernames | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L2
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' | Unix | CIS Oracle Server 11g R2 Unix v2.2.0
2.1.3 Ensure 'ADMIN_RESTRICTIONS_<listener_name>' Is Set to 'ON' | Windows | CIS Oracle Server 11g R2 Windows v2.2.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG
2.12.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma v1.0.0 L1
2.12.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 13.0 Ventura v2.0.0 L1
10.3 Restrict access to power management functions - CPRCHANGEPERM | Unix | CIS Solaris 10 L2 v5.2
10.3 Restrict access to power management functions - PMCHANGEPERM | Unix | CIS Solaris 10 L2 v5.2
10.4 Restrict access to sys-suspend feature | Unix | CIS Solaris 10 L2 v5.2
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current | Unix | CIS Apache HTTP Server 2.4 L2 v2.1.0