800-53|AU-9(4)

Title

ACCESS BY SUBSET OF PRIVILEGED USERS

Description

The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

Supplemental

Individuals with privileged access to an information system who are also the subject of an audit by that system may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further divided into audit-related privileges and other privileges, thus limiting the set of users who hold audit-related privileges.

Reference Item Details

Related: AC-5

Category: AUDIT AND ACCOUNTABILITY

Parent Title: PROTECTION OF AUDIT INFORMATION

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.8 Ensure that the --authorization-mode argument includes RBAC | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.9 Verify that RBAC is enabled | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.2.21 Ensure that the healthz endpoint is protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.3.2 Ensure that controller manager healthz endpoints are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.3 Ensure that the --use-service-account-credentials argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4 Ensure Guest Users Are Reviewed on a Regular Basis | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.15 Ensure IAM Users Receive Permissions Only Through Groups | amazon_aws | CIS Amazon Web Services Foundations L1 1.5.0
1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
1.18 Ensure IAM instance roles are used for AWS resource access from instances | amazon_aws | CIS Amazon Web Services Foundations L2 1.5.0
1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
1.23 Ensure That No Custom Subscription Owner Roles Are Created | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0