800-53|CM-5

Title

ACCESS RESTRICTIONS FOR CHANGE

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Reference Item Details

Related: AC-3,AC-6,PE-3

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.4.4 Ensure boot loader does not allow removable mediaUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - device_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - unlabeled_tUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.UnixCIS Amazon Linux 2 STIG v1.0.0 L3
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 11 v1.0.0
5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3.31 Ensure SSH does not permit Kerberos authenticationUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.5.9 Ensure local interactive user accounts umask is 077UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
6.1.1 Audit system file permissionsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
8.10 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 9 v1.0.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 10 v1.1.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'WindowsCIS IE 11 v1.0.0
8.11 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 9 v1.0.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 10 v1.1.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'WindowsCIS IE 11 v1.0.0
AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001280 - Adobe Acrobat Pro DC Continuous Default Handler changes must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001325 - Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.WindowsDISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000840 - Adobe Acrobat Pro XI privileged file and folder locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001280 - Adobe Acrobat Pro XI Default Handler changes must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001325 - Adobe Acrobat Pro XI privileged site locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001330 - Adobe Acrobat Pro XI privileged host locations must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001335 - Adobe Acrobat Pro XI certified document trust must be disabled.WindowsDISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /binUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /etcUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /sbinUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/binUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/lbinUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/sbinUnixDISA STIG AIX 7.x v2r5
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/ucbUnixDISA STIG AIX 7.x v2r5
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor - Type BUnixDISA STIG AIX 7.x v2r5
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor - Type CUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/groupUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/audit/configUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/environUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/groupUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/limitsUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/login.cfgUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/passwd readUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/passwd writeUnixDISA STIG AIX 7.x v2r5
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events - /etc/security/userUnixDISA STIG AIX 7.x v2r5
AIX7-00-002072 - AIX system files, programs, and directories must be group-owned by a system group - /binUnixDISA STIG AIX 7.x v2r5