800-53|CM-5

Title

ACCESS RESTRICTIONS FOR CHANGE

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-3,AC-6,PE-3

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3 Protect Firefox Binaries	Unix	CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.js	Unix	CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.4 Set permissions on local-settings.js - Administrators	Windows	CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4 Set permissions on local-settings.js - Users	Windows	CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.4.4 Ensure boot loader does not allow removable media	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5 Set permissions on mozilla.cfg	Unix	CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0
1.5 Set permissions on mozilla.cfg - Administrators	Windows	CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.5 Set permissions on mozilla.cfg - Users	Windows	CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0
1.6.1.10 Ensure system device files are labeled - device_t	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6.1.10 Ensure system device files are labeled - unlabeled_t	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 11 v1.0.0
5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3.31 Ensure SSH does not permit Kerberos authentication	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 9 v1.0.0
5.5.9 Ensure local interactive user accounts umask is 077	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
6.1.1 Audit system file permissions	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
8.10 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'	Windows	CIS IE 9 v1.0.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'	Windows	CIS IE 11 v1.0.0
8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled'	Windows	CIS IE 10 v1.1.0
8.11 Set 'Security Zones: Use only machine settings' to 'Enabled'	Windows	CIS IE 9 v1.0.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'	Windows	CIS IE 11 v1.0.0
8.13 Set 'Security Zones: Use only machine settings' to 'Enabled'	Windows	CIS IE 10 v1.1.0
AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001280 - Adobe Acrobat Pro DC Continuous Default Handler changes must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001325 - Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.	Windows	DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000840 - Adobe Acrobat Pro XI privileged file and folder locations must be disabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001280 - Adobe Acrobat Pro XI Default Handler changes must be disabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001325 - Adobe Acrobat Pro XI privileged site locations must be disabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001330 - Adobe Acrobat Pro XI privileged host locations must be disabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001335 - Adobe Acrobat Pro XI certified document trust must be disabled.	Windows	DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-002016 - AIX must provide audit record generation functionality for DoD-defined auditable events.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-002072 - AIX system files, programs, and directories must be group-owned by a system group.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-002088 - AIX library files must have mode 0755 or less permissive.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-002107 - AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-002133 - AIX must be configured to use syslogd to log events by TCPD.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-003009 - All system command files must not have extended ACLs.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-003010 - All library files must not have extended ACLs.	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-003022 - AIX must disable trivial file transfer protocol.	Unix	DISA STIG AIX 7.x v2r9
AOSX-13-000240 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5

Detections

Analytics