Detections
Analytics

800-53|MA-3

Title

MAINTENANCE TOOLS

Description

The organization approves, controls, and monitors information system maintenance tools.

Supplemental

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing 'ping', 'ls', 'ipconfig', or the hardware and software implementing the monitoring port of an Ethernet switch.

Reference Item Details

Related: MA-2,MA-5,MP-6

Category: MAINTENANCE

Family: MAINTENANCE

Priority: P3

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 13 OS v1.1.0
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 12 OS v1.1.0
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 16 OS v1.0.0
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 15 OS v1.1.0
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 14 OS v 1.2.0
1.1 Ensure packages are obtained from authorized repositoriesUnixCIS PostgreSQL 13 OS v1.2.0
3.7 Audit Software InventoryUnixCIS Apple macOS 10.14 v2.0.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 12.0 Monterey v3.0.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 10.15 Catalina v3.0.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 10.15 v2.1.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 14.0 Sonoma v1.0.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 13.0 Ventura v2.0.0 L2
3.7 Audit Software InventoryUnixCIS Apple macOS 11.0 Big Sur v4.0.0 L2
7.5 Ensure that Only Approved Extensions Are Installedmicrosoft_azureCIS Microsoft Azure Foundations v2.1.0 L1
18.9.102.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'WindowsCIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
18.9.102.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'WindowsCIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
18.9.103.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'WindowsCIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
18.9.103.1.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'WindowsCIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
DTAVSEL-200 - The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.UnixMcAfee Virus Scan Enterprise for Linux 1.9x/2.0x Local Client v1r6
DTAVSEL-200 - The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.UnixMcAfee Virus Scan Enterprise for Linux 1.9x/2.0x Managed Client v1r5
EDGE-00-000002 - Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled.WindowsDISA STIG Edge v1r7
EDGE-00-000003 - Bypassing of Microsoft Defender SmartScreen warnings about downloads must be disabled.WindowsDISA STIG Edge v1r7
EDGE-00-000004 - The list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be allowlisted if used.WindowsDISA STIG Edge v1r7
FGFW-ND-000190 - FortiGate devices performing maintenance functions must restrict use of these functions to authorized personnel only.FortiGateDISA Fortigate Firewall NDM STIG v1r4
WNDF-AV-000025 - Microsoft Defender AV must be configured to scan removable drives.WindowsDISA STIG Microsoft Defender Antivirus v2r4