Detections
Analytics

800-53|SC-3

Title

SECURITY FUNCTION ISOLATION

Description

The information system isolates security functions from nonsecurity functions.

Supplemental

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

Reference Item Details

Related: AC-3,AC-6,SA-13,SA-4,SA-5,SA-8,SC-2,SC-39,SC-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled'WindowsCIS IE 11 v1.0.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled'WindowsCIS IE 10 v1.1.0
1.2 Ensure Single-Function Member Servers are UsedMS_SQLDBCIS SQL Server 2008 R2 DB Engine L1 v1.7.0
1.2 Ensure Single-Function Member Servers are UsedMS_SQLDBCIS SQL Server 2014 Database L1 AWS RDS v1.5.0
1.2 Ensure Single-Function Member Servers are UsedWindowsCIS SQL Server 2012 Database L1 OS v1.6.0
1.2 Ensure Single-Function Member Servers are UsedMS_SQLDBCIS SQL Server 2014 Database L1 DB v1.5.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L2 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L1 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device managementPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMPPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSHPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPSPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS AlmaLinux OS 8 v4.0.0 L1 Workstation
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Red Hat Enterprise Linux 10 v1.0.1 L1 Workstation
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Red Hat Enterprise Linux 8 v4.0.0 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Rocky Linux 10 v1.0.0 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Rocky Linux 8 v3.0.0 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS AlmaLinux OS 10 v1.0.0 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Oracle Linux 10 v1.0.0 L1 Workstation
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Red Hat Enterprise Linux 10 v1.0.1 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Red Hat Enterprise Linux 8 v4.0.0 L1 Workstation
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Oracle Linux 10 v1.0.0 L1 Server
1.3.1.4 Ensure the SELinux mode is not disabledUnixCIS Oracle Linux 8 v4.0.0 L1 Server
1.16 RHEL-09-212035UnixCIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.17 RHEL-09-212040UnixCIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.18 RHEL-09-212045UnixCIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.28 OL08-00-010170UnixCIS Oracle Linux 8 STIG v1.0.0 CAT II
1.29 OL08-00-010171UnixCIS Oracle Linux 8 STIG v1.0.0 CAT III
1.105 UBTU-24-600130UnixCIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT I
1.105 WN10-CC-000037WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.117 WN22-CC-000240WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.117 WN22-CC-000240WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.140 WN10-CC-000200WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.192 WN22-MS-000020WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.224 WN10-SO-000250WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.227 WN10-SO-000260WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.228 WN10-SO-000265WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.230 WN10-SO-000275WindowsCIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.246 WN22-SO-000390WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.246 WN22-SO-000390WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.247 WN22-SO-000400WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.247 WN22-SO-000400WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.249 WN22-SO-000420WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.249 WN22-SO-000420WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.250 WN22-SO-000430WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.250 WN22-SO-000430WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.252 WN22-SO-000450WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.252 WN22-SO-000450WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.298 RHEL-09-431010UnixCIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT I