800-53|SC-3

Title

SECURITY FUNCTION ISOLATION

Description

The information system isolates security functions from nonsecurity functions.

Supplemental

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

Reference Item Details

Related: AC-3, AC-6, SA-13, SA-4, SA-5, SA-8, SC-2, SC-39, SC-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Place Databases on Non-System Partitions | MySQLDB | CIS MySQL 8.0 Enterprise Database L1 v1.3.0
1.1 Place Databases on Non-System Partitions | MySQLDB | CIS MySQL 8.0 Community Database L1 v1.0.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled' | Windows | CIS IE 10 v1.1.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled' | Windows | CIS IE 11 v1.0.0
1.2 Ensure Single-Function Member Servers are Used | Windows | CIS SQL Server 2012 Database L1 OS v1.6.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2014 Database L1 AWS RDS v1.5.0
1.2 Ensure Single-Function Member Servers are Used | MS_SQLDB | CIS SQL Server 2014 Database L1 DB v1.5.0
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L2 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use System | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-class | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-class | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACL | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACL | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.6.2 Ensure 'SSH version 2' is enabled | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | Cisco | CIS Cisco NX-OS L2 v1.0.0
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
2.2.10 Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.11 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
2.2.11 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 8 L1 v1.1.0
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
19.7.41.1 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1