800-53|SC-3

Title

SECURITY FUNCTION ISOLATION

Description

The information system isolates security functions from nonsecurity functions.

Supplemental

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

Reference Item Details

Related: AC-3,AC-6,SA-13,SA-4,SA-5,SA-8,SC-2,SC-39,SC-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled'WindowsCIS IE 11 v1.0.0
1.1 Set 'Turn on Enhanced Protected Mode' to 'Enabled'WindowsCIS IE 10 v1.1.0
1.2 Ensure Single-Function Member Servers are UsedWindowsCIS SQL Server 2012 Database L1 OS v1.6.0
1.2 Ensure Single-Function Member Servers are UsedWindowsCIS SQL Server 2017 Database L1 OS v1.2.0
1.2 Ensure Single-Function Member Servers are UsedWindowsCIS SQL Server 2016 Database L1 OS v1.3.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L2 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.2 L1 v3.6.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.4 L1 v2.0.0
1.2 Ensure the Server Is Not a Multi-Use SystemUnixCIS Apache HTTP Server 2.4 L1 v2.0.0 Middleware
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device managementPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMPPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSHPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPSPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-classCiscoCIS Cisco NX-OS L2 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-classCiscoCIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACLCiscoCIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACLCiscoCIS Cisco NX-OS L2 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACLCiscoCIS Cisco NX-OS L1 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-serverCiscoCIS Cisco NX-OS L1 v1.0.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP addressCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP addressCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP addressCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.6.2 Ensure 'SSH version 2' is enabledCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
1.6.2 Ensure 'SSH version 2' is enabledCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.6.2 Ensure 'SSH version 2' is enabledCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - loggingCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - loggingCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntpCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntpCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server hostCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server hostCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informsCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informsCiscoCIS Cisco NX-OS L2 v1.0.0
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.0
2.2.10 Ensure 'Back up files and directories' is set to 'Administrators'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
2.13 Ensure 'Enable Site Isolation for every site' is set to 'Enabled'WindowsCIS Google Chrome L1 v2.1.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directoryUnixCIS Apache Tomcat 8 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directoryUnixCIS Apache Tomcat 8 L1 v1.1.0
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1