800-53|SC-4

Title

INFORMATION IN SHARED RESOURCES

Description

The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.
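The object-reuse failure this control describes is easiest to see in an allocator that hands a released resource to the next requester without clearing it. The following is an added example, not part of the NIST text or of any audit item listed on this page: a small fixed-block pool in C models a shared resource that tenant A releases and tenant B then acquires. `pool_release()` returns the block untouched, so B inherits A's data; `pool_release_scrubbed()` wipes it first. The pool layout, the tenant roles, the `secure_wipe()` helper and the sample secret are all constructed for illustration.

```c
/*
 * Added example (not from NIST SP 800-53 or the audit items on this page):
 * a fixed-block pool that models a shared system resource being released by
 * one tenant and reacquired by another. pool_release() puts the block back
 * on the free list untouched (the object-reuse problem SC-4 addresses);
 * pool_release_scrubbed() clears it first. Tenant roles, pool layout and the
 * sample secret are constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 64
#define NBLOCKS    4

typedef struct {
    uint8_t mem[NBLOCKS][BLOCK_SIZE];
    int     in_use[NBLOCKS];
} pool_t;

/* Wipe the compiler cannot drop as a dead store (same intent as
 * explicit_bzero/memset_s, written out so the example has no platform
 * dependency). */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

static void pool_init(pool_t *pool)
{
    memset(pool, 0, sizeof *pool);
}

/* First-fit acquire: lowest free block, or NULL when exhausted.
 * Like many real allocators it does NOT clear the block on acquire. */
static uint8_t *pool_acquire(pool_t *pool)
{
    for (int i = 0; i < NBLOCKS; i++) {
        if (!pool->in_use[i]) {
            pool->in_use[i] = 1;
            return pool->mem[i];
        }
    }
    return NULL;
}

static int block_index(const pool_t *pool, const uint8_t *blk)
{
    for (int i = 0; i < NBLOCKS; i++)
        if (blk == pool->mem[i])
            return i;
    return -1;
}

/* Insecure release: contents stay intact, so the next holder inherits them. */
static void pool_release(pool_t *pool, uint8_t *blk)
{
    int i = block_index(pool, blk);
    if (i >= 0)
        pool->in_use[i] = 0;
}

/* SC-4 style release: scrub before the resource becomes shareable again. */
static void pool_release_scrubbed(pool_t *pool, uint8_t *blk)
{
    int i = block_index(pool, blk);
    if (i >= 0) {
        secure_wipe(pool->mem[i], BLOCK_SIZE);
        pool->in_use[i] = 0;
    }
}

/* Number of bytes of tenant A's secret that tenant B can read back after A
 * releases the block; 0 means no residual information was transferred. */
static size_t residual_bytes(int scrub)
{
    static const char secret[] = "api-key=CONSTRUCTED-SAMPLE-SECRET"; /* constructed */
    pool_t pool;
    pool_init(&pool);

    uint8_t *a = pool_acquire(&pool);          /* tenant A */
    memcpy(a, secret, sizeof secret);
    if (scrub)
        pool_release_scrubbed(&pool, a);
    else
        pool_release(&pool, a);

    uint8_t *b = pool_acquire(&pool);          /* tenant B gets the same block */
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != '\0' && b[i] == (uint8_t)secret[i])
            leaked++;
    return leaked;
}

int main(void)
{
    printf("residual bytes without scrub: %zu\n", residual_bytes(0));
    printf("residual bytes with scrub:    %zu\n", residual_bytes(1));
    return 0;
}
```

The same pattern applies to any resource the control names (registers, pages of main memory, disk blocks, container volumes): either the releasing side scrubs, or the allocating side clears on acquire; a pool that does neither is exactly what the audit items below are checking for, one platform at a time. Note that `secure_wipe()` only prevents the dead-store elimination problem; it does not address remanence on physical media, which the supplemental text explicitly leaves to MP-6.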

Reference Item Details

Related: AC-3,AC-4,MP-6

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Place Databases on Non-System Partitions | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
1.1 Place Databases on Non-System Partitions | Windows | CIS MySQL 5.6 Community Windows OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Windows | CIS MySQL 5.7 Community Windows OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Unix | CIS MySQL 5.7 Community Linux OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Windows | CIS MySQL 5.7 Enterprise Windows OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Unix | CIS MySQL 5.6 Enterprise Linux OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Unix | CIS MySQL 5.6 Community Linux OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Windows | CIS MySQL 5.6 Enterprise Windows OS L1 v2.0.0
1.1 Place Databases on Non-System Partitions | Unix | CIS MySQL 5.7 Enterprise Linux OS L1 v2.0.0
1.1.1 Ensure a separate partition for containers has been created | Unix | CIS Docker v1.3.1 L1 Linux Host OS
1.7 Ensure MySQL is Run Under a Sandbox Environment | Unix | CIS MySQL 8.0 Enterprise Linux OS L2 v1.2.0
1.9 Ensure appropriate DefaultDS is enabled | Unix | Redhat JBoss EAP 5.x
1.12 Ensure HSQLDB Security Domain is removed - 'HsqlDbRealm = false' | Unix | Redhat JBoss EAP 5.x
2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.7 Enterprise Windows OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.6 Community Windows OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.6 Enterprise Linux OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.6 Community Linux OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.6 Enterprise Windows OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.7 Enterprise Linux OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Windows | CIS MySQL 5.7 Community Windows OS L1 v2.0.0
2.2 Dedicate the Machine Running MySQL | Unix | CIS MySQL 5.7 Community Linux OS L1 v2.0.0
2.3 Dedicate the Machine Running MySQL | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
2.015 - File share ACLs have not been reconfigured to remove the Everyone group. | Windows | DISA Windows Vista STIG v6r41
3.1 Ensure the customer lockbox feature is enabled | microsoft_azure | CIS Microsoft 365 Foundations E5 L2 v1.4.0
3.4 Ensure DLP policies are enabled | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0
3.5 Ensure DLP policies are enabled for Microsoft Teams | microsoft_azure | CIS Microsoft 365 Foundations E5 L1 v1.4.0
3.7 Ensure external file sharing in Teams is enabled for only approved cloud storage services | microsoft_azure | CIS Microsoft 365 Foundations E3 L2 v1.4.0
3.018 - Anonymous shares are not restricted. - RestrictAnonymous | Windows | DISA Windows Vista STIG v6r41
3.018 - Anonymous shares are not restricted. - RestrictAnonymousSAM | Windows | DISA Windows Vista STIG v6r41
3.063 - Unauthorized named pipes are accessible with anonymous credentials. | Windows | DISA Windows Vista STIG v6r41
3.064 - Unauthorized registry paths are remotely accessible. | Windows | DISA Windows Vista STIG v6r41
3.065 - Unauthorized shares can be accessed anonymously. | Windows | DISA Windows Vista STIG v6r41
3.068 - Solicited Remote Assistance is allowed. | Windows | DISA Windows Vista STIG v6r41
3.072 - The system is not configured to use the Classic security model. | Windows | DISA Windows Vista STIG v6r41
3.082 - The system is configured to allow unsolicited remote assistance offers. | Windows | DISA Windows Vista STIG v6r41
3.108 - Unauthorized registry paths and sub-paths are remotely accessible. | Windows | DISA Windows Vista STIG v6r41
3.116 - Named Pipes and Shares can be accessed anonymously. | Windows | DISA Windows Vista STIG v6r41
5.2.3 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.4 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.4 Minimize the admission of containers wishing to share the host IPC namespace | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.10 Ensure that the memory usage for containers is limited | Unix | CIS Docker v1.3.1 L1 Docker Linux
5.11 Ensure that CPU priority is set appropriately on containers | Unix | CIS Docker v1.3.1 L1 Docker Linux
5.15 Ensure that the host's process namespace is not shared | Unix | CIS Docker v1.3.1 L1 Docker Linux
5.16 Ensure that the host's IPC namespace is not shared | Unix | CIS Docker v1.3.1 L1 Docker Linux
5.17 Do not directly expose host devices to containers | Unix | CIS Docker 1.12.0 v1.0.0 L1 Docker
5.17 Do not directly expose host devices to containers | Unix | CIS Docker 1.13.0 v1.0.0 L1 Docker
5.17 Do not directly expose host devices to containers | Unix | CIS Docker 1.11.0 v1.0.0 L1 Docker
5.17 Ensure host devices are not directly exposed to containers | Unix | CIS Docker Community Edition v1.1.0 L1 Docker
5.18 Ensure that the default ulimit is overwritten at runtime if needed | Unix | CIS Docker v1.3.1 L1 Docker Linux
5.118 - Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers. | Windows | DISA Windows Vista STIG v6r41