800-53|SC-7(10)

Title

PREVENT UNAUTHORIZED EXFILTRATION

Description

The organization prevents the unauthorized exfiltration of information across managed interfaces.

Supplemental

Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements.

Reference Item Details

Related: SI-3

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1 Create Separate Partition for /tmp | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1 |
| 1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1 |
| 1.1.3 Ensure separate file system for /tmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 1.1.3 Set nosuid option for /tmp Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.5 Create Separate Partition for /var | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.5 Ensure nosuid option set on /tmp partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.5 Ensure nosuid option set on /tmp partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.6 Ensure /dev/shm is configured | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0 |
| 1.1.6 Ensure /dev/shm is configured | Unix | CIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0 |
| 1.1.6 Ensure /dev/shm is configured | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0 |
| 1.1.6 Ensure /dev/shm is configured | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0 |
| 1.1.6 Ensure /dev/shm is configured - /etc/fstab | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.6 Ensure /dev/shm is configured - /etc/fstab | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.6 Ensure /dev/shm is configured - mount | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.6 Ensure /dev/shm is configured - mount | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.7 Ensure noexec option set on /dev/shm partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.7 Ensure noexec option set on /dev/shm partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.10 Add nodev Option to /home | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.11 Add nodev Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.11 Ensure separate partition exists for /var/tmp | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0 |
| 1.1.11 Ensure separate partition exists for /var/tmp | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0 |
| 1.1.12 Add noexec Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.13 Add nosuid Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.13 Ensure nodev option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.13 Ensure nodev option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.13 Ensure separate partition exists for /home | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1 |
| 1.1.13 Ensure separate partition exists for /home | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1 |
| 1.1.14 Add nodev Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.14 Ensure nosuid option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.14 Ensure nosuid option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.15 Add nosuid Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.16 Add noexec Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.17 Ensure separate partition exists for /home | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0 |
| 1.1.17 Ensure separate partition exists for /home | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0 |
| 1.1.17 Set Sticky Bit on All World-Writable Directories | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 |
| 1.1.18 Ensure nodev option set on /home partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.18 Ensure nodev option set on /home partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.19 Ensure noexec option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.19 Ensure noexec option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.20 Ensure nodev option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.20 Ensure nodev option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.21 Ensure nosuid option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.21 Ensure nosuid option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |
| 1.1.21 Ensure sticky bit is set on all world-writable directories | Unix | CIS Debian 9 Server L1 v1.0.1 |
| 1.1.21 Ensure sticky bit is set on all world-writable directories | Unix | CIS Debian 9 Workstation L1 v1.0.1 |
| 1.1.22 Ensure sticky bit is set on all world-writable directories | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 |
| 1.1.22 Ensure sticky bit is set on all world-writable directories | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0 |