800-53|SI-16

Title

MEMORY PROTECTION

Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

Reference Item Details

Related: AC-25,SC-3

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.36 Ensure that the admission control plugin EventRateLimit is set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Amazon Linux 2 v3.0.0 L1
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Red Hat EL8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Oracle Linux 8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Rocky Linux 8 Workstation L1 v2.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Red Hat EL8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS AlmaLinux OS 8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Oracle Linux 8 Server L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS AlmaLinux OS 8 Workstation L1 v3.0.0
1.4.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Rocky Linux 8 Server L1 v2.0.0
1.4.2 Ensure XD/NX support is enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
1.4.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Debian 10 Server L1 v2.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Debian 10 Workstation L1 v2.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled | Unix | CIS Amazon Linux 2023 Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Debian Linux 11 Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Debian Linux 11 Workstation L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - config | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Debian Linux 11 Server L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Debian Linux 11 Workstation L1 v1.0.0
1.5.1 Ensure address space layout randomization (ASLR) is enabled - sysctl | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0
1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 16.04 LTS Server L1 v2.0.0
1.5.1 Ensure XD/NX support is enabled | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.5.2 Ensure XD/NX support is enabled | Unix | CIS Amazon Linux v2.1.0 L1
1.5.2 Ensure XD/NX support is enabled | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation
1.20.1 Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.20.2 Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.20.3 Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Disabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.20.4 Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.20.5 Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.20.6 Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.22.1 Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled' | Windows | CIS Microsoft Edge L1 v2.0.0
1.23 Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads' | Windows | CIS Microsoft Edge L1 v2.0.0
1.24 Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads' | Windows | CIS Microsoft Edge L1 v2.0.0