STIGhub
Libraries
Tools
← AC-6 (10) — Least Privilege
CCI-002235
Definition
Prevent non-privileged users from executing privileged functions.
Parent Control
AC-6 (10)
Least Privilege
Access Control
Linked STIG Checks (200)
V-243506
CAT I
Update access to the directory schema must be restricted to appropriate accounts.
Active Directory Forest Security Technical Implementation Guide
V-274012
CAT II
Amazon Linux 2023 must have the sudo package installed.
Amazon Linux 2023 Security Technical Implementation Guide
V-274169
CAT II
Amazon Linux 2023 must enable discretionary access control on hardlinks.
Amazon Linux 2023 Security Technical Implementation Guide
V-274170
CAT II
Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.
Amazon Linux 2023 Security Technical Implementation Guide
V-274173
CAT II
Amazon Linux 2023 debug-shell systemd service must be disabled.
Amazon Linux 2023 Security Technical Implementation Guide
V-214261
CAT II
Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
Apache Server 2.4 UNIX Server Security Technical Implementation Guide
V-214345
CAT II
Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
Apache Server 2.4 Windows Server Security Technical Implementation Guide
V-214389
CAT II
Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
Apache Server 2.4 Windows Site Security Technical Implementation Guide
V-222948
CAT II
$CATALINA_HOME/bin folder permissions must be set to 750.
Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222983
CAT II
Tomcat user account must be set to nologin.
Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222984
CAT II
Tomcat user account must be a non-privileged user.
Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-254641
CAT II
Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch.
Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-258376
CAT II
Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-268064
CAT II
Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278823
CAT II
Apple iOS/iPadOS 26 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-257772
CAT II
The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257776
CAT II
The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259515
CAT I
The macOS system must require administrator privileges to modify systemwide settings.
Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268514
CAT I
The macOS system must require an administrator password to modify systemwide preferences.
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277123
CAT I
The macOS system must require an administrator password to modify systemwide preferences.
Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-274643
CAT II
Access to API privileged features and functions must be restricted.
Application Programming Interface (API) Security Requirements Guide
V-222429
CAT II
The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Application Security and Development Security Technical Implementation Guide
V-204784
CAT II
The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Application Server Security Requirements Guide
V-272636
CAT II
CylanceON-PREM must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-276005
CAT II
Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-251636
CAT II
IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.
CA IDMS Security Technical Implementation Guide
V-251637
CAT II
IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.
CA IDMS Security Technical Implementation Guide
V-251638
CAT II
IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.
CA IDMS Security Technical Implementation Guide
V-219322
CAT III
Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238360
CAT II
The Ubuntu operating system must be configured to use AppArmor.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260557
CAT II
Ubuntu 22.04 LTS must be configured to use AppArmor.
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270660
CAT II
Ubuntu 24.04 LTS must be configured to use AppArmor.
Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-242615
CAT I
The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Cisco ISE NDM Security Technical Implementation Guide
V-269140
CAT I
The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269141
CAT I
The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269142
CAT II
AlmaLinux OS 9 must have the sudo package installed.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269143
CAT II
The AlmaLinux OS 9 debug-shell systemd service must be disabled.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269144
CAT II
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269145
CAT II
AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233162
CAT II
The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Container Platform Security Requirements Guide
V-233614
CAT I
PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261915
CAT II
PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206586
CAT II
The DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Database Security Requirements Guide
V-269790
CAT I
The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Dell OS10 Switch NDM Security Technical Implementation Guide
V-235781
CAT II
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235782
CAT II
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-279961
CAT II
The DNS Name Server software must run with restricted privileges.
Domain Name System (DNS) Security Requirements Guide
V-270947
CAT I
Dragos Platforms must limit privileges and not allow the ability to run shell.
Dragos Platform 2.x Security Technical Implementation Guide
V-224192
CAT II
The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213617
CAT II
The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259273
CAT II
The EDB Postgres Advanced Server must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-203695
CAT I
The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
General Purpose Operating System Security Requirements Guide
V-254797
CAT II
Google Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 13 COPE Security Technical Implementation Guide
V-258405
CAT II
Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 14 COBO Security Technical Implementation Guide
V-258441
CAT II
Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 14 COPE Security Technical Implementation Guide
V-267462
CAT II
Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 15 COBO Security Technical Implementation Guide
V-267560
CAT II
Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 15 COPE Security Technical Implementation Guide
V-276780
CAT II
Google Android 16 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 16 COBO Security Technical Implementation Guide
V-276885
CAT II
Google Android 16 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 16 COPE Security Technical Implementation Guide
V-284733
CAT II
Google Android 17 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 17 COBO Security Technical Implementation Guide
V-284841
CAT II
Google Android 17 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Google Android 17 COPE Security Technical Implementation Guide
V-255248
CAT II
SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
HPE 3PAR SSMC Operating System Security Technical Implementation Guide
V-274328
CAT II
Honeywell Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Honeywell Android 13 COBO Security Technical Implementation Guide
V-274427
CAT II
Honeywell Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
Honeywell Android 13 COPE Security Technical Implementation Guide
V-213718
CAT I
DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-256858
CAT II
Sign-on to the ESCD Application Console must be restricted to only authorized personnel.
IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-256860
CAT II
The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-256871
CAT II
Access to the Hardware Management Console must be restricted to only authorized personnel.
IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-256873
CAT II
Automatic Call Answering to the Hardware Management Console must be disabled.
IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-256889
CAT I
Product engineering access to the Hardware Management Console must be disabled.
IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-250342
CAT II
Users in a reader-role must be authorized.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255835
CAT II
The WebSphere Application Server users in the admin role must be authorized.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255837
CAT II
The WebSphere Application Server users in a LDAP user registry group must be authorized for that group.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223434
CAT II
CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223435
CAT II
CA-ACF2 allocate access to system user catalogs must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223439
CAT I
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223440
CAT I
IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223441
CAT I
CA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223442
CAT I
CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223444
CAT II
IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223445
CAT I
CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223446
CAT I
CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223447
CAT I
CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223448
CAT I
CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223449
CAT I
CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223450
CAT I
CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223451
CAT II
CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223452
CAT II
CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223453
CAT I
CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223454
CAT II
CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223455
CAT II
CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223456
CAT I
CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223457
CAT II
IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223458
CAT II
CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223459
CAT II
ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223463
CAT I
IBM z/OS SYS1.PARMLIB must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223465
CAT II
CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223466
CAT III
CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223514
CAT I
ACF2 security data sets and/or databases must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223554
CAT II
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223597
CAT II
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223626
CAT II
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223649
CAT I
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223650
CAT III
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223666
CAT I
IBM RACF access to the System Master Catalog must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223667
CAT I
IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
IBM z/OS RACF Security Technical Implementation Guide
V-223668
CAT I
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
IBM z/OS RACF Security Technical Implementation Guide
V-223669
CAT II
IBM RACF allocate access to system user catalogs must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223670
CAT II
IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
IBM z/OS RACF Security Technical Implementation Guide
V-223671
CAT II
IBM RACF must limit access to SYS(x).TRACE to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223675
CAT I
IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
IBM z/OS RACF Security Technical Implementation Guide
V-223676
CAT I
IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223677
CAT I
IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223678
CAT I
IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223679
CAT I
IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223680
CAT II
IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
IBM z/OS RACF Security Technical Implementation Guide
V-223681
CAT II
IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223682
CAT I
IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223683
CAT II
IBM RACF access to SYS1.LINKLIB must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223685
CAT I
IBM RACF security data sets and/or databases must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223686
CAT II
IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS RACF Security Technical Implementation Guide
V-223687
CAT I
IBM RACF must limit all system PROCLIB data sets to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223688
CAT II
IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
IBM z/OS RACF Security Technical Implementation Guide
V-223689
CAT II
IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223690
CAT II
IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223691
CAT II
The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
IBM z/OS RACF Security Technical Implementation Guide
V-223697
CAT I
IBM z/OS SYS1.PARMLIB must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-223701
CAT II
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS RACF Security Technical Implementation Guide
V-223818
CAT II
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
IBM z/OS RACF Security Technical Implementation Guide
V-223837
CAT I
IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
IBM z/OS RACF Security Technical Implementation Guide
V-223849
CAT II
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
IBM z/OS RACF Security Technical Implementation Guide
V-235033
CAT II
IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
IBM z/OS RACF Security Technical Implementation Guide
V-223881
CAT II
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS TSS Security Technical Implementation Guide
V-223882
CAT I
IBM z/OS SYS1.PARMLIB must be properly protected.
IBM z/OS TSS Security Technical Implementation Guide
V-223894
CAT I
CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223895
CAT I
CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223896
CAT I
CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223897
CAT I
CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223898
CAT I
IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
IBM z/OS TSS Security Technical Implementation Guide
V-223899
CAT I
CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223900
CAT I
CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223901
CAT III
CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223902
CAT II
CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223903
CAT I
CA-TSS security data sets and/or databases must be properly protected.
IBM z/OS TSS Security Technical Implementation Guide
V-223904
CAT I
CA-TSS must limit access to the System Master Catalog to appropriate authorized users.
IBM z/OS TSS Security Technical Implementation Guide
V-223906
CAT II
CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223907
CAT II
CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223908
CAT I
CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
IBM z/OS TSS Security Technical Implementation Guide
V-223909
CAT II
CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
IBM z/OS TSS Security Technical Implementation Guide
V-223910
CAT II
CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223911
CAT II
CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
IBM z/OS TSS Security Technical Implementation Guide
V-223912
CAT II
CA-TSS must limit access to SYS(x).TRACE to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223913
CAT II
CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223914
CAT I
CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
IBM z/OS TSS Security Technical Implementation Guide
V-223915
CAT I
CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.
IBM z/OS TSS Security Technical Implementation Guide
V-223917
CAT I
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
IBM z/OS TSS Security Technical Implementation Guide
V-223919
CAT II
IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
IBM z/OS TSS Security Technical Implementation Guide
V-223965
CAT II
The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
IBM z/OS TSS Security Technical Implementation Guide
V-223966
CAT II
CA-TSS Default ACID must be properly defined.
IBM z/OS TSS Security Technical Implementation Guide
V-223967
CAT I
The CA-TSS BYPASS attribute must be limited to trusted STCs only.
IBM z/OS TSS Security Technical Implementation Guide
V-223968
CAT II
CA-TSS MSCA ACID must perform security administration only.
IBM z/OS TSS Security Technical Implementation Guide
V-223969
CAT I
CA-TSS ACIDs granted the CONSOLE attribute must be justified.
IBM z/OS TSS Security Technical Implementation Guide
V-223970
CAT II
CA-TSS ACIDs defined as security administrators must have the NOATS attribute.
IBM z/OS TSS Security Technical Implementation Guide
V-224049
CAT II
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
IBM z/OS TSS Security Technical Implementation Guide
V-224073
CAT I
CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
IBM z/OS TSS Security Technical Implementation Guide
V-224081
CAT II
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
IBM z/OS TSS Security Technical Implementation Guide
V-259733
CAT II
IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions.
IBM zSecure Suite Security Technical Implementation Guide
V-237943
CAT II
The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-237954
CAT II
The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-237955
CAT II
The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-237956
CAT II
The IBM z/VM ANY Privilege Class must not be listed for privilege commands.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-258600
CAT I
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
Ivanti Connect Secure NDM Security Technical Implementation Guide
V-284531
CAT I
The Ivanti Policy Secure must be configured to prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Ivanti Policy Secure NDM Security Technical Implementation Guide
V-213539
CAT II
The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-253947
CAT I
The Juniper EX switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-213865
CAT II
SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
MS SQL Server 2014 Instance Security Technical Implementation Guide
V-213979
CAT II
SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
MS SQL Server 2016 Instance Security Technical Implementation Guide
V-205544
CAT II
The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Mainframe Product Security Requirements Guide
V-253723
CAT II
MariaDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220377
CAT II
MarkLogic Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
MarkLogic Server v9 Security Technical Implementation Guide
V-255341
CAT II
Azure SQL Database must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Microsoft Azure SQL Database Security Technical Implementation Guide
V-276307
CAT II
Azure SQL Managed Instance must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-259631
CAT II
Role-Based Access Control must be defined for privileged and nonprivileged users.
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
V-259698
CAT II
Role-Based Access Control must be defined for privileged and nonprivileged users.
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-218814
CAT II
IIS 10.0 web server system files must conform to minimum file permission requirements.
Microsoft IIS 10.0 Server Security Technical Implementation Guide
V-223293
CAT II
Users must be prevented from creating new trusted locations in the Trust Center.
Microsoft Office 365 ProPlus Security Technical Implementation Guide
V-223353
CAT II
Outlook must be configured to prevent users overriding attachment security settings.
Microsoft Office 365 ProPlus Security Technical Implementation Guide
V-238035
CAT II
Connection verification of permissions must be enforced.
Microsoft Office System 2016 Security Technical Implementation Guide
V-271341
CAT II
SQL Server must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-220712
CAT I
Only accounts responsible for the administration of a system must have Administrator rights on the system.
Microsoft Windows 10 Security Technical Implementation Guide
V-220907
CAT II
Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
Microsoft Windows 10 Security Technical Implementation Guide
V-220933
CAT II
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
Microsoft Windows 10 Security Technical Implementation Guide
V-220956
CAT II
The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
Microsoft Windows 10 Security Technical Implementation Guide
V-220958
CAT I
The Act as part of the operating system user right must not be assigned to any groups or accounts.
Microsoft Windows 10 Security Technical Implementation Guide
V-220960
CAT II
The Back up files and directories user right must only be assigned to the Administrators group.
Microsoft Windows 10 Security Technical Implementation Guide
V-220961
CAT II
The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
Microsoft Windows 10 Security Technical Implementation Guide
V-220962
CAT II
The Create a pagefile user right must only be assigned to the Administrators group.
Microsoft Windows 10 Security Technical Implementation Guide
V-220963
CAT I
The Create a token object user right must not be assigned to any groups or accounts.
Microsoft Windows 10 Security Technical Implementation Guide
V-220964
CAT II
The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
Microsoft Windows 10 Security Technical Implementation Guide
V-220965
CAT II
The Create permanent shared objects user right must not be assigned to any groups or accounts.
Microsoft Windows 10 Security Technical Implementation Guide