STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-7 (5) — Least Functionality

CCI-001774

Definition

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

Parent Control

CM-7 (5)Least FunctionalityConfiguration Management

Linked STIG Checks (125)

V-252487CAT IIIThe macOS system must be configured to disable the iCloud Calendar services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252488CAT IIIThe macOS system must be configured to disable the iCloud Reminders services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252489CAT IIIThe macOS system must be configured to disable iCloud Address Book services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252490CAT IIIThe macOS system must be configured to disable the Mail iCloud services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252491CAT IIIThe macOS system must be configured to disable the iCloud Notes services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252493CAT IIThe macOS system must be configured to disable Siri and dictation.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252496CAT IThe macOS system must be configured to disable the system preference pane for Apple ID.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252497CAT IIThe macOS system must be configured to disable the system preference pane for Internet Accounts.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252502CAT IIThe macOS system must be configured to disable the Siri Setup services.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252503CAT IIThe macOS system must disable iCloud Keychain synchronization.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252504CAT IIThe macOS system must disable iCloud document synchronization.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252505CAT IIThe macOS system must disable iCloud bookmark synchronization.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252506CAT IIThe macOS system must disable iCloud photo library.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252508CAT IIThe macOS system must be configured to disable the system preference pane for TouchID.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252509CAT IIThe macOS system must be configured to disable the system preference pane for Wallet and ApplePay.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252510CAT IIThe macOS system must be configured to disable the system preference pane for Siri.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257193CAT IIIThe macOS system must be configured to disable the iCloud Calendar services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257194CAT IIIThe macOS system must be configured to disable the iCloud Reminders services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257195CAT IIIThe macOS system must be configured to disable iCloud Address Book services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257196CAT IIIThe macOS system must be configured to disable the iCloud Mail services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257197CAT IIIThe macOS system must be configured to disable the iCloud Notes services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257198CAT IIThe macOS system must cover or disable the built-in or attached camera when not in use.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257199CAT IIThe macOS system must be configured to disable Siri and dictation.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257202CAT IThe macOS system must be configured to disable the system preference pane for Apple ID.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257208CAT IIThe macOS system must be configured to disable the Siri Setup services.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257209CAT IIThe macOS system must disable iCloud Keychain synchronization.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257210CAT IIThe macOS system must disable iCloud Document synchronization.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257211CAT IIThe macOS system must disable iCloud Bookmark synchronization.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257212CAT IIThe macOS system must disable the iCloud Photo Library.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257214CAT IIThe macOS system must be configured to disable the system preference pane for TouchID and Password.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257215CAT IIThe macOS system must be configured to disable the system preference pane for Wallet and ApplePay.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257216CAT IIThe macOS system must be configured to disable the system preference pane for Siri.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-222517CAT IIThe application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.Application Security and Development Security Technical Implementation Guide V-276005CAT IIAx-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219324CAT IIThe Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238360CAT IIThe Ubuntu operating system must be configured to use AppArmor.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260556CAT IIUbuntu 22.04 LTS must have the "apparmor" package installed.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260557CAT IIUbuntu 22.04 LTS must be configured to use AppArmor.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270659CAT IIUbuntu 24.04 LTS must have AppArmor installed.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270660CAT IIUbuntu 24.04 LTS must be configured to use AppArmor.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-259880CAT IIThe Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.Cloud Computing Mission Owner Operating System Security Requirements Guide V-269330CAT IIAlmaLinux OS 9 fapolicy module must be enabled.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269331CAT IIAlmaLinux OS 9 fapolicy module must be installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233192CAT IIThe container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.Container Platform Security Requirements Guide V-235838CAT IIContent Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235839CAT IIOnly trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235846CAT IIOnly trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-278398CAT IINGINX must be configured with a deny-all, permit-by-exception policy to allow the execution of authorized software programs.F5 NGINX Security Technical Implementation Guide V-203722CAT IIThe operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.General Purpose Operating System Security Requirements Guide V-215335CAT IIAIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.IBM AIX 7.x Security Technical Implementation Guide V-223777CAT IIBM RACF must define UACC of NONE on all profiles.IBM z/OS RACF Security Technical Implementation Guide V-223957CAT IThe CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.IBM z/OS TSS Security Technical Implementation Guide V-74175CAT IIA McAfee Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.McAfee Application Control 7.x Security Technical Implementation Guide V-74203CAT IIThe configuration of features under McAfee Application Control Options policies Enforce feature control must be documented in the organizations written policy.McAfee Application Control 7.x Security Technical Implementation Guide V-74205CAT IIThe organizations written policy must include a process for how whitelisted applications are deemed to be allowed.McAfee Application Control 7.x Security Technical Implementation Guide V-74207CAT IIThe organizations written policy must include procedures for how often the whitelist of allowed applications is reviewed.McAfee Application Control 7.x Security Technical Implementation Guide V-74209CAT IIThe Solidcore client must be enabled.McAfee Application Control 7.x Security Technical Implementation Guide V-74213CAT IThe Solidcore client Command Line Interface (CLI) Access Password must be changed from the default.McAfee Application Control 7.x Security Technical Implementation Guide V-74215CAT IIThe organization-specific Rules policy must only include executable and dll files that are associated with applications as allowed by the organizations written policy.McAfee Application Control 7.x Security Technical Implementation Guide V-74223CAT IIThe McAfee Application Control Options Reputation-Based Execution settings, if enabled, must be configured to allow Most Likely Trusted or Known Trusted only.McAfee Application Control 7.x Security Technical Implementation Guide V-74231CAT IIOrganization-specific McAfee Applications Control Options policies must be created and applied to all endpoints.McAfee Application Control 7.x Security Technical Implementation Guide V-74233CAT IIThe McAfee Application Control Options policy must be configured to disable Self-Approval.McAfee Application Control 7.x Security Technical Implementation Guide V-74235CAT IIThe McAfee Application Control Options policy End User Notification, if configured by organization, must have all default variables replaced with the organization-specific data.McAfee Application Control 7.x Security Technical Implementation Guide V-74237CAT IIThe McAfee Application Control Options policies Enforce feature control memory protection must be enabled.McAfee Application Control 7.x Security Technical Implementation Guide V-74239CAT IIEnabled features under McAfee Application Control Options policies Enforce feature control must not be configured unless documented in written policy and approved by ISSO/ISSM.McAfee Application Control 7.x Security Technical Implementation Guide V-74241CAT IIThe McAfee Application Control Options Inventory option must be configured to hide OS Files.McAfee Application Control 7.x Security Technical Implementation Guide V-74243CAT IIThe McAfee Application Control Options Inventory interval option must be configured to pull inventory from endpoints on a regular basis not to exceed seven days.McAfee Application Control 7.x Security Technical Implementation Guide V-74247CAT IIThe McAfee Applications Default Rules policy must be part of the effective rules policy applied to every endpoint.McAfee Application Control 7.x Security Technical Implementation Guide V-74249CAT IIA copy of the McAfee Default Rules policy must be part of the effective rules policy applied to every endpoint.McAfee Application Control 7.x Security Technical Implementation Guide V-74251CAT IIThe organization-specific Rules policies must be part of the effective rules policy applied to all endpoints.McAfee Application Control 7.x Security Technical Implementation Guide V-74253CAT IIThe organization-specific Solidcore Client Policies must be created and applied to all endpoints.McAfee Application Control 7.x Security Technical Implementation Guide V-74255CAT IIThe Throttling settings must be enabled and configured to settings according to organizations requirements.McAfee Application Control 7.x Security Technical Implementation Guide V-74257CAT IIThe Solidcore Client Exception Rules must be documented in the organizations written policy.McAfee Application Control 7.x Security Technical Implementation Guide V-235755CAT IIIExtensions that are approved for use must be allowlisted if used.Microsoft Edge Security Technical Implementation Guide V-220705CAT IIThe operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows 10 Security Technical Implementation Guide V-253262CAT IIThe operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows 11 Security Technical Implementation Guide V-224826CAT IIWindows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205807CAT IIWindows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254245CAT IIWindows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows Server 2022 Security Technical Implementation Guide V-277992CAT IIWindows Server 2025 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260942CAT IIMKE must only run signed images.Mirantis Kubernetes Engine Security Technical Implementation Guide V-279586CAT IINutanix OS must enable an application firewall.Nutanix Acropolis GPOS Security Technical Implementation Guide V-248859CAT IIThe OL 8 "fapolicy" module must be installed.Oracle Linux 8 Security Technical Implementation Guide V-248860CAT IIThe OL 8 "fapolicy" module must be enabled.Oracle Linux 8 Security Technical Implementation Guide V-248861CAT IIThe OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Oracle Linux 8 Security Technical Implementation Guide V-271506CAT IIOL 9 must have the fapolicy module installed.Oracle Linux 9 Security Technical Implementation Guide V-271507CAT IIOL 9 must enable the fapolicy module.Oracle Linux 9 Security Technical Implementation Guide V-253533CAT IIImages stored within the container registry must contain only images to be run as containers within the container platform.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-280969CAT IIRHEL 10 must have the "fapolicy" module installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280970CAT IIRHEL 10 must enable the "fapolicy" module.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280971CAT IIRHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-258089CAT IIRHEL 9 fapolicy module must be installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258090CAT IIRHEL 9 fapolicy module must be enabled.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257513CAT IOpenShift role-based access controls (RBAC) must be enforced.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275646CAT IIUbuntu OS must be configured to use AppArmor.Riverbed NetIM OS Security Technical Implementation Guide V-217158CAT IIThe SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-234033CAT IITanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.Tanium 7.3 Security Technical Implementation Guide V-253797CAT IIThe application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs.Tanium 7.x Security Technical Implementation Guide V-213316CAT IIA Trellix Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.Trellix Application Control 8.x Security Technical Implementation Guide V-213323CAT IIThe configuration of features under Trellix Application Control Options policies Enforce feature control must be documented in the organizations written policy.Trellix Application Control 8.x Security Technical Implementation Guide V-213324CAT IIThe organizations written policy must include a process for how whitelisted applications are deemed to be allowed.Trellix Application Control 8.x Security Technical Implementation Guide V-213325CAT IIThe organizations written policy must include procedures for how often the whitelist of allowed applications is reviewed.Trellix Application Control 8.x Security Technical Implementation Guide V-213326CAT IIThe Solidcore client must be enabled.Trellix Application Control 8.x Security Technical Implementation Guide V-213328CAT IThe Solidcore client Command Line Interface (CLI) Access Password must be changed from the default.Trellix Application Control 8.x Security Technical Implementation Guide V-213329CAT IIThe organization-specific Rules policy must only include executable and dll files that are associated with applications as allowed by the organizations written policy.Trellix Application Control 8.x Security Technical Implementation Guide V-213331CAT IIThe Trellix Application Control Options Reputation-Based Execution settings, if enabled, must be configured to allow Most Likely Trusted or Known Trusted only.Trellix Application Control 8.x Security Technical Implementation Guide V-213336CAT IIThe Trellix Application Control Options policy must be configured to disable Self-Approval.Trellix Application Control 8.x Security Technical Implementation Guide V-213337CAT IIThe Trellix Application Control Options policy End User Notification, if configured by organization, must have all default variables replaced with the organization-specific data.Trellix Application Control 8.x Security Technical Implementation Guide V-213338CAT IIThe Trellix Application Control Options policies Enforce feature control memory protection must be enabled.Trellix Application Control 8.x Security Technical Implementation Guide V-213339CAT IIEnabled features under Trellix Application Control Options policies Enforce feature control must not be configured unless documented in written policy and approved by ISSO/ISSM.Trellix Application Control 8.x Security Technical Implementation Guide V-213340CAT IIThe Trellix Application Control Options Inventory option must be configured to hide OS Files.Trellix Application Control 8.x Security Technical Implementation Guide V-213341CAT IIThe Trellix Application Control Options Inventory interval option must be configured to pull inventory from endpoints on a regular basis not to exceed seven days.Trellix Application Control 8.x Security Technical Implementation Guide V-213342CAT IIThe Trellix Applications Default Rules policy must be part of the effective rules policy applied to every endpoint.Trellix Application Control 8.x Security Technical Implementation Guide V-213343CAT IIA copy of the Trellix Default Rules policy must be part of the effective rules policy applied to every endpoint.Trellix Application Control 8.x Security Technical Implementation Guide V-213344CAT IIThe organization-specific Rules policies must be part of the effective rules policy applied to all endpoints.Trellix Application Control 8.x Security Technical Implementation Guide V-213345CAT IIThe organization-specific Solidcore Client Policies must be created and applied to all endpoints.Trellix Application Control 8.x Security Technical Implementation Guide V-213346CAT IIThe Throttling settings must be enabled and configured to settings according to organizations requirements.Trellix Application Control 8.x Security Technical Implementation Guide V-213347CAT IIThe Solidcore Client Exception Rules must be documented in the organizations written policy.Trellix Application Control 8.x Security Technical Implementation Guide V-282589CAT IITOSS 5 fapolicy module must be installed.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-256410CAT IThe ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-258746CAT IThe ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-207475CAT IIThe VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs.Virtual Machine Manager Security Requirements Guide V-73235CAT IIWindows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Windows Server 2016 Security Technical Implementation Guide V-73235CAT IIWindows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Windows Server 2016 Security Technical Implementation Guide V-93379CAT IIWindows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Windows Server 2019 Security Technical Implementation Guide