
CCI-001812

Definition

The information system prohibits user installation of software without explicit privileged status.

Parent Control

CM-11 (2): User-Installed Software (Configuration Management)

Linked STIG Checks (64)

Vuln ID | Severity | Requirement | STIG
V-222510 | CAT II | The application must prohibit user installation of software without explicit privileged status. | Application Security and Development Security Technical Implementation Guide
V-251602 | CAT II | The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks. | CA IDMS Security Technical Implementation Guide
V-251603 | CAT II | The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured. | CA IDMS Security Technical Implementation Guide
V-261923 | CAT II | PostgreSQL must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-224200 | CAT II | The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213625 | CAT II | The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-230946 | CAT II | Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals. | Forescout Network Device Management Security Technical Implementation Guide
V-234188 | CAT II | The FortiGate device must prohibit installation of software without explicit privileged status. | Fortinet FortiGate Firewall NDM Security Technical Implementation Guide
V-215404 | CAT II | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. | IBM AIX 7.x Security Technical Implementation Guide
V-213723 | CAT II | DB2 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-237935 | CAT II | The IBM z/VM Privilege command class A and Class B must be properly assigned. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-253922 | CAT II | The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-217336 | CAT II | The Juniper router must be configured to prohibit installation of software without explicit privileged status. | Juniper Router NDM Security Technical Implementation Guide
V-66485 | CAT II | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | Juniper SRX SG NDM Security Technical Implementation Guide
V-223202 | CAT II | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
V-213872 | CAT II | SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MS SQL Server 2014 Instance Security Technical Implementation Guide
V-253731 | CAT II | MariaDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-255318 | CAT II | Azure SQL Database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Microsoft Azure SQL Database Security Technical Implementation Guide
V-276234 | CAT II | Azure SQL Managed Instance must prohibit user installation of logic modules without explicit privileged status. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-235753 | CAT III | URLs must be allowlisted for plugin use if used. | Microsoft Edge Security Technical Implementation Guide
V-221254 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
V-228400 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-259632 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
V-259699 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-220856 | CAT II | Users must be prevented from changing installation options. | Microsoft Windows 10 Security Technical Implementation Guide
V-220857 | CAT I | The Windows Installer Always install with elevated privileges must be disabled. | Microsoft Windows 10 Security Technical Implementation Guide
V-253410 | CAT II | Users must be prevented from changing installation options. | Microsoft Windows 11 Security Technical Implementation Guide
V-253411 | CAT I | The Windows Installer feature "Always install with elevated privileges" must be disabled. | Microsoft Windows 11 Security Technical Implementation Guide
V-224953 | CAT II | Users must be prevented from changing installation options. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-224954 | CAT I | The Windows Installer Always install with elevated privileges option must be disabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205801 | CAT II | Windows Server 2019 must prevent users from changing installation options. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205802 | CAT I | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254373 | CAT II | Windows Server 2022 must prevent users from changing installation options. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254374 | CAT I | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-221191 | CAT II | MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252174 | CAT II | MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265941 | CAT II | MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-235168 | CAT II | The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Oracle MySQL 8.0 Security Technical Implementation Guide
V-214121 | CAT II | PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status. | PostgreSQL 9.x Security Technical Implementation Guide
V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
V-254572 | CAT II | Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
V-204479 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204488 | CAT II | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204501 | CAT II | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204575 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204598 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204599 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204621 | CAT I | The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-257513 | CAT I | OpenShift role-based access controls (RBAC) must be enforced. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-251208 | CAT II | Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Redis Enterprise 6.x Security Technical Implementation Guide
V-241008 | CAT II | Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration. | Tanium 7.0 Security Technical Implementation Guide
V-234069 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.3 Security Technical Implementation Guide
V-254938 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-253795 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.x Security Technical Implementation Guide
V-241162 | CAT II | Trend Deep Security must prohibit user installation of software without explicit privileged status. | Trend Micro Deep Security 9.x Security Technical Implementation Guide
V-265292 | CAT I | The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations. | VMware NSX 4.x Manager NDM Security Technical Implementation Guide
V-73583 | CAT II | Users must be prevented from changing installation options. | Windows Server 2016 Security Technical Implementation Guide
V-73583 | CAT II | Users must be prevented from changing installation options. | Windows Server 2016 Security Technical Implementation Guide
V-73585 | CAT I | The Windows Installer Always install with elevated privileges option must be disabled. | Windows Server 2016 Security Technical Implementation Guide
V-73585 | CAT I | The Windows Installer Always install with elevated privileges option must be disabled. | Windows Server 2016 Security Technical Implementation Guide
V-93199 | CAT II | Windows Server 2019 must prevent users from changing installation options. | Windows Server 2019 Security Technical Implementation Guide
V-93201 | CAT I | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | Windows Server 2019 Security Technical Implementation Guide