
STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-002233

Definition

Prevent the organization-defined software from executing at higher privilege levels than users executing the software.

Parent Control

AC-6 (8) | Least Privilege | Access Control

Linked STIG Checks (104)

  • V-274086 | CAT II | Amazon Linux 2023 must audit uses of the "execve" system call. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268148 | CAT II | NixOS must prevent all software from executing at higher privilege levels than users executing the software. | Anduril NixOS Security Technical Implementation Guide
  • V-254601 | CAT II | Apple iOS/iPadOS 16 must not allow non-DoD applications to access DoD data. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
  • V-250942 | CAT II | Apple iOS/iPadOS 15 must not allow non-DoD applications to access DoD data. | Apple iOS/iPadOS 15 Security Technical Implementation Guide
  • V-257118 | CAT II | Apple iOS/iPadOS 16 must not allow non-DOD applications to access DOD data. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
  • V-257134 | CAT II | Apple iOS/iPadOS 16 must not allow DOD applications to access non-DOD data. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
  • V-259775 | CAT II | Apple iOS/iPadOS 17 must not allow non-DOD applications to access DOD data. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
  • V-259794 | CAT II | Apple iOS/iPadOS 17 must not allow DOD applications to access non-DOD data. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
  • V-258333 | CAT II | Apple iOS/iPadOS 17 must not allow non-DOD applications to access DOD data. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
  • V-268017 | CAT II | Apple iOS/iPadOS 18 must not allow non-DOD applications to access DOD data. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
  • V-278777 | CAT II | Apple iOS/iPadOS 26 must not allow non-DOD applications to access DOD data. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
  • V-276388 | CAT II | Apple visionOS 2 must not allow non-DOD applications to access DOD data. | Apple visionOS 2 Security Technical Implementation Guide
  • V-282797 | CAT II | Apple visionOS 26 must not allow non-DOD applications to access DOD data. | Apple visionOS 26 Security Technical Implementation Guide
  • V-222430 | CAT I | The application must execute without excessive account permissions. | Application Security and Development Security Technical Implementation Guide
  • V-276005 | CAT II | Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-251639 | CAT II | IDMS must restrict the use of code that provides elevated privileges to specific instances. | CA IDMS Security Technical Implementation Guide
  • V-219281 | CAT II | The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238304 | CAT II | The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260648 | CAT II | Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270689 | CAT II | Ubuntu 24.04 LTS must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-269146 | CAT II | AlmaLinux OS 9 must audit uses of the "execve" system call. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233163 | CAT II | Container images instantiated by the container platform must execute using least privileges. | Container Platform Security Requirements Guide
  • V-233543 | CAT II | Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261916 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-206587 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | Database Security Requirements Guide
  • V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235830 | CAT II | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-270947 | CAT I | Dragos Platforms must limit privileges and not allow the ability to run shell. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-224193 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-224194 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-213618 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-213619 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259274 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-259275 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-203696 | CAT II | The operating system must prevent all software from executing at higher privilege levels than users executing the software. | General Purpose Operating System Security Requirements Guide
  • V-258487 | CAT II | Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 13 BYOAD Security Technical Implementation Guide
  • V-254781 | CAT II | Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 13 COPE Security Technical Implementation Guide
  • V-258425 | CAT II | Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 14 COPE Security Technical Implementation Guide
  • V-260152 | CAT II | Google Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide
  • V-267543 | CAT II | Google Android 15 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 15 COPE Security Technical Implementation Guide
  • V-276868 | CAT II | Google Android 16 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Google Android 16 COPE Security Technical Implementation Guide
  • V-274404 | CAT II | Honeywell Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Honeywell Android 13 COPE Security Technical Implementation Guide
  • V-215234 | CAT II | NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. | IBM AIX 7.x Security Technical Implementation Guide
  • V-223536 | CAT II | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223619 | CAT II | IBM z/OS UNIX resources must be protected in accordance with security requirements. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223672 | CAT II | IBM RACF batch jobs must be properly secured. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223673 | CAT II | IBM RACF batch jobs must be protected with propagation control. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223692 | CAT II | The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF). | IBM z/OS RACF Security Technical Implementation Guide
  • V-223693 | CAT II | The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF). | IBM z/OS RACF Security Technical Implementation Guide
  • V-223755 | CAT II | IBM z/OS surrogate users must be controlled in accordance with proper security requirements. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223844 | CAT II | IBM z/OS UNIX resources must be protected in accordance with security requirements. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223850 | CAT II | The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223959 | CAT II | The CA-TSS SUBACID Control Option must be set to U,8. | IBM z/OS TSS Security Technical Implementation Guide
  • V-223960 | CAT II | CA-TSS must use propagation control to eliminate ACID inheritance. | IBM z/OS TSS Security Technical Implementation Guide
  • V-223961 | CAT II | IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID. | IBM z/OS TSS Security Technical Implementation Guide
  • V-223996 | CAT II | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224077 | CAT II | IBM z/OS UNIX resources must be protected in accordance with security requirements. | IBM z/OS TSS Security Technical Implementation Guide
  • V-259734 | CAT II | The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited. | IBM zSecure Suite Security Technical Implementation Guide
  • V-213866 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | MS SQL Server 2014 Instance Security Technical Implementation Guide
  • V-213922 | CAT II | Execution of stored procedures and functions that utilize execute as must be restricted to necessary cases only. | MS SQL Server 2016 Database Security Technical Implementation Guide
  • V-213980 | CAT II | Use of credentials and proxies must be restricted to necessary cases only. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-214030 | CAT II | Execution of startup stored procedures must be restricted to necessary cases only. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-205545 | CAT II | The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software. | Mainframe Product Security Requirements Guide
  • V-253724 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-220378 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | MarkLogic Server v9 Security Technical Implementation Guide
  • V-255317 | CAT II | Azure SQL Database must restrict execution of stored procedures and functions that utilize [execute as] to necessary cases only. | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-276233 | CAT II | Azure SQL Managed Instance must restrict execution of stored procedures and functions that utilize "execute as" to necessary cases only. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-271188 | CAT II | Execution of stored procedures and functions that use execute as must be restricted to necessary cases only. | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
  • V-271342 | CAT II | Use of credentials and proxies must be restricted to necessary cases only. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-274446 | CAT II | Execution of startup stored procedures must be restricted to necessary cases only. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-260934 | CAT II | All containers must be restricted from acquiring additional privileges. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-260936 | CAT II | All containers must be restricted to mounting the root filesystem as read only. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-260937 | CAT II | The default seccomp profile must not be disabled. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-260938 | CAT II | Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-260939 | CAT II | MKE users must not have permissions to create containers or pods that share the host user namespace. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-260940 | CAT II | Use of privileged Linux containers must be limited to system containers. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-272336 | CAT II | Motorola Solutions Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Motorola Solutions Android 13 COPE Security Technical Implementation Guide
  • V-279545 | CAT II | Nutanix OS must audit the execution of privileged functions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-248722 | CAT II | The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271570 | CAT II | OL 9 must audit uses of the execve system call. | Oracle Linux 9 Security Technical Implementation Guide
  • V-235180 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | Oracle MySQL 8.0 Security Technical Implementation Guide
  • V-253540 | CAT II | Prisma Cloud Compute must prevent unauthorized and unintended information transfer. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-214078 | CAT II | Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-254571 | CAT II | Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
  • V-281116 | CAT II | RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-230386 | CAT II | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-258176 | CAT II | RHEL 9 must audit uses of the "execve" system call. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257557 | CAT I | Container images instantiated by OpenShift must execute using least privileges. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-251189 | CAT II | Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only. | Redis Enterprise 6.x Security Technical Implementation Guide
  • V-275733 | CAT II | Ubuntu OS must prevent all software from executing at higher privilege levels than users executing the software, and the audit system must be configured to audit the execution of privileged functions. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-261369 | CAT I | SLEM 5 must use a Linux Security Module configured to enforce limits on system services. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217158 | CAT II | The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-260453 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. | Samsung Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide
  • V-272602 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. | Samsung Android 15 MDFPP 3.3 BYOAD Security Technical Implementation Guide
  • V-276646 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. | Samsung Android 16 COPE Security Technical Implementation Guide
  • V-255160 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes. | Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide
  • V-258686 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. | Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide
  • V-269052 | CAT II | Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. | Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide
  • V-253030 | CAT II | The TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282561 | CAT II | TOSS 5 must audit uses of the execve system call. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-258809 | CAT II | The Photon operating system must be configured to audit the execution of privileged functions. | VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
  • V-207446 | CAT II | The VMM must prevent all software from executing at higher privilege levels than users executing the software. | Virtual Machine Manager Security Requirements Guide
  • V-283635 | CAT II | Zebra Android 14 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. | Zebra Technologies Android 14 COPE Security Technical Implementation Guide