
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-002235

Definition

Prevent non-privileged users from executing privileged functions.

Parent Control

  • AC-6 (10): Least Privilege (Access Control family)

Linked STIG Checks (200)

  • V-243506 (CAT I): Update access to the directory schema must be restricted to appropriate accounts. [Active Directory Forest STIG]
  • V-274012 (CAT II): Amazon Linux 2023 must have the sudo package installed. [Amazon Linux 2023 STIG]
  • V-274169 (CAT II): Amazon Linux 2023 must enable discretionary access control on hardlinks. [Amazon Linux 2023 STIG]
  • V-274170 (CAT II): Amazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks. [Amazon Linux 2023 STIG]
  • V-274173 (CAT II): Amazon Linux 2023 debug-shell systemd service must be disabled. [Amazon Linux 2023 STIG]
  • V-214261 (CAT II): Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. [Apache Server 2.4 UNIX Server STIG]
  • V-214345 (CAT II): Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. [Apache Server 2.4 Windows Server STIG]
  • V-214389 (CAT II): Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. [Apache Server 2.4 Windows Site STIG]
  • V-222948 (CAT II): $CATALINA_HOME/bin folder permissions must be set to 750. [Apache Tomcat Application Server 9 STIG]
  • V-222983 (CAT II): Tomcat user account must be set to nologin. [Apache Tomcat Application Server 9 STIG]
  • V-222984 (CAT II): Tomcat user account must be a non-privileged user. [Apache Tomcat Application Server 9 STIG]
  • V-254641 (CAT II): Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch. [Apple iOS-iPadOS 16 STIG]
  • V-258376 (CAT II): Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. [Apple iOS/iPadOS 17 STIG]
  • V-268064 (CAT II): Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. [Apple iOS/iPadOS 18 STIG]
  • V-278823 (CAT II): Apple iOS/iPadOS 26 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. [Apple iOS/iPadOS 26 STIG]
  • V-257772 (CAT II): The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Apple macOS 12 (Monterey) STIG]
  • V-257776 (CAT II): The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Apple macOS 13 (Ventura) STIG]
  • V-259515 (CAT I): The macOS system must require administrator privileges to modify systemwide settings. [Apple macOS 14 (Sonoma) STIG]
  • V-268514 (CAT I): The macOS system must require an administrator password to modify systemwide preferences. [Apple macOS 15 (Sequoia) STIG]
  • V-277123 (CAT I): The macOS system must require an administrator password to modify systemwide preferences. [Apple macOS 26 (Tahoe) STIG]
  • V-274643 (CAT II): Access to API privileged features and functions must be restricted. [Application Programming Interface (API) Security Requirements Guide]
  • V-222429 (CAT II): The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Application Security and Development STIG]
  • V-204784 (CAT II): The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Application Server Security Requirements Guide]
  • V-272636 (CAT II): CylanceON-PREM must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. [Arctic Wolf CylanceON-PREM STIG]
  • V-276005 (CAT II): Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Axonius Federal Systems Ax-OS STIG]
  • V-251636 (CAT II): IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment. [CA IDMS STIG]
  • V-251637 (CAT II): IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment. [CA IDMS STIG]
  • V-251638 (CAT II): IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings. [CA IDMS STIG]
  • V-219322 (CAT III): Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Canonical Ubuntu 18.04 LTS STIG]
  • V-238360 (CAT II): The Ubuntu operating system must be configured to use AppArmor. [Canonical Ubuntu 20.04 LTS STIG]
  • V-260557 (CAT II): Ubuntu 22.04 LTS must be configured to use AppArmor. [Canonical Ubuntu 22.04 LTS STIG]
  • V-270660 (CAT II): Ubuntu 24.04 LTS must be configured to use AppArmor. [Canonical Ubuntu 24.04 LTS STIG]
  • V-242615 (CAT I): The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Cisco ISE NDM STIG]
  • V-269140 (CAT I): The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269141 (CAT I): The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269142 (CAT II): AlmaLinux OS 9 must have the sudo package installed. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269143 (CAT II): The AlmaLinux OS 9 debug-shell systemd service must be disabled. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269144 (CAT II): AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269145 (CAT II): AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-233162 (CAT II): The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Container Platform Security Requirements Guide]
  • V-233614 (CAT I): PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Crunchy Data PostgreSQL STIG]
  • V-261915 (CAT II): PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Crunchy Data Postgres 16 STIG]
  • V-206586 (CAT II): The DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Database Security Requirements Guide]
  • V-269790 (CAT I): The Dell OS10 Switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Dell OS10 Switch NDM STIG]
  • V-235781 (CAT II): A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-235782 (CAT II): A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-279961 (CAT II): The DNS Name Server software must run with restricted privileges. [Domain Name System (DNS) Security Requirements Guide]
  • V-270947 (CAT I): Dragos Platforms must limit privileges and not allow the ability to run shell. [Dragos Platform 2.x STIG]
  • V-224192 (CAT II): The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [EDB Postgres Advanced Server v11 on Windows STIG]
  • V-213617 (CAT II): The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [EDB Postgres Advanced Server v9.6 STIG]
  • V-259273 (CAT II): The EDB Postgres Advanced Server must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [EnterpriseDB Postgres Advanced Server (EPAS) STIG]
  • V-203695 (CAT I): The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [General Purpose Operating System Security Requirements Guide]
  • V-254797 (CAT II): Google Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 13 COPE STIG]
  • V-258405 (CAT II): Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 14 COBO STIG]
  • V-258441 (CAT II): Google Android 14 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 14 COPE STIG]
  • V-267462 (CAT II): Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 15 COBO STIG]
  • V-267560 (CAT II): Google Android 15 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 15 COPE STIG]
  • V-276780 (CAT II): Google Android 16 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 16 COBO STIG]
  • V-276885 (CAT II): Google Android 16 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Google Android 16 COPE STIG]
  • V-255248 (CAT II): SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [HPE 3PAR SSMC Operating System STIG]
  • V-274328 (CAT II): Honeywell Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Honeywell Android 13 COBO STIG]
  • V-274427 (CAT II): Honeywell Android 13 must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)]. [Honeywell Android 13 COPE STIG]
  • V-213718 (CAT I): DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [IBM DB2 V10.5 LUW STIG]
  • V-256858 (CAT II): Sign-on to the ESCD Application Console must be restricted to only authorized personnel. [IBM Hardware Management Console (HMC) STIG]
  • V-256860 (CAT II): The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel. [IBM Hardware Management Console (HMC) STIG]
  • V-256871 (CAT II): Access to the Hardware Management Console must be restricted to only authorized personnel. [IBM Hardware Management Console (HMC) STIG]
  • V-256873 (CAT II): Automatic Call Answering to the Hardware Management Console must be disabled. [IBM Hardware Management Console (HMC) STIG]
  • V-256889 (CAT I): Product engineering access to the Hardware Management Console must be disabled. [IBM Hardware Management Console (HMC) STIG]
  • V-250342 (CAT II): Users in a reader-role must be authorized. [IBM WebSphere Liberty Server STIG]
  • V-255835 (CAT II): The WebSphere Application Server users in the admin role must be authorized. [IBM WebSphere Traditional V9.x STIG]
  • V-255837 (CAT II): The WebSphere Application Server users in a LDAP user registry group must be authorized for that group. [IBM WebSphere Traditional V9.x STIG]
  • V-223434 (CAT II): CA-ACF2 must limit access to SYS(x).TRACE to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223435 (CAT II): CA-ACF2 allocate access to system user catalogs must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223439 (CAT I): IBM z/OS must protect dynamic lists in accordance with proper security requirements. [IBM z/OS ACF2 STIG]
  • V-223440 (CAT I): IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223441 (CAT I): CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel. [IBM z/OS ACF2 STIG]
  • V-223442 (CAT I): CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users. [IBM z/OS ACF2 STIG]
  • V-223444 (CAT II): IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223445 (CAT I): CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223446 (CAT I): CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223447 (CAT I): CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers. [IBM z/OS ACF2 STIG]
  • V-223448 (CAT I): CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223449 (CAT I): CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223450 (CAT I): CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223451 (CAT II): CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223452 (CAT II): CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223453 (CAT I): CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223454 (CAT II): CA-ACF2 Access to SYS1.LINKLIB must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223455 (CAT II): CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS ACF2 STIG]
  • V-223456 (CAT I): CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use. [IBM z/OS ACF2 STIG]
  • V-223457 (CAT II): IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. [IBM z/OS ACF2 STIG]
  • V-223458 (CAT II): CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. [IBM z/OS ACF2 STIG]
  • V-223459 (CAT II): ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users. [IBM z/OS ACF2 STIG]
  • V-223463 (CAT I): IBM z/OS SYS1.PARMLIB must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223465 (CAT II): CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223466 (CAT III): CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only. [IBM z/OS ACF2 STIG]
  • V-223514 (CAT I): ACF2 security data sets and/or databases must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223554 (CAT II): IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS ACF2 STIG]
  • V-223597 (CAT II): IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. [IBM z/OS ACF2 STIG]
  • V-223626 (CAT II): IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. [IBM z/OS ACF2 STIG]
  • V-223649 (CAT I): IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only. [IBM z/OS RACF STIG]
  • V-223650 (CAT III): IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only. [IBM z/OS RACF STIG]
  • V-223666 (CAT I): IBM RACF access to the System Master Catalog must be properly protected. [IBM z/OS RACF STIG]
  • V-223667 (CAT I): IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel. [IBM z/OS RACF STIG]
  • V-223668 (CAT I): IBM z/OS must protect dynamic lists in accordance with proper security requirements. [IBM z/OS RACF STIG]
  • V-223669 (CAT II): IBM RACF allocate access to system user catalogs must be properly protected. [IBM z/OS RACF STIG]
  • V-223670 (CAT II): IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups. [IBM z/OS RACF STIG]
  • V-223671 (CAT II): IBM RACF must limit access to SYS(x).TRACE to system programmers only. [IBM z/OS RACF STIG]
  • V-223675 (CAT I): IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users. [IBM z/OS RACF STIG]
  • V-223676 (CAT I): IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only. [IBM z/OS RACF STIG]
  • V-223677 (CAT I): IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. [IBM z/OS RACF STIG]
  • V-223678 (CAT I): IBM RACF must limit write or greater access to all LPA libraries to system programmers only. [IBM z/OS RACF STIG]
  • V-223679 (CAT I): IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only. [IBM z/OS RACF STIG]
  • V-223680 (CAT II): IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers. [IBM z/OS RACF STIG]
  • V-223681 (CAT II): IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only. [IBM z/OS RACF STIG]
  • V-223682 (CAT I): IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only. [IBM z/OS RACF STIG]
  • V-223683 (CAT II): IBM RACF access to SYS1.LINKLIB must be properly protected. [IBM z/OS RACF STIG]
  • V-223685 (CAT I): IBM RACF security data sets and/or databases must be properly protected. [IBM z/OS RACF STIG]
  • V-223686 (CAT II): IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS RACF STIG]
  • V-223687 (CAT I): IBM RACF must limit all system PROCLIB data sets to system programmers only. [IBM z/OS RACF STIG]
  • V-223688 (CAT II): IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. [IBM z/OS RACF STIG]
  • V-223689 (CAT II): IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. [IBM z/OS RACF STIG]
  • V-223690 (CAT II): IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. [IBM z/OS RACF STIG]
  • V-223691 (CAT II): The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. [IBM z/OS RACF STIG]
  • V-223697 (CAT I): IBM z/OS SYS1.PARMLIB must be properly protected. [IBM z/OS RACF STIG]
  • V-223701 (CAT II): IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS RACF STIG]
  • V-223818 (CAT II): IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. [IBM z/OS RACF STIG]
  • V-223837 (CAT I): IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use. [IBM z/OS RACF STIG]
  • V-223849 (CAT II): IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. [IBM z/OS RACF STIG]
  • V-235033 (CAT II): IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only. [IBM z/OS RACF STIG]
  • V-223881 (CAT II): IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS TSS STIG]
  • V-223882 (CAT I): IBM z/OS SYS1.PARMLIB must be properly protected. [IBM z/OS TSS STIG]
  • V-223894 (CAT I): CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only. [IBM z/OS TSS STIG]
  • V-223895 (CAT I): CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only. [IBM z/OS TSS STIG]
  • V-223896 (CAT I): CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only. [IBM z/OS TSS STIG]
  • V-223897 (CAT I): CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only. [IBM z/OS TSS STIG]
  • V-223898 (CAT I): IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. [IBM z/OS TSS STIG]
  • V-223899 (CAT I): CA-TSS must limit Write or greater access to all LPA libraries to system programmers only. [IBM z/OS TSS STIG]
  • V-223900 (CAT I): CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only. [IBM z/OS TSS STIG]
  • V-223901 (CAT III): CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only. [IBM z/OS TSS STIG]
  • V-223902 (CAT II): CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only. [IBM z/OS TSS STIG]
  • V-223903 (CAT I): CA-TSS security data sets and/or databases must be properly protected. [IBM z/OS TSS STIG]
  • V-223904 (CAT I): CA-TSS must limit access to the System Master Catalog to appropriate authorized users. [IBM z/OS TSS STIG]
  • V-223906 (CAT II): CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only. [IBM z/OS TSS STIG]
  • V-223907 (CAT II): CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. [IBM z/OS TSS STIG]
  • V-223908 (CAT I): CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel. [IBM z/OS TSS STIG]
  • V-223909 (CAT II): CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. [IBM z/OS TSS STIG]
  • V-223910 (CAT II): CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only. [IBM z/OS TSS STIG]
  • V-223911 (CAT II): CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups. [IBM z/OS TSS STIG]
  • V-223912 (CAT II): CA-TSS must limit access to SYS(x).TRACE to system programmers only. [IBM z/OS TSS STIG]
  • V-223913 (CAT II): CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only. [IBM z/OS TSS STIG]
  • V-223914 (CAT I): CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only. [IBM z/OS TSS STIG]
  • V-223915 (CAT I): CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users. [IBM z/OS TSS STIG]
  • V-223917 (CAT I): IBM z/OS must protect dynamic lists in accordance with proper security requirements. [IBM z/OS TSS STIG]
  • V-223919 (CAT II): IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. [IBM z/OS TSS STIG]
  • V-223965 (CAT II): The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. [IBM z/OS TSS STIG]
  • V-223966 (CAT II): CA-TSS Default ACID must be properly defined. [IBM z/OS TSS STIG]
  • V-223967 (CAT I): The CA-TSS BYPASS attribute must be limited to trusted STCs only. [IBM z/OS TSS STIG]
  • V-223968 (CAT II): CA-TSS MSCA ACID must perform security administration only. [IBM z/OS TSS STIG]
  • V-223969 (CAT I): CA-TSS ACIDs granted the CONSOLE attribute must be justified. [IBM z/OS TSS STIG]
  • V-223970 (CAT II): CA-TSS ACIDs defined as security administrators must have the NOATS attribute. [IBM z/OS TSS STIG]
  • V-224049 (CAT II): IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. [IBM z/OS TSS STIG]
  • V-224073 (CAT I): CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use. [IBM z/OS TSS STIG]
  • V-224081 (CAT II): IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. [IBM z/OS TSS STIG]
  • V-259733 (CAT II): IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions. [IBM zSecure Suite STIG]
  • V-237943 (CAT II): The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators. [IBM zVM Using CA VM:Secure STIG]
  • V-237954 (CAT II): The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators. [IBM zVM Using CA VM:Secure STIG]
  • V-237955 (CAT II): The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only. [IBM zVM Using CA VM:Secure STIG]
  • V-237956 (CAT II): The IBM z/VM ANY Privilege Class must not be listed for privilege commands. [IBM zVM Using CA VM:Secure STIG]
  • V-258600 (CAT I): The ICS must be configured to prevent nonprivileged users from executing privileged functions. [Ivanti Connect Secure NDM STIG]
  • V-213539 (CAT II): The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [JBoss Enterprise Application Platform 6.3 STIG]
  • V-253947 (CAT I): The Juniper EX switch must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Juniper EX Series Switches Network Device Management STIG]
  • V-213865 (CAT II): SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [MS SQL Server 2014 Instance STIG]
  • V-213979 (CAT II): SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [MS SQL Server 2016 Instance STIG]
  • V-205544 (CAT II): The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Mainframe Product Security Requirements Guide]
  • V-253723 (CAT II): MariaDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [MariaDB Enterprise 10.x STIG]
  • V-220377 (CAT II): MarkLogic Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [MarkLogic Server v9 STIG]
  • V-255341 (CAT II): Azure SQL Database must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Microsoft Azure SQL Database STIG]
  • V-276307 (CAT II): Azure SQL Managed Instance must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Microsoft Azure SQL Managed Instance STIG]
  • V-259631 (CAT II): Role-Based Access Control must be defined for privileged and nonprivileged users. [Microsoft Exchange 2019 Edge Server STIG]
  • V-259698 (CAT II): Role-Based Access Control must be defined for privileged and nonprivileged users. [Microsoft Exchange 2019 Mailbox Server STIG]
  • V-218814 (CAT II): IIS 10.0 web server system files must conform to minimum file permission requirements. [Microsoft IIS 10.0 Server STIG]
  • V-223293 (CAT II): Users must be prevented from creating new trusted locations in the Trust Center. [Microsoft Office 365 ProPlus STIG]
  • V-223353 (CAT II): Outlook must be configured to prevent users overriding attachment security settings. [Microsoft Office 365 ProPlus STIG]
  • V-238035 (CAT II): Connection verification of permissions must be enforced. [Microsoft Office System 2016 STIG]
  • V-271341 (CAT II): SQL Server must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. [Microsoft SQL Server 2022 Instance STIG]
  • V-220712 (CAT I): Only accounts responsible for the administration of a system must have Administrator rights on the system. [Microsoft Windows 10 STIG]
  • V-220907 (CAT II): Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. [Microsoft Windows 10 STIG]
  • V-220933 (CAT II): Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. [Microsoft Windows 10 STIG]
  • V-220956 (CAT II): The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. [Microsoft Windows 10 STIG]
  • V-220958 (CAT I): The Act as part of the operating system user right must not be assigned to any groups or accounts. [Microsoft Windows 10 STIG]
  • V-220960 (CAT II): The Back up files and directories user right must only be assigned to the Administrators group. [Microsoft Windows 10 STIG]
  • V-220961 (CAT II): The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc. [Microsoft Windows 10 STIG]
  • V-220962 (CAT II): The Create a pagefile user right must only be assigned to the Administrators group. [Microsoft Windows 10 STIG]
  • V-220963 (CAT I): The Create a token object user right must not be assigned to any groups or accounts. [Microsoft Windows 10 STIG]
  • V-220964 (CAT II): The Create global objects user right must only be assigned to Administrators,
Service, Local Service, and Network Service.Microsoft Windows 10 Security Technical Implementation GuideV-220965CAT IIThe Create permanent shared objects user right must not be assigned to any groups or accounts.Microsoft Windows 10 Security Technical Implementation GuideV-220966CAT IIThe Create symbolic links user right must only be assigned to the Administrators group.Microsoft Windows 10 Security Technical Implementation GuideV-220967CAT IThe Debug programs user right must only be assigned to the Administrators group.Microsoft Windows 10 Security Technical Implementation GuideV-220973CAT IIThe Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.Microsoft Windows 10 Security Technical Implementation Guide
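The Windows 10 user-rights checks listed above (V-220956 through V-220973) all have the same shape: a privilege constant and the only principals allowed to hold it. The script below is an added example, not code from STIGhub or from DISA, that audits a host against exactly those titles. It assumes an elevated Windows PowerShell session on the target (secedit.exe refuses to export otherwise), a writable %TEMP%, and the standard Windows mapping from each right's display name to its Se* constant; the expected holder lists are transcribed from the check titles on this page, not from the full STIG check text, which may carry additional exceptions.

```powershell
# Added example (not STIGhub or DISA code): audit the Windows 10 user-rights
# assignments named in the checks above by exporting the local security policy
# with the built-in secedit.exe and comparing each right's holders with the
# principals the check titles allow. Assumes an elevated session on Windows.
# secedit omits rights that nobody holds, so "absent from export" == "no one".

$expected = @{
    'SeTrustedCredManAccessPrivilege' = @()                               # V-220956
    'SeTcbPrivilege'                  = @()                               # V-220958
    'SeBackupPrivilege'               = @('BUILTIN\Administrators')       # V-220960
    'SeSystemtimePrivilege'           = @('BUILTIN\Administrators',
                                          'NT AUTHORITY\LOCAL SERVICE',
                                          'NT SERVICE\autotimesvc')       # V-220961
    'SeCreatePagefilePrivilege'       = @('BUILTIN\Administrators')       # V-220962
    'SeCreateTokenPrivilege'          = @()                               # V-220963
    'SeCreateGlobalPrivilege'         = @('BUILTIN\Administrators',
                                          'NT AUTHORITY\SERVICE',
                                          'NT AUTHORITY\LOCAL SERVICE',
                                          'NT AUTHORITY\NETWORK SERVICE') # V-220964
    'SeCreatePermanentPrivilege'      = @()                               # V-220965
    'SeCreateSymbolicLinkPrivilege'   = @('BUILTIN\Administrators')       # V-220966
    'SeDebugPrivilege'                = @('BUILTIN\Administrators')       # V-220967
    'SeEnableDelegationPrivilege'     = @()                               # V-220973
}

function Resolve-Principal([string]$entry) {
    # secedit writes every holder as *SID; translate to DOMAIN\name where the host can.
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # orphaned or foreign SID: keep it raw so it still shows as unexpected
    }
}

function Get-UserRights {
    # Returns a hashtable: privilege constant -> array of holder names,
    # parsed from the [Privilege Rights] section of a secedit export.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $raw  = $Matches[2]
        $rights[$name] = @($raw -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object   { $_ } |
            ForEach-Object { Resolve-Principal $_ })
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-UserRights {
    $actual = Get-UserRights
    foreach ($priv in ($expected.Keys | Sort-Object)) {
        $want = @($expected[$priv])
        $have = if ($actual.ContainsKey($priv)) { @($actual[$priv]) } else { @() }
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        # The checks say "must only be assigned to": extra holders are the finding.
        # A permitted account that lacks the right is reported but is not a failure.
        $status = if ($extra.Count -eq 0) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Privilege  = $priv
            Status     = $status
            Unexpected = ($extra -join ', ')
            NotHeld    = ($missing -join ', ')
        }
    }
}

Test-UserRights | Format-Table -AutoSize
```

Holders are compared by resolved name rather than by SID so that a service SID such as NT SERVICE\autotimesvc, whose value is host-computed, matches without hard-coding it; a SID the host cannot translate is left raw and therefore surfaces in the Unexpected column, which is the safe direction for an audit. Treat a FAIL as a lead, not a verdict: confirm against the full check text for the V-ID before reporting it.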