STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

CCI-003980

Definition

Allow user installation of software only with explicit privileged status.

Parent Control

CM-11 (2) | User-Installed Software | Configuration Management

Linked STIG Checks (55)

  • V-268152 | CAT II | NixOS must prohibit user installation of system software without explicit privileged status. | Anduril NixOS Security Technical Implementation Guide
  • V-259571 | CAT II | The macOS system must prohibit user installation of software into /users/. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268566 | CAT II | The macOS system must prohibit user installation of software into /users/. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277176 | CAT II | The macOS system must prohibit user installation of software into /users/. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-222510 | CAT II | The application must prohibit user installation of software without explicit privileged status. | Application Security and Development Security Technical Implementation Guide
  • V-233184 | CAT II | The container platform must prohibit the installation of patches and updates without explicit privileged status. | Container Platform Security Requirements Guide
  • V-233185 | CAT I | The container platform runtime must prohibit the instantiation of container images without explicit privileged status. | Container Platform Security Requirements Guide
  • V-233186 | CAT II | The container platform registry must prohibit installation or modification of container images without explicit privileged status. | Container Platform Security Requirements Guide
  • V-233587 | CAT II | PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-206596 | CAT II | The DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Database Security Requirements Guide
  • V-259283 | CAT II | The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-230946 | CAT II | Forescout must prohibit installation of software without explicit privileged permission by only authorized individuals. | Forescout Network Device Management Security Technical Implementation Guide
  • V-203716 | CAT II | The operating system must prohibit user installation of system software without explicit privileged status. | General Purpose Operating System Security Requirements Guide
  • V-215404 | CAT II | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. | IBM AIX 7.x Security Technical Implementation Guide
  • V-223454 | CAT II | CA-ACF2 Access to SYS1.LINKLIB must be properly protected. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223463 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223683 | CAT II | IBM RACF access to SYS1.LINKLIB must be properly protected. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223697 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223882 | CAT I | IBM z/OS SYS1.PARMLIB must be properly protected. | IBM z/OS TSS Security Technical Implementation Guide
  • V-223893 | CAT II | CA-TSS access to SYS1.LINKLIB must be properly protected. | IBM z/OS TSS Security Technical Implementation Guide
  • V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-253922 | CAT II | The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-217336 | CAT II | The Juniper router must be configured to prohibit installation of software without explicit privileged status. | Juniper Router NDM Security Technical Implementation Guide
  • V-223202 | CAT II | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
  • V-205564 | CAT II | The Mainframe product must prohibit user installation of software without explicit privileged status. | Mainframe Product Security Requirements Guide
  • V-253731 | CAT II | MariaDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-255318 | CAT II | Azure SQL Database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-235753 | CAT III | URLs must be allowlisted for plugin use if used. | Microsoft Edge Security Technical Implementation Guide
  • V-259632 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259699 | CAT II | The Exchange application directory must be protected from unauthorized access. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-271147 | CAT II | The role(s)/group(s) used to modify database structure (including but not limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users. | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
  • V-253410 | CAT II | Users must be prevented from changing installation options. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253411 | CAT I | The Windows Installer feature "Always install with elevated privileges" must be disabled. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-205801 | CAT II | Windows Server 2019 must prevent users from changing installation options. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205802 | CAT I | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254373 | CAT II | Windows Server 2022 must prevent users from changing installation options. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254374 | CAT I | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278120 | CAT II | Windows Server 2025 must prevent users from changing installation options. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278121 | CAT I | Windows Server 2025 must disable the Windows Installer Always install with elevated privileges option. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-260906 | CAT I | Least privilege access and need to know must be required to access MKE runtime and instantiate container images. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-279380 | CAT II | MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-202105 | CAT II | The network device must prohibit installation of software without explicit privileged status. | Network Device Management Security Requirements Guide
  • V-235168 | CAT II | The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Oracle MySQL 8.0 Security Technical Implementation Guide
  • V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-254572 | CAT II | Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
  • V-281176 | CAT II | RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-257513 | CAT I | OpenShift role-based access controls (RBAC) must be enforced. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-251208 | CAT II | Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status. | Redis Enterprise 6.x Security Technical Implementation Guide
  • V-206742 | CAT II | The SDN controller must be configured to prohibit user installation of software without explicit privileged status. | SDN Controller Security Requirements Guide
  • V-279250 | CAT I | The Edge SWG must be configured to assign appropriate user roles or access levels to authenticated users. | Symantec Edge SWG NDM Security Technical Implementation Guide
  • V-254938 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253795 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.x Security Technical Implementation Guide
  • V-234520 | CAT II | The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation. | Unified Endpoint Management Server Security Requirements Guide
  • V-234521 | CAT II | The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. | Unified Endpoint Management Server Security Requirements Guide
  • V-207468 | CAT II | The VMM must prohibit user installation of software without explicit privileged status. | Virtual Machine Manager Security Requirements Guide