STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Application Security and Development Security Technical Implementation Guide

V-222429

CAT II (Medium)

The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Rule ID

SV-222429r961353_rule

STIG

Application Security and Development Security Technical Implementation Guide

Version

V6R4

CCIs

CCI-002235

Discussion

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Check Content

Identify the application user account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps –ef (UNIX)) or for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server).

Determine the OS user groups in which each account is a member.

List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary.

If the OS rights exceed application operational requirements, this is a finding.

If the application user account is a member of the Administrators group (Windows) or has a User Identification (UID) of 0 (i.e., is equivalent to root in UNIX), this is a finding.

Search the file system to determine if the application user or groups have ownership or permissions to any files or directories.

Review the list of files and identify any that are outside the scope of the application.

If there are such files outside the scope of the application, this is a finding.

Check ownership and permissions; identify permissions beyond the minimum necessary to support the application.

If there are instances of unnecessary ownership or permissions, this is a finding.

The finding details should note the full path of the file(s) and the associated issue (i.e., outside scope, permissions improperly granted to user X, etc.).

Fix Text

Modify the application to limit access and prevent the disabling or circumvention of security safeguards.