STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

DISA Rule

SV-222429r508029_rule

Vulnerability Number

V-222429

Group Title

SRG-APP-000340

Rule Version

APSC-DV-000500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Modify the application to limit access and prevent the disabling or circumvention of security safeguards.

Check Contents

Identify the application user account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps –ef (UNIX)) or for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server).

Determine the OS user groups in which each account is a member.

List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary.

If the OS rights exceed application operational requirements, this is a finding.

If the application user account is a member of the Administrators group (Windows) or has a User Identification (UID) of 0 (i.e., is equivalent to root in UNIX), this is a finding.

Search the file system to determine if the application user or groups have ownership or permissions to any files or directories.

Review the list of files and identify any that are outside the scope of the application.

If there are such files outside the scope of the application, this is a finding.

Check ownership and permissions; identify permissions beyond the minimum necessary to support the application.

If there are instances of unnecessary ownership or permissions, this is a finding.

The finding details should note the full path of the file(s) and the associated issue (i.e., outside scope, permissions improperly granted to user X, etc.).

Vulnerability Number

V-222429

Documentable

False

Rule Version

APSC-DV-000500

Severity Override Guidance

Identify the application user account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps –ef (UNIX)) or for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server).

Determine the OS user groups in which each account is a member.

List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary.

If the OS rights exceed application operational requirements, this is a finding.

If the application user account is a member of the Administrators group (Windows) or has a User Identification (UID) of 0 (i.e., is equivalent to root in UNIX), this is a finding.

Search the file system to determine if the application user or groups have ownership or permissions to any files or directories.

Review the list of files and identify any that are outside the scope of the application.

If there are such files outside the scope of the application, this is a finding.

Check ownership and permissions; identify permissions beyond the minimum necessary to support the application.

If there are instances of unnecessary ownership or permissions, this is a finding.

The finding details should note the full path of the file(s) and the associated issue (i.e., outside scope, permissions improperly granted to user X, etc.).

Check Content Reference

M

Target Key

4093

Comments