Summary

The users that will access the system with administrator or root privileges must be defined.

Description

Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. That includes the set of users that will have administrator or root privileges, as this should not be a default role.

Supported In

This requirement is verified in following services

References

• CAPEC™-122. Privilege abuse
• CAPEC™-233. Privilege escalation
• CIS-5_1. Establish and maintain an inventory of accounts
• CWE™-250. Execution with unnecessary privileges
• CWE™-266. Incorrect privilege assignment
• CWE™-276. Incorrect default permissions
• CWE™-285. Improper authorization
• CWE™-497. Exposure of sensitive system information to an unauthorized control sphere
• HIPAA-164_308_a_3_i. Standard: workforce security
• HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
• NIST 800-53-AC-2_6. Dynamic privilege management
• NIST 800-53-AC-2_7a. Establish and administer privileged user accounts
• NIST 800-53-AC-2_7b. Monitor privileged role or attribute assignments
• NIST 800-53-AC-2_7c. Monitor changes to roles or attributes
• OWASP TOP 10-A1. Broken access control
• SOC2®-CC6_2. Logical and physical access controls
• BIZEC-APP-APP-04. Improper authorization (missing, broken, proprietary, generic)
• CERT-C-FIO32-C. Do not perform operations on devices that are only appropriate for files
• NY SHIELD Act-5575_B_2. Personal and private information
• MITRE ATT&CK®-M1024. Restrict registry permissions
• MITRE ATT&CK®-M1026. Privileged account management
• MITRE ATT&CK®-M1052. User account control
• MITRE ATT&CK®-M1056. Pre-compromise
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_15. Privileged remote access
• CMMC-AU_L2-3_3_9. Audit management
• CMMC-SC_L2-3_13_3. Role separation
• HITRUST CSF-01_c. Privilege management
• HITRUST CSF-05_c. Allocation of information security responsibilities
• HITRUST CSF-09_r. Security of system documentation
• FedRAMP-AC-2_7. Account management - Role-based schemes
• FedRAMP-CA-6. Security authorization
• FedRAMP-PS-3_3. Personnel screening - Information with special protection measures
• FedRAMP-RA-5_4. Privileged access
• ISO/IEC 27002-8_2. Privileged access rights
• LGPD-23_I. Rules
• LGPD-46. Security and Secrecy of Data
• OSSTMM3-10_15_2. Telecommunications security (privileges audit) - Authorization
• OSSTMM3-11_9_2. Data networks security - Common configuration errors
• FERPA-D_35_a_2. Conditions of prior consent required to disclose information
• MVSP-4_2. Operational controls - Logical access
• OWASP SCP-5. Access control
• BSAFSS-IA_2-1. Policies to control access to data and processes
• NIST 800-171-1_4. Separate the duties of individuals
• NIST 800-171-1_7. Prevent non-privileged users from executing privileged functions
• SWIFT CSCF-1_2. Operating system privilege account control
• C2M2-2_3_d. Management activities for the THREAT domain
• C2M2-3_5_d. Management activities for the RISK domain
• C2M2-4_1_h. Establish identities and manage authentication
• C2M2-9_5_h. Implement data security for cybersecurity architecture
• PCI DSS-3_7_7. Prevention of unauthorized substitution of cryptographic keys
• PCI DSS-6_5_4. Changes to all system components are managed securely
• PCI DSS-8_2_4. User identification for users and administrators are strictly managed
• SIG Lite-SL_76. Are staff able to access client scoped data?
• SIG Core-H_2_15. Access control
• SIG Core-H_4_6_1. Access control
• SIG Core-H_4_6_3. Access control
• SIG Core-H_6_1. Access control
• SIG Core-I_1_18_3. Application security
• SIG Core-I_3_2_10. Application security
• SIG Core-P_8_2. Privacy
• SIG Core-U_1_6_1. Server security
• OWASP API Security Top 10-API1. Broken Object Level Authorization
• ISO/IEC 27001-8_2. Privileged access rights
• CASA-13_1_4. Generic Web Service Security
• Resolution SB 2021 2126-Art_26_11_d. Information Security
• Resolution SB 2021 2126-Art_26_11_e. Information Security
• Resolution SB 2021 2126-Art_27_18. Security in Electronic Channels
• FISMA-AC-2_6. Dynamic privilege management
• FISMA-AC-2_7a. Establish and administer privileged user accounts
• FISMA-AC-2_7b. Monitor privileged role or attribute assignments
• FISMA-AC-2_7c. Monitor changes to roles or attributes
• CWE TOP 25-269. Improper Privilege Management
• CWE TOP 25-862. Missing authorization
• CWE TOP 25-863. Incorrect Authorization
• SANS 25-11. Missing authorization
• SANS 25-22. Improper Privilege Management
• SANS 25-24. Incorrect Authorization

Vulnerabilities

• 031.Excessive privileges - AWS
• 159.Excessive privileges
• 160.Excessive privileges - Temporary Files
• 266.Excessive Privileges - Docker
• 267.Excessive Privileges - Kubernetes
• 325.Excessive privileges - Wildcards
• 346.Excessive privileges - Mobile App
• 430.Serverless - one dedicated IAM role per function

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.