Define users with privileges
Summary
The set of users who will access the system with administrator or root privileges must be explicitly defined.
Description
Systems should define a set of roles with different levels of privilege for accessing resources. The privileges granted by each role must be clearly defined, and the role assigned to each user must also be clearly stated. This includes the set of users who hold administrator or root privileges, since such privileges should never be granted by default.
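One way to make this requirement checkable is to treat the role and user inventory as data and validate it. The Python script below is an added example, not part of the original page or of any product it describes; the role names, privilege names, users and the notion of which privileges count as administrative (ADMIN_PRIVILEGES) are constructed sample data. It flags roles whose privileges were never written down, users with no stated or unknown role, a default role that grants administrative privileges, and users who hold an admin role without appearing on the explicit list of approved administrators.

```python
from dataclasses import dataclass
from typing import Optional

# Privileges treated as administrative/root level (assumption for this example).
ADMIN_PRIVILEGES = frozenset({"sudo", "root_shell", "manage_users"})


@dataclass(frozen=True)
class Role:
    name: str
    # None means the role exists but its privileges were never documented.
    privileges: Optional[frozenset] = None


@dataclass
class Inventory:
    roles: dict           # role name -> Role
    assignments: dict     # user -> role name (None = no role stated)
    approved_admins: set  # users explicitly authorised to hold admin/root
    default_role: str     # role given to a newly created user


def is_admin_role(role: Role) -> bool:
    """A role is administrative if it grants any ADMIN_PRIVILEGES entry."""
    return bool(role.privileges) and not ADMIN_PRIVILEGES.isdisjoint(role.privileges)


def validate(inv: Inventory) -> list:
    """Return human-readable findings; an empty list means the inventory is compliant."""
    findings = []
    # 1. Every role must have an explicit privilege set.
    for role in inv.roles.values():
        if role.privileges is None:
            findings.append(f"role '{role.name}' has no defined privileges")
    # 2. The default role must exist and must not be administrative.
    default = inv.roles.get(inv.default_role)
    if default is None:
        findings.append(f"default role '{inv.default_role}' is not defined")
    elif is_admin_role(default):
        findings.append(f"default role '{inv.default_role}' grants administrative privileges")
    # 3. Every user must have a known role; admins must be explicitly approved.
    for user, role_name in sorted(inv.assignments.items()):
        if role_name is None:
            findings.append(f"user '{user}' has no role stated")
            continue
        role = inv.roles.get(role_name)
        if role is None:
            findings.append(f"user '{user}' is assigned to unknown role '{role_name}'")
            continue
        if is_admin_role(role) and user not in inv.approved_admins:
            findings.append(f"user '{user}' holds admin role '{role_name}' without explicit approval")
    # 4. The approved-admin list must not contain stale entries.
    for user in sorted(inv.approved_admins):
        role = inv.roles.get(inv.assignments.get(user))
        if role is None or not is_admin_role(role):
            findings.append(f"user '{user}' is listed as an approved admin but holds no admin role")
    return findings


def privileged_users(inv: Inventory) -> list:
    """The inventory of users that currently hold administrative privileges."""
    return sorted(
        user for user, role_name in inv.assignments.items()
        if role_name in inv.roles and is_admin_role(inv.roles[role_name])
    )


# Constructed sample inventory with several deliberate violations.
SAMPLE = Inventory(
    roles={
        "viewer": Role("viewer", frozenset({"read"})),
        "operator": Role("operator", frozenset({"read", "deploy"})),
        "admin": Role("admin", frozenset({"read", "deploy", "manage_users", "sudo"})),
        "legacy": Role("legacy"),  # privileges never documented
    },
    assignments={
        "alice": "admin",
        "bob": "operator",
        "carol": "admin",   # holds admin but is not on the approved list
        "dave": None,       # role never stated
        "erin": "auditor",  # role does not exist
    },
    approved_admins={"alice", "frank"},  # frank is approved but holds no admin role
    default_role="viewer",
)

if __name__ == "__main__":
    print("privileged users:", privileged_users(SAMPLE))
    for finding in validate(SAMPLE):
        print("-", finding)
```

Running the script lists alice and carol as the privileged users and reports five findings. In practice the inventory would be loaded from the identity provider or configuration management rather than hard-coded, and the check would run in CI or on a schedule so that a new admin assignment without a matching approval is detected rather than discovered during an incident.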
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-122. Privilege abuse
- CAPEC™-233. Privilege escalation
- CIS-5_1. Establish and maintain an inventory of accounts
- CWE™-250. Execution with unnecessary privileges
- CWE™-266. Incorrect privilege assignment
- CWE™-276. Incorrect default permissions
- CWE™-285. Improper authorization
- CWE™-497. Exposure of sensitive system information to an unauthorized control sphere
- HIPAA-164_308_a_3_i. Standard: workforce security
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- NIST 800-53-AC-2_6. Dynamic privilege management
- NIST 800-53-AC-2_7a. Establish and administer privileged user accounts
- NIST 800-53-AC-2_7b. Monitor privileged role or attribute assignments
- NIST 800-53-AC-2_7c. Monitor changes to roles or attributes
- OWASP TOP 10-A1. Broken access control
- SOC2®-CC6_2. Logical and physical access controls
- NIST Framework-ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
- BIZEC-APP-APP-04. Improper authorization (missing, broken, proprietary, generic)
- CERT-C-FIO32-C. Do not perform operations on devices that are only appropriate for files
- NY SHIELD Act-5575_B_2. Personal and private information
- MITRE ATT&CK®-M1024. Restrict registry permissions
- MITRE ATT&CK®-M1026. Privileged account management
- MITRE ATT&CK®-M1052. User account control
- MITRE ATT&CK®-M1056. Pre-compromise
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_4. Separation of duties
- CMMC-AC_L2-3_1_15. Privileged remote access
- CMMC-AU_L2-3_3_9. Audit management
- CMMC-SC_L2-3_13_3. Role separation
- HITRUST CSF-01_c. Privilege management
- HITRUST CSF-05_c. Allocation of information security responsibilities
- HITRUST CSF-09_r. Security of system documentation
- FedRAMP-AC-2_7. Account management - Role-based schemes
- FedRAMP-CA-6. Security authorization
- FedRAMP-PS-3_3. Personnel screening - Information with special protection measures
- FedRAMP-RA-5_4. Privileged access
- ISO/IEC 27002-8_2. Privileged access rights
- LGPD-23_I. Rules
- LGPD-46. Security and Secrecy of Data
- OSSTMM3-10_15_2. Telecommunications security (privileges audit) - Authorization
- OSSTMM3-11_9_2. Data networks security - Common configuration errors
- FERPA-D_35_a_2. Conditions of prior consent required to disclose information
- MVSP-4_2. Operational controls - Logical access
- OWASP SCP-5. Access control
- BSAFSS-IA_2-1. Policies to control access to data and processes
- NIST 800-171-1_4. Separate the duties of individuals
- NIST 800-171-1_7. Prevent non-privileged users from executing privileged functions
- CWE TOP 25-862. Missing authorization
- SWIFT CSCF-1_2. Operating system privilege account controls
- C2M2-2_3_d. Management activities for the THREAT domain
- C2M2-3_5_d. Management activities for the RISK domain
- C2M2-4_1_h. Establish identities and manage authentication
- C2M2-9_5_h. Implement data security for cybersecurity architecture
- PCI DSS-3_7_7. Prevention of unauthorized substitution of cryptographic keys
- PCI DSS-6_5_4. Changes to all system components are managed securely
- PCI DSS-8_2_4. User identification for users and administrators are strictly managed
- SIG Lite-SL_76. Are staff able to access client scoped data?
- SIG Core-H_2_15. Access control
- SIG Core-H_4_6_1. Access control
- SIG Core-H_4_6_3. Access control
- SIG Core-H_6_1. Access control
- SIG Core-I_1_18_3. Application security
- SIG Core-I_3_2_10. Application security
- SIG Core-P_8_2. Privacy
- SIG Core-U_1_6_1. Server security
- OWASP API Security Top 10-API1. Broken Object Level Authorization
- ISO/IEC 27001-8_2. Privileged access rights
- CASA-13_1_4. Generic Web Service Security
- Resolution SB 2021 2126-Art_26_11_d. Information Security
- Resolution SB 2021 2126-Art_26_11_e. Information Security
- Resolution SB 2021 2126-Art_27_18. Security in Electronic Channels
Vulnerabilities
- 031. Excessive privileges - AWS
- 159. Excessive privileges
- 160. Excessive privileges - Temporary Files
- 266. Excessive Privileges - Docker
- 267. Excessive Privileges - Kubernetes
- 325. Excessive privileges - Wildcards
- 346. Excessive privileges - Mobile App
- 430. Serverless - one dedicated IAM role per function