Set user's required privileges
Summary
The privileges required by the users who will access the system must be defined.
Description
Systems should define a set of roles, each with a distinct and explicitly enumerated level of privilege over resources. The privileges granted to each role must be documented, every user must be assigned a defined role, and no user should hold more privileges than that role requires (least privilege). Roles with undefined, implicit or wildcard privileges defeat the purpose of the model, since the privileges a user actually holds can no longer be stated.
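The following Python model, added here as an example and not part of the original page or of Fluid Attacks' own tooling, shows the three parts of the requirement in code: a catalogue of roles whose privileges are enumerated explicitly, user-to-role assignments that are rejected when they reference an undefined role or no role at all, and a default-deny authorization check that resolves a user's effective privileges through its roles. It also flags catalogue roles granting wildcard privileges, which the page lists as a separate excessive-privilege finding. All role, user and permission names are invented for illustration.

```python
"""Minimal role-based access control (RBAC) model.

Added example for this requirement; it is not Fluid Attacks code and the role,
user and permission names below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str    # e.g. "read", "write", "delete"
    resource: str  # e.g. "invoices", "audit-logs"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]  # explicit list, no implied privileges


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset[str]  # names of roles from the catalogue, nothing ad hoc


class AccessControl:
    def __init__(self, roles: list[Role]) -> None:
        self.roles: dict[str, Role] = {r.name: r for r in roles}
        self.users: dict[str, User] = {}

    def assignment_errors(self, user: User) -> list[str]:
        """Reasons a user/role assignment is not acceptable (empty if fine)."""
        errors = []
        if not user.roles:
            errors.append(f"{user.username}: no role assigned")
        for name in sorted(user.roles - set(self.roles)):
            # An undefined role is an undefined set of privileges.
            errors.append(f"{user.username}: undefined role {name!r}")
        return errors

    def add_user(self, user: User) -> None:
        errors = self.assignment_errors(user)
        if errors:
            raise ValueError("; ".join(errors))
        self.users[user.username] = user

    def is_authorized(self, username: str, action: str, resource: str) -> bool:
        """Default deny: unknown users, and permissions not granted to any of
        the user's roles, are refused.  Wildcards are not expanded here."""
        user = self.users.get(username)
        if user is None:
            return False
        wanted = Permission(action, resource)
        return any(wanted in self.roles[name].permissions for name in user.roles)

    def wildcard_roles(self) -> list[str]:
        """Roles granting '*' on an action or resource: excessive-privilege
        candidates that should be rewritten as narrower roles."""
        return sorted(
            role.name
            for role in self.roles.values()
            if any("*" in (p.action, p.resource) for p in role.permissions)
        )

    def privileges_of(self, username: str) -> set[Permission]:
        """Effective privileges of a user: the union over its roles."""
        user = self.users[username]
        return set().union(*(self.roles[name].permissions for name in user.roles))


def build_demo() -> AccessControl:
    """Constructed sample catalogue and users (invented data)."""
    ac = AccessControl([
        Role("viewer", frozenset({Permission("read", "invoices")})),
        Role("billing-clerk", frozenset({
            Permission("read", "invoices"),
            Permission("write", "invoices"),
        })),
        Role("auditor", frozenset({Permission("read", "audit-logs")})),
        # Over-broad role kept in the catalogue only so wildcard_roles() finds it.
        Role("legacy-admin", frozenset({Permission("*", "*")})),
    ])
    ac.add_user(User("alice", frozenset({"viewer"})))
    ac.add_user(User("bob", frozenset({"billing-clerk", "auditor"})))
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice read invoices :", ac.is_authorized("alice", "read", "invoices"))
    print("alice write invoices:", ac.is_authorized("alice", "write", "invoices"))
    print("bob privileges:", sorted((p.action, p.resource) for p in ac.privileges_of("bob")))
    print("wildcard roles:", ac.wildcard_roles())
    print("bad assignment:", ac.assignment_errors(User("eve", frozenset({"superuser"}))))
```

The check deliberately matches permissions exactly, so a `*` entry never silently grants access; it is only reported by `wildcard_roles()` so the role can be split. In a real system the catalogue and assignments would live in a reviewed, version-controlled policy (or the IAM system's own role definitions) rather than in code, but the invariants are the same: every role enumerated, every user mapped to one, and denial by default.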
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-1. Accessing functionality not properly constrained by ACLs
- CAPEC™-122. Privilege abuse
- CAPEC™-690. Metadata Spoofing
- CIS-3_3. Configure data access control lists
- CWE™-250. Execution with unnecessary privileges
- CWE™-276. Incorrect default permissions
- HIPAA-164_312_a_1. Standard: access control
- HIPAA-164_312_d. Standard: person or entity authentication
- NERC CIP-005-5_R1_3. Electronic security perimeter
- NIST 800-53-AC-2_6. Dynamic privilege management
- NIST 800-53-AC-2_7a. Establish and administer privileged user accounts
- NIST 800-53-AC-2_7b. Monitor privileged role or attribute assignments
- NIST 800-53-AC-2_7c. Monitor changes to roles or attributes
- OWASP TOP 10-A1. Broken access control
- OWASP TOP 10-A7. Identification and authentication failures
- NIST Framework-ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
- BIZEC-APP-APP-04. Improper authorization (missing, broken, proprietary, generic)
- CERT-C-FIO32-C. Do not perform operations on devices that are only appropriate for files
- MITRE ATT&CK®-M1018. User account management
- MITRE ATT&CK®-M1024. Restrict registry permissions
- MITRE ATT&CK®-M1026. Privileged account management
- MITRE ATT&CK®-M1052. User account control
- PA-DSS-5_2_8. Improper access controls
- SANS 25-14. Improper Authentication
- PDPO-S1_4. Security of personal data
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_4. Separation of duties
- CMMC-AC_L2-3_1_6. Non-privileged account use
- CMMC-AC_L2-3_1_15. Privileged remote access
- CMMC-SC_L2-3_13_3. Role separation
- CMMC-SC_L2-3_13_4. Shared resource control
- HITRUST CSF-01_c. Privilege management
- HITRUST CSF-01_q. User identification and authentication
- HITRUST CSF-07_b. Ownership of assets
- HITRUST CSF-09_c. Segregation of duties
- HITRUST CSF-09_r. Security of system documentation
- HITRUST CSF-10_j. Access control to program source code
- FedRAMP-AC-2_7. Account management - Role-based schemes
- FedRAMP-AC-6_1. Least privilege - Authorize access to security functions
- FedRAMP-AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
- FedRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
- FedRAMP-PS-3_3. Personnel screening - Information with special protection measures
- ISO/IEC 27002-5_16. Identity management
- ISO/IEC 27002-7_2. Physical entry controls
- ISO/IEC 27002-8_2. Privileged access rights
- ISO/IEC 27002-8_3. Information access restriction
- LGPD-46. Security and Secrecy of Data
- ISA/IEC 62443-UC-2_1. Authorization enforcement
- WASSEC-6_2_1_2. Authentication - Insufficient authentication
- OSSTMM3-9_15_2. Wireless security (privileges audit) - Authorization
- WASC-A_12. Content spoofing
- WASC-W_17. Improper filesystem permissions
- WASC-W_02. Insufficient authorization
- ISSAF-P_6_15. Host security - Linux security (local attacks)
- ISSAF-Q_16_20. Host security - Windows security (local attacks)
- ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
- ISSAF-U_11. Web application SQL injections - Get control on host
- ISSAF-U_15. Web application SQL injections – Countermeasures
- MVSP-4_2. Operational controls - Logical access
- OWASP SCP-5. Access control
- BSAFSS-IA_2-2. Policies to control access to data and processes
- NIST 800-171-1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices
- NIST 800-171-1_7. Prevent non-privileged users from executing privileged functions
- NIST 800-171-3_9. Limit management of audit logging functionality to a subset of privileged users
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- CWE TOP 25-862. Missing authorization
- SWIFT CSCF-5_1. Logical access control
- OWASP ASVS-1_2_1. Authentication architecture
- C2M2-4_1_g. Establish identities and manage authentication
- C2M2-8_3_c. Assign cybersecurity responsibilities
- PCI DSS-1_4_3. Implement anti-spoofing measures
- PCI DSS-1_4_4. Network connections between trusted and untrusted networks are controlled
- PCI DSS-7_2_2. Access to system components and data is appropriately defined and assigned
- PCI DSS-7_3_2. Access to system components and data is managed via an access control system
- SIG Lite-SL_33. Are staff able to access client Scoped Data in an unencrypted state?
- SIG Core-D_4_4_1. Asset and information management
- OWASP ASVS-4_1_1. General access control design
- OWASP ASVS-4_1_2. General access control design
- OWASP API Security Top 10-API5. Broken Function Level Authorization
- ISO/IEC 27001-5_16. Identity management
- ISO/IEC 27001-7_2. Physical entry controls
- ISO/IEC 27001-8_2. Privileged access rights
- ISO/IEC 27001-8_3. Information access restriction
- CASA-4_1_1. General Access Control Design
- CASA-4_1_2. General Access Control Design
Vulnerabilities
- 031. Excessive privileges - AWS
- 032. Spoofing
- 039. Improper authorization control for web services
- 073. Improper authorization control for web services - RDS
- 075. Unauthorized access to files - APK Content Provider
- 159. Excessive privileges
- 160. Excessive privileges - Temporary Files
- 201. Unauthorized access to files
- 202. Unauthorized access to files - Debug APK
- 203. Unauthorized access to files - S3 Bucket
- 204. Insufficient data authenticity validation
- 266. Excessive Privileges - Docker
- 267. Excessive Privileges - Kubernetes
- 325. Excessive privileges - Wildcards
- 346. Excessive privileges - Mobile App
- 430. Serverless - one dedicated IAM role per function