The operating system must enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.

STIG ID: SRG-OS-000835-GPOS-00305  |  SRG: SRG-OS-000835 |  Severity: medium (CAT II)  |  CCI: CCI-003650,CCI-000366 |  Vulnerability Id: V-278976

Vulnerability Discussion

Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource.

This requirement also applies to Zero Trust initiatives.

Check

Verify the operating system is configured to enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.

If the operating system is not configured to enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions, this is a finding.

Fix

Configure the operating system to enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.