myctrl.tools
Compare

SI-3(8)Detect Unauthorized Commands

>Control Description

a

Detect the following unauthorized operating system commands through the kernel application programming interface on organization-defined system hardware components: organization-defined unauthorized operating system commands; and

b

[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].

>Supplemental Guidance

Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands.

Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands.

>Related Controls

AU-2
AU-6
AU-12

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern detect unauthorized commands?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to detect unauthorized commands issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-malware solutions are deployed and how are they configured?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-3(8) is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent malware detection reports and response actions?

Ask AI

Configure your API key to use AI features.