Configure appropriate Partitioning schemes.


CONTROL ID
02162
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Verify the /home file system, /export/home file system, and /var file system each has its own partition., CC ID: 02163
  • Verify the root shell environment is located outside the /usr directory in a partitioned environment., CC ID: 02158
  • Verify the primary filesystem partition uses an appropriate filesystem., CC ID: 05716
  • Enable the OS/2 subsystem, as appropriate., CC ID: 05717
  • Configure the "nodev" option for "/tmp" setting to organizational standards., CC ID: 08725
  • Configure the "nodev" option for "/dev/shm" setting to organizational standards., CC ID: 08726
  • Configure the "/tmp filesystem partition" setting to organizational standards., CC ID: 08727
  • Configure the "var/log" filesystem to organizational standards., CC ID: 08728
  • Configure the "var/log/audit" filesystem to organizational standards., CC ID: 08729
  • Configure the "nosuid" setting on the "/tmp" directory to organizational standards., CC ID: 08730
  • Configure the "noexec" setting on the "/tmp" directory to organizational standards., CC ID: 08731
  • Configure the "nosuid" setting on the "/dev/shm" directory to organizational standards., CC ID: 08732
  • Configure the "noexec" option for "/dev/shm" to organizational standards., CC ID: 08733
  • Configure the "/var/tmp filesystem partition" setting to organizational standards., CC ID: 08734
  • Configure the "nodev" option for "/run/shm" to organizational standards., CC ID: 11376
  • Configure the "nosuid" option for "/run/shm" to organizational standards., CC ID: 11377
  • Configure the "noexec" option for "/run/shm" to organizational standards., CC ID: 11378


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Ensure a separate partition for containers has been created Description: All Docker containers and their data and metadata is stored under `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions dependent on how the Linux operating syste… (1.2.1, The Center for Internet Security Docker Level 1 Linux Host OS Benchmark, v 1.2.0)
  • Ensure a separate partition for containers has been created Description: All Docker containers and their data and metadata is stored under `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions dependent on how the Linux operating syste… (1.2.1, The Center for Internet Security Docker Level 2 Linux Host OS Benchmark, v 1.2.0)
  • The control system shall provide the capability to support partitioning of data, applications and services based on criticality to facilitate implementing a zoning model. (9.6.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Information used by browser-based applications (e.g., configuration files) should be protected against corruption or unauthorized disclosure by locating them on partitions inaccessible to web servers (or other connected servers). (CF.04.02.02a, The Standard of Good Practice for Information Security)
  • Information used by browser-based applications (e.g., configuration files) should be protected against corruption or unauthorized disclosure by locating them on partitions inaccessible to web servers (or other connected servers). (CF.04.02.02a, The Standard of Good Practice for Information Security, 2013)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is volume or disk partitioning in place to prevent inadvertent resource bottlenecks from guest operating systems? (§ V.1.72.30, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Physical separation from non-DoD/non-Federal Government tenants (i.e., public, local/state government tenants) is required. (Section 5.2.2.4 ¶ 2, Bullet 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The data storage and management services must be logically or physically separated from the User Interface services by using different Operating System instances, different computers, different network addresses, different central processing units, combinations of these, or other methods. (DCPA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Partitions, domains, or other techniques must be used to isolate the security support structure, including the integrity of and Access Control to software, hardware, and firmware that performs security functions. (DCSP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components. (3.13.4e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Organizational records and documents should be examined to ensure user functionality is separated by physical and/or logical means from management functionality and specific responsibilities and actions are defined for the implementation of the application partitioning control. Any problems discover… (SC-2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • In addition to grouping container workloads onto hosts by sensitivity level, organizations should not mix containerized and non-containerized workloads on the same host instance. For example, if a host is running a web server container, it should not also run a web server (or any other app) as a reg… (4.5.2 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The smart grid Information System must partition communications for management functionality and telemetry/data acquisition services. (SG.SC-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must partition the smart grid Information System into components located in separate logical domains/environments or physical domains/environments. (SG.SC-30 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must partition the Information System into components that reside in separate physical domains or environments, as necessary. (App F § SC-32, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization partitions the information system into {organizationally documented information system components} residing in separate physical domains or environments based on {organizationally documented circumstances for physical separation of components}. (SC-32 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components]. (SC-32 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components]. (SC-32 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Partition privileged functions into separate physical domains. (SC-32(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components]. (SC-32 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Partition privileged functions into separate physical domains. (SC-32(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Partition hard drive to compartmentalize data. Solaris 9 allows for soft partitioning which can be used to subdivide disks into as many as 8192 logical volumes. Slices that are used for soft partitions cannot be used for other purposes. (§ 1.1, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)