Capacity
CCI-001749
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
19
Rule
Severity: High
Verify File Hashes with RPM
14
Rule
Severity: High
Ensure gpgcheck Enabled In Main yum Configuration
13
Rule
Severity: High
Ensure Red Hat GPG Key Installed
14
Rule
Severity: High
Ensure gpgcheck Enabled for Local Packages
10
Rule
Severity: High
Ensure gpgcheck Enabled for All yum Package Repositories
8
Rule
Severity: High
Ensure gpgcheck Enabled for Repository Metadata
12
Rule
Severity: Medium
Disable Kernel Image Loading
5
Rule
Severity: High
Ensure gpgcheck Enabled In Main dnf Configuration
4
Rule
Severity: High
Ensure gpgcheck Enabled for All dnf Package Repositories
1
Rule
Severity: High
Ensure Fedora GPG Key Installed
3
Rule
Severity: High
Ensure Oracle Linux GPG Key Installed
2
Rule
Severity: High
Ensure gpgcheck Enabled In Main zypper Configuration
2
Rule
Severity: High
Ensure gpgcheck Enabled for All zypper Package Repositories
2
Rule
Severity: High
Ensure SUSE GPG Key Installed
1
Rule
Severity: Medium
The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
2
Rule
Severity: Medium
The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Low
Docker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling.
1
Rule
Severity: Medium
The FortiGate device must only install patches or updates that are validated by the vendor via digital signature or hash.
2
Rule
Severity: Low
Forescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
8
Rule
Severity: Medium
Add-ins to Office applications must be signed by a Trusted Publisher.
8
Rule
Severity: Medium
Trust Bar Notifications for unsigned application add-ins must be blocked.
12
Rule
Severity: Medium
Trust Bar Notifications for unsigned application add-ins must be blocked.
6
Rule
Severity: Medium
Application add-ins must be signed by Trusted Publisher.
8
Rule
Severity: Medium
Add-ins to Office applications must be signed by a Trusted Publisher.
3
Rule
Severity: Medium
Exchange Local machine policy must require signed scripts.
2
Rule
Severity: Medium
The Exchange local machine policy must require signed scripts.
2
Rule
Severity: Medium
Disabling of Fully Trusted Solutions access to computers must be configured.
1
Rule
Severity: Medium
A form that is digitally signed must be displayed with a warning.
1
Rule
Severity: Medium
A form that is digitally signed must be displayed with a warning.
1
Rule
Severity: Medium
Users must be prevented from using or inserting apps that come from the Office Store.
1
Rule
Severity: Medium
Access to updates, add-ins, and patches on Office.com must be disabled.
1
Rule
Severity: Medium
Trust Bar Notifications for unsigned applications must be disabled.
1
Rule
Severity: Medium
The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.
1
Rule
Severity: Medium
The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.
2
Rule
Severity: Medium
The Tanium Server must be configured to only allow signed content to be imported.
5
Rule
Severity: Medium
The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
5
Rule
Severity: Medium
The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
2
Rule
Severity: Medium
The Tanium Server must be configured to allow only signed content to be imported.
1
Rule
Severity: Medium
The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.
2
Rule
Severity: Medium
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.
4
Rule
Severity: High
The macOS system must have the security assessment policy subsystem enabled.
2
Rule
Severity: High
The macOS system must apply gatekeeper settings to block applications from unidentified developers.
1
Rule
Severity: Medium
Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
2
Rule
Severity: High
The macOS system must enable Gatekeeper.
2
Rule
Severity: Medium
The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
The container platform must be built from verified packages.
1
Rule
Severity: Medium
The container platform must verify container images.
1
Rule
Severity: High
The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
3
Rule
Severity: Medium
Exchange local machine policy must require signed scripts.
1
Rule
Severity: Medium
Checking for signatures on downloaded programs must be enforced.
2
Rule
Severity: Medium
Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
2
Rule
Severity: Medium
Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
2
Rule
Severity: Medium
Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
2
Rule
Severity: Medium
Project must automatically disable unsigned add-ins without informing users.
2
Rule
Severity: Medium
Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
2
Rule
Severity: Medium
Publisher must automatically disable unsigned add-ins without informing users.
2
Rule
Severity: Medium
Publisher must disable all unsigned VBA macros.
2
Rule
Severity: Medium
Visio must automatically disable unsigned add-ins without informing users.
2
Rule
Severity: Medium
Word must automatically disable unsigned add-ins without informing users.
2
Rule
Severity: High
The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
2
Rule
Severity: High
The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
2
Rule
Severity: High
The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
2
Rule
Severity: Medium
The Oracle Linux operating system must ensure cryptographic verification of vendor software packages.
2
Rule
Severity: High
YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
2
Rule
Severity: High
OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
2
Rule
Severity: Medium
OL 8 must prevent the loading of a new kernel for later execution.
2
Rule
Severity: Medium
OL 8 must ensure cryptographic verification of vendor software packages.
2
Rule
Severity: Medium
OpenShift must verify container images.
2
Rule
Severity: High
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
2
Rule
Severity: High
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
2
Rule
Severity: Medium
RHEL 8 must prevent the loading of a new kernel for later execution.
2
Rule
Severity: High
All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
2
Rule
Severity: Medium
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Automation Controller NGINX front-end web server.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.
2
Rule
Severity: Medium
RHEL 8 must ensure cryptographic verification of vendor software packages.
2
Rule
Severity: Medium
RHEL 9 must prevent the loading of a new kernel for later execution.
2
Rule
Severity: Medium
RHEL 9 must ensure cryptographic verification of vendor software packages.
2
Rule
Severity: High
RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
2
Rule
Severity: High
RHEL 9 must check the GPG signature of locally installed software packages before installation.
2
Rule
Severity: High
RHEL 9 must have GPG signature verification enabled for all software repositories.
2
Rule
Severity: Medium
RHEL 9 subscription-manager package must be installed.
2
Rule
Severity: Medium
The SUSE operating system tool zypper must have gpgcheck enabled.
2
Rule
Severity: High
The SUSE operating system tool zypper must have gpgcheck enabled.
2
Rule
Severity: Medium
The system must verify that package updates are digitally signed.
1
Rule
Severity: Medium
The VMM must prevent the installation of guest VMs, patches, service packs, device drivers, or VMM components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: High
The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.
1
Rule
Severity: Medium
VAMI server binaries and libraries must be verified for their integrity.
1
Rule
Severity: Medium
Performance Charts application files must be verified for their integrity.
1
Rule
Severity: Medium
Performance Charts must only run one webapp.
1
Rule
Severity: Medium
ESX Agent Manager application files must be verified for their integrity.
1
Rule
Severity: Medium
ESX Agent Manager must only run one webapp.
1
Rule
Severity: Medium
Lookup Service application files must be verified for their integrity.
1
Rule
Severity: Medium
Lookup Service must only run one webapp.
3
Rule
Severity: High
The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.
1
Rule
Severity: Medium
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
1
Rule
Severity: Medium
The Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
1
Rule
Severity: Medium
The Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.
1
Rule
Severity: Medium
The Security Token Service application files must be verified for their integrity.
1
Rule
Severity: Medium
The Security Token Service must only run one webapp.
1
Rule
Severity: Medium
vSphere UI application files must be verified for their integrity.
1
Rule
Severity: Medium
vSphere UI plugins must be authorized before use.
3
Rule
Severity: High
The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.
3
Rule
Severity: High
The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.
1
Rule
Severity: Medium
All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
1
Rule
Severity: Medium
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
1
Rule
Severity: Low
Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
1
Rule
Severity: Medium
MKE must only run signed images.
1
Rule
Severity: Medium
Rancher RKE2 must be built from verified packages.
1
Rule
Severity: High
The SLEM 5 tool zypper must have gpgcheck enabled.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules