CCI-001749

The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

21 rules found Severity: High

4 rules found Severity: High

3 rules found Severity: High

10 rules found Severity: High

5 rules found Severity: High

4 rules found Severity: Medium

2 rules found Severity: High

1 rule found Severity: High

4 rules found Severity: High

2 rules found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

7 rules found Severity: Medium

13 rules found Severity: Medium

6 rules found Severity: Medium

8 rules found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

4 rules found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

CCI-001749

Verify File Hashes with RPM

Ensure gpgcheck Enabled In Main yum Configuration

Ensure gpgcheck Enabled for Local Packages

Ensure gpgcheck Enabled for All yum Package Repositories

Ensure gpgcheck Enabled for Repository Metadata

Ensure Red Hat GPG Key Installed

Disable Kernel Image Loading

Ensure gpgcheck Enabled In Main dnf Configuration

Ensure gpgcheck Enabled for All dnf Package Repositories

Ensure Fedora GPG Key Installed

Ensure Oracle Linux GPG Key Installed

Ensure SUSE GPG Key Installed

Docker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling.

The FortiGate device must only install patches or updates that are validated by the vendor via digital signature or hash.

The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Add-ins to Office applications must be signed by a Trusted Publisher.

Trust Bar Notifications for unsigned application add-ins must be blocked.

Trust Bar Notifications for unsigned application add-ins must be blocked.

Application add-ins must be signed by Trusted Publisher.

Add-ins to Office applications must be signed by a Trusted Publisher.

Exchange Local machine policy must require signed scripts.

The Exchange local machine policy must require signed scripts.

Disabling of Fully Trusted Solutions access to computers must be configured.

A form that is digitally signed must be displayed with a warning.

A form that is digitally signed must be displayed with a warning.

Users must be prevented from using or inserting apps that come from the Office Store.

Access to updates, add-ins, and patches on Office.com must be disabled.

Trust Bar Notifications for unsigned applications must be disabled.

Nutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.

The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.

The Tanium Server must be configured to only allow signed content to be imported.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

The macOS system must have the security assessment policy subsystem enabled.

Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Checking for signatures on downloaded programs must be enforced.

The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.

The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.

The F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

MKE must only run signed images.

The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.

The Oracle Linux operating system must ensure cryptographic verification of vendor software packages.

All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Automation Controller NGINX front-end web server.

The SLEM 5 tool zypper must have gpgcheck enabled.

The Tanium Server must be configured to allow only signed content to be imported.

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.

The macOS system must apply gatekeeper settings to block applications from unidentified developers.

The macOS system must enable Gatekeeper.

The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Forescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.

Exchange local machine policy must require signed scripts.

Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.

Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.

Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.

Project must automatically disable unsigned add-ins without informing users.

Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.

Publisher must automatically disable unsigned add-ins without informing users.

Publisher must disable all unsigned VBA macros.

Visio must automatically disable unsigned add-ins without informing users.

Word must automatically disable unsigned add-ins without informing users.

YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.

OL 8 must prevent the loading of a new kernel for later execution.

Rancher RKE2 must be built from verified packages.

OpenShift must verify container images.

RHEL 8 must prevent the loading of a new kernel for later execution.

OL 8 must ensure cryptographic verification of vendor software packages.

RHEL 9 must prevent the loading of a new kernel for later execution.

RHEL 9 must ensure cryptographic verification of vendor software packages.

RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

RHEL 9 must check the GPG signature of locally installed software packages before installation.

RHEL 9 must have GPG signature verification enabled for all software repositories.

RHEL 9 subscription-manager package must be installed.

RHEL 8 must ensure cryptographic verification of vendor software packages.

The SUSE operating system tool zypper must have gpgcheck enabled.

The SUSE operating system tool zypper must have gpgcheck enabled.

The system must verify that package updates are digitally signed.

The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.