Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.
The macOS system must apply Gatekeeper settings to block applications from unidentified developers.
The macOS system must enable Gatekeeper.
The macOS system must enable Gatekeeper.
The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.
The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Ubuntu 22.04 LTS must be configured so that the Advanced Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
The Ubuntu operating system's Advanced Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
The Central Log Server must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
The container platform must be built from verified packages.
The container platform must verify container images.
The DBMS must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.
The DNS server implementation must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Forescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.
The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
A private web server must subscribe to certificates, issued from any DOD-authorized Certificate Authority (CA), as an access control mechanism for web users.
The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
MKE must only run signed images.
Exchange local machine policy must require signed scripts.
Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
Project must automatically disable unsigned add-ins without informing users.
Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
Publisher must automatically disable unsigned add-ins without informing users.
Publisher must disable all unsigned VBA macros.
Visio must automatically disable unsigned add-ins without informing users.
Word must automatically disable unsigned add-ins without informing users.
The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
OL 8 must prevent the loading of a new kernel for later execution.
The Oracle Linux operating system must ensure cryptographic verification of vendor software packages.
OL 8 must ensure cryptographic verification of vendor software packages.
All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Automation Controller NGINX front-end web server.
OpenShift must verify container images.
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
RHEL 8 must prevent the loading of a new kernel for later execution.
RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL 9 must ensure cryptographic verification of vendor software packages.
RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
RHEL 9 must check the GPG signature of locally installed software packages before installation.
RHEL 9 must have GPG signature verification enabled for all software repositories.
RHEL 9 subscription-manager package must be installed.
RHEL 8 must ensure cryptographic verification of vendor software packages.
The SUSE operating system tool zypper must have gpgcheck enabled.
The SUSE operating system tool zypper must have gpgcheck enabled.
The system must verify that package updates are digitally signed.
The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
The Tanium Server must be configured to allow only signed content to be imported.
TOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
The VMM must prevent the installation of guest VMs, patches, service packs, device drivers, or VMM components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.
All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.
Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.
The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.
The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.
The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Ensure gpgcheck Enabled In Main dnf Configuration
Ensure gpgcheck Enabled for All dnf Package Repositories
Ensure gpgcheck Enabled for Local Packages
Ensure gpgcheck Enabled In Main yum Configuration
Ensure Red Hat GPG Key Installed
Disable unauthenticated repositories in APT configuration
Install subscription-manager Package
Disable Kernel Image Loading
Ensure gpgcheck Enabled for All yum Package Repositories
Ensure gpgcheck Enabled In Main zypper Configuration
Ensure gpgcheck Enabled for All zypper Package Repositories