CCI-003992

The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

8 rules found Severity: High

6 rules found Severity: High

13 rules found Severity: High

10 rules found Severity: High

5 rules found

6 rules found Severity: Medium

10 rules found Severity: Medium

7 rules found Severity: High

3 rules found Severity: High

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

The DNS server implementation must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

A private web server must subscribe to certificates, issued from any DOD-authorized Certificate Authority (CA), as an access control mechanism for web users.

MKE must only run signed images.

The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.

The Oracle Linux operating system must ensure cryptographic verification of vendor software packages.

All Automation Controller NGINX front-end web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Automation Controller NGINX front-end web server.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

The Tanium Server must be configured to allow only signed content to be imported.

TOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

All web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.

Ensure gpgcheck Enabled In Main dnf Configuration

Ensure gpgcheck Enabled for All dnf Package Repositories

Ensure gpgcheck Enabled for Local Packages

Ensure gpgcheck Enabled In Main yum Configuration

Ensure Red Hat GPG Key Installed

Disable unauthenticated repositories in APT configuration

Install subscription-manager Package

Disable Kernel Image Loading

Ensure gpgcheck Enabled for All yum Package Repositories

Ensure gpgcheck Enabled In Main zypper Configuration

Ensure gpgcheck Enabled for All zypper Package Repositories

NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.

The macOS system must apply gatekeeper settings to block applications from unidentified developers.

The macOS system must enable Gatekeeper.

The macOS system must enable gatekeeper.

The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.

The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The Central Log Server must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation.

AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.

AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation.

AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation.

AlmaLinux OS 9 must have GPG signature verification enabled for all software repositories.

AlmaLinux OS 9 must prevent the loading of a new kernel for later execution.

The container platform must be built from verified packages.

The container platform must verify container images.

The Dell OS10 Switch must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The DBMS must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.

Forescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.

The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

The HYCU virtual appliance must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Exchange local machine policy must require signed scripts.

Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.

Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.

Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.

Project must automatically disable unsigned add-ins without informing users.

Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.

Publisher must automatically disable unsigned add-ins without informing users.

Publisher must disable all unsigned VBA macros.

Visio must automatically disable unsigned add-ins without informing users.

Word must automatically disable unsigned add-ins without informing users.

YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.

OL 8 must prevent the loading of a new kernel for later execution.

OpenShift must verify container images.

OL 8 must ensure cryptographic verification of vendor software packages.

RHEL 9 must prevent the loading of a new kernel for later execution.

RHEL 9 must ensure cryptographic verification of vendor software packages.

RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

RHEL 9 must check the GPG signature of locally installed software packages before installation.

RHEL 9 must have GPG signature verification enabled for all software repositories.

RHEL 9 subscription-manager package must be installed.

RHEL 8 must prevent the loading of a new kernel for later execution.

RHEL 8 must ensure cryptographic verification of vendor software packages.

The SUSE operating system tool zypper must have gpgcheck enabled.

The SUSE operating system tool zypper must have gpgcheck enabled.

The system must verify that package updates are digitally signed.

The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

The VMM must prevent the installation of guest VMs, patches, service packs, device drivers, or VMM components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.

The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.

The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.