Information
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the operating system to disable the built-in or attached camera when not in use.
First determine the driver being used by the camera with the following command:
$ sudo dmesg | grep -i video
[ 44.630131] ACPI: Video Device [VGA]
[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
[ 46.670133] videodev: Linux video capture interface: v2.00
[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
[ 47.235752] usbcore: registered new interface driver uvcvideo
[ 47.235756] USB Video Class driver (1.1.1)
Next, build or modify the '/etc/modprobe.d/blacklist.conf' file by using the following example:
##Disable WebCam
blacklist uvcvideo
Reboot the system for the settings to take effect.