800-53|CM-5(3)

Title

SIGNED COMPONENTS

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, together with organizational verification of such signatures, are a method of code authentication.

Reference Item Details

Related: CM-7, SC-13, SI-7

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items


Name | Plugin | Audit Name
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS AlmaLinux OS 8 v4.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Rocky Linux 10 v1.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Rocky Linux 8 v3.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS AlmaLinux OS 10 v1.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Red Hat Enterprise Linux 10 v1.0.1 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Oracle Linux 8 v4.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Red Hat Enterprise Linux 10 v1.0.1 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Oracle Linux 10 v1.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS AlmaLinux OS 8 v4.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Red Hat Enterprise Linux 8 v4.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Red Hat Enterprise Linux 8 v4.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Oracle Linux 10 v1.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Rocky Linux 10 v1.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Rocky Linux 8 v3.0.0 L1 Workstation
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS Oracle Linux 8 v4.0.0 L1 Server
1.2.1.2 Ensure gpgcheck is configured | Unix | CIS AlmaLinux OS 10 v1.0.0 L1 Server
1.2.1.5 Ensure DNF is configured to perform a signature check on local packages | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
1.2.1.6 Ensure cryptographic verification of vendor software packages | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
1.2.3 Ensure gpgcheck is globally activated | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
1.2.3 Ensure gpgcheck is globally activated | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Workstation
1.2.3 Ensure gpgcheck is globally activated | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Server
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA) | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3 OL08-00-010019 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.5.12 Ensure kernel image loading is disabled | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
1.8 UBTU-22-214010 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT III
1.23 RHEL-09-213020 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.43 RHEL-09-214010 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.44 RHEL-09-214015 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT I
1.45 RHEL-09-214020 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT I
1.46 RHEL-09-214025 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT I
1.49 RHEL-09-215010 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.52 UBTU-24-300001 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT III
1.58 OL08-00-010370 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT I
1.59 OL08-00-010371 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT I
1.60 OL08-00-010372 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.89 APPL-14-002060 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT I
1.92 APPL-14-002064 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT I
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 11 v1.0.0
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 9 v1.0.0
6.1.1 Audit system file permissions | Unix | CIS Amazon Linux 2 STIG v2.0.0 L2 Workstation
6.1.1 Audit system file permissions | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
6.1.1 Audit system file permissions | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
6.1.1 Audit system file permissions | Unix | CIS Amazon Linux 2 STIG v2.0.0 L2 Server
ALMA-09-009590 - AlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-009700 - AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-009810 - AlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-009920 - AlmaLinux OS 9 must check the GPG signature of repository metadata before package installation. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4