Detections
Analytics

800-53|SI-7

Title

SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Supplemental

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.

Reference Item Details

Related: SA-12,SC-13,SC-8,SI-3

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.3.2.2 Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Access 2013 v1.0.1
1.1.3.2.2 Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Access 2016 v1.0.1
1.1.3.17.9 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.11 - /etc/security/login.cfg - 'pwd_algorithm = ssha256 (AIX 5.3 TL7+ only)'UnixCIS AIX 5.3/6.1 L2 v1.1.0
1.2.1 Restrict Access to VTY SessionsCiscoCIS Cisco NX-OS L1 v1.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Amazon Linux v2.1.0 L1
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.2.3 Ensure gpgcheck is globally activatedUnixCIS Amazon Linux v2.1.0 L1
1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical'WindowsCIS Windows 8 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty'CiscoCIS Cisco IOS XE 16.x v2.1.0 L1
1.2.4 Create 'access-list' for use with 'line vty'CiscoCIS Cisco IOS XE 17.x v2.1.0 L1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)UnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'WindowsCIS Windows 8 L1 v1.0.0
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS XE 16.x v2.1.0 L1
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS XE 17.x v2.1.0 L1
1.3.2 Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled'WindowsCIS Microsoft Office Enterprise v1.2.0 L1
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Amazon Linux v2.1.0 L1
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Amazon Linux v2.1.0 L1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.2 Ensure authentication required for single user modeUnixCIS Amazon Linux v2.1.0 L1
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - password_pbkdf2UnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - password_pbkdf2UnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusersUnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusersUnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.3 Ensure interactive boot is not enabledUnixCIS Amazon Linux v2.1.0 L1
1.4.7.2.6 Ensure 'Require That Application Add-ins are Signed By Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Excel 2016 v1.0.1
1.4.7.2.6 Ensure 'Require That Application Add-ins are Signed By Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Excel 2013 v1.0.1
1.5.4 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS XR 7.x v1.0.0 L1
1.5.5 Set 'snmp-server host' when using SNMPCiscoCIS Cisco IOS XR 7.x v1.0.0 L1
1.5.5 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS XE 16.x v2.1.0 L1
1.5.5 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS XE 17.x v2.1.0 L1
1.5.6 Create an 'access-list' for use with SNMPCiscoCIS Cisco IOS XE 16.x v2.1.0 L1
1.5.6 Create an 'access-list' for use with SNMPCiscoCIS Cisco IOS XE 17.x v2.1.0 L1
1.5.6 Set 'snmp-server enable traps snmp'CiscoCIS Cisco IOS XR 7.x v1.0.0 L1
1.5.7 Set 'snmp-server host' when using SNMPCiscoCIS Cisco IOS XE 17.x v2.1.0 L1
1.5.7 Set 'snmp-server host' when using SNMPCiscoCIS Cisco IOS XE 16.x v2.1.0 L1
1.5.8 Set 'snmp-server enable traps snmp'CiscoCIS Cisco IOS XE 16.x v2.1.0 L1