CCI|CCI-003992

Title

Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Reference Item Details

Category: 2024

Audit Items

| Name | Plugin | Audit Name |
|---|---|---|
| APPL-14-002060 - The macOS system must apply gatekeeper settings to block applications from unidentified developers. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r2 |
| APPL-14-002064 - The macOS system must enable Gatekeeper. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r2 |
| APPL-15-002060 - The macOS system must apply gatekeeper settings to block applications from unidentified developers. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1 |
| APPL-15-002064 - The macOS system must enable gatekeeper. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1 |
| AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 |
| AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware |
| ESXI-80-000133 The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified. | Unix | DISA VMware vSphere 8.0 ESXi STIG OS v2r1 |
| EX19-ED-000053 - Exchange local machine policy must require signed scripts. | Windows | DISA Microsoft Exchange 2019 Edge Server STIG v2r1 |
| EX19-MB-000061 - Exchange local machine policy must require signed scripts. | Windows | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r2 |
| O365-AC-000002 - Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-CO-000007 - Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-EX-000028 - Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-PR-000002 - Project must automatically disable unsigned add-ins without informing users. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-PT-000008 - Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-PU-000002 - Publisher must automatically disable unsigned add-ins without informing users. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-PU-000003 - Publisher must disable all unsigned VBA macros. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-VI-000003 - Visio must automatically disable unsigned add-ins without informing users. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| O365-WD-000001 - Word must automatically disable unsigned add-ins without informing users. | Windows | DISA STIG Microsoft Office 365 ProPlus v3r1 |
| OL07-00-010019 - The Oracle Linux operating system must ensure cryptographic verification of vendor software packages. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-010020 - The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-020050 - The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization - CA that is recognized and approved by the organization. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-020060 - The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization - CA that is recognized and approved by the organization. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL08-00-010019 - OL 8 must ensure cryptographic verification of vendor software packages. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| OL08-00-010370 - YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| OL08-00-010371 - OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| OL08-00-010372 - OL 8 must prevent the loading of a new kernel for later execution. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| PHTN-40-000130 The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation. | Unix | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 |
| PHTN-40-000199 The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos. | Unix | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 |
| RHEL-08-010019 - RHEL 8 must ensure cryptographic verification of vendor software packages. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-08-010370 - RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-08-010371 - RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-214010 - RHEL 9 must ensure cryptographic verification of vendor software packages. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-214015 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-214020 - RHEL 9 must check the GPG signature of locally installed software packages before installation. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-214025 - RHEL 9 must have GPG signature verification enabled for all software repositories. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-215010 - RHEL 9 subscription-manager package must be installed. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| SLES-12-010550 - The SUSE operating system tool zypper must have gpgcheck enabled. | Unix | DISA SLES 12 STIG v3r1 |
| SLES-15-010430 - The SUSE operating system tool zypper must have gpgcheck enabled. | Unix | DISA SLES 15 STIG v2r2 |
| SOL-11.1-020020 - The system must verify that package updates are digitally signed. | Unix | DISA STIG Solaris 11 SPARC v3r1 |
| SOL-11.1-020020 - The system must verify that package updates are digitally signed. | Unix | DISA STIG Solaris 11 X86 v3r1 |
| UBTU-20-010438 - The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Unix | DISA STIG Ubuntu 20.04 LTS v2r1 |
| UBTU-22-214010 - Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Unix | DISA STIG Canonical Ubuntu 22.04 LTS v2r2 |