800-53|SI-7

Title

SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Supplemental

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.

Reference Item Details

Related: SA-12,SC-13,SC-8,SI-3

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.3.2.2 Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Access 2013 v1.0.1
1.1.3.2.2 Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Access 2016 v1.0.1
1.1.3.17.9 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.11 - /etc/security/login.cfg - 'pwd_algorithm = ssha256 (AIX 5.3 TL7+ only)'UnixCIS AIX 5.3/6.1 L2 v1.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Amazon Linux v2.1.0 L1
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.2.2 Ensure GPG keys are configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.2.3 Ensure gpgcheck is globally activatedUnixCIS Amazon Linux v2.1.0 L1
1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical'WindowsCIS Windows 8 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA)UnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'WindowsCIS Windows 8 L1 v1.0.0
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Amazon Linux v2.1.0 L1
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Amazon Linux v2.1.0 L1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure authentication required for single user modeUnixCIS Amazon Linux v2.1.0 L1
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2'UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers'UnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - password_pbkdf2UnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - password_pbkdf2UnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusersUnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusersUnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.3 Ensure boot loader does not allow removable mediaUnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.4.3 Ensure interactive boot is not enabledUnixCIS Amazon Linux v2.1.0 L1
1.4.3 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.3 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.7.2.6 Ensure 'Require That Application Add-ins are Signed By Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Excel 2013 v1.0.1
1.4.7.2.6 Ensure 'Require That Application Add-ins are Signed By Trusted Publisher' is set to EnabledWindowsCIS Microsoft Office Excel 2016 v1.0.1
1.5.5 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'CiscoCIS Cisco IOS 16 L1 v1.1.2