800-53|SI-7(6)

Title

CRYPTOGRAPHIC PROTECTION

Description

The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

Supplemental

Cryptographic mechanisms used for the protection of integrity include, for example, digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information.

Reference Item Details

Related: SC-13

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Audit Items


Name | Plugin | Audit Name
1.1.3.17.9 Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.11 - /etc/security/login.cfg - 'pwd_algorithm = ssha256 (AIX 5.3 TL7+ only)' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
1.2.2 Ensure GPG keys are configured | Unix | CIS Amazon Linux v2.1.0 L1
1.2.2 Ensure GPG keys are configured | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.2.2 Ensure GPG keys are configured | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.2.2 Ensure GPG keys are configured | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.2.2 Ensure GPG keys are configured | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.2.3 Ensure gpgcheck is globally activated | Unix | CIS Amazon Linux v2.1.0 L1
1.2.4 Ensure software packages have been digitally signed by a Certificate Authority (CA) | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
2.4 Do not use insecure registries | Unix | CIS Docker 1.12.0 v1.0.0 L1 Docker
2.4 Do not use insecure registries | Unix | CIS Docker 1.11.0 v1.0.0 L1 Docker
2.4 Do not use insecure registries | Unix | CIS Docker 1.13.0 v1.0.0 L1 Docker
2.4 Ensure insecure registries are not used | Unix | CIS Docker Community Edition v1.1.0 L1 Docker
2.5 Do not use insecure registries | Unix | CIS Docker 1.6 v1.0.0 L1 Docker
2.5.6 - NFS - secure NFS - 'all entries in /etc/exports contain sec=' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.15.1 - TE - implementation (AIX 6.1 only) - 'TE is enabled' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.15.1 - TE - implementation (AIX 6.1 only) - 'TEP is enabled' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.29.2 Ensure 'Legacy Format Signatures' is set to Disabled | Windows | CIS Microsoft Office 2016 v1.1.0
4.5 Enable Content trust for Docker | Unix | CIS Docker 1.11.0 v1.0.0 L2 Docker
4.5 Enable Content trust for Docker | Unix | CIS Docker 1.12.0 v1.0.0 L2 Docker
4.5 Enable Content trust for Docker | Unix | CIS Docker 1.13.0 v1.0.0 L2 Docker
4.5 Ensure Content trust for Docker is Enabled | Unix | CIS Docker Community Edition v1.1.0 L2 Docker
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Authenticated Root | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Ensure GPG keys are configured - apt-key list | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
Ensure GPG keys are configured - yum | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
FireEye - Boot image must be signed | FireEye | TNS FireEye
IBM i : Verify Object on Restore (QVFYOBJRST) - '3' | AS/400 | IBM iSeries Security Reference v5r4
IBM i : Verify Object on Restore (QVFYOBJRST) - '3' | AS/400 | IBM System i Security Reference for V7R1 and V6R1
IBM i : Verify Object on Restore (QVFYOBJRST) - '3' | AS/400 | IBM System i Security Reference for V7R2
IBM i : Verify Object on Restore (QVFYOBJRST) - '3' | AS/400 | IBM System i Security Reference for V7R3
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Low
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Low
Monterey - Enable Authenticated Root | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
PCI 2.2.4 - Verify that common security parameter settings are included - NFS - 'all entries in /etc/exports contain sec=' | Unix | PCI DSS 2.0/3.0 - AIX
PCI 8.2 - /etc/security/login.cfg - 'pwd_algorithm = ssha256 (AIX 5.3 TL7+ only)' | Unix | PCI DSS 2.0/3.0 - AIX
SQL2-00-015350 - Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be monitored to discover unauthorized changes. | Windows | DISA STIG SQL Server 2012 Database OS Audit v1r20