File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true

title: 'Disable the uvcvideo module'

description: |-
    If the device contains a camera it should be covered or disabled when not in use.

rationale: |-
    Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
    Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

severity: medium

identifiers:
    cce@rhel8: CCE-86960-2
    cce@rhel9: CCE-86961-0

references:
    nist: CM-7 (a),CM-7 (5) (b)
    srg: SRG-OS-000095-GPOS-00049,SRG-OS-000370-GPOS-00155
    stigid@ol8: OL08-00-040020

platform: system_with_kernel

ocil_clause: 'the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use'

ocil: |-
    If the device or {{{ full_name }}} does not have a camera installed, this requirement is not applicable.

    This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

    This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

    For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

    For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

    If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

    Verify the operating system disables the ability to load the uvcvideo kernel module.

    $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"

    install uvcvideo /bin/true

fixtext: |-
    Configure {{{ full_name }}} to disable the built-in or attached camera when not in use.

    Build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example:

    install uvcvideo /bin/true
    blacklist uvcvideo

    Reboot the system for the settings to take effect.

srg_requirement: '{{{ full_name }}} must cover or disable the built-in or attached camera when not in use.'

template:
    name: kernel_module_disabled
    vars:
        kernmodule: uvcvideo
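The OCIL check above pipes `grep -r uvcvideo /etc/modprobe.d/*` into `grep "/bin/true"`, which also matches a commented-out `# install uvcvideo /bin/true` line, the very case the ocil_clause counts as a finding. The following shell script is an added example, not part of the scap-security-guide rule or its `kernel_module_disabled` template; it evaluates only active (non-comment) directives and mirrors the fixtext by requiring both the `install` and the `blacklist` line. It assumes the modprobe.d directory is passed as an argument so it can run against a constructed sample.

```shell
#!/bin/sh
# Added example (not from the scap-security-guide rule): audit whether the
# uvcvideo module is disabled through modprobe.d as the fixtext describes,
# ignoring commented-out lines that a plain grep for "/bin/true" would count.
# Assumption: the modprobe.d directory is given as $1 instead of hard-coding
# /etc/modprobe.d, so the functions can be exercised against sample files.

# Print the active (non-comment) directives from every .conf file in $1,
# with whitespace normalised so exact line matching works.
active_modprobe_lines() {
    cat "$1"/*.conf 2>/dev/null \
      | sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}/ /g' \
            -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# 0 when an active "install uvcvideo /bin/true" line exists, 1 otherwise.
uvcvideo_install_disabled() {
    active_modprobe_lines "$1" | grep -q -x 'install uvcvideo /bin/true'
}

# 0 when an active "blacklist uvcvideo" line exists, 1 otherwise.
uvcvideo_blacklisted() {
    active_modprobe_lines "$1" | grep -q -x 'blacklist uvcvideo'
}

# Combined verdict mirroring the fixtext: both directives must be active.
uvcvideo_rule_passes() {
    uvcvideo_install_disabled "$1" && uvcvideo_blacklisted "$1"
}

# Constructed sample directories (not real system files) covering both
# outcomes: "good" holds the fixtext lines, "bad" holds them commented out.
SAMPLE="$(mktemp -d)"
mkdir "$SAMPLE/good" "$SAMPLE/bad"
printf 'install uvcvideo /bin/true\nblacklist uvcvideo\n' > "$SAMPLE/good/blacklist.conf"
printf '#install uvcvideo /bin/true\n# blacklist uvcvideo\n' > "$SAMPLE/bad/blacklist.conf"

for d in good bad; do
    if uvcvideo_rule_passes "$SAMPLE/$d"; then
        echo "$d: uvcvideo disabled in modprobe.d (a reboot is still needed if the module is currently loaded)"
    else
        echo "$d: FINDING - no active install/blacklist directives for uvcvideo"
    fi
done
```

On a live system, call `uvcvideo_rule_passes /etc/modprobe.d` and pair it with `lsmod` to confirm the module is not still loaded from before the reboot the fixtext requires.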