Check: TOSS-04-040150
Tri-Lab Operating System Stack (TOSS) 4 STIG:
TOSS-04-040150
(in versions v2 r1 through v1 r1)
Title
TOSS must cover or disable the built-in or attached camera when not in use. (Cat II impact)
Discussion
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
Check Content
If the device or operating system does not have a camera installed, this requirement is Not Applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: Determine if the camera is disabled via blacklist with the following command: $ sudo grep blacklist /etc/modprobe.d/* /etc/modprobe.d/blacklist.conf:blacklist uvcvideo Determine if a camera driver is in use with the following command: $ sudo dmesg | grep -i video [ 44.630131] ACPI: Video Device [VGA] [ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7 [ 46.670133] videodev: Linux video capture interface: v2.00 [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675) [ 47.235752] usbcore: registered new interface driver uvcvideo [ 47.235756] USB Video Class driver (1.1.1) If the camera driver blacklist is missing, a camera driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.
Fix Text
Configure the operating system to disable the built-in or attached camera when not in use. First determine the driver being used by the camera with the following command: $ sudo dmesg | grep -i video [ 44.630131] ACPI: Video Device [VGA] [ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7 [ 46.670133] videodev: Linux video capture interface: v2.00 [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675) [ 47.235752] usbcore: registered new interface driver uvcvideo [ 47.235756] USB Video Class driver (1.1.1) Next, build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example: ##Disable WebCam blacklist uvcvideo Reboot the system for the settings to take effect.
Additional Identifiers
Rule ID: SV-253070r958478_rule
Vulnerability ID: V-253070
Group Title: SRG-OS-000095-GPOS-00049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |