STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

RHEL 8 must cover or disable the built-in or attached camera when not in use.

DISA Rule

SV-230493r627750_rule

Vulnerability Number

V-230493

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

RHEL-08-040020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to disable the built-in or attached camera when not in use.

First determine the driver being used by the camera with the following command:

$ sudo dmesg | grep -i video

[ 44.630131] ACPI: Video Device [VGA]
[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
[ 46.670133] videodev: Linux video capture interface: v2.00
[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
[ 47.235752] usbcore: registered new interface driver uvcvideo
[ 47.235756] USB Video Class driver (1.1.1)

Next, build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example:

##Disable WebCam
blacklist uvcvideo

Reboot the system for the settings to take effect.

Check Contents

If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:

Determine if the camera is disabled via blacklist with the following command:

$ sudo grep blacklist /etc/modprobe.d/*

/etc/modprobe.d/blacklist.conf:blacklist uvcvideo

Determine if a camera driver is in use with the following command:

$ sudo dmesg | grep -i video

[ 44.630131] ACPI: Video Device [VGA]
[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
[ 46.670133] videodev: Linux video capture interface: v2.00
[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
[ 47.235752] usbcore: registered new interface driver uvcvideo
[ 47.235756] USB Video Class driver (1.1.1)

If the camera driver blacklist is missing, a camera driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.
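The fix procedure and the check above can be scripted for repeatable audits. The following is an added example, not part of the STIG or STIGQter, that evaluates a modprobe.d directory and a saved dmesg capture for the camera driver; it treats a commented-out "#blacklist uvcvideo" line as non-compliant (the plain grep in the check would match it) and reports when only "blacklist" is present, since that stops alias-based autoloading but not an explicit "modprobe uvcvideo". The directory and log paths, the default module name and the exit codes are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG text: scripts the RHEL-08-040020 check
# so it can run against a live host or against collected evidence (a copy of
# /etc/modprobe.d and a saved dmesg). Constructed inputs live in the test below.

# Active (non-comment) "blacklist <mod>" line in any *.conf file? modprobe
# reads only *.conf, and "#blacklist uvcvideo" must not count as compliant.
module_blacklisted() {
    dir="$1"; mod="$2"
    grep -Ehs "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)" \
        "$dir"/*.conf >/dev/null 2>&1
}

# "blacklist" only stops alias-based autoloading; "install <mod> /bin/false"
# (or /bin/true) also defeats an explicit "modprobe <mod>".
module_install_blocked() {
    dir="$1"; mod="$2"
    grep -Ehs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)" \
        "$dir"/*.conf >/dev/null 2>&1
}

# Kernel log shows the camera driver registered?
driver_in_use() {
    log="$1"; mod="$2"
    grep -iq "registered new interface driver $mod" "$log"
}

# Exit status: 0 = software control present, 1 = finding,
# 2 = no driver seen (no camera, or rely on the physical controls instead).
audit_camera() {
    dir="$1"; log="$2"; mod="${3:-uvcvideo}"
    if module_blacklisted "$dir" "$mod"; then
        if module_install_blocked "$dir" "$mod"; then
            echo "PASS: $mod blacklisted and install-blocked"
        else
            echo "PASS (weak): $mod blacklisted; add 'install $mod /bin/false' to block manual loading"
        fi
        return 0
    fi
    if driver_in_use "$log" "$mod"; then
        echo "FINDING: $mod driver registered and no blacklist in $dir"
        return 1
    fi
    echo "NOT SEEN: $mod not in kernel log and not blacklisted; confirm no camera"
    return 2
}
```

On a live host, point audit_camera at /etc/modprobe.d and a file holding the current dmesg output (reading dmesg may need root on a hardened system).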

Documentable

False

Check Content Reference

M

Target Key

2921

Comments