RHEL 8 must cover or disable the built-in or attached camera when not in use.

STIG ID: RHEL-08-040020  |  SRG: SRG-OS-000095-GPOS-00049 |  Severity: medium (CAT II)  |  CCI: CCI-000381 |  Vulnerability Id: V-230493

Vulnerability Discussion

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155

Check

If the device or operating system does not have a camera installed, this is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local authorizing official (AO) decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software.

Verify the operating system disables the ability to load the uvcvideo kernel module and ensure that the uvcvideo protocol module is disabled with the following command:

$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"

/etc/modprobe.d/blacklist:install uvcvideo /bin/false
/etc/modprobe.d/blacklist:blacklist uvcvideo

If the command does not return uncommented output and the collaborative computing device has not been authorized for use, this is a finding.

Fix

Configure the operating system to disable the built-in or attached camera when not in use.

Add or update the followind lines in the "/etc/modprobe.d/blacklist.conf" file:

install uvcvideo /bin/false
blacklist uvcvideo

Reboot the system for the settings to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.