diff --git a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml index 1a6a3591ed79..304e3a10d905 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml @@ -13,8 +13,8 @@ rationale: |- public web server and private servers the intent of data and resource segregation can be compromised. - In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that - isolates inbound traffic from external network to the internal network, + In addition to the requirements of applicable DMZ segmentation policies that + isolate inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network. diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml index bc2cf5ccdc83..3d661dde7d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml @@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml index 32df952364e3..92326b1028f8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml index 35fe221fcf9f..3a30fff7f995 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml @@ -4,48 +4,19 @@ documentation_complete: true title: 'Enable the SSH login confirmation banner' description: |- - This rule verifies that that the SSH login confirmation banner is set + This rule verifies that the SSH login confirmation banner is set correctly. - The DoD required text is: -

- if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
- while true; do
- read -p "
- You are accessing a U.S. Government (USG) Information System (IS) that is provided for - USG-authorized use only.
- By using this IS (which includes any device attached to this IS), you consent to the - following conditions:
- -The USG routinely intercepts and monitors communications on this IS for purposes - including, but not limited to, penetration testing, COMSEC monitoring, network - operations and defense, personnel misconduct (PM), law enforcement (LE), and - counterintelligence (CI) investigations.
- -At any time, the USG may inspect and seize data stored on this IS.
- -Communications using, or data stored on, this IS are not private, are subject to routine - monitoring, interception, and search, and may be disclosed or used for any USG- - authorized purpose.
- -This IS includes security measures (e.g., authentication and access controls) to protect - USG interests--not for your personal benefit or privacy.
- -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI - investigative searching or monitoring of the content of privileged communications, or - work product, related to personal representation or services by attorneys, - psychotherapists, or clergy, and their assistants. Such communications and work product - are private and confidential. See User Agreement for details.
- Do you agree? [y/N] " yn
- case $yn in - [Yy]* ) break ;;
- [Nn]* ) exit 1 ;;
- esac
- done
- fi
-
+ The confirmation text is configurable through the var_ssh_confirm_text + variable, which supports the DoD-required consent text or a generic + alternative. rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - + severity: medium ocil_clause: 'it does not display the required banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/tests/banner_etc_profiled_ssh_confirm_generic.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/tests/banner_etc_profiled_ssh_confirm_generic.pass.sh new file mode 100644 index 000000000000..ff0f0ddd7224 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/tests/banner_etc_profiled_ssh_confirm_generic.pass.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# platform = multi_platform_all +# variables = var_ssh_confirm_text=generic_default +{{% set var_ssh_confirm_text='#!/bin/bash +if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then + while true; do + read -p " +This system is accessible only to authorized users. +By accessing this system, you agree to comply with your organization\'s acceptable use policy and applicable security requirements. +Unauthorized access, use, or modification of this system is prohibited and may be subject to disciplinary action or legal penalties. +All activity on this system may be monitored, recorded, and audited in accordance with your organization\'s policies. +Do you agree? [y/N] " yn + case $yn in + [Yy]* ) break ;; + [Nn]* ) exit 1 ;; + esac + done +fi +' %}} +echo '{{{ var_ssh_confirm_text }}}' | fold -sw 80 >/etc/profile.d/ssh_confirm.sh diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 9cce04ec9ae5..35e3d0b04ef1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -8,33 +8,6 @@ description: |- Replace the default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var b/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var index 55a7959f725b..f79d8ea0acbd 100644 --- a/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var @@ -16,4 +16,5 @@ interactive: false options: # How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions dod_default: ^\#!\/bin\/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y\/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi(?:[\n]+|(?:\\n)+)$ + generic_default: ^\#!\/bin\/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)This[\s\n]+system[\s\n]+is[\s\n]+accessible[\s\n]+only[\s\n]+to[\s\n]+authorized[\s\n]+users\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+accessing[\s\n]+this[\s\n]+system,[\s\n]+you[\s\n]+agree[\s\n]+to[\s\n]+comply[\s\n]+with[\s\n]+your[\s\n]+organization's[\s\n]+acceptable[\s\n]+use[\s\n]+policy[\s\n]+and[\s\n]+applicable[\s\n]+security[\s\n]+requirements\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Unauthorized[\s\n]+access,[\s\n]+use,[\s\n]+or[\s\n]+modification[\s\n]+of[\s\n]+this[\s\n]+system[\s\n]+is[\s\n]+prohibited[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+subject[\s\n]+to[\s\n]+disciplinary[\s\n]+action[\s\n]+or[\s\n]+legal[\s\n]+penalties\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)All[\s\n]+activity[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+may[\s\n]+be[\s\n]+monitored,[\s\n]+recorded,[\s\n]+and[\s\n]+audited[\s\n]+in[\s\n]+accordance[\s\n]+with[\s\n]+your[\s\n]+organization's[\s\n]+policies\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y\/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi$ diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml index 849d62a869ed..b08dcdac4b40 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml @@ -1,7 +1,7 @@ documentation_complete: true -title: 'Configure GnuTLS library to use DoD-approved TLS Encryption' +title: 'Configure GnuTLS library to use Approved TLS Encryption' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -33,17 +33,17 @@ references: ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly' ocil: |- - To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: + To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
$ sudo grep
     '+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
     /etc/crypto-policies/back-ends/gnutls.config
and verify that a match exists. fixtext: |- - Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": + Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": +VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0 A reboot is required for the changes to take effect. srg_requirement: - {{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package. + {{{ full_name }}} must implement approved TLS encryption in the GnuTLS package. diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml index 38d109e4f6d3..481041d37628 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml @@ -23,8 +23,8 @@ rationale: |- a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have - to verify the software again. NOTE: For U.S. Military systems, this - requirement does not mandate DoD certificates for this purpose; however, + to verify the software again. NOTE: For regulated systems, this requirement + does not mandate organization-specific certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.