The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.

An XCCDF Rule

Description

Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.

ID: SV-256968r902687_rule
Version: RHEL-07-010019
Severity: Medium
References: CCI-001749
Updated: 15 days ago

Remediation Templates

Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.

Insert RHEL 7 installation disc or attach RHEL 7 installation image to the system. Mount the disc or image to make the contents accessible inside the system.

Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system:
     $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/
	 
Import Red Hat GPG keys from key file into system keyring:

     $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
	 
Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.

The Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.

Description

Remediation Templates

A Manual Procedure