Ensure gpgcheck Enabled for Local Packages
An XCCDF Rule
Description
dnf should be configured to verify the signature(s) of local packages prior to installation. Local packages are RPM files installed from a path (for example, dnf install ./package.rpm) rather than from a repository; the repository-level gpgcheck setting does not cover them. To configure dnf to verify signatures of local packages, set localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
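An audit helper, added here as an example and not part of the rule's own OVAL check or remediation content: it parses a dnf.conf and reports whether localpkg_gpgcheck is set to 1 specifically in the [main] section, so a value placed under a repository section, a commented-out line, or a later override to 0 is not mistaken for compliance. The path argument and the demo's constructed config files are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the SSG rule's own check or remediation).
# Reports whether a dnf.conf enables localpkg_gpgcheck in its [main] section.
# Assumption: awk is available (it is on every dnf-based system).
# Exit status: 0 = localpkg_gpgcheck is 1 in [main] (compliant);
#              1 = key missing, not 1, only set under another section,
#                  commented out, or the file is unreadable.
check_localpkg_gpgcheck() {
    conf="${1:-/etc/dnf/dnf.conf}"
    [ -r "$conf" ] || return 1
    awk '
        # Track which INI section we are in; only [main] counts.
        /^[[:space:]]*\[/ {
            in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/)
            next
        }
        # Skip comment lines (a commented-out setting is not a setting).
        /^[[:space:]]*[#;]/ { next }
        in_main && $0 ~ /^[[:space:]]*localpkg_gpgcheck[[:space:]]*=/ {
            split($0, kv, "=")
            val = kv[2]
            gsub(/[[:space:]]/, "", val)
            ok = (val == "1")    # the last assignment within [main] wins
        }
        END { exit (ok ? 0 : 1) }
    ' "$conf"
}

# Demo against constructed config files (not real system files).
demo() {
    tmp=$(mktemp)
    printf '[main]\ngpgcheck=1\nlocalpkg_gpgcheck=1\n' > "$tmp"
    check_localpkg_gpgcheck "$tmp" && echo "compliant: key is 1 in [main]"
    printf '[main]\ngpgcheck=1\n[fedora]\nlocalpkg_gpgcheck=1\n' > "$tmp"
    check_localpkg_gpgcheck "$tmp" || echo "non-compliant: key only under [fedora]"
    rm -f "$tmp"
}
demo
```

Source the file and call check_localpkg_gpgcheck /etc/dnf/dnf.conf; a zero exit status means the host satisfies the rule. The check requires the literal value 1 that the rule asks for. One caveat worth knowing: if the setting is added by appending a line to the end of /etc/dnf/dnf.conf, it lands in [main] only when no section header follows it. dnf.conf normally contains only [main], but the check above catches the case where it does not.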
Rationale
Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization.
- ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
- Severity: High
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q dnf; then
    # Strip any search characters in the key arg so that the key can be replaced without
    # adding any search characters to the config file.
    stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
    # Rewrite an existing localpkg_gpgcheck line in place (any case, any value); otherwise append one
    if LC_ALL=C grep -q -i "^localpkg_gpgcheck\>" /etc/dnf/dnf.conf; then
        LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\>.*/$stripped_key = 1/gi" /etc/dnf/dnf.conf
    else
        printf '%s\n' "$stripped_key = 1" >> /etc/dnf/dnf.conf
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)

- name: Ensure gpgcheck Enabled for Local Packages
  ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: localpkg_gpgcheck
    value: 1
    no_extra_spaces: true
  when: '"dnf" in ansible_facts.packages'