Ensure gpgcheck Enabled for All yum Package Repositories

An XCCDF Rule

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Severity: High
References: BP28(R15)

11 2 3 9

5.10.4.1

APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02

3.4.8

CCI-001749

164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i)

4.3.4.3.2 4.3.4.3.3 4.3.4.4.4

SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6

A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4

CM-11(a) CM-11(b) CM-5(3) CM-6(a) SA-12 SA-12(10) SC-12 SC-12(3) SI-7

PR.DS-6 PR.DS-8 PR.IP-1

FPT_TUD_EXT.1 FPT_TUD_EXT.2

Req-6.2

6.3.3

SRG-OS-000366-GPOS-00153
Updated: about 1 year ago