Skip to content

Ensure gpgcheck Enabled for All zypper Package Repositories

An XCCDF Rule

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

ID
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Severity
High
References
Updated



Remediation - Ansible

- name: Grep for zypper repo section names
  shell: |
    set -o pipefail
    grep -HEr '^\[.+\]' -r /etc/zypp/repos.d/
  register: repo_grep_results
  failed_when: repo_grep_results.rc not in [0, 1]

Remediation - Shell Script


sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/zypp/repos.d/*