Ensure Red Hat GPG Key Installed

An XCCDF Rule

Description

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Rationale

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

ID: xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Severity: High
References: BP28(R15)

11 2 3 9

5.10.4.1

APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02

3.4.8

CCI-001749

164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i)

4.3.4.3.2 4.3.4.3.3 4.3.4.4.4

SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6

A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4

CIP-003-8 R4.2 CIP-003-8 R6 CIP-007-3 R4 CIP-007-3 R4.1 CIP-007-3 R4.2 CIP-007-3 R5.1

CM-5(3) CM-6(a) SC-12 SC-12(3) SI-7

PR.DS-6 PR.DS-8 PR.IP-1

FPT_TUD_EXT.1 FPT_TUD_EXT.2

Req-6.2

SRG-OS-000366-GPOS-00153

6.3.3
Updated: about 1 year ago