Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-50689 | OL6-00-000008 | SV-64895r2_rule | High |
| Description |
|---|
| This key is necessary to cryptographically verify packages that packages are from the operating system vendor. |
| STIG | Date |
|---|---|
| Oracle Linux 6 Security Technical Implementation Guide | 2016-06-05 |
Details
| Check Text ( C-53181r2_chk ) |
|---|
| To ensure that the GPG key is installed, run: $ rpm -q gpg-pubkey The command should return the string below: gpg-pubkey-ec551f03-4c2d256a If the operating system vendor GPG Key is not installed, this is a finding. |
| Fix Text (F-55485r1_fix) |
|---|
| To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run: # wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6 # rpm --import RPM-GPG-KEY-oracle-ol6 |