The system package management tool must cryptographically verify the authenticity of software packages during installation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22588 | GEN008800 | SV-26990r1_rule | ECSC-1 | Low |
| Description |
|---|
| To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2015-06-12 |
Details
| Check Text ( C-27933r2_chk ) |
|---|
| Verify RPM signature validation is not disabled. # grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc If any configuration is found, this is a finding. Verify YUM signature validation is not disabled. # grep gpgcheck /etc/yum.conf /etc/yum.repos.d/* If any "gpgcheck" setting is returned that is not equal to "1", this is a finding. |
| Fix Text (F-24256r1_fix) |
|---|
| Edit the RPM configuration file containing the "nosignature" option and remove the option. Edit the YUM configuration containing "gpgcheck=0" and set the value to "1". |