UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system package management tool must cryptographically verify the authenticity of software packages during installation.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22588 GEN008800 SV-46080r1_rule ECSC-1 Low
Description
To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic.
STIG Date
SUSE Linux Enterprise Server v11 for System z 2013-04-18

Details

Check Text ( C-43338r1_chk )
Ensure that the suse-build-key package is installed and the build-key file exists:
# rpm –ql suse-build-key
# ls –l /usr/lib/rpm/gnupg/suse-build-key.gpg

Ensure that the value of the CHECK_SIGNATURES variable is set to “yes”
# grep –I check_signature /etc/sysconfig/security
If the /usr/lib/rpm/gnupg/suse-build-key.gpg file does not exist or CHECK_SIGNATURES is not set to “yes”, this is a finding.
Fix Text (F-39426r2_fix)
Install the suse-build-key package from the vendor repository
# rpm –Uvh suse-build-key-.noarch.rpm && SuSEconfig

Use the YaST System > “/etc/sysconfig Editor” module to set the value of the CHECK_SIGNATURES variable to “yes”. It can be found by expanding the plus signs for System > Security > PolicyKit