1.2.3 Ensure gpgcheck is globally activated

Information

The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/yum.conf and set 'gpgcheck=1' in the [main] section.
Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to '1'.

See Also

https://workbench.cisecurity.org/files/2449

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 6475861b4eccb016402a4316a6b08818bc2a39113c195c3f7512b26c3100d5ee