1.2.1.2 Ensure gpgcheck is globally activated

Information

The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation.

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/dnf/dnf.conf and set gpgcheck=1 :

Example

# sed -i 's/^gpgchecks*=s*.*/gpgcheck=1/' /etc/dnf/dnf.conf

Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1

Example:

# find /etc/yum.repos.d/ -name "*.repo" -exec echo "Checking:" {} ; -exec sed -i 's/^gpgchecks*=s*.*/gpgcheck=1/' {} ;

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Unix

Control ID: 3562b9531eb5c3742c0083bda43416b08a12c43215a3f6c64ddc55544464b26f