1.2.2 Ensure gpgcheck is globally activated

Information

The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/yum.conf and set ' gpgcheck=1 in the [main] section.
Edit any failing files in /etc/yum.repos.d/*.repo and set all instances of gpgcheck to ' 1.

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv6|4.5, CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 94b2d54e475a8a12be53247d53360bf153a8f48160cac21aaa02d755f7e73004