4.11 Install verified packages only

Information

Verify authenticity of the packages before installing them in the image.

Rationale:

Verifying authenticity of the packages is essential for building a secure container image. Tampered packages could potentially be malicious or have some known vulnerabilities that could be exploited.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Use GPG keys for downloading and verifying packages or any other secure package distribution mechanism of your choice.

Impact:

None

Default Value:

Not Applicable

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 0e55fc5683ef5e5d91e06a319c493e69e876530312878f4c8769da5211dd9df3