4.11 Ensure only verified packages are installed

Information

You should verify the authenticity of packages before installing them into images.

Rationale:

Verifying authenticity of software packages is essential for building a secure container image. Packages with no known provenance could potentially be malicious or have vulnerabilities that could be exploited.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You should use a secure package distribution mechanism of your choice to ensure the authenticity of software packages.
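As an added example (not part of the benchmark text or the Nessus audit), the following POSIX shell functions implement one such mechanism for a Dockerfile build step: a downloaded artifact is installed only if its SHA-256 digest matches a value pinned at build time, and a mismatch fails the build instead of installing the file. The file contents, digests, URL and path names used here are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or its audit: gate the
# installation of a downloaded package/binary on a checksum pinned at build
# time, so a tampered or substituted download fails the image build instead
# of being installed. All digests and file names below are constructed.
set -eu

# sha256_of FILE: print the hex SHA-256 digest, using whichever tool exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256: return 0 if the digest matches,
# 1 otherwise (the mismatch is reported on stderr for the build log)
verify_artifact() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# install_verified FILE EXPECTED_SHA256 DEST: copy FILE to DEST only after
# verification succeeds; on mismatch nothing is written and the non-zero
# return makes the calling Dockerfile RUN step (and so the build) fail.
install_verified() {
    verify_artifact "$1" "$2" || { echo "refusing to install $1" >&2; return 1; }
    cp "$1" "$3" && chmod 0755 "$3"
}

# Typical Dockerfile use (URL, digest and paths are placeholders):
#   RUN curl -fsSLo /tmp/tool https://example.invalid/tool \
#    && . /build/verify.sh \
#    && install_verified /tmp/tool <PINNED_SHA256> /usr/local/bin/tool
```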

Impact:

None

Default Value:

Not Applicable

See Also

https://workbench.cisecurity.org/files/2433