4.11 Ensure only verified packages are installed

Information

You should verify the authenticity of packages before installing them into images.

Rationale:

Verifying the authenticity of software packages is essential for building a secure container image. A package of unknown provenance may have been tampered with, may be malicious, or may carry vulnerabilities that an attacker could exploit once the image is deployed.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You should use a secure package distribution mechanism of your choice to ensure the authenticity of software packages.
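One concrete form of the "secure package distribution mechanism" above is to pin the expected digest of any artifact fetched during a build and refuse to install it unless the digest matches. The script below is an added example and is not part of the CIS benchmark or the Tenable audit text; it assumes a POSIX shell with either sha256sum (coreutils) or shasum, the sample artifact and its pinned digest are constructed here for illustration, and the "install" step is a stand-in copy into a staging directory.

```shell
#!/bin/sh
# Added example: a checksum gate for artifacts fetched during an image build.
# Assumptions: POSIX sh; sha256sum (coreutils) or shasum (perl) is available.
# In a Dockerfile the same gate runs inside a RUN step before any install command.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_verified FILE EXPECTED_HEX [DEST] -> installs only when the pinned digest matches.
# The install step is a stand-in: it copies the artifact into a staging directory.
install_verified() {
    file=$1; expected=$2; dest=${3:-/tmp/verified-install}
    if ! verify_checksum "$file" "$expected"; then
        echo "refusing to install $file: SHA-256 mismatch (expected $expected)" >&2
        return 1
    fi
    mkdir -p "$dest" && cp "$file" "$dest/"
}

# Constructed sample artifact (the 6 bytes "hello\n") and its pinned digest.
# In a real build the digest comes from the upstream release page or signed
# checksum file, recorded in the Dockerfile rather than computed at build time.
SAMPLE=$(mktemp)
printf 'hello\n' > "$SAMPLE"
PINNED=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Stand-alone run: the matching digest installs, a wrong digest is refused.
install_verified "$SAMPLE" "$PINNED" "$(mktemp -d)" && echo "installed: digest matched"
install_verified "$SAMPLE" 0000000000000000000000000000000000000000000000000000000000000000 "$(mktemp -d)" \
    || echo "build would fail here, as intended"
```

The pinned digest must come from a trusted channel (a signed checksum file, or a release page fetched over TLS) and be committed alongside the Dockerfile; computing it from the download itself at build time verifies nothing. For distribution packages installed with apt, yum or apk, the package manager already checks repository signatures when the repository's signing key is configured, so this gate is mainly for tarballs and binaries fetched outside that path.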

Default Value:

Not Applicable

See Also

https://workbench.cisecurity.org/benchmarks/11818

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22, CSCv7|18.3

Plugin: Unix

Control ID: 5f181be3016a348d1fce88fa76d318a327845e9fcb676ddc184858357c32832d