1.2.3 Ensure repo_gpgcheck is globally activated

Information

The repo_gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, will perform a GPG signature check on the repodata.

It is important to ensure that the repository data signature is always checked prior to installation to ensure that the software is not tampered with in any way.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Global configuration

Edit /etc/dnf/dnf.conf and set repo_gpgcheck=1 in the [main] section.

Example:

[main]
repo_gpgcheck=1

Per repository configuration

First check that the particular repository support GPG checking on the repodata.

Edit any failing files in /etc/yum.repos.d/* and set all instances starting with repo_gpgcheck to 1

Impact:

Not all repositories, notably RedHat, support repo_gpgcheck Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck installation of packages will fail.

Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Unix

Control ID: c2d970dbda0f05b016e2faea8a8035001ec573c29cf898cdb9f52b3014ec19e8