1.2.2 Ensure gpgcheck is globally activated

Information

The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/yum.conf and set ' gpgcheck=1 in the [main] section.
Edit any failing files in /etc/yum.repos.d/*.repo and set all instances of gpgcheck to ' 1.

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv6|4.5, CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 3ae530b642a3413a4ef404ec10c4bb95f89b057c12c462e4be2df5e2397c452c