1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.

Information

The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/*.repo files determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/yum.conf and set 'gpgcheck=1' in the [main] section.
Edit any failing files in /etc/yum.repos.d/*.repo and set all instances of gpgcheck to 1.

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5(3), CCI|CCI-001749, CSCv7|3.4, Rule-ID|SV-204447r603261_rule, STIG-ID|RHEL-07-020050

Plugin: Unix

Control ID: 0b0f84fa41aec65618cdc179b0a7cc696bb8bf8d4384e1425e5daf7f736158d6