STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

DISA Rule

SV-230264r627750_rule

Vulnerability Number

V-230264

Group Title

SRG-OS-000366-GPOS-00153

Rule Version

RHEL-08-010370

Severity

CAT I

CCI(s)

• CCI-001749 - The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Weight

10

Fix Recommendation

Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.repos.d/[your_repo_name].repo" file:

gpgcheck=1

Check Contents

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.

Check that YUM verifies the signature of packages from a repository prior to install with the following command:

$ sudo egrep '^\[.*\]|gpgcheck' /etc/yum.repos.d/*.repo

/etc/yum.repos.d/appstream.repo:[appstream]
/etc/yum.repos.d/appstream.repo:gpgcheck=1
/etc/yum.repos.d/baseos.repo:[baseos]
/etc/yum.repos.d/baseos.repo:gpgcheck=1

If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.

If there is no process to validate certificates that is approved by the organization, this is a finding.

Vulnerability Number

V-230264

Documentable

False

Rule Version

RHEL-08-010370

Severity Override Guidance

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.

Check that YUM verifies the signature of packages from a repository prior to install with the following command:

$ sudo egrep '^\[.*\]|gpgcheck' /etc/yum.repos.d/*.repo

/etc/yum.repos.d/appstream.repo:[appstream]
/etc/yum.repos.d/appstream.repo:gpgcheck=1
/etc/yum.repos.d/baseos.repo:[baseos]
/etc/yum.repos.d/baseos.repo:gpgcheck=1

If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.

If there is no process to validate certificates that is approved by the organization, this is a finding.

Check Content Reference

M

Target Key

2921

Comments