Ensure Amazon GPG Key Installed
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
To ensure the system can cryptographically verify base software packages
come from Amazon (and to connect to the Amazon Network to receive them),
the Amazon GPG key must properly be installed. To install the Amazon GPG
key, run:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Rationale
Changes to software components can have significant effects on the overall
security of the operating system. This requirement ensures the software has
not been tampered with and that it has been provided by a trusted vendor.
The Amazon GPG key is necessary to cryptographically verify packages are
from Amazon.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# The fingerprint below are retrieved from the offical amazon linux 2023 machine
readonly AMAZON_RELEASE_FINGERPRINT=""
# Location of the key we would like to import (once it's integrity verified)
readonly AMAZON_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$AMAZON_RELEASE_KEY")")
# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
# If they are safe, try to obtain fingerprints from the key file
# (to ensure there won't be e.g. CRC error).
readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$AMAZON_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
GPG_RESULT=$?
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
echo "${GPG_OUT[*]}" | grep -vE "${AMAZON_RELEASE_FINGERPRINT}" || {
# If $AMAZON_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
rpm --import "${AMAZON_RELEASE_KEY}"
}
fi
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Read permission of GPG key directory
ansible.builtin.stat:
path: /etc/pki/rpm-gpg/
register: gpg_key_directory_permission
check_mode: false
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_amazon_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Read signatures in GPG key
ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"
changed_when: false
register: gpg_fingerprints
check_mode: false
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_amazon_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Set Fact - Installed GPG Fingerprints
ansible.builtin.set_fact:
gpg_installed_fingerprints: |-
{{ gpg_fingerprints.stdout | regex_findall('^pub.*
(?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_amazon_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Set Fact - Valid fingerprints
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- ''
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_amazon_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Import Amazon GPG key
ansible.builtin.rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
0
- gpg_installed_fingerprints | length > 0
- ansible_distribution == "Amazon" and ansible_distribution_version == "2023"
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_amazon_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy