Ensure gpgcheck Enabled for All yum Package Repositories

Classification:

compliance

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Remediation

Shell script

The following script can be run on the host to remediate the issue.

sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Grep for yum repo section names
  shell: |
    set -o pipefail
    grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
  register: repo_grep_results
  failed_when: repo_grep_results.rc not in [0, 1]
  changed_when: false
  tags:
    - CCE-26876-3
    - CJIS-5.10.4.1
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3.3
    - enable_strategy
    - ensure_gpgcheck_never_disabled
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed

- name: Set gpgcheck=1 for each yum repo
  ini_file:
    path: '{{ item[0] }}'
    section: '{{ item[1] }}'
    option: gpgcheck
    value: '1'
    no_extra_spaces: true
  loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}'
  tags:
    - CCE-26876-3
    - CJIS-5.10.4.1
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3.3
    - enable_strategy
    - ensure_gpgcheck_never_disabled
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed
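Before running either remediation, an auditor usually wants a per-section report of which repos actually have gpgcheck disabled. The following Python check is an added example, not part of this rule or its remediation content; it parses .repo files as INI (the format both remediations above rely on) and the sample repo text is constructed for illustration.

```python
"""Audit yum/dnf .repo files for sections with gpgcheck disabled (added example)."""
import configparser
from pathlib import Path

# Constructed sample: one compliant repo, one with gpgcheck disabled
# (note the spaces around '=' that a naive grep for 'gpgcheck=0' would miss),
# and one with no gpgcheck at all, which inherits the [main] default from yum.conf.
SAMPLE_REPO = """\
[base]
name=Base
baseurl=https://mirror.example.invalid/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[vendor-extras]
name=Vendor extras
baseurl=https://mirror.example.invalid/extras
gpgcheck = 0

[inherits-default]
name=No explicit gpgcheck
baseurl=https://mirror.example.invalid/other
"""


def audit_repo_text(text, source="<string>"):
    """Return (source, section, status) per repo section.

    status: "enabled", "disabled", "unset" (inherits global default),
    or "invalid" (value yum would reject).
    """
    # interpolation=None keeps '$releasever'/'$basearch' in baseurl from being parsed
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text, source=source)
    results = []
    for section in parser.sections():
        if not parser.has_option(section, "gpgcheck"):
            results.append((source, section, "unset"))
            continue
        try:
            enabled = parser.getboolean(section, "gpgcheck")
        except ValueError:
            results.append((source, section, "invalid"))
            continue
        results.append((source, section, "enabled" if enabled else "disabled"))
    return results


def audit_repo_dir(repo_dir="/etc/yum.repos.d"):
    """Audit every *.repo file under repo_dir (the path the rule above targets)."""
    findings = []
    for path in sorted(Path(repo_dir).glob("*.repo")):
        findings.extend(audit_repo_text(path.read_text(), str(path)))
    return findings


def noncompliant(findings):
    """Findings that violate this rule: gpgcheck explicitly off or unparsable."""
    return [f for f in findings if f[2] in ("disabled", "invalid")]


if __name__ == "__main__":
    for src, sec, status in audit_repo_text(SAMPLE_REPO, "sample.repo"):
        print(f"{src}:[{sec}] gpgcheck {status}")
```

Sections reported as "unset" are not flagged by this rule but are worth confirming against the gpgcheck value in the [main] section of /etc/yum.conf, since that is what they inherit.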