1.2.1 Ensure GPG keys are configured

Information

The RPM Package Manager implements GPG key signing to verify package integrity during and after installation.

Rationale:

It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system. To this end, verify that GPG keys are configured correctly for your system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update your package manager GPG keys in accordance with site policy.

Additional Information:

Fedora public keys: https://getfedora.org/security/

NIST SP 800-53 Rev. 5:

SI-2

See Also

https://workbench.cisecurity.org/files/3807

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 5aee96edf6f1ce8c3228a23e2bd7cbefd3f1ef1bea3b56272c7cd0f55f5b5e29