1.2.2 Ensure gpgcheck is globally activated

Information

The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section.
Example:

# sed -i 's/^gpgchecks*=s*.*/gpgcheck=1/' /etc/dnf/dnf.conf

Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1.
Example:

# find /etc/yum.repos.d/ -name '*.repo' -exec echo 'Checking:' {} ; -exec sed -i 's/^gpgchecks*=s*.*/gpgcheck=1/' {} ;

Additional Information:

NIST SP 800-53 Rev. 5:

SI-2

See Also

https://workbench.cisecurity.org/files/3807

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Unix

Control ID: 0fe2075c0d226af6db7a7f8de47c00b91b43e52a1884f5ac4b6484a4f233014d