1.2.3 Ensure gpgcheck is globally activated

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The gpgcheck option, found in the main section of the /etc/zypp/zypp.conf and individual /etc/zypp/repos.d/*.repo files determines if an RPM package's signature is checked prior to its installation.

Rationale:

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Solution

Edit /etc/zypp/zypp.conf and set 'gpgcheck=1' in the [main] section.
Edit any failing files in /etc/zypp/repos.d/*.repo and set all instances of gpgcheck to 1.

See Also

https://workbench.cisecurity.org/files/2854

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(6), CSCv7|3.4

Plugin: Unix

Control ID: a3f625ea50fd18173a250be7cc2e68b82e09d8056e7d1197fd6d6e6dba4217ac