Information
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, including updates, with a GPG key so that their validity can be verified.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure Amazon Linux 2023 so that the public key used to verify RPM packages is installed with the "system-release" package.
Install the system-release package with the following command:
$ sudo dnf install -y system-release
Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and under '[main]' in the configuration file add:
gpgcheck=1
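The two settings above can be audited with a small shell helper. The script below is an added example, not Nessus/Tenable audit code or Amazon Linux tooling; it parses a dnf.conf file and reports whether gpgcheck is enabled in the [main] section specifically (a gpgcheck line in some other repository section, or a commented-out line, does not satisfy the check), and, where rpm is available, whether the system-release package is installed. The sample configuration files it builds are constructed for the demonstration; run it against the real /etc/dnf/dnf.conf to audit a host.

```shell
#!/bin/sh
# Added example (not Nessus or Amazon Linux code): audit helpers for the
# Amazon Linux 2023 package-signature check. Paths are passed as arguments.

# Return 0 if the [main] section of the given dnf.conf enables gpgcheck.
# Only the [main] section counts; comment lines ('#' or ';') are ignored,
# and, as in dnf, the last gpgcheck line in [main] wins.
dnf_gpgcheck_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
        /^[[:space:]]*[#;]/ { next }
        in_main && /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
            val = tolower(val)
            enabled = (val == "1" || val == "true" || val == "yes")
        }
        END { exit (enabled ? 0 : 1) }
    ' "$conf"
}

# Return 0 if the system-release package (which carries the RPM signing key)
# is installed. Requires rpm; returns 2 if rpm is not on this host.
system_release_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q system-release >/dev/null 2>&1
}

# Print a PASS/FAIL line for a dnf.conf path; return 0 only on PASS.
audit_dnf_gpgcheck() {
    if dnf_gpgcheck_enabled "$1"; then
        echo "PASS: gpgcheck enabled in [main] of $1"
        return 0
    fi
    echo "FAIL: gpgcheck not enabled in [main] of $1"
    return 1
}

# --- constructed sample configurations for demonstration ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

SAMPLE_GOOD="$tmpdir/dnf-good.conf"
printf '%s\n' '[main]' 'best=True' 'skip_if_unavailable=True' 'gpgcheck=1' \
    > "$SAMPLE_GOOD"

# Disabled in [main]; the gpgcheck=1 in a repo section must not count.
SAMPLE_BAD="$tmpdir/dnf-bad.conf"
printf '%s\n' '[main]' '# gpgcheck=1' 'gpgcheck=0' '' '[myrepo]' 'gpgcheck=1' \
    > "$SAMPLE_BAD"

audit_dnf_gpgcheck "$SAMPLE_GOOD"   # PASS
audit_dnf_gpgcheck "$SAMPLE_BAD" || true   # FAIL
# On a real host: audit_dnf_gpgcheck /etc/dnf/dnf.conf && system_release_installed
```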