OL09-00-000499 - OL 9 must ensure cryptographic verification of vendor software packages.

Information

Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Oracle cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.

Solution

Install Oracle package-signing keys on the system and verify their fingerprints match vendor values.

To verify Oracle Linux Downloads, users need:
- A checksum file corresponding to the downloaded ISO.
- The public GPG key to verify the Oracle key used to sign the checksum file.

The checksum file contains a list of the files that are part of a download package with their corresponding checksums, as well as a GPG signature. The GPG signature enables anyone to verify that the checksum file was published by Oracle. The steps below describe how to verify the checksum file itself and then verify the contents of the Oracle Linux download by checking it against the checksum file.

Import the Oracle Linux GPG key corresponding to the Oracle Linux release:

$ curl https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9 | gpg --import

Note: No "sudo" for curl command

Download the appropriate checksum file and place it in the same directory as the Oracle Linux ISO download:

$ curl https://linux.oracle.com/security/gpg/checksum/OracleLinux-R9-U3-Server-x86_64.checksum > OracleLinux-R9-U3-Server-x86_64.checksum

Download GPG Key:

$ curl https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9 -o RPM-GPG-KEY-oracle

Note: No "sudo" for curl command

To verify the checksum file:

$ gpg --verify-files OracleLinux-R9-U3-Server-x86_64.checksum
gpg: Signature made Wed 15 Nov 2023 07:22:32 AM EST
gpg: using RSA key 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
gpg: issuer "[email protected]"
gpg: Good signature from "Oracle Linux (release key 1) <[email protected]>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E6D 826D 3FBA B389 C2F3 8E34 BC4D 06A0 8D8B 756F

Verify the ISO download as follows:

$ grep OracleLinux-R9-U3-x86_64-boot.iso OracleLinux-R9-U3-Server-x86_64.checksum | sha256sum -c

OracleLinux-R9-U3-x86_64-boot.iso: OK
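The procedure above ends with a "Good signature" that gpg still marks [unknown], because the imported key is not in the local web of trust; what makes the check meaningful is comparing the printed primary key fingerprint against the vendor-published value, and only then checking the ISO hash. The following Python script is an added example, not part of the STIG text or of any Oracle tooling: it pins the fingerprint shown in the output above, extracts the fingerprint from gpg --verify output, and reproduces the grep | sha256sum -c step over a checksum file and a stand-in ISO. The gpg output text, the checksum file and the ISO contents are constructed samples (the signer e-mail is a placeholder), and the function names are the example's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Vendor-published fingerprint of the OL9 release key, as printed by gpg above.
EXPECTED_FPR = "3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F"

# Constructed sample of gpg --verify-files output (e-mail is a placeholder).
GOOD_GPG_OUTPUT = """gpg: Signature made Wed 15 Nov 2023 07:22:32 AM EST
gpg: using RSA key 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
gpg: Good signature from "Oracle Linux (release key 1) <KEY-EMAIL-PLACEHOLDER>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E6D 826D 3FBA B389 C2F3 8E34 BC4D 06A0 8D8B 756F
"""


def normalize_fpr(fpr):
    """Strip the spacing gpg inserts into fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_from_gpg_output(text):
    """Return the 'Primary key fingerprint' from gpg output, or None if absent."""
    for line in text.splitlines():
        m = re.match(r"^\s*(?:gpg:\s*)?Primary key fingerprint:\s*(.+)$", line)
        if m:
            return normalize_fpr(m.group(1))
    return None


def signature_is_trustworthy(gpg_output, expected_fpr=EXPECTED_FPR):
    """A 'Good signature' alone is not enough: the signing key's fingerprint
    must equal the pinned vendor value, otherwise any imported key would pass."""
    if "BAD signature" in gpg_output or "Good signature from" not in gpg_output:
        return False
    fpr = fingerprint_from_gpg_output(gpg_output)
    return fpr is not None and fpr == normalize_fpr(expected_fpr)


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('<64 hex>  <filename>'); the PGP armor and
    signature lines of a clearsigned checksum file do not match and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of(path):
    """Stream the file through SHA-256 so large ISOs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_path, checksum_text):
    """Equivalent of 'grep <iso> <checksum> | sha256sum -c': OK, FAILED, or
    MISSING when the checksum file does not list the file at all (grep would
    print nothing and sha256sum -c would report no error)."""
    entries = parse_checksum_file(checksum_text)
    name = Path(iso_path).name
    if name not in entries:
        return "MISSING"
    return "OK" if sha256_of(iso_path) == entries[name] else "FAILED"


def demo():
    """End-to-end run on a constructed ISO and a constructed clearsigned checksum file."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "OracleLinux-R9-U3-x86_64-boot.iso"
        iso.write_bytes(b"constructed stand-in for the ISO payload\n")
        checksum_text = (
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            f"{sha256_of(iso)}  {iso.name}\n"
            "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n"
        )
        ok = verify_download(iso, checksum_text)
        iso.write_bytes(b"tampered payload\n")  # simulate a modified download
        tampered = verify_download(iso, checksum_text)
        missing = verify_download(Path(d) / "other.iso", checksum_text)
    return {"ok": ok, "tampered": tampered, "missing": missing}


if __name__ == "__main__":
    print("signature trustworthy:", signature_is_trustworthy(GOOD_GPG_OUTPUT))
    print(demo())
```

In practice, feed the script the real output of gpg --verify-files and the downloaded checksum file; the MISSING result matters because a grep that matches nothing makes sha256sum -c exit quietly, which can be mistaken for success in a pipeline.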

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_9_V1R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5(3), CAT|II, CCI|CCI-003992, Rule-ID|SV-271526r1092460_rule, STIG-ID|OL09-00-000499, Vuln-ID|V-271526

Plugin: Unix

Control ID: e92eb4afd8e86f0ee2c67111dc90b99db8a50bf9c03a4b6bbf4461ae765e5e69