Check: AZLX-23-000110
Amazon Linux 2023 STIG: AZLX-23-000110 (in version v1 r1)
Title
Amazon Linux 2023 must ensure cryptographic verification of vendor software packages. (Cat II impact)
Discussion
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, including updates, with a GPG key so that their validity can be verified.
Check Content
Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values.

Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default.

List Amazon Linux GPG keys installed on the system:

```
$ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n"
gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key
```

If there is no Amazon Linux GPG key installed, this is a finding.

Extract the fingerprint from the key with this command:

```
$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
pub   rsa4096/D832C631 2022-12-08 [SC]
      Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
uid                    Amazon Linux <amazon-linux@amazon.com>
```

Compare the Key fingerprint with the key fingerprint from Amazon documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html

If key fingerprints do not match, or the key file is missing, this is a finding.
Fix Text
Configure Amazon Linux 2023 so that the public key used to verify RPM packages is installed; it is shipped with the "system-release" package. Install the system-release package with the following command:

```
$ sudo dnf install -y system-release
```

Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and, under '[main]' in the configuration file, adding:

```
gpgcheck=1
```
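The check and fix above can be scripted. The following is an added example, not part of the STIG or of any AWS tooling: it parses the `gpg` and `dnf.conf` output described in the check, compares the fingerprint against the value printed in the Check Content (which you must still confirm against the AWS documentation URL above), and reports each finding. The function names and the constructed sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG: automates the AZLX-23-000110 check.
# EXPECTED_FP is copied from the Check Content; confirm it against
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html first.
EXPECTED_FP="B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631"
KEYFILE="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"

# Normalize a fingerprint for comparison: drop spaces, upper-case hex digits.
norm_fp() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Read "gpg --with-fingerprint" output on stdin; print the first fingerprint,
# normalized. Returns 1 (prints nothing) if no "Key fingerprint =" line exists.
fp_from_gpg_output() {
    fp=$(sed -n 's/^.*Key fingerprint = //p' | head -n 1)
    [ -n "$fp" ] || return 1
    norm_fp "$fp"
}

# Return 0 only if the fingerprint in the gpg output on stdin equals $1.
fp_matches() {
    got=$(fp_from_gpg_output) || return 1
    [ "$got" = "$(norm_fp "$1")" ]
}

# Read dnf.conf on stdin; return 0 only if "gpgcheck=1" is set under [main].
# A gpgcheck line in another section does not satisfy the check.
dnf_gpgcheck_enabled() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/) }
        in_main && /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Live check on an AL2023 host: prints one line per finding, returns 1 if any.
check_al2023_signing() {
    rc=0
    if ! rpm -q gpg-pubkey --qf '%{SUMMARY}\n' 2>/dev/null | grep -q 'Amazon Linux'; then
        echo "FINDING: no Amazon Linux GPG key installed (rpm -q gpg-pubkey)"; rc=1
    fi
    if [ ! -r "$KEYFILE" ]; then
        echo "FINDING: key file $KEYFILE is missing"; rc=1
    elif ! gpg -q --keyid-format short --with-fingerprint "$KEYFILE" 2>/dev/null \
            | fp_matches "$EXPECTED_FP"; then
        echo "FINDING: fingerprint of $KEYFILE does not match the expected value"; rc=1
    fi
    if ! dnf_gpgcheck_enabled < /etc/dnf/dnf.conf; then
        echo "FINDING: gpgcheck=1 not set under [main] in /etc/dnf/dnf.conf"; rc=1
    fi
    return "$rc"
}
```

Note that per-repository files under /etc/yum.repos.d can set gpgcheck=0 and override the [main] setting; this script checks only what the STIG text specifies.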
Additional Identifiers
Rule ID: SV-273995r1119973_rule
Vulnerability ID: V-273995
Group Title: SRG-OS-000366-GPOS-00153
CCIs
| Number | Definition |
|---|---|
| CCI-003992 | Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
| Number | Title |
|---|---|
| CM-14 | Signed Components |