Check: OL6-00-000008
Oracle Linux 6 STIG:
OL6-00-000008
(in versions v2 r7 through v1 r11)
Title
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Cat I impact)
Discussion
This key is necessary to cryptographically verify that packages are from the operating system vendor.
Check Content
To ensure that the GPG key is installed, run:

    # rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/"

The command should return the string below:

    72F97B74EC551F03

If the operating system vendor GPG Key is not installed, this is a finding.
Fix Text
To ensure the system can cryptographically verify that software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must be properly installed. To ensure the GPG key is installed, run:

    # wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
    # rpm --import RPM-GPG-KEY-oracle-ol6
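One way to script the check and to guard the import step, as an added example that is not part of the STIG text. It reuses the page's own filter and long key ID; the function names and the sample listing line are constructed for illustration, and it assumes the gpg listing layout that the Check Content command expects.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Function names are illustrative.
EXPECTED_KEYID="72F97B74EC551F03"   # long key ID from the Check Content

# Constructed sample of one listing line in the layout the STIG filter
# expects (key size, date and name are made up for illustration).
SAMPLE_LISTING='pub  2048R/72F97B74EC551F03 2010-01-01 Constructed Vendor <key@oracle.com>'

# Extract the long key ID from a gpg key listing on stdin, using the same
# grep/cut filter as the Check Content command.
vendor_long_keyid() {
    grep oracle.com | cut -f3 -d" " | cut -f2 -d"/"
}

# Succeed only when the listing yields exactly the expected ID. No match
# (empty output) or several matching lines both fail the comparison.
keyid_ok() {
    got=$(vendor_long_keyid)
    [ "$got" = "$EXPECTED_KEYID" ]
}

# Check: report the state of the key held in the RPM database.
audit_installed_key() {
    if rpm -qi gpg-pubkey-ec551f03 2>/dev/null |
        gpg --keyid-format long 2>/dev/null | keyid_ok; then
        echo "OL6-00-000008: not a finding"
    else
        echo "OL6-00-000008: FINDING"
        return 1
    fi
}

# Fix: import a downloaded key file only when it carries the expected ID.
import_vendor_key() {
    keyfile=$1
    if gpg --keyid-format long < "$keyfile" 2>/dev/null | keyid_ok; then
        rpm --import "$keyfile"
    else
        echo "refusing to import $keyfile: key ID mismatch" >&2
        return 1
    fi
}
```

Because the Fix Text fetches the key file over plain HTTP, comparing the ID before `rpm --import` catches a wrong or substituted file. Where the vendor publishes the full key fingerprint, compare that rather than the 64-bit key ID.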
Additional Identifiers
Rule ID: SV-219543r854338_rule
Vulnerability ID: V-219543
Group Title: SRG-OS-000366
CCIs
Number | Definition |
---|---|
CCI-000352 | The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. |
CCI-001749 | The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
Number | Title |
---|---|
CM-5 (3) | Signed Components |