Check: RHEL-06-000008
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000008
(in versions v2 r2 through v1 r14)
Title
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Cat I impact)
Discussion
The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat.
Check Content
To ensure that the GPG keys are installed, run: $ rpm -q gpg-pubkey The command should return the strings below: gpg-pubkey-fd431d51-4ae0493b gpg-pubkey-2fa658e0-45700c69 If the Red Hat GPG Keys are not installed, this is a finding.
Fix Text
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: # rhn_register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in "/media/cdrom", use the following command as the root user to import them into the keyring: # rpm --import /media/cdrom/RPM-GPG-KEY
Additional Identifiers
Rule ID: SV-217852r603264_rule
Vulnerability ID: V-217852
Group Title: SRG-OS-000366
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000352 |
The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization. |
| CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
| Number | Title |
|---|---|
| CM-5 (3) |
Signed Components |