Title

RHEL 8 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository. (Cat I impact)

Discussion

The EPEL is a repository of high-quality open-source packages for enterprise-class Linux distributions such as RHEL, CentOS, AlmaLinux, Rocky Linux, and Oracle Linux. These packages are not part of the official distribution but are built using the same Fedora build system to ensure compatibility and maintain quality standards.

Check Content

Verify that RHEL 8 is not able to install packages from the EPEL with the following command: $ dnf repolist rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) rhel-8-for-x86_64-baseos-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) rhel-8-for-x86_64-baseos-source-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (Source RPMs) rhel-8-for-x86_64-supplementary-rpms Red Hat Enterprise Linux 8 for x86_64 - Supplementary (RPMs) satellite-tools-6.10-for-rhel-8-x86_64-rpms Red Hat Satellite Tools 6.10 for RHEL 8 x86_64 (RPMs) If any repositories containing the word "epel" in the name exist, this is a finding.

Fix Text

The repo package can be manually removed with the following command: $ sudo dnf remove epel-release Configure the operating system to disable use of the EPEL repository with the following command: $ sudo dnf config-manager --set-disabled epel

Additional Identifiers

Rule ID: SV-230492r1134888_rule

Vulnerability ID: V-230492

Group Title: SRG-OS-000095-GPOS-00049

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.