Profile Applicability:
 • Level 1

Description:
 GPG (GNU Privacy Guard) keys are the public keys that the package manager (rpm/yum/dnf on RPM-based systems, apt on Debian-based systems) uses to verify the signatures on packages and repository metadata before installation or update. Proper configuration of GPG keys, together with signature checking enabled in the package manager, ensures that packages come from the expected publisher and have not been altered in transit or on a mirror.

Rationale:
 Configuring trusted GPG keys and enforcing signature verification prevents installation of packages that were not signed by a trusted key. Without it, a compromised or malicious mirror, a hijacked repository URL, or an attacker in the network path could deliver modified packages that the system would accept. Enforcing verification reduces that risk and maintains trust in the installed software.

Impact:
 Pros:

  • Ensures that software packages are from trusted sources.

  • Protects the system from installation of unauthorized or altered packages.

 Cons:

  • Improper configuration (a missing, expired or replaced vendor key, or a repository signed with a key that has not been imported) blocks legitimate package installations until the key is corrected.

  • Requires ongoing management of trusted keys, including removing keys that are no longer needed and importing replacements when a vendor rotates its signing key.

Default Value:
 Many Linux distributions include default trusted GPG keys for their own repositories, but additional keys may be needed depending on enabled repositories, and third-party repository definitions do not always enable signature checking.

Pre-requisites:

  • Root or sudo privileges to manage GPG keys and package manager configurations.

Remediation:

Test Plan:

Using Linux command line:

  1. List imported GPG keys:

For RPM-based systems (the SUMMARY field shows the key owner, which is how to spot an unexpected key):

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} --> %{SUMMARY}\n'

For Debian-based systems:

apt-key list

(apt-key is deprecated; its man page states it will last be available in Debian 11 and Ubuntu 22.04. On those and later releases also list the keyring files under /etc/apt/trusted.gpg.d/ and /etc/apt/keyrings/, and check which keyring each sources entry references with the signed-by option.)

  2. Verify that the package manager checks signatures during installs and updates. On RPM-based systems, gpgcheck=1 must be set in the [main] section of /etc/yum.conf (or /etc/dnf/dnf.conf) and must not be overridden with gpgcheck=0 in any section of /etc/yum.repos.d/*.repo; a repository section without its own gpgcheck line inherits the [main] value, and if neither sets it the default is 0. On Debian-based systems, APT::Get::AllowUnauthenticated must not be set to "true" in /etc/apt/apt.conf.d/, and no entry in /etc/apt/sources.list or /etc/apt/sources.list.d/ may carry the [trusted=yes] option (or Trusted: yes in a deb822 .sources file).
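The two checks in the Test Plan, as an added example script that is not part of the benchmark: audit_yum_gpgcheck reports every repository section that does not end up with gpgcheck=1 (honouring inheritance from [main]), and audit_apt_auth reports AllowUnauthenticated and trusted=yes settings. Both take explicit file paths, so they can be pointed at the real files (/etc/yum.conf, /etc/yum.repos.d/*.repo, /etc/apt/apt.conf.d/*, /etc/apt/sources.list, /etc/apt/sources.list.d/*) or at the constructed sample files that run_sample_audit writes to a temporary directory; the repository names and URLs in those samples are made up.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit package-manager signature checking.
# Live usage:
#   audit_yum_gpgcheck /etc/yum.conf /etc/yum.repos.d/*.repo
#   audit_apt_auth /etc/apt/apt.conf.d/* /etc/apt/sources.list /etc/apt/sources.list.d/*

# Report every repository section in the given files that does not end up with
# gpgcheck=1. A section without its own gpgcheck line inherits the [main] value from
# the first argument (yum.conf or dnf.conf); if [main] does not set it, the default is 0.
# Returns 1 if any repository fails, 0 otherwise.
audit_yum_gpgcheck() {
    main_conf="$1"; shift
    main_gpg=$(sed -n 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$main_conf" | tail -n 1)
    [ -n "$main_gpg" ] || main_gpg=0
    fail=0
    for f in "$@"; do
        awk -v main_gpg="$main_gpg" -v file="$f" '
            function report(   g) {
                if (sec == "" || sec == "main") return
                g = have ? gpg : main_gpg
                if (g != "1") { print "FAIL " file " [" sec "] gpgcheck=" g; bad = 1 }
            }
            /^[[:space:]]*\[[^]]+\]/ {            # start of a repository section
                report()
                sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
                have = 0; gpg = ""
                next
            }
            /^[[:space:]]*gpgcheck[[:space:]]*=/ { # gpgcheck line inside the current section
                split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); gpg = kv[2]; have = 1
            }
            END { report(); exit bad + 0 }
        ' "$f" || fail=1
    done
    return $fail
}

# Flag apt settings that bypass signature checking: APT::Get::AllowUnauthenticated
# set to true in an apt.conf fragment, the [trusted=yes] option on a one-line sources
# entry, or Trusted: yes in a deb822 .sources file. Returns 1 if anything is found.
audit_apt_auth() {
    fail=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eiq 'AllowUnauthenticated[[:space:]]*"?(true|yes|1)' "$f"; then
            echo "FAIL $f: APT::Get::AllowUnauthenticated is enabled"; fail=1
        fi
        if grep -Eiq '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted[[:space:]]*=[[:space:]]*yes|^[[:space:]]*Trusted:[[:space:]]*yes' "$f"; then
            echo "FAIL $f: repository marked trusted, signature check bypassed"; fail=1
        fi
    done
    return $fail
}

# Run both audits on constructed sample files (names and URLs are made up).
# "base" inherits gpgcheck=1 from [main] and passes; "vendor-extra" and both apt
# files are reported, so the function returns 1.
run_sample_audit() {
    d=$(mktemp -d) || return 2
    printf '[main]\ngpgcheck=1\ninstallonly_limit=3\n' > "$d/yum.conf"
    printf '[base]\nname=Base (constructed sample)\nbaseurl=https://repo.example.invalid/base\n' > "$d/base.repo"
    printf '[vendor-extra]\nname=Vendor extras (constructed sample)\nbaseurl=https://repo.example.invalid/extra\ngpgcheck = 0\n' > "$d/extra.repo"
    printf 'APT::Get::AllowUnauthenticated "true";\n' > "$d/99unauth"
    printf 'deb [trusted=yes] https://mirror.example.invalid/debian bookworm main\n' > "$d/sources.list"
    rc=0
    audit_yum_gpgcheck "$d/yum.conf" "$d/base.repo" "$d/extra.repo" || rc=1
    audit_apt_auth "$d/99unauth" "$d/sources.list" || rc=1
    rm -rf "$d"
    return $rc
}

if run_sample_audit; then echo "sample audit: clean"; else echo "sample audit: findings reported"; fi
```

The yum check deliberately parses sections rather than grepping for gpgcheck=0, because a repository file that simply omits gpgcheck is only safe when [main] sets it to 1, and that inheritance is the case a plain grep misses.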

Implementation Plan:

Using Linux command line:

  1. Import the required GPG keys, obtained from the vendor through a trusted channel (for example the key file shipped in /etc/pki/rpm-gpg/, or a key whose fingerprint has been compared against the fingerprint the vendor publishes):

RPM-based:

rpm --import /path/to/RPM-GPG-KEY

Debian-based:

apt-key add /path/to/KEYFILE

(apt-key is deprecated; its man page states it will last be available in Debian 11 and Ubuntu 22.04. On those and later releases, place the binary keyring under /etc/apt/keyrings/ and reference it from the repository's sources entry with the signed-by option, so the key is trusted only for that repository rather than for every configured one.)

  2. Ensure the package manager configuration enforces signature verification: gpgcheck=1 in the [main] section of /etc/yum.conf (or /etc/dnf/dnf.conf) and not overridden in any repository section, and on Debian-based systems no APT::Get::AllowUnauthenticated "true" setting and no [trusted=yes] option on any sources entry.

  3. Update package metadata and refresh repositories (yum makecache or dnf makecache; apt-get update) and confirm that no signature or missing-key warnings are reported.
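The Debian-based side of the Implementation Plan, as an added example that is not part of the benchmark: install_apt_signed_repo places a repository key under /etc/apt/keyrings/ and writes a sources entry that pins the repository to that key with signed-by, the replacement for apt-key add. The vendor name, key file and URL are placeholders, and the optional last argument lets the function run against a scratch directory instead of /, which demo_signed_repo uses with a constructed fake binary key so the example runs without root or network.

```shell
#!/bin/sh
# Added example (not from the benchmark): register an apt repository with its key
# scoped to that repository via signed-by instead of the deprecated apt-key add.
# Vendor name, key file and URL are placeholders. The optional ROOT argument
# defaults to / and exists so the function can be exercised on a scratch directory.

# install_apt_signed_repo NAME KEYFILE URL SUITE COMPONENTS [ROOT]
install_apt_signed_repo() {
    name="$1"; keyfile="$2"; url="$3"; suite="$4"; components="$5"; root="${6:-/}"
    keyrings="$root/etc/apt/keyrings"
    sources="$root/etc/apt/sources.list.d"
    keyring="$keyrings/$name.gpg"
    [ -r "$keyfile" ] || { echo "key file $keyfile is not readable" >&2; return 1; }
    mkdir -p "$keyrings" "$sources" && chmod 0755 "$keyrings" || return 1
    # apt reads binary keyrings: dearmor ASCII-armored keys (needs gpg), copy binary ones.
    if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        command -v gpg >/dev/null 2>&1 || { echo "gpg is required to dearmor $keyfile" >&2; return 1; }
        gpg --dearmor --yes --output "$keyring" "$keyfile" || return 1
    else
        cp "$keyfile" "$keyring" || return 1
    fi
    chmod 0644 "$keyring"   # the unprivileged _apt user must be able to read the keyring
    # signed-by pins this repository to its own key. The path written is the runtime
    # path, not the scratch-root path, because apt resolves it on the installed system.
    printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s %s %s\n' \
        "$name" "$url" "$suite" "$components" > "$sources/$name.list"
}

# Demonstration on a scratch root with a constructed fake binary key blob. On a real
# host, omit the last argument, pass the vendor key whose fingerprint you verified,
# and follow with apt-get update.
demo_signed_repo() {
    scratch=$(mktemp -d) || return 2
    printf '\231\002\003constructed-fake-keyring' > "$scratch/vendor.bin"
    install_apt_signed_repo vendor "$scratch/vendor.bin" \
        https://repo.example.invalid/debian bookworm main "$scratch" || return 1
    cat "$scratch/etc/apt/sources.list.d/vendor.list"
    rm -rf "$scratch"
}

demo_signed_repo
```

Keys dropped into /etc/apt/trusted.gpg.d/ (or added with apt-key) are accepted for every configured repository, so a compromised third-party key could sign packages for the distribution's own repositories; signed-by limits the blast radius of one bad key to the repository it was issued for.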

Backout Plan:

Using Linux command line:

  1. Remove untrusted or problematic keys:

RPM-based (the key ID is the VERSION part of the package name shown by rpm -q gpg-pubkey):

rpm -e gpg-pubkey-<keyid>

Debian-based:

apt-key del <keyid>

(On releases where apt-key is deprecated, delete the keyring file from /etc/apt/keyrings/ or /etc/apt/trusted.gpg.d/ instead, and remove or disable the sources entry that references it.)

  2. Revert any package manager settings changed during implementation and rerun the Test Plan. Do not disable signature checking (gpgcheck=0, AllowUnauthenticated, [trusted=yes]) as a workaround for a repository whose key cannot be imported.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • GnuPG Official Documentation