Profile Applicability:
• Level 1
Description:
The gpgcheck option in package managers ensures that all packages are verified against their GPG signatures before installation or updates. Enabling gpgcheck globally enforces signature verification across all repositories, preventing installation of untrusted or tampered packages.
Rationale:
Activating gpgcheck globally enhances system security by ensuring that only packages signed with trusted GPG keys are installed, reducing risks from compromised or malicious software.
Impact:
Pros:
Prevents installation of unsigned or malicious packages.
Improves overall system trustworthiness and compliance.
Cons:
Misconfigured or missing keys may cause package installation failures.
Requires proper management of trusted keys.
Default Value:
The gpgcheck option may be disabled or enabled by default depending on the distribution and package manager configuration.
Pre-requisites:
Root or sudo privileges to modify package manager configuration files.
Remediation:
Test Plan:
Using Linux command line:
1. Check if gpgcheck is enabled globally:
grep -i '^gpgcheck' /etc/yum.conf
2. Confirm the value is 1 (enabled).
Implementation Plan:
Using Linux command line:
1. Edit /etc/yum.conf (for RPM-based systems) and set:
gpgcheck=1
2. Save the configuration.
3. Refresh repository metadata:
yum clean all
yum repolist
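The audit above only inspects the global file. A per-repository gpgcheck value in /etc/yum.repos.d/*.repo takes precedence over the [main] setting, so a thorough check also flags repositories that set gpgcheck=0. The following helper is an added example, not part of the benchmark text; the file paths are passed as arguments (on a real host, /etc/yum.conf and /etc/yum.repos.d).

```shell
#!/bin/sh
# Added example (not from the benchmark): audits the yum gpgcheck setting.
# Paths are arguments so the functions can run against test copies; on a
# real host pass /etc/yum.conf and /etc/yum.repos.d.

# Returns 0 when the last uncommented gpgcheck line in [main] is "1".
global_gpgcheck_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(awk -F= '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/) }
        in_main && /^[ \t]*gpgcheck[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
        END { print v }' "$conf")
    [ "$val" = "1" ]
}

# Prints "file:section" for every repository section in DIR/*.repo that
# sets gpgcheck=0 (a per-repo value takes precedence over [main]).
# Returns 0 when no such override exists, 1 otherwise.
repo_gpgcheck_overrides() {
    dir="$1"
    rc=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        bad=$(awk -F= '
            /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec) }
            /^[ \t]*gpgcheck[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); if (v == "0") print sec }' "$f")
        for s in $bad; do
            echo "$f:$s"
            rc=1
        done
    done
    return $rc
}

# Combined audit: 0 only if the global value is 1 and no repository overrides it.
audit_gpgcheck() {
    status=0
    if global_gpgcheck_enabled "$1"; then
        echo "PASS: gpgcheck=1 in [main] of $1"
    else
        echo "FAIL: gpgcheck is not 1 in [main] of $1"; status=1
    fi
    if repo_gpgcheck_overrides "$2"; then
        echo "PASS: no repository under $2 sets gpgcheck=0"
    else
        echo "FAIL: repositories listed above set gpgcheck=0"; status=1
    fi
    return $status
}
```

Run as `audit_gpgcheck /etc/yum.conf /etc/yum.repos.d` on the host; a non-zero exit means the control is not met.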
Backout Plan:
Using Linux command line:
Revert the gpgcheck setting to its previous value (e.g., 0) in /etc/yum.conf.
Clean cache and refresh repositories if needed.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Red Hat Yum Configuration