Profile Applicability:
 • Level 2

Description:
 The repo_gpgcheck option enforces verification of repository metadata signatures using GPG keys. Enabling this setting globally ensures that the metadata used by package managers to list and retrieve packages is verified, preventing the use of tampered or malicious repository information.

Rationale:
 Activating repo_gpgcheck globally enhances security by ensuring repository metadata integrity, reducing risks from compromised or malicious repositories.

Impact:
 Pros:

  • Prevents use of unsigned or malicious repository metadata.

  • Strengthens overall package management security.

 Cons:

  • Misconfiguration may cause repository access issues if keys are missing or invalid.

Default Value:
 The repo_gpgcheck option is often disabled by default and must be explicitly enabled.

Pre-requisites:

  • Root or sudo privileges to modify repository configuration files.

Remediation:

Test Plan:

Using Linux command line:

  1. Check the current global repo_gpgcheck setting in /etc/yum.conf:
    grep -i '^repo_gpgcheck' /etc/yum.conf

  2. Confirm that the returned line sets the value to 1 (enabled); no output means the option is not set globally.

Implementation Plan:

Using Linux command line:

  1. Edit /etc/yum.conf and add or modify the line:
    repo_gpgcheck=1

  2. Save the file and exit.

  3. Test repository access and package listing.
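The audit and remediation steps above, as an added shell example that is not part of the benchmark: it checks for, and sets, repo_gpgcheck=1 in the [main] section of a yum.conf-style file (the global section yum reads; assumed here), taking the file path as an argument so it can be tried against a constructed copy before touching /etc/yum.conf.

```shell
#!/bin/sh
# Added example (not from the benchmark). Both functions default to
# /etc/yum.conf; pass another path to test against a constructed file.
# Usage: audit_repo_gpgcheck [conf]; remediate_repo_gpgcheck [conf]

# Return 0 if repo_gpgcheck=1 is set in [main], 1 otherwise.
# Only lines inside [main] count; like yum, the last assignment wins.
audit_repo_gpgcheck() {
    conf="${1:-/etc/yum.conf}"
    [ -r "$conf" ] || return 1
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && /^[ \t]*repo_gpgcheck[ \t]*=/ {
            split($0, kv, "="); val = kv[2]; gsub(/[ \t]/, "", val)
        }
        END { exit (val == "1" ? 0 : 1) }
    ' "$conf"
}

# Set repo_gpgcheck=1 in [main]: rewrite the first existing assignment,
# drop duplicates, or append the line (and a [main] header if missing).
# Other sections are left untouched; file permissions are preserved.
remediate_repo_gpgcheck() {
    conf="${1:-/etc/yum.conf}"
    tmp="$conf.tmp.$$"
    awk '
        /^[ \t]*\[/ {
            # Leaving [main] without having seen the option: insert it.
            if (in_main && !done) { print "repo_gpgcheck=1"; done = 1 }
            in_main = ($0 ~ /^[ \t]*\[main\]/)
            if (in_main) saw_main = 1
        }
        in_main && /^[ \t]*repo_gpgcheck[ \t]*=/ {
            if (!done) { print "repo_gpgcheck=1"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!saw_main) print "[main]"; print "repo_gpgcheck=1" }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

A repo_gpgcheck line in a .repo file under /etc/yum.repos.d overrides the global value for that repository, so this audit only reports the default that unconfigured repositories inherit.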

Backout Plan:

Using Linux command line:

  1. Remove the line or set repo_gpgcheck=0 in /etc/yum.conf to disable the check.

  2. Save and test package manager functionality.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • Red Hat Yum Repository Configuration