
The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.


Finding ID: V-38462
Version: RHEL-06-000514
Rule ID: SV-50262r1_rule
IA Controls: (not listed)
Severity: High
Verifying that all packages' cryptographic signatures are valid prior to installation establishes the provenance of the software and protects against malicious tampering.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2015-05-26


Check Text (C-46017r1_chk)
Verify RPM signature validation is not disabled:
# grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc
If any configuration is found, this is a finding.
Fix Text (F-43407r1_fix)
Edit the RPM configuration files containing the "nosignature" option and remove the option.
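Added example (not part of the STIG text): a POSIX sh audit function that performs the check above over the listed rpmrc files, skipping files that do not exist and ignoring commented-out lines so a disabled option is not reported, and returning a non-zero status when an active "nosignature" option is found. It assumes ~root resolves to /root.

```shell
#!/bin/sh
# Added audit helper for RHEL-06-000514 (not part of the STIG text).
# Files are those named in the check text; ~root is assumed to be /root.
RPMRC_FILES="/etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc /root/.rpmrc"

# check_nosignature [file ...]
# Prints file:line:text for every uncommented line containing "nosignature".
# Returns 0 when nothing is found (compliant), 1 when at least one active
# occurrence exists (finding). Missing files are skipped rather than reported
# as grep errors.
check_nosignature() {
    _found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # grep -n keeps the original line number; the second grep drops
        # lines whose first non-blank character is '#', i.e. comments.
        _hits=$(grep -n 'nosignature' "$f" | grep -v '^[0-9]*:[[:space:]]*#')
        if [ -n "$_hits" ]; then
            _found=1
            printf '%s\n' "$_hits" | sed "s|^|$f:|"
        fi
    done
    return $_found
}

# Stand-alone use: scan the configured file list (unquoted so it word-splits).
if check_nosignature $RPMRC_FILES; then
    echo "RHEL-06-000514: no active nosignature option found (not a finding)"
else
    echo "RHEL-06-000514: active nosignature option present (finding)" >&2
    exit 1
fi
```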