UCF STIG Viewer Logo

The system package management tool must cryptographically verify the authenticity of all software packages during installation.


Finding ID Version Rule ID IA Controls Severity
V-217856 RHEL-06-000015 SV-217856r505923_rule Low
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2020-09-03


Check Text ( C-19337r376583_chk )
To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections:


A value of "0" indicates that "gpgcheck" has been disabled for that repo.
If GPG checking is disabled, this is a finding.

If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
Fix Text (F-19335r376584_fix)
To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form: