The HYCU virtual appliance must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Overview

Finding ID: V-268283
Version: HYCU-ND-000760
Rule ID: SV-268283r1038766_rule
IA Controls: CCI-003992
Severity: medium
Description
Changes to any software components can have significant effects on the overall security of the network device. Verifying that software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, and application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from the vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again after installation. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be issued by an approved CA.
STIG: HYCU Protege Security Technical Implementation Guide
Date: 2024-10-29

Details

Check Text (C-268283r1038766_chk)

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.

Check that YUM verifies the signature of packages from a repository prior to install with the following command:

$ sudo grep -E '^\[.*\]|gpgcheck' /etc/yum.repos.d/*.repo
/etc/yum.repos.d/appstream.repo:[appstream]
/etc/yum.repos.d/appstream.repo:gpgcheck=1
/etc/yum.repos.d/baseos.repo:[baseos]
/etc/yum.repos.d/baseos.repo:gpgcheck=1

If "gpgcheck" is not set to "1" in every repository section, or if the option is missing or commented out, this is a finding.

Execute the following command to check the kernel and cryptographic libraries, as well as the SHA256 checksums of the application files:

$ sudo /opt/grizzly/bin/hycu-selftest.sh

If the output is not OK for the OS section, this is a finding. If the output reports an error for any file other than /etc/issue in the App section, this is a finding.
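The grep in the check above lists every section header and every gpgcheck line, but the reviewer still has to pair them up by eye and notice a section whose gpgcheck line is absent, commented out, or set to 0. The following shell script is an added example, not part of the STIG or HYCU's own tooling: it walks each .repo file section by section with awk and prints a FINDING line for any section that lacks an active "gpgcheck=1". The repo files it audits in the demo are constructed samples written to a temporary directory; on a real appliance you would call audit_repo_dir /etc/yum.repos.d instead.

```shell
#!/bin/sh
# Added example (not from the STIG or from HYCU): audit yum/dnf repo files
# for the gpgcheck=1 requirement. Returns 0 when every [section] in every
# *.repo file under the directory has an uncommented "gpgcheck=1", else 1.
audit_repo_dir() {
    dir="$1"
    findings=0
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        # One awk pass per file: a section passes only if a line matching
        # "gpgcheck=1" (not commented, value exactly 1) appears before the
        # next [section] header or end of file.
        awk -v file="$f" '
            function flush() {
                if (section != "" && !ok) {
                    printf "FINDING: %s [%s] gpgcheck missing, commented out, or not 1\n", file, section
                    bad++
                }
            }
            /^[ \t]*\[.*\][ \t]*$/ {
                flush()
                section = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
                ok = 0
                next
            }
            /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
            END { flush(); exit (bad > 0) }
        ' "$f" || findings=1
    done
    return $findings
}

# Constructed sample repo files (hypothetical names and URLs) so the example
# runs offline: one fully compliant file and one with two non-compliant sections.
make_sample_repos() {
    d=$(mktemp -d)
    cat > "$d/baseos.repo" <<'EOF'
[baseos]
name=BaseOS (constructed sample)
baseurl=https://example.invalid/baseos
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
    cat > "$d/extras.repo" <<'EOF'
[extras]
name=Extras (constructed sample, gpgcheck disabled)
baseurl=https://example.invalid/extras
gpgcheck=0

[appstream]
name=AppStream (constructed sample, compliant)
gpgcheck=1

[debug]
name=Debug (constructed sample, option commented out)
#gpgcheck=1
EOF
    echo "$d"
}

# Demo run against the constructed samples; real use: audit_repo_dir /etc/yum.repos.d
SAMPLE_DIR=$(make_sample_repos)
if audit_repo_dir "$SAMPLE_DIR"; then
    echo "no findings: every repository section enforces gpgcheck=1"
else
    echo "findings present: set gpgcheck=1 in each listed section before installing packages"
fi
rm -rf "$SAMPLE_DIR"
```

The demo reports findings for the [extras] section (gpgcheck=0) and the [debug] section (option commented out) while [baseos] and [appstream] pass, which mirrors the three failure modes the check text names: not set to 1, missing, or commented out.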

Fix Text (F-72207r1038765_fix)

Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in every repo file in /etc/yum.repos.d/:

gpgcheck=1

Check the output of "sudo /opt/grizzly/bin/hycu-selftest.sh". Investigate each file listed in the error output to determine a fix.