{"description": "Verify the operating system prevents the installation of patches,\nservice packs, device drivers, or operating system components of\nlocal packages without verification of the repository metadata.\nCheck that <tt>apt_get</tt> verifies the repository\nmetadata prior to install with the following command.\nThis should be configured by setting <tt>repo_gpgcheck</tt> to <tt>1</tt>\nin <tt>/etc/apt/apt.conf</tt>.", "rationale": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the\nsoftware has not been tampered with and has been provided by a trusted vendor.\nAccordingly, patches, service packs, device drivers, or operating system\ncomponents must be signed with a certificate recognized and approved by\nthe organization. Verifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from\na vendor. This ensures the software has not been tampered with and that it\nhas been provided by a trusted vendor. Self-signed certificates are\ndisallowed by this requirement. The operating system should not have\nto verify the software again. NOTE: For U.S.\nMilitary systems, this\nrequirement does not mandate DoD certificates for this purpose; however,\nthe certificate used to verify the software must be from an approved\nCertificate Authority.", "severity": "high", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.312(b)", "164.312(c)(1)", "164.312(c)(2)", "164.312(e)(2)(i)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-5(3)", "SI-7", "SC-12", "SC-12(3)", "CM-6(a)", "SA-12", "SA-12(10)", "CM-11(a)", "CM-11(b)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000366-GPOS-00153"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "gpgcheck is not enabled or configured correctly to verify repository metadata", "ocil": "To verify that <tt>repo_gpgcheck</tt> is configured properly, run the following\ncommand:\n<pre>$ grep repo_gpgcheck /etc/apt/apt.conf</pre>\nThe output should return something similar to:\n<pre>repo_gpgcheck=1</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[apt_get]", "platforms": ["package[apt_get]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_apt_get"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure gpgcheck Enabled for Repository Metadata", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml", "template": null}