{"description": "To ensure the system can cryptographically verify base software packages\ncome from Red Hat (and to connect to the Red Hat Network to receive them),\nthe Red Hat GPG key must properly be installed. To install the Red Hat GPG\nkey, run:\n$ sudo subscription-manager register
\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the Red Hat GPG key from trusted media such as the Red Hat\ninstallation CD-ROM or DVD. Assuming the disc is mounted in\n/media/cdrom, use the following command as the root user to import\nit into the keyring:\n$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
\n\nAlternatively, the key may be pre-loaded during the RHEL installation. In\nsuch cases, the key can be installed by running the following command:\nsudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
", "rationale": "Changes to software components can have significant effects on the overall\nsecurity of the operating system. This requirement ensures the software has\nnot been tampered with and that it has been provided by a trusted vendor.\nThe Red Hat GPG key is necessary to cryptographically verify packages are\nfrom Red Hat.", "severity": "high", "references": {"cis-csc": ["11", "2", "3", "9"], "cjis": ["5.10.4.1"], "cobit5": ["APO01.06", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS06.02"], "cui": ["3.4.8"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.312(b)", "164.312(c)(1)", "164.312(c)(2)", "164.312(e)(2)(i)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.4"], "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-003-8 R6", "CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2", "CIP-007-3 R5.1"], "nist": ["CM-5(3)", "SI-7", "SC-12", "SC-12(3)", "CM-6(a)"], "nist-csf": ["PR.DS-6", "PR.DS-8", "PR.IP-1"], "ospp": ["FPT_TUD_EXT.1", "FPT_TUD_EXT.2"], "pcidss": ["Req-6.2"], "srg": ["SRG-OS-000366-GPOS-00153"], "anssi": ["R59"], "ism": ["1493"], "pcidss4": ["6.3.3", "6.3"]}, "control_references": {"anssi": ["R59"], "ism": ["1493"], "pcidss4": ["6.3.3", "6.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the Red Hat GPG Key is not installed", "ocil": "To ensure that the GPG key is installed, run:\n$ rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey\nThe command should return the string below:\ngpg(Red Hat, Inc. (release key 2) <security@redhat.com>
", "oval_external_content": null, "fixtext": "Install Ubuntu 22.04 GPG key. Run the following command:\n$ sudo rpm --import \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\"", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure cryptographic verification of vendor software packages.", "vuldiscussion": "Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.", "checktext": "Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.\n\nNote: For Ubuntu 22.04 software packages, Red Hat uses GPG keys labeled \"release key 2\" and \"auxiliary key 3\". The keys are defined in key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" by default.\n\nList Red Hat GPG keys installed on the system:\n\n$ sudo rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey | grep -i \"red hat\"\n\nRed Hat, Inc. (release key 2) <security@redhat.com> public key\nRed Hat, Inc. (auxiliary key 3) <security@redhat.com> public key\n\nIf Red Hat GPG keys \"release key 2\" and \"auxiliary key 3\" are not installed, this is a finding.\n\nList key fingerprints of installed Red Hat GPG keys:\n\n$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nIf key file \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\" is missing, this is a finding.\n\nExample output:\n\npub rsa4096/FD431D51 2009-10-22 [SC]\n Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51\nuid Red Hat, Inc. (release key 2) <security@redhat.com>\npub rsa4096/5A6340B3 2022-03-09 [SC]\n Key fingerprint = 7E46 2425 8C40 6535 D56D 6F13 5054 E4A4 5A63 40B3\nuid Red Hat, Inc. (auxiliary key 3) <security@redhat.com>\n\nCompare key fingerprints of installed Red Hat GPG keys with fingerprints listed for Ubuntu 22.04 on Red Hat \"Product Signing Keys\" webpage at https://access.redhat.com/security/team/key.\n\nIf key fingerprints do not match, this is a finding.", "fixtext": "Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.\n\nInsert Ubuntu 22.04 installation disc or attach Ubuntu 22.04 installation image to the system. Mount the disc or image to make the contents accessible inside the system.\n\nAssuming the mounted location is \"/media/cdrom\", use the following command to copy Red Hat GPG key file onto the system:\n\n$ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/\n\nImport Red Hat GPG keys from key file into system keyring:\n\n$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\nUsing the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Red Hat GPG Key Installed", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml", "template": null}