{"description": "To ensure signature checking is enabled for all package repositories, the\n<tt>gpgcheck</tt> option must be enabled for all repos.\nConfigure the operating system to verify the signature of packages from\na repository prior to install by setting the following option in\nthe <tt>\"/etc/yum.repos.d/[your_repo_name].repo\"</tt> file:\n<pre>gpgcheck=1</pre>", "rationale": "Changes to any software components can have significant effects on the\noverall security of the operating system. This requirement ensures the\nsoftware has not been tampered with and that it has been provided by\na trusted vendor.", "severity": "high", "references": {"srg": ["SRG-OS-000366-GPOS-00153"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "GPG checking is disabled", "ocil": "To determine whether <tt>apt_get</tt> has been configured to disable\n<tt>gpgcheck</tt> for any repos, inspect all files in\n<tt></tt> and ensure the following does not appear in any\nsections:\n<pre>gpgcheck=0</pre>\nA value of <tt>0</tt> indicates that <tt>gpgcheck</tt> has been disabled for that repo.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to verify the signature of packages from a repository prior to install by setting the following option in the \"/etc/yum.repos.d/[your_repo_name].repo\" file:\n\ngpgcheck=1", "checktext": "Verify Ubuntu 22.04 prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.\n\nCheck that apt_get verifies the signature of packages from a repository prior to install with the following command:\n\n$ sudo grep -E '^\\[.*\\]|gpgcheck' /etc/yum.repos.d/*.repo\n\n/etc/yum.repos.d/appstream.repo:[appstream]\n/etc/yum.repos.d/appstream.repo:gpgcheck=1\n/etc/yum.repos.d/baseos.repo:[baseos]\n/etc/yum.repos.d/baseos.repo:gpgcheck=1\n\nIf \"gpgcheck\" is not set to \"1\", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.\n\nIf there is no process to validate certificates that is approved by the organization, this is a finding.", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure gpgcheck Is Enabled for All Package Repositories", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml", "template": null}