{
  "description": "To ensure signature checking is not disabled for\nany repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:\n<pre>gpgcheck=0</pre>",
  "rationale": "Verifying the authenticity of the software prior to installation validates\nthe integrity of the patch or upgrade received from a vendor. This ensures\nthe software has not been tampered with and that it has been provided by a\ntrusted vendor. Self-signed certificates are disallowed by this\nrequirement. Certificates used to verify the software must be from an\napproved Certificate Authority (CA).",
  "severity": "high",
  "references": {
    "cis-csc": ["11", "2", "3", "9"],
    "cjis": ["5.10.4.1"],
    "cobit5": ["APO01.06", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS06.02"],
    "cui": ["3.4.8"],
    "hipaa": ["164.308(a)(1)(ii)(D)", "164.312(b)", "164.312(c)(1)", "164.312(c)(2)", "164.312(e)(2)(i)"],
    "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.4"],
    "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8", "SR 7.6"],
    "iso27001-2013": ["A.11.2.4", "A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4"],
    "nist": ["CM-5(3)", "SI-7", "SC-12", "SC-12(3)", "CM-6(a)", "SA-12", "SA-12(10)", "CM-11(a)", "CM-11(b)"],
    "nist-csf": ["PR.DS-6", "PR.DS-8", "PR.IP-1"],
    "ospp": ["FPT_TUD_EXT.1", "FPT_TUD_EXT.2"],
    "pcidss": ["Req-6.2"],
    "srg": ["SRG-OS-000366-GPOS-00153"],
    "anssi": ["R59"],
    "ism": ["1493"],
    "pcidss4": ["6.3.3", "6.3"]
  },
  "control_references": {
    "anssi": ["R59"],
    "ism": ["1493"],
    "pcidss4": ["6.3.3", "6.3"]
  },
  "components": [],
  "identifiers": {},
  "ocil_clause": "GPG checking is disabled",
  "ocil": "To determine whether <tt>apt_get</tt> has been configured to disable\n<tt>gpgcheck</tt> for any repos, inspect all files in\n<tt>/etc/yum.repos.d</tt> and ensure the following does not appear in any\nsections:\n<pre>gpgcheck=0</pre>\nA value of <tt>0</tt> indicates that <tt>gpgcheck</tt> has been disabled for that repo.",
  "oval_external_content": null,
  "fixtext": "Ensure signature checking is enabled for all package repositories with the command:\n\n$ sudo sed -i 's/gpgcheck\\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*",
  "checktext": "Verify that apt_get has not been configured to disable gpgcheck for any repos with the following command:\n\n$ grep gpgcheck /etc/yum.repos.d/*.repo | more\n\ngpgcheck = 1\n\nIf \"gpgcheck\" is not set to \"1\" for all returned lines, this is a finding.",
  "vuldiscussion": "",
  "srg_requirement": "Ubuntu 22.04 must have gpgcheck enabled for all repositories.",
  "warnings": [],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 must have GPG signature verification enabled for all software repositories.",
      "vuldiscussion": "Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAll software packages must be signed with a cryptographic key recognized and approved by the organization.\n\nVerifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.",
      "checktext": "Verify that all software repositories defined in \"/etc/yum.repos.d/\" have been configured with \"gpgcheck\" enabled:\n\n$ grep -w gpgcheck /etc/yum.repos.d/*.repo | more\n\ngpgcheck = 1\n\nIf \"gpgcheck\" is not set to \"1\" for all returned lines, this is a finding.",
      "fixtext": "Configure all software repositories defined in \"/etc/yum.repos.d/\" to have \"gpgcheck\" enabled:\n\n$ sudo sed -i 's/gpgcheck\\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*"
    }
  },
  "platform": null,
  "platforms": [],
  "sce_metadata": {},
  "inherited_platforms": [],
  "cpe_platform_names": [],
  "inherited_cpe_platform_names": [],
  "bash_conditional": null,
  "fixes": {},
  "title": "Ensure gpgcheck Enabled for All apt_get Package Repositories",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml",
  "template": null
}