{"description": "To ensure the system can cryptographically verify that base software packages\ncome from SUSE (and to connect to SUSE to receive them),\nthe SUSE GPG key must be properly installed. To install the SUSE GPG\nkey, run:\n<pre>$ sudo zypper install suse-build-key</pre>\n\nIf the system is not connected to the Internet or an RHN Satellite, then\ninstall the SUSE GPG key from trusted media such as the SUSE\ninstallation CD-ROM or DVD. Assuming the disc is mounted in\n<tt>/media/cdrom</tt>, use one of the following commands as the root user to import\nit into the keyring:\n<pre>$ sudo rpm --import /media/cdrom/content.key</pre> or\n<pre>$ sudo rpm --import /media/cdrom/repodata/repomd.xml.key</pre>\n\nAlternatively, the key may be pre-loaded during the SUSE installation. In\nsuch cases, one can use the repository cache files to install the key,\nfor example by running the following command:\n<pre>sudo rpm --import /var/cache/zypp/raw/Basesystem_Module_15_SP2_x86_64:SLE-Module-Basesystem15-SP2-Pool/repodata/repomd.xml.key</pre>", "rationale": "Changes to software components can have significant effects on the overall\nsecurity of the operating system. 
This requirement ensures the software has\nnot been tampered with and that it has been provided by a trusted vendor.\nThe SUSE GPG key is necessary to cryptographically verify packages are\nfrom SUSE.", "severity": "high", "references": {"cis-csc": ["11", "2", "3", "9"], "cjis": ["5.10.4.1"], "cobit5": ["APO01.06", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS06.02"], "cui": ["3.4.8"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.312(b)", "164.312(c)(1)", "164.312(c)(2)", "164.312(e)(2)(i)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.4"], "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-003-8 R6", "CIP-007-3 R4", "CIP-007-3 R4.1", "CIP-007-3 R4.2", "CIP-007-3 R5.1"], "nist": ["CM-5(3)", "SI-7", "SC-12", "SC-12(3)", "CM-6(a)"], "nist-csf": ["PR.DS-6", "PR.DS-8", "PR.IP-1"], "pcidss": ["Req-6.2"], "srg": ["SRG-OS-000366-GPOS-00153"], "pcidss4": ["6.3.3", "6.3"]}, "control_references": {"pcidss4": ["6.3.3", "6.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the SUSE GPG Key is not installed", "ocil": "To ensure that the GPG key is installed, run:\n<pre>$ rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey</pre>\nThe command should return the string below:\n<pre>gpg(SuSE Package Signing Key &lt;build@suse.de&gt;)</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure SUSE GPG Key Installed", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/ensure_suse_gpgkey_installed/rule.yml", "template": null}