File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Ensure gpgcheck Enabled for Local Packages'

description: |-
    <tt>{{{ pkg_manager }}}</tt> should be configured to verify the signature(s) of local packages
    prior to installation. To configure <tt>{{{ pkg_manager }}}</tt> to verify signatures of local
    packages, set <tt>localpkg_gpgcheck</tt> to <tt>1</tt> in <tt>{{{ pkg_manager_config_file }}}</tt>.

rationale: |-
    Changes to any software components can have significant effects on the overall security
    of the operating system. This requirement ensures the software has not been tampered with
    and has been provided by a trusted vendor.
    <br /><br />
    Accordingly, patches, service packs, device drivers, or operating system components must
    be signed with a certificate recognized and approved by the organization.

severity: high

identifiers:
    cce@rhel8: CCE-80791-7
    cce@rhel9: CCE-83463-0
    cce@rhel10: CCE-89409-7
    cce@sle12: CCE-91475-4
    cce@sle15: CCE-91167-7

references:
    cis-csc: 11,3,9
    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
    cui: 3.4.8
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 7.6'
    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
    nist: CM-11(a),CM-11(b),CM-6(a),CM-5(3),SA-12,SA-12(10)
    nist-csf: PR.IP-1
    ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
    srg: SRG-OS-000366-GPOS-00153
    stigid@ol7: OL07-00-020060
    stigid@ol8: OL08-00-010371

ocil_clause: 'there is no process to validate certificates for local packages that is approved by the organization'

ocil: |-
    Verify that {{{ pkg_manager }}} verifies the signature of local packages prior to installation with the following command:

    <pre>$ grep localpkg_gpgcheck {{{ pkg_manager_config_file }}}</pre>

    <pre>localpkg_gpgcheck=1</pre>

    If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.

platform: package[{{{ pkg_manager }}}]

fixtext: |-
    Configure {{{ full_name }}} to always check package signatures before installation of local packages.

    Add or update the following line in the [main] section of the {{{ pkg_manager_config_file }}} file:

    localpkg_gpgcheck=1

srg_requirement: '{{{ full_name }}} must check the GPG signature of locally installed packages.'
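The OCIL check above is a plain grep, which also matches commented-out or wrong-section lines; the fixtext, by contrast, is explicit that the option belongs in the [main] section. The following shell script is an added example, not the project's own OVAL check or remediation, that applies both in a section-aware way to a yum/dnf-style INI file passed as an argument (the sample config it builds is constructed for the demo):

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: a section-aware check and
# remediation for localpkg_gpgcheck in a yum/dnf-style INI config file.

# Return 0 only if the last uncommented localpkg_gpgcheck= line inside
# [main] is 1; commented lines, other values and other sections all fail.
check_localpkg_gpgcheck() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*[#;]/ { next }                   # comment line
        /^[[:space:]]*\[/ { sec = $0                    # section header
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "main" && /^[[:space:]]*localpkg_gpgcheck[[:space:]]*=/ {
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            last = val                                  # last assignment wins
        }
        END { if (last == "1") exit 0; exit 1 }
    ' "$1"
}

# Add or update localpkg_gpgcheck=1 in [main], as the fixtext describes;
# stale or commented copies inside [main] are dropped, other sections kept.
set_localpkg_gpgcheck() {
    tmp="$1.tmp.$$"
    awk '
        /^[[:space:]]*\[/ {
            if (in_main && !done) { print "localpkg_gpgcheck=1"; done = 1 }
            in_main = ($0 ~ /^[[:space:]]*\[main\]/)
        }
        in_main && /^[[:space:]]*(#[[:space:]]*)?localpkg_gpgcheck[[:space:]]*=/ {
            if (!done) { print "localpkg_gpgcheck=1"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!in_main) print "[main]"; print "localpkg_gpgcheck=1" }
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: option commented out in [main] and set only in another
# section, which a bare grep would wrongly report as compliant.
demo_conf=$(mktemp)
printf '[main]\ngpgcheck=1\n# localpkg_gpgcheck=1\n[updates]\nlocalpkg_gpgcheck=1\n' > "$demo_conf"
check_localpkg_gpgcheck "$demo_conf" && echo "before: compliant" || echo "before: NOT compliant"
set_localpkg_gpgcheck "$demo_conf"
check_localpkg_gpgcheck "$demo_conf" && echo "after: compliant" || echo "after: NOT compliant"
rm -f "$demo_conf"
```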