File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (66 lines) | stat: -rw-r--r-- 2,674 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
documentation_complete: true


title: 'Ensure Red Hat GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify base software packages
    come from Red Hat (and to connect to the Red Hat Network to receive them),
    the Red Hat GPG key must properly be installed. To install the Red Hat GPG
    key, run:
    <pre>$ sudo subscription-manager register</pre>

    If the system is not connected to the Internet or an RHN Satellite, then
    install the Red Hat GPG key from trusted media such as the Red Hat
    installation CD-ROM or DVD. Assuming the disc is mounted in
    <tt>/media/cdrom</tt>, use the following command as the root user to import
    it into the keyring:
    <pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>

    Alternatively, the key may be pre-loaded during the RHEL installation. In
    such cases, the key can be installed by running the following command:
    <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre>


rationale: |-
    Changes to software components can have significant effects on the overall
    security of the operating system. This requirement ensures the software has
    not been tampered with and that it has been provided by a trusted vendor.
    The Red Hat GPG key is necessary to cryptographically verify packages are
    from Red Hat.

severity: high

identifiers:
    cce@rhcos4: CCE-82754-3
    cce@rhel8: CCE-80795-8
    cce@rhel9: CCE-84180-9
    cce@rhel10: CCE-88256-3

references:
    cis-csc: 11,2,3,9
    cjis: 5.10.4.1
    cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02
    cui: 3.4.8
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
    isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6'
    iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
    nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1
    nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a)
    nist-csf: PR.DS-6,PR.DS-8,PR.IP-1
    ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
    pcidss: Req-6.2
    srg: SRG-OS-000366-GPOS-00153

ocil_clause: 'the Red Hat GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    <pre>$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre>
    The command should return the string below:
    <pre>gpg(Red Hat, Inc. (release key 2)  &lt;security@redhat.com&gt;</pre>

fixtext: |-
    Install {{{ full_name }}} GPG key. Run the following command:
    $ sudo rpm --import "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"