File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Ensure SUSE GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify that base software packages
    come from SUSE (and to connect to SUSE to receive them),
    the SUSE GPG key must be properly installed. To install the SUSE GPG
    key, run:
    <pre>$ sudo zypper install suse-build-key</pre>

    If the system is not connected to the Internet or an RHN Satellite, then
    install the SUSE GPG key from trusted media such as the SUSE
    installation CD-ROM or DVD. Assuming the disc is mounted in
    <tt>/media/cdrom</tt>, use the following command as the root user to import
    it into the keyring:
    <pre>$ sudo rpm --import /media/cdrom/content.key</pre> or
    <pre>$ sudo rpm --import /media/cdrom/repodata/repomd.xml.key</pre>

    Alternatively, the key may be pre-loaded during the SUSE installation. In
    such cases, one can use the repository cache files to install the key,
    for example by running the following command:
    <pre>sudo rpm --import /var/cache/zypp/raw/Basesystem_Module_15_SP2_x86_64:SLE-Module-Basesystem15-SP2-Pool/repodata/repomd.xml.key</pre>


rationale: |-
    Changes to software components can have significant effects on the overall
    security of the operating system. This requirement ensures the software has
    not been tampered with and that it has been provided by a trusted vendor.
    The SUSE GPG key is necessary to cryptographically verify that packages are
    from SUSE.

severity: high

identifiers:
    cce@rhel10: CCE-89006-1
    cce@sle12: CCE-91482-0
    cce@sle15: CCE-85796-1

references:
    cis-csc: 11,2,3,9
    cjis: 5.10.4.1
    cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02
    cui: 3.4.8
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
    isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6'
    iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
    nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1
    nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a)
    nist-csf: PR.DS-6,PR.DS-8,PR.IP-1
    pcidss: Req-6.2
    srg: SRG-OS-000366-GPOS-00153

ocil_clause: 'the SUSE GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    <pre>$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre>
    The command should return the string below:
    <pre>gpg(SuSE Package Signing Key &lt;build@suse.de&gt;)</pre>