I've run into the same problem. I go with setting the global yum.conf
as DISA says and then override the setting in a repos.d file for the
repos that really need repo_gpgcheck to be off.
I think this was a back-ported requirement from DISA, not something
originating from SSG.
--
Paul Arnold, CISSP
Cole Engineering Services, Inc.
On 11/13/2017 02:37 PM, Trevor Vaughan wrote:
> Hi All,
>
> I've been re-roaming through the SSG and this is probably the first of
> a many-part thread regarding different checks.
>
> TL;DR: The potential risk caused by enabling 'repo_gpgcheck' outweighs
> any potential benefit if TLS is enabled.
>
> In my opinion, the following check should *only* be enabled if all of
> your repositories are internally managed:
> xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata.
>
> The reason for this is that YUM presently does not (to my knowledge)
> have any way to differentiate between package signing GPG keys and
> repo signing GPG keys.
>
> This means that if, for instance, I host my packages via some shared
> Nexus, then I have to add the Nexus GPG key to my trust list for the repo.
>
> I fundamentally do *not* want to do this! I shouldn't be allowing my
> Nexus maintainer to potentially install software on my system without
> my explicit knowledge.
>
> You should use TLS, and the repo should have a trusted certificate
> there and that should be sufficient for the metadata until RPM can
> tell the difference between these two certificates.
>
> Please let me know if I've missed something, but I don't remember
> seeing options to split out the two sets of certs.
>
> Additionally, this is marked as 'high' severity and that seems to be
> massive overkill considering that 1) the packages are still signed and
> validated and 2) TLS is required.
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
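As an added illustration (not code from either poster), the script below resolves the effective per-repo setting the way Paul's layout relies on it: `repo_gpgcheck=1` globally in yum.conf `[main]`, overridden to `0` in a repos.d file for specific repos. It then flags repos whose metadata gets neither a GPG signature check nor verified TLS, which is the case Trevor's TLS argument does not cover. All repo ids, URLs and file contents are constructed samples.

```python
import configparser

# Constructed sample configs: a hardened global default (Paul's approach)
# plus per-repo overrides in repos.d for repos that cannot do repo_gpgcheck.
YUM_CONF = "[main]\ngpgcheck=1\nrepo_gpgcheck=1\nsslverify=1\n"
REPO_FILES = {
    "internal.repo": "[internal]\nbaseurl=https://repo.example.internal/el7/\n",
    "nexus.repo": "[nexus-proxy]\nbaseurl=https://nexus.example.internal/el7/\n"
                  "repo_gpgcheck=0\n",
    "mirror.repo": "[plain-mirror]\nbaseurl=http://mirror.example.org/el7/\n"
                   "repo_gpgcheck=0\nsslverify=0\n",
}

def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")

def effective_repo_settings(yum_conf_text, repo_files):
    """Resolve each repo's settings as yum does: [main] in yum.conf
    supplies defaults, keys in the repo's own section override them."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(yum_conf_text)
    defaults = dict(main["main"]) if main.has_section("main") else {}
    result = {}
    for text in repo_files.values():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for repo_id in cp.sections():
            merged = {**defaults, **dict(cp[repo_id])}
            baseurl = merged.get("baseurl", "")
            result[repo_id] = {
                "gpgcheck": _truthy(merged.get("gpgcheck", "0")),
                "repo_gpgcheck": _truthy(merged.get("repo_gpgcheck", "0")),
                # metadata is protected in transit only if https AND sslverify is on
                "tls": baseurl.startswith("https://")
                       and _truthy(merged.get("sslverify", "1")),
            }
    return result

def unprotected_metadata(settings):
    """Repo ids whose metadata gets neither a GPG signature check nor
    verified TLS, i.e. the case the thread's argument does not cover."""
    return sorted(r for r, s in settings.items()
                  if not s["repo_gpgcheck"] and not s["tls"])
```

Pointing the two inputs at the real `/etc/yum.conf` and the contents of `/etc/yum.repos.d/*.repo` turns this into a quick audit of where the per-repo override has been applied.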