On Tuesday, November 14, 2017 9:37:18 AM EST Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
On 11/13/2017 06:59 PM, Steve Grubb wrote:
...the current rev of OSPP calls out for auditing of software update integrity checks. It calls out for integrity checks and for them to be enabled. It calls out for the vendor to supply SCAP content for the evaluated configuration. So that means we shouldn't be turning it off.
What are we gaining by enabling repo_gpgcheck in addition to gpgcheck?
It's for checking that the metadata hasn't been tampered with since signing. For example, suppose you need some packages out of EPEL. EPEL has a distributed mirror list that volunteers contribute bandwidth for everyone's benefit. However, what if their server became compromised and an attacker removed the entry for a critical package update for a network facing daemon? The intent being to keep people from patching to allow more compromises.
This setting would check the metadata to ensure that the signature verification shows the metadata is untampered with. TLS protects against modifying an in-transit package or metadata. But it doesn't tell you that your package resolution is using trustworthy data.
-Steve