On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000352 requires the OS to prevent the installation of software not
signed with an approved certificate. This is met by ensure_gpgcheck_globally_activated and
ensure_gpgcheck_never_disabled.
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
rhel6/src/input/system/software/updating.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/software/updating.xml
b/rhel6/src/input/system/software/updating.xml
index 7718b37..33b50db 100644
--- a/rhel6/src/input/system/software/updating.xml
+++ b/rhel6/src/input/system/software/updating.xml
@@ -94,6 +94,7 @@ protects against malicious tampering.
<ident cce="14914-6" />
<oval id="yum_gpgcheck_global_activation" />
<ref nist="SI-2"/>
+<ident cci="CCI-000352" />
</Rule>
<Rule id="ensure_gpgcheck_never_disabled">
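Review bot: the new `<ident cci="CCI-000352" />` lands after `<ref nist="SI-2"/>` rather than beside the existing `<ident cce="14914-6" />`; keeping the two identifier elements adjacent (ident, ident, then ref) reads more clearly and keeps the rule's element order consistent. Separately, every other `<ident>` visible in this hunk carries only a `cce` attribute, so please confirm the build's transforms accept a `cci` attribute on `<ident>` before this is merged; if they do not, the new mapping may never reach the generated XCCDF.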
@@ -111,5 +112,6 @@ protects against malicious tampering.
<ident cce="14813-0" />
<oval id="yum_gpgcheck_never_disabled" />
<ref nist="SI-2"/>
+<ident cci="CCI-000352" />
</Rule>
</Group>
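Review bot: this hunk closes the `</Group>` right after ensure_gpgcheck_never_disabled, so no rule in the group addresses packages installed directly with `rpm`, which is exactly the gap the reply's sidenote raises. Mapping CCI-000352 to the two yum-only gpgcheck rules therefore overstates coverage; suggest either stating that limitation in the rule description or mapping the CCI as well to the prose rule proposed under ticket #44 once it exists. Same placement point as in the first hunk: move `<ident cci="CCI-000352" />` next to `<ident cce="14813-0" />`.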
Ack
Sidenote: If the requirement is to use signed packages we can set yum to
always check for that. However, users could always do an rpm -ivh and get
around this. I think we should add prose stating specifically to only
install signed packages, regardless of how they're installed. I created
ticket #44 to track this.
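The two OVAL checks the commit message maps to CCI-000352, and the rpm -ivh gap the sidenote describes, can be illustrated in plain shell. The script below is an added example written for this thread; it is not SCAP Security Guide content or the project's OVAL. The function names, the yum.conf and .repo files (constructed, written to a temporary directory) and the pass/fail rules are my assumptions: a global pass means gpgcheck=1 appears in the [main] section of yum.conf, and a "never disabled" pass means no .repo file sets gpgcheck=0 in any section. The last function uses the conventional rpm query-format idiom to list installed packages carrying no signature, which is what a yum-only check cannot see; it only runs where an rpm binary exists.

```shell
#!/bin/sh
# Added example for this thread; not SCAP Security Guide content and not
# the project's OVAL. It approximates yum_gpgcheck_global_activation and
# yum_gpgcheck_never_disabled in POSIX shell and adds a query for packages
# that reached the rpm database without a signature (the rpm -ivh gap).
# Every configuration file below is constructed sample data.

SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed yum.conf: gpgcheck enabled in [main].
cat > "$SAMPLE_DIR/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
EOF

# Constructed repo files: one honours the global setting, one overrides it.
# The commented line in bad.repo must not be counted as a setting.
mkdir -p "$SAMPLE_DIR/yum.repos.d" "$SAMPLE_DIR/clean.repos.d"
cat > "$SAMPLE_DIR/yum.repos.d/good.repo" <<'EOF'
[good]
name=Signed repository (constructed)
baseurl=file:///nonexistent/good
gpgcheck=1
EOF
cat > "$SAMPLE_DIR/yum.repos.d/bad.repo" <<'EOF'
[bad]
name=Unsigned repository (constructed)
baseurl=file:///nonexistent/bad
# gpgcheck = 1
gpgcheck = 0
EOF
cp "$SAMPLE_DIR/yum.repos.d/good.repo" "$SAMPLE_DIR/clean.repos.d/"

# Print the value of the last uncommented gpgcheck= line inside the [main]
# section of the given yum.conf; print nothing if it is never set there.
main_gpgcheck_value() {
    awk -F= '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
        in_main && $1 ~ /^[[:space:]]*gpgcheck[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Succeeds only when [main] has gpgcheck=1 (yum_gpgcheck_global_activation).
gpgcheck_globally_enabled() {
    [ "$(main_gpgcheck_value "$1")" = "1" ]
}

# Print each *.repo file under the given directory that sets gpgcheck=0 in
# any section; a per-repo override like this defeats the global setting.
repos_disabling_gpgcheck() {
    awk -F= '
        $1 ~ /^[[:space:]]*gpgcheck[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v)
            if (v == "0") print FILENAME
        }
    ' "$1"/*.repo 2>/dev/null | sort -u
}

# Succeeds only when no repo file disables gpgcheck
# (yum_gpgcheck_never_disabled).
gpgcheck_never_disabled() {
    [ -z "$(repos_disabling_gpgcheck "$1")" ]
}

# The yum checks say nothing about packages installed with rpm -ivh. Where
# rpm is available, list installed packages that carry no signature in any
# of the four header signature tags (conventional rpm query-format idiom);
# prints nothing when rpm is absent.
unsigned_installed_packages() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n' \
        | awk '$2 == "(none)" { print $1 }'
}

# Stand-alone demonstration against the constructed files.
if gpgcheck_globally_enabled "$SAMPLE_DIR/yum.conf"; then
    echo "global gpgcheck: enabled"
else
    echo "global gpgcheck: NOT enabled"
fi
if gpgcheck_never_disabled "$SAMPLE_DIR/yum.repos.d"; then
    echo "repo overrides: none"
else
    echo "repo overrides: $(repos_disabling_gpgcheck "$SAMPLE_DIR/yum.repos.d")"
fi
```

Run against the constructed data, the global check passes while the repo check fails and names bad.repo, which is the situation the second OVAL check exists to catch. Pointing the functions at /etc/yum.conf and /etc/yum.repos.d reproduces the two yum checks on a live host, and the unsigned-package listing is the audit that the sidenote's proposed prose rule would need behind it, since it inspects what actually reached the rpm database rather than how it got there.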