CCE-90940-8 | Platform: rhel7, centos7 | Date: (C) 2017-06-29 (M) 2022-10-10
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify that base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must be properly installed.
To install the Red Hat GPG key, run:
'$ sudo rhn_register'
If the system is not connected to the Internet or an RHN Satellite,
then install the Red Hat GPG key from trusted media such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in '/media/cdrom', use the following command as the root user to import
it into the keyring:
'$ sudo rpm --import /media/cdrom/RPM-GPG-KEY'
Technical Mechanism:
Changes to software components can have significant effects on the
overall security of the operating system. This requirement ensures
the software has not been tampered with and that it has been provided
by a trusted vendor. The Red Hat GPG key is necessary to
cryptographically verify packages are from Red Hat.
Fix:
# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once its integrity is verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

# Octal permission bits of the directory holding the key file, e.g. 755
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "${REDHAT_RELEASE_KEY}")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. a CRC error)
  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}"))
  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    for ITEM in "${GPG_OUT[@]}"
    do
      # Filter just hexadecimal fingerprints from gpg's output from
      # processing of a key file
      RESULT=$(echo "${ITEM}" | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]')
      # If the fingerprint matches Red Hat's release 2 or auxiliary key, import the key
      if [[ ${RESULT} ]] && ([[ ${RESULT} = "${REDHAT_RELEASE_2_FINGERPRINT}" ]] || \
                             [[ ${RESULT} = "${REDHAT_AUXILIARY_FINGERPRINT}" ]])
      then
        rpm --import "${REDHAT_RELEASE_KEY}"
      fi
    done
  fi
fi
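The fingerprint gate in the Fix above keys on the literal label "Key fingerprint = " that GnuPG 2.0 (the version shipped with RHEL 7) prints for --with-fingerprint. Newer GnuPG releases print the fingerprint on its own indented line without that label, and the colon-delimited --with-colons output is GnuPG's documented machine-readable format. The script below is an added example, not part of this page's remediation or of the SCAP Security Guide: it recognises all three layouts, normalises spacing before comparing against the two Red Hat fingerprints quoted in the Fix, and fails closed (no import) when no fingerprint matches or when gpg produces no output, which also covers a corrupt key file. The sample gpg outputs are constructed to look like real output (the dates, uid strings and pub record fields are made up, not captured from a system); the import_if_trusted wrapper assumes gpg and rpm are on the PATH.

```shell
#!/bin/sh
# Added example: version-tolerant fingerprint gate for an RPM GPG key file.
# Fingerprints are the two Red Hat values quoted in the Fix on this page.
REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"

# normalize_fpr: drop all whitespace and upper-case, so the single-vs-double
# space that different GnuPG versions put in the middle does not matter.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# extract_fprs: read gpg output on stdin, print one normalized 40-hex-digit
# fingerprint per line. Three line shapes are recognised:
#   "      Key fingerprint = 567E 347A ..."   older --with-fingerprint
#   "fpr:::::::::567E347A...:"               --with-colons record
#   "      567E 347A D004 ... FD43 1D51"      newer --with-fingerprint (no label)
# The first rule ends with d so its result is not matched again by the third.
extract_fprs() {
  sed -n \
    -e '/^[[:space:]]*Key fingerprint = /{s/^[[:space:]]*Key fingerprint = //;p;d;}' \
    -e 's/^fpr:*\([0-9A-Fa-f]\{40\}\):.*$/\1/p' \
    -e 's/^[[:space:]]*\([0-9A-Fa-f]\{4\}\([[:space:]]\{1,2\}[0-9A-Fa-f]\{4\}\)\{9\}\)[[:space:]]*$/\1/p' |
  while IFS= read -r line; do
    normalize_fpr "$line"
    printf '\n'
  done
}

# key_file_trusted: return 0 if any fingerprint read from stdin equals one of
# the known Red Hat fingerprints, 1 otherwise (unknown or empty input fails closed).
key_file_trusted() {
  want_release2=$(normalize_fpr "$REDHAT_RELEASE_2_FINGERPRINT")
  want_auxiliary=$(normalize_fpr "$REDHAT_AUXILIARY_FINGERPRINT")
  for fpr in $(extract_fprs); do
    [ "$fpr" = "$want_release2" ] && return 0
    [ "$fpr" = "$want_auxiliary" ] && return 0
  done
  return 1
}

# import_if_trusted: same gate as the Fix, but fed from --with-colons output so
# it does not depend on the human-readable layout. Assumes gpg and rpm exist.
# A key file gpg cannot parse yields no fpr record and is therefore refused.
import_if_trusted() {
  keyfile=$1
  if gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null | key_file_trusted; then
    rpm --import "$keyfile"
  else
    echo "refusing to import $keyfile: fingerprint is not a known Red Hat key" >&2
    return 1
  fi
}

# Constructed sample outputs (shape only; not captured from a real system).
SAMPLE_GPG20='pub  4096R/FD431D51 2000-01-01 Red Hat, Inc. (release key 2) <security@redhat.com>
      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51'
SAMPLE_GPG22='pub   rsa4096 2000-01-01 [SC]
      567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
uid           Red Hat, Inc. (release key 2) <security@redhat.com>'
SAMPLE_COLONS='pub:-:4096:1:199E2F91FD431D51:0:::-:::scSC::::::23::0:
fpr:::::::::567E347AD0044ADE55BA8A5F199E2F91FD431D51:'
SAMPLE_UNKNOWN='pub   rsa4096 2000-01-01 [SC]
      0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
uid           Example vendor <nobody@example.invalid>'
```

Pipe the output of gpg (or one of the samples) into key_file_trusted and branch on its exit status; import_if_trusted shows the full gate with the rpm --import step, which is the only part that needs root.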
References:
Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:31318
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:30595