← Rules Catalog
criticalsystemverified

Ensure EPEL repository is not configured

epel-repos-absent · RHEL ≥ 8 · 1 impl

Description

Extra Packages for Enterprise Linux (EPEL) repositories must not be configured (enabled OR disabled) on RHEL systems. Only DoD-approved repositories should be configured.

Rationale

EPEL packages are community-maintained and not covered by Red Hat's security response process. Installing packages from EPEL bypasses the verified software supply chain required for DoD systems.

Check → Remediate

Checkcommand
# Any configured EPEL repo — enabled OR disabled — is a finding.
if dnf repolist --all 2>/dev/null | grep -qi epel; then
  echo "FAIL: an EPEL repository is configured (repolist)"; exit 1
fi
if grep -riqE '(^\\[|baseurl|metalink).*epel' /etc/yum.repos.d/ 2>/dev/null; then
  echo "FAIL: an EPEL repository is present in /etc/yum.repos.d/"; exit 1
fi
echo "OK: no EPEL repository configured"; exit 0
expected_exit:
0
Remediatecommand_exec
dnf config-manager --disable epel 2>/dev/null || true; find /etc/yum.repos.d/ -name '*epel*' -exec rm -f {} +

Framework references

STIG

V-257830 / RHEL-09-215035V-230492 / RHEL-08-040010

NIST 800-53

CM-7SI-7SA-12

Live verification

rhel8:check
#repository#package#supply-chain#attack-surface