criticalsystemverified ✓
Ensure EPEL repository is not configured
epel-repos-absent · RHEL ≥ 8 · 1 impl
Description
Extra Packages for Enterprise Linux (EPEL) repositories must not be configured (enabled OR disabled) on RHEL systems. Only DoD-approved repositories should be configured.
Rationale
EPEL packages are community-maintained and not covered by Red Hat's security response process. Installing packages from EPEL bypasses the verified software supply chain required for DoD systems.
Check → Remediate
Checkcommand
# Any configured EPEL repo — enabled OR disabled — is a finding. if dnf repolist --all 2>/dev/null | grep -qi epel; then echo "FAIL: an EPEL repository is configured (repolist)"; exit 1 fi if grep -riqE '(^\\[|baseurl|metalink).*epel' /etc/yum.repos.d/ 2>/dev/null; then echo "FAIL: an EPEL repository is present in /etc/yum.repos.d/"; exit 1 fi echo "OK: no EPEL repository configured"; exit 0
- expected_exit:
- 0
Remediatecommand_exec
dnf config-manager --disable epel 2>/dev/null || true; find /etc/yum.repos.d/ -name '*epel*' -exec rm -f {} +Framework references
STIG
V-257830 / RHEL-09-215035V-230492 / RHEL-08-040010
NIST 800-53
CM-7SI-7SA-12
Live verification
rhel8:check
#repository#package#supply-chain#attack-surface