highsystemunverified
Ensure gpgcheck is enabled for all configured repositories
gpgcheck-per-repo · RHEL ≥ 8 · 1 impl
Description
Every repository defined under /etc/yum.repos.d/ must have gpgcheck=1 so packages from each repo have their signatures verified.
Rationale
A repo with gpgcheck disabled can serve unsigned or tampered packages, bypassing the supply-chain trust the global setting provides.
Check → Remediate
Checkcommand
# STIG V-257822: EVERY repo stanza must set gpgcheck=1. A stanza that
# sets it to 0/false/no OR omits it entirely is a finding (not just an
# explicit disable).
fail=0
for f in /etc/yum.repos.d/*.repo; do
[ -f "$f" ] || continue
out=$(awk '
function chk() { if (sect != "" && gc != 1) { print " " file " [" sect "] gpgcheck not =1"; bad=1 } }
/^[[:space:]]*\[/ { chk(); sect=$0; gsub(/[][]/,"",sect); gc=0; next }
/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1([[:space:]]|$)/ { gc=1 }
/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|false|no)([[:space:]]|$)/ { gc=0 }
END { chk(); exit bad }
' file="$f" "$f") || { echo "FAIL: repo stanzas missing gpgcheck=1:"; echo "$out"; fail=1; }
done
if [ "$fail" -eq 0 ]; then echo "OK: every repository stanza sets gpgcheck=1"; exit 0; fi
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Set gpgcheck=1 in each /etc/yum.repos.d/*.repo stanza that has it disabled.
Framework references
STIG
V-280934 / RHEL-10-001050V-257822 / RHEL-09-214025
NIST 800-53
CM-5SI-7
#dnf#gpg#repositories#stig