I've run into the same problem. I go with setting the global yum.conf
as DISA says and then override the setting in a repos.d file for the
repos that really need repo_gpgcheck to be off.
I think this was a back-ported requirement from DISA, not something
originating from SSG.
--
Paul Arnold, CISSP
Cole Engineering Services, Inc.
On 11/13/2017 02:37 PM, Trevor Vaughan wrote:
Hi All,
I've been re-roaming through the SSG and this is probably the first of
a many-part thread regarding different checks.
TL;DR: The potential risk caused by enabling 'repo_gpgcheck' outweighs
any potential benefit if TLS is enabled.
In my opinion, the following check should *only* be enabled if all of
your repositories are internally managed:
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata.
The reason for this is that YUM presently does not (to my knowledge)
have any way to differentiate between package signing GPG keys and
repo signing GPG keys.
This means that if, for instance, I host my packages via some shared
Nexus, then I have to add the Nexus GPG key to my trust list for the repo.
I fundamentally do *not* want to do this! I shouldn't be allowing my
Nexus maintainer to potentially install software on my system without
my explicit knowledge.
You should use TLS, and the repo should have a trusted certificate
there and that should be sufficient for the metadata until RPM can
tell the difference between these two certificates.
Please let me know if I've missed something, but I don't remember
seeing options to split out the two sets of certs.
Additionally, this is marked as 'high' severity and that seems to be
massive overkill considering that 1) the packages are still signed and
validated and 2) TLS is required.
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
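The pattern Paul describes (global repo_gpgcheck=1 in yum.conf, overridden per repository in a .repo file) leaves the operator with the question Trevor raises: for every repo that has repo_gpgcheck off, is the metadata at least protected by verified TLS, and is package gpgcheck still on? The script below is an added example, not from either message or from the SSG project. It writes a constructed yum.conf and yum.repos.d tree into a temp directory, resolves each setting the way yum layers them (repo section, then [main], then yum's built-in defaults, which are assumed here to be gpgcheck=0, repo_gpgcheck=0, sslverify=1), and reports repos whose metadata is neither GPG-signed nor fetched over https with sslverify on. The repo names and URLs are made up for the sample.

```shell
#!/bin/sh
# Added audit example (not from the thread). Reports the effective
# repo_gpgcheck / gpgcheck / sslverify for each configured yum repo.
set -eu

# Constructed sample config tree, written to a temp dir so this runs offline.
make_sample_config() {
  dir=$(mktemp -d)
  mkdir -p "$dir/yum.repos.d"
  cat > "$dir/yum.conf" <<'EOF'
[main]
gpgcheck=1
repo_gpgcheck=1
sslverify=1
EOF
  cat > "$dir/yum.repos.d/internal.repo" <<'EOF'
[internal-rpms]
name=Internal repo with vendor-signed metadata (inherits repo_gpgcheck=1)
baseurl=https://repo.example.internal/rpms
gpgcheck=1
EOF
  cat > "$dir/yum.repos.d/nexus.repo" <<'EOF'
[nexus-proxy]
name=Shared Nexus proxy, metadata re-signed by Nexus so repo_gpgcheck is off
baseurl=https://nexus.example.internal/repository/epel
gpgcheck=1
repo_gpgcheck=0
sslverify=1
EOF
  cat > "$dir/yum.repos.d/legacy.repo" <<'EOF'
[legacy-mirror]
name=Plain-http mirror with repo_gpgcheck off (should be flagged)
baseurl=http://mirror.example.internal/legacy
gpgcheck=1
repo_gpgcheck=0
EOF
  printf '%s\n' "$dir"
}

# Section names of every repo in yum.repos.d/*.repo
list_repos() {
  cat "$1"/yum.repos.d/*.repo | awk -F'[][]' '/^\[/ { print $2 }'
}

# Effective value of KEY for repo SECTION: the repo file wins, then [main]
# in yum.conf, then the built-in default passed as $4 (assumed yum defaults).
effective_setting() {
  dir=$1; section=$2; key=$3; default=${4-}
  val=$(cat "$dir"/yum.repos.d/*.repo | awk -v s="$section" -v k="$key" '
    /^\[/ { cur = substr($0, 2, length($0) - 2); next }
    cur == s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
    END { print v }')
  if [ -z "$val" ]; then
    val=$(awk -v k="$key" '
      /^\[/ { cur = substr($0, 2, length($0) - 2); next }
      cur == "main" && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
      END { print v }' "$dir/yum.conf")
  fi
  printf '%s\n' "${val:-$default}"
}

# OK when metadata is GPG-verified, or fetched over https with sslverify on.
# FAIL (exit 1) when package gpgcheck is off, or metadata has no protection.
check_repo() {
  dir=$1; section=$2
  rgc=$(effective_setting "$dir" "$section" repo_gpgcheck 0)
  gpg=$(effective_setting "$dir" "$section" gpgcheck 0)
  ssl=$(effective_setting "$dir" "$section" sslverify 1)
  url=$(effective_setting "$dir" "$section" baseurl "")
  if [ "$gpg" != 1 ]; then
    printf 'FAIL %s: package gpgcheck is disabled\n' "$section"; return 1
  fi
  if [ "$rgc" = 1 ]; then
    printf 'OK   %s: repo metadata signature is verified\n' "$section"; return 0
  fi
  case "$url" in
    https://*)
      if [ "$ssl" = 1 ]; then
        printf 'OK   %s: repo_gpgcheck off, metadata protected by verified TLS\n' "$section"
        return 0
      fi ;;
  esac
  printf 'FAIL %s: repo_gpgcheck off and metadata not protected by verified TLS\n' "$section"
  return 1
}

main() {
  cfg=$(make_sample_config)
  for r in $(list_repos "$cfg"); do check_repo "$cfg" "$r" || true; done
  rm -rf "$cfg"
}
main
```

Point `make_sample_config` at a real /etc/yum.conf and /etc/yum.repos.d copy and the same functions give a per-repo view of which metadata is trusted on what basis; the http repo in the sample is the case both posters would want surfaced before a DISA-style global setting is relaxed for it.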