Details
Verify authenticity of the packages before installing them in the image.
Rationale:
Verifying authenticity of the packages is essential for building a secure container image. Tampered packages could potentially be malicious or have some known vulnerabilities that could be exploited.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Use GPG keys for downloading and verifying packages or any other secure package distribution mechanism of your choice.
Impact:
None
Default Value:
Not Applicable
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.