Details
The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package’s signature is checked prior to its installation.
Rationale:
It is important to ensure that an RPM’s package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.
Solution
Edit /etc/yum.conf and set ‘gpgcheck=1’ in the [main] section.
Example: vim /etc/yum.conf
Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ‘1’.
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-71977
Rule ID: SV-86601r2_rule
STIG ID: RHEL-07-020050
Severity: CAT I
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.