Verify Red Hat GPG Key is Installed

Details

Red Hat cryptographically signs updates with a GPG key so that their validity can be verified.

Rationale:

It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.

Solution

Compare the GPG fingerprint of the installed release key with the one published on Red Hat’s web site at http://www.redhat.com/security/team/key. The following command prints the fingerprint of the key contained in the file it references:

# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

More information on package signing is also available at https://access.redhat.com/security/team/key.
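
One way to script the comparison, as an added example that is not part of the original benchmark text. The variable names EXPECTED_FPR and KEYFILE and the function names are assumptions; the trusted fingerprint must be copied by the operator from Red Hat's key page, and the check fails closed if gpg prints no fingerprint.

```shell
#!/bin/sh
# Added example, not part of the benchmark text.
# EXPECTED_FPR is an assumption: the operator copies it from Red Hat's key page.
KEYFILE="${KEYFILE:-/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release}"

# Strip whitespace and upper-case the hex digits so pasted values compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints
# only (field 10 of the first "fpr" record after each "pub" record).
extract_fprs() {
    awk -F: '$1 == "pub" { p = 1 }
             $1 == "sub" { p = 0 }
             $1 == "fpr" && p { print $10; p = 0 }'
}

# Return 0 if the expected fingerprint is among those on stdin, 1 if it is
# not (or stdin is empty), 2 if the expected value is not a full fingerprint.
fpr_listed() {
    want=$(normalize_fpr "$1")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    if [ "${#want}" -lt 40 ]; then return 2; fi   # reject short key IDs
    while IFS= read -r got; do
        if [ "$(normalize_fpr "$got")" = "$want" ]; then return 0; fi
    done
    return 1
}

# Same gpg invocation as above, with machine-readable output.
check_keyfile() {
    gpg --quiet --with-colons --with-fingerprint "$1" 2>/dev/null |
        extract_fprs | fpr_listed "$2"
}

# Runs only when the operator supplies a trusted fingerprint.
if [ -n "${EXPECTED_FPR:-}" ]; then
    if check_keyfile "$KEYFILE" "$EXPECTED_FPR"; then
        echo "PASS: $KEYFILE contains the expected key"
    else
        echo "FAIL: expected fingerprint not found in $KEYFILE" >&2
        exit 1
    fi
fi
```

Run it as `EXPECTED_FPR='<fingerprint from Red Hat's site>' sh check-key.sh` (the script name is a placeholder); a short key ID is rejected rather than compared.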

Default Value:

OS Default: N/A

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022