STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

DISA Rule

SV-219543r603263_rule

Vulnerability Number

V-219543

Group Title

SRG-OS-000366

Rule Version

OL6-00-000008

Severity

CAT I

CCI(s)

• CCI-001749 - The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Weight

10

Fix Recommendation

To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run:

# wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
# rpm --import RPM-GPG-KEY-oracle-ol6

Check Contents

To ensure that the GPG key is installed, run:

# rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/"

The command should return the string below:

72F97B74EC551F03

If the operating system vendor GPG Key is not installed, this is a finding.

Vulnerability Number

V-219543

Documentable

False

Rule Version

OL6-00-000008

Severity Override Guidance

To ensure that the GPG key is installed, run:

# rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/"

The command should return the string below:

72F97B74EC551F03

If the operating system vendor GPG Key is not installed, this is a finding.

Check Content Reference

M

Target Key

2928

Comments