Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

From Oracle Linux 6 Security Technical Implementation Guide

Part of SRG-OS-000090

Associated with: CCI-000352

SV-64895r3_rule Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

Vulnerability discussion

This key is necessary to cryptographically verify packages that packages are from the operating system vendor.

Check content

To ensure that the GPG key is installed, run: # rpm -qi gpg-pubkey-ec551f03 | gpg --keyid-format long | grep oracle.com | cut -f3 -d" " |cut -f2 -d"/" The command should return the string below: 72F97B74EC551F03 If the operating system vendor GPG Key is not installed, this is a finding.

Fix text

To ensure the system can cryptographically verify the software packages come from the operating system vendor (and connect to the vendor's network software repository to receive them if desired), the vendor GPG key must properly be installed. To ensure the GPG key is installed, run: # wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6 # rpm --import RPM-GPG-KEY-oracle-ol6

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer