AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.

STIG ID: ALMA-09-009700  |  SRG: SRG-OS-000366-GPOS-00153 |  Severity: high |  CCI: CCI-003992 |  Vulnerability Id: V-269164

Vulnerability Discussion

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are not allowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).

Check

Confirm AlmaLinux and TuxCare package-signing keys are installed on the system and verify their fingerprints match vendor values.

The keys are stored as "RPM-GPG-KEY-AlmaLinux-9" and "RPM-GPG-KEY-TuxCare" inside the "/etc/pki/rpm-gpg/" directory.

List GPG keys installed on the system using the following command:

$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey

TuxCare (Software Signing Key) <packager@tuxcare.com> public key
AlmaLinux OS 9 <packager@almalinux.org> public key

If the AlmaLinux and TuxCare GPG keys are not installed, this is a finding.

List key fingerprints of installed GPG keys using the following commands:

$ gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9

pub rsa4096/B86B3716 2022-01-18 [SC]
Key fingerprint = BF18 AC28 7617 8908 D6E7 1267 D36C B86C B86B 3716
uid AlmaLinux OS 9 <packager@almalinux.org>
sub rsa4096/C9BA6CAA 2022-01-18 [E]

$ gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare

pub rsa4096/8D50EB66 2023-03-06 [SC]
Key fingerprint = FAD7 8590 81D0 738B 7A82 8496 D07B F2A0 8D50 EB66
uid TuxCare (Software Signing Key) <packager@tuxcare.com>
sub rsa4096/A9C70659 2023-03-06 [E]

If either "/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9" or "/etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare" key files are missing, this is a finding.

Compare key fingerprints of installed AlmaLinux and TuxCare GPG keys with fingerprints listed at

https://almalinux.org/security/

https://docs.tuxcare.com/enterprise-support-for-almalinux/#gnupg-keys

If the key fingerprints do not match, this is a finding.

Fix

Install AlmaLinux and TuxCare package-signing keys on the system and verify their fingerprints match vendor values.

$ curl https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9 -o /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9

$ curl https://repo.tuxcare.com/tuxcare/RPM-GPG-KEY-TuxCare -o /etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare

$ rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9

$ rpm --import https://repo.tuxcare.com/tuxcare/RPM-GPG-KEY-TuxCare

Using the steps listed in the Check, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.