Puppet Class: cis_security_hardening::rules::yum_gpgcheck

Defined in:
manifests/rules/yum_gpgcheck.pp

Summary

Ensure gpgcheck is globally activated

Overview

The gpgcheck option, found in the [main] section of /etc/yum.conf (and of /etc/dnf/dnf.conf on dnf-based releases) and in each repository section of the /etc/yum.repos.d/*.repo files, determines whether an RPM package's signature is verified before it is installed. A gpgcheck value inside a repository section overrides the global one for that repository, so gpgcheck=1 in [main] only establishes the default: a repo file that sets gpgcheck=0 still disables verification for the packages it provides.

Rationale: Verifying every RPM's signature before installation ensures that the package was produced by a trusted source and has not been altered in transit or on the mirror.

Examples:

class { 'cis_security_hardening::rules::yum_gpgcheck':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/yum_gpgcheck.pp', line 20

class cis_security_hardening::rules::yum_gpgcheck (
  Boolean $enforce = false,
) {
  # Only act when enforcement is requested and the node is a RedHat-family OS
  # (RHEL, CentOS, Rocky, AlmaLinux, Fedora, ...).
  if $enforce and $facts['os']['family'].downcase() == 'redhat' {
    # file_line (puppetlabs-stdlib) replaces an existing gpgcheck line or appends
    # one if none is present; yum.conf normally carries only the [main] section,
    # so an appended line lands in [main].
    file_line { 'yum_gpgcheck':
      ensure => present,
      path   => '/etc/yum.conf',
      line   => 'gpgcheck=1',
      match  => '^gpgcheck',
    }

    # Release 8 and later use dnf, which reads /etc/dnf/dnf.conf (on those
    # systems /etc/yum.conf is usually a symlink to it, so both resources manage
    # the same line). Compare the major version as an Integer: Puppet compares
    # strings lexicographically, so the original "'10' > '7'" form is false and
    # would skip release 10 and later.
    if Integer($facts['os']['release']['major']) > 7 {
      file_line { 'yum_gpgcheck dnf':
        ensure => present,
        path   => '/etc/dnf/dnf.conf',
        line   => 'gpgcheck=1',
        match  => '^gpgcheck',
      }
    }
  }
}
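The class manages only the global default. As an added audit check (not part of the cis_security_hardening module), the shell function below takes a main configuration file plus any number of repository files and reports every place signature checking is missing or disabled, the same places the CIS check looks. It runs here against a constructed fixture in a temporary directory; on a live host the call would be `audit_gpgcheck /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo` (or /etc/yum.conf on yum-only releases).

```shell
#!/usr/bin/env bash
# Added example: audit gpgcheck across the global config and repo files.
# Not part of the cis_security_hardening module.

# audit_gpgcheck MAIN_CONF [REPO_FILE...]
# Returns 0 when MAIN_CONF enables gpgcheck and no repo file disables it;
# otherwise prints each finding and returns 1.
audit_gpgcheck() {
    main_conf="$1"; shift
    rc=0
    # yum/dnf accept several boolean spellings; check them case-insensitively.
    if ! grep -Eiq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(1|yes|true|on)[[:space:]]*$' "$main_conf" 2>/dev/null; then
        echo "MISSING: $main_conf does not set gpgcheck=1"
        rc=1
    fi
    # A gpgcheck inside a repository section overrides the global default.
    for f in "$@"; do
        [ -e "$f" ] || continue
        hits=$(grep -Ein '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|no|false|off)[[:space:]]*$' "$f" || true)
        if [ -n "$hits" ]; then
            echo "DISABLED: $f:"
            echo "$hits" | sed 's/^/    line /'
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture (not a real host): a compliant main config plus one repo
# that quietly turns signature checking off.
fixture=$(mktemp -d)
printf '[main]\ngpgcheck=1\ninstallonly_limit=3\n' > "$fixture/dnf.conf"
printf '[base]\nname=base\nbaseurl=file:///nowhere\ngpgcheck=1\n' > "$fixture/base.repo"
printf '[extra]\nname=extra\nbaseurl=file:///nowhere\ngpgcheck=0\n' > "$fixture/extra.repo"

if audit_gpgcheck "$fixture/dnf.conf" "$fixture"/*.repo; then
    echo "fixture: PASS"
else
    echo "fixture: FAIL (extra.repo disables gpgcheck, as expected for this fixture)"
fi
rm -rf "$fixture"
```

The global line is matched against the whole line so that a commented or partially edited entry does not count as compliant; the repo scan reports line numbers so the finding can be handed straight to whoever owns the repo file.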