Puppet Class: cis_security_hardening::rules::zypper_gpgcheck

Defined in:
manifests/rules/zypper_gpgcheck.pp

Summary

Ensure gpgcheck is globally activated

Overview

The gpgcheck option, found in the main section of /etc/zypp/zypp.conf and in individual /etc/zypp/repos.d/*.repo files, determines whether an RPM package's signature is checked prior to its installation.

Rationale: An RPM package's signature should always be checked prior to installation to ensure that the software is obtained from a trusted source.

Examples:

class { 'cis_security_hardening::rules::zypper_gpgcheck':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/zypper_gpgcheck.pp', line 21

class cis_security_hardening::rules::zypper_gpgcheck (
  Boolean $enforce = false,
) {
  if $enforce {
    ini_setting { 'enable ggpcheck':
      ensure  => present,
      path    => '/etc/zypp/zypp.conf',
      section => 'main',
      setting => 'gpgcheck',
      value   => '1',
    }
  }
}
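
The class above manages only the main section of /etc/zypp/zypp.conf, while the overview notes that individual /etc/zypp/repos.d/*.repo files also carry gpgcheck. The shell audit below is an added example, not part of the module: the function names and the ROOT prefix argument are hypothetical, the sample tree is constructed, and a repo file that does not set gpgcheck is assumed to follow the global value.

```shell
#!/bin/sh
# Added example (not part of the module): audit gpgcheck in zypp.conf and repos.d.

# Print "SECTION<TAB>VALUE" for every active (uncommented) gpgcheck line in an INI file.
gpgcheck_values() {
  awk '
    /^[ \t]*[#;]/ { next }                          # comment line
    /^[ \t]*\[.*\]/ {                               # [section] header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == "gpgcheck") print sec "\t" v
    }' "$1"
}

# Return 0 if compliant under ROOT (hypothetical prefix for testing; empty means /).
audit_gpgcheck() {
  root="${1:-}"; rc=0
  conf="$root/etc/zypp/zypp.conf"
  # The last assignment in [main] wins; an empty result means unset or commented out.
  global=$(gpgcheck_values "$conf" 2>/dev/null |
           awk -F'\t' '$1 == "main" { v = $2 } END { print v }')
  if [ "$global" != "1" ]; then
    echo "FAIL $conf: [main] gpgcheck is '${global:-unset}', expected 1"; rc=1
  fi
  # Strict check: any repo that sets gpgcheck to something other than 1 is a finding.
  # Repos that do not set it are not flagged (assumed to follow the global value).
  for repo in "$root"/etc/zypp/repos.d/*.repo; do
    [ -f "$repo" ] || continue
    bad=$(gpgcheck_values "$repo" |
          awk -F'\t' '$2 != "1" { printf "[%s] gpgcheck=%s ", $1, $2 }')
    if [ -n "$bad" ]; then echo "FAIL $repo: $bad"; rc=1; fi
  done
  return "$rc"
}

# Constructed sample tree: the global setting is correct, one repo overrides it.
demo=$(mktemp -d)
mkdir -p "$demo/etc/zypp/repos.d"
printf '[main]\n# gpgcheck = 0\ngpgcheck = 1\n' > "$demo/etc/zypp/zypp.conf"
printf '[repo-oss]\nenabled=1\n' > "$demo/etc/zypp/repos.d/oss.repo"
printf '[third-party]\nenabled=1\ngpgcheck=0\n' > "$demo/etc/zypp/repos.d/third.repo"
audit_gpgcheck "$demo" || echo "result: non-compliant"
rm -rf "$demo"
```

To audit a live system, call audit_gpgcheck with no argument; a non-zero return with a FAIL line for a repo file means the global setting enforced by the class is being overridden for that repository.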