6.11. YUM Repo Issues
This FAQ covers various issues that relate to YUM repositories and SIMP systems.
6.11.1. Global repo_gpgcheck=1
Warning
Disabling repo_gpgcheck should only be done for repositories that you ultimately trust. Doing otherwise removes your only check that the repository metadata (the package lists, versions and checksums that yum acts on) was actually published by the repository maintainer; anyone who controls a mirror or the network path can then feed yum stale or crafted metadata, for example to hold a system at an old, vulnerable package version. More information can be found in this SCAP Security Guide mailing list thread.
The DISA STIG requires that the repo_gpgcheck setting be set to 1 globally (in /etc/yum.conf) on EL systems.
When SIMP is set into STIG enforcing mode using the SIMP Compliance Engine, it will automatically flip the global repo_gpgcheck setting to 1 in accordance with the STIG.
Unfortunately, this breaks any repository that does not publish signed metadata (a detached signature, repomd.xml.asc, alongside repodata/repomd.xml), which includes EPEL and the commercial RHEL repositories: once repo_gpgcheck=1 is in force, yum refuses to use those repositories at all.
To mitigate this, you can modify the global setting by changing the appropriate value in the yum::config_options Hash. However, doing this turns the check off for every repository on the system and will show as a finding during STIG compliance scans.
Alternatively, you can update each repository that is having issues and disable metadata GPG checking for just that repository using the yumrepo Puppet resource. This keeps the STIG-mandated global setting in /etc/yum.conf and limits the exception to the repositories that actually need it. Leave gpgcheck=1 and a pinned gpgkey on the repository so that package signatures are still verified; only the repomd.xml signature check is relaxed. After applying the change, yum clean metadata followed by yum repolist will confirm that the repository loads again.
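The per-repository exception described above, as an added example rather than code from SIMP or the SIMP documentation. The repository name, description, mirrorlist and key path are assumptions for illustration (they follow the usual EPEL 7 layout); substitute the values of the repository that is failing on your system.

```puppet
# Added example, not SIMP's own code: keep the STIG-mandated global
# repo_gpgcheck=1 in /etc/yum.conf untouched and carve out one exception
# for a repository that does not publish signed metadata.
# Repository name, descr, mirrorlist and gpgkey path are assumptions.
yumrepo { 'epel':
  ensure        => 'present',
  descr         => 'Extra Packages for Enterprise Linux 7 - $basearch',
  # Single quotes are deliberate: yum, not Puppet, expands $basearch.
  mirrorlist    => 'https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch',
  enabled       => '1',
  # Package signatures are still verified against a key pinned on disk ...
  gpgcheck      => '1',
  gpgkey        => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7',
  # ... only the repomd.xml signature check is relaxed, and only for this repo.
  repo_gpgcheck => '0',
}
```

Because the override lives in the repository's own .repo file rather than in /etc/yum.conf, every other repository continues to be held to repo_gpgcheck=1, and any new repository added later inherits the strict global default rather than the exception.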