Rule ID
SV-273995r1119973_rule
Version
V1R3
CCIs
CCI-003992
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, which includes updates, with a GPG key to Verify they are valid.
Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values.
Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default.
List Amazon Linux GPG keys installed on the system:
$ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n"
gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key
If there is no Amazon Linux GPG key installed, this is a finding.
Extract the fingerprint from the key with this command:
$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
pub rsa4096/D832C631 2022-12-08 [SC]
Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
uid Amazon Linux <amazon-linux@amazon.com>
Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html
If key fingerprints do not match, or the key file is missing, this is a finding.Configure Amazon Linux 2023 to have the public key for verifying RPM packages to be installed with the "system-release" package. Install the system-release installation with the following command: $ sudo dnf install -y system-release Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and under '[main]' in the configuration file add: gpgcheck=1