Skip to content

Add ensure_redhat_gpgkey_installed to RHEL CIS #14531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mab879 merged 3 commits into from
Mar 9, 2026
Merged

Add ensure_redhat_gpgkey_installed to RHEL CIS #14531

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
aa233ec
Add ensure_redhat_gpgkey_installed to RHEL 9 CIS
jan-cerny Mar 5, 2026
be0be6b
Add ensure_redhat_gpgkey_installed to RHEL 8 and 10 CIS
jan-cerny Mar 5, 2026
4bd86ef
Add ensure_fedora_gpgkey_installed to Fedora CIS
jan-cerny Mar 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions controls/cis_fedora.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,9 +369,14 @@ controls:
levels:
- l1_server
- l1_workstation
status: manual
related_rules:
status: partial
rules:
- ensure_fedora_gpgkey_installed
notes: >
In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2
adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora
GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.

- id: 1.2.1.2
title: Ensure gpgcheck is configured (Automated)
Expand Down
9 changes: 7 additions & 2 deletions products/rhel10/controls/cis_rhel10.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -366,9 +366,14 @@ controls:
levels:
- l1_server
- l1_workstation
status: manual
related_rules:
status: partial
rules:
- ensure_redhat_gpgkey_installed
notes: >
In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.

- id: 1.2.1.2
title: Ensure gpgcheck is configured (Automated)
Expand Down
9 changes: 7 additions & 2 deletions products/rhel8/controls/cis_rhel8.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -379,9 +379,14 @@ controls:
levels:
- l1_server
- l1_workstation
status: manual
related_rules:
status: partial
rules:
- ensure_redhat_gpgkey_installed
notes: >
In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.

- id: 1.2.1.2
title: Ensure gpgcheck is configured (Automated)
Expand Down
9 changes: 7 additions & 2 deletions products/rhel9/controls/cis_rhel9.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -361,9 +361,14 @@ controls:
levels:
- l1_server
- l1_workstation
status: manual
related_rules:
status: partial
rules:
- ensure_redhat_gpgkey_installed
notes: >
In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.

- id: 1.2.1.2
title: Ensure gpgcheck is globally activated (Automated)
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel10/cis.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ disable_weak_deps
ensure_gpgcheck_globally_activated
ensure_journald_and_rsyslog_not_active_together
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel10/cis_server_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ disable_users_coredumps
ensure_gpgcheck_globally_activated
ensure_journald_and_rsyslog_not_active_together
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel10/cis_workstation_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ disable_users_coredumps
ensure_gpgcheck_globally_activated
ensure_journald_and_rsyslog_not_active_together
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel10/cis_workstation_l2.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ disable_weak_deps
ensure_gpgcheck_globally_activated
ensure_journald_and_rsyslog_not_active_together
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel8/cis.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel8/cis_server_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel8/cis_workstation_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel8/cis_workstation_l2.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel9/cis.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel9/cis_server_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel9/cis_workstation_l1.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel9/cis_workstation_l2.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,7 @@ enable_authselect
ensure_gpgcheck_globally_activated
ensure_gpgcheck_never_disabled
ensure_pam_wheel_group_empty
ensure_redhat_gpgkey_installed
ensure_root_password_configured
file_at_allow_exists
file_at_deny_not_exist
Expand Down
Loading