V-38462 - Package management tool must verify authenticity of packages

Bug #1655714 reported by Marc Gariépy
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Won't Fix
Importance: Low
Assigned to: Major Hayden
Milestone: (not set)

Bug Description

The check is failing because of the rdo-testing.repo not having gpgcheck=1.
It would be better to have it fail when gpgcheck is not set for enabled repos.

TASK [openstack-ansible-security : V-38462 - Package management tool must verify authenticity of packages] ***
task path: /etc/ansible/roles/openstack-ansible-security/tasks/rhel6stig/rpm.yml:80
container_name: "aio1"
physical_hostname: "aio1"
fatal: [aio1]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "msg": "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
        },
        "module_name": "fail"
    },
    "msg": "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
}

[root@centos2 playbooks]# cat /etc/yum.repos.d/rdo-testing.repo
[openstack-newton-testing]
name=OpenStack Newton Testing
baseurl=http://buildlogs.centos.org/centos/7/cloud/$basearch/openstack-newton/
gpgcheck=0
enabled=0

[openstack-newton-pending]
# The pending repository should only be enabled under specific testing circumstances
name=OpenStack Newton Pending
baseurl=http://cbs.centos.org/repos/cloud7-openstack-common-pending/$basearch/os/
gpgcheck=0
enabled=0

[rdo-trunk-newton-tested]
name=OpenStack Newton Trunk Tested
baseurl=http://buildlogs.centos.org/centos/7/cloud/$basearch/rdo-trunk-newton-tested/
gpgcheck=0
enabled=0
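The refinement the report asks for (only flag repositories that are both enabled and lack gpgcheck=1, rather than any .repo file containing gpgcheck=0) can be expressed as a small parser over yum's INI-style repo files. The following is an added example written for this page, not code from the openstack-ansible-security role. The embedded sample is constructed: it repeats the three disabled rdo-testing repositories quoted above and adds a hypothetical enabled repository with no gpgcheck line so that the failing case is visible. It assumes yum's defaults that a repository without an enabled= line is enabled and that a missing gpgcheck= line does not count as verification being on.

```python
import configparser
import glob
import os

# Constructed sample: the three rdo-testing repos from the bug report (all disabled,
# gpgcheck=0) plus a hypothetical enabled repo with no gpgcheck line at all.
SAMPLE_REPO = """[openstack-newton-testing]
name=OpenStack Newton Testing
baseurl=http://buildlogs.centos.org/centos/7/cloud/$basearch/openstack-newton/
gpgcheck=0
enabled=0

[openstack-newton-pending]
# The pending repository should only be enabled under specific testing circumstances
name=OpenStack Newton Pending
baseurl=http://cbs.centos.org/repos/cloud7-openstack-common-pending/$basearch/os/
gpgcheck=0
enabled=0

[rdo-trunk-newton-tested]
name=OpenStack Newton Trunk Tested
baseurl=http://buildlogs.centos.org/centos/7/cloud/$basearch/rdo-trunk-newton-tested/
gpgcheck=0
enabled=0

[example-enabled-unsigned]
name=Hypothetical enabled repo without gpgcheck (constructed)
baseurl=http://repo.example.invalid/$basearch/os/
enabled=1
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def repos_needing_gpgcheck(repo_text):
    """Return the ids of repositories that are enabled but do not have gpgcheck=1.

    Disabled repositories are ignored even if they carry gpgcheck=0, which is
    exactly the case that made the original V-38462 check fail spuriously.
    """
    # interpolation=None: yum variables such as $basearch would otherwise trip
    # configparser's own %-style interpolation. Full-line '#' comments are
    # skipped by configparser's default comment handling.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)

    findings = []
    for repo_id in parser.sections():
        # Assumption (yum default): a repo with no enabled= line is enabled.
        enabled = parser.get(repo_id, "enabled", fallback="1").strip().lower()
        # A missing gpgcheck= line is treated as "not verified", since the repo
        # file itself does not require signature checking.
        gpgcheck = parser.get(repo_id, "gpgcheck", fallback="").strip()
        if enabled in TRUE_VALUES and gpgcheck != "1":
            findings.append(repo_id)
    return findings


def scan_repo_dir(directory="/etc/yum.repos.d"):
    """Scan every *.repo file in a directory; map file path -> offending repo ids."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.repo"))):
        with open(path, encoding="utf-8") as fh:
            bad = repos_needing_gpgcheck(fh.read())
        if bad:
            findings[path] = bad
    return findings


if __name__ == "__main__":
    print("Enabled repos without gpgcheck=1:", repos_needing_gpgcheck(SAMPLE_REPO))
```

Running the module prints only the constructed `example-enabled-unsigned` repository; the three disabled RDO testing repositories no longer trigger a finding. On a real host, `scan_repo_dir()` reports the offending repo ids per file, which is more actionable than the single "Ensure all repo files ... have 'gpgcheck=1' set" message in the task output.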

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Changed in openstack-ansible:
status: New → In Progress
importance: Undecided → Low
Major Hayden (rackerhacker) wrote:

This is corrected with the work done in the RHEL 7 STIG.

Changed in openstack-ansible:
status: In Progress → Won't Fix