ACK, and I will now push for you. However, please stop copy editing / language modifications until the content is complete. We'll save these adjustments for the copy editing stage, and with the assent of the editor.
On 09/26/2012 05:54 PM, David Smith wrote: > > Signed-off-by: David Smith <[email protected]> > --- > RHEL6/input/system/accounts/banners.xml | 12 ++++++ > RHEL6/input/system/accounts/pam.xml | 31 ++++++++++++---- > RHEL6/input/system/accounts/physical.xml | 27 +++++++++----- > .../accounts/restrictions/password_expiration.xml | 10 +++--- > RHEL6/input/system/logging.xml | 39 > +++++++++----------- > RHEL6/input/system/network/ipv6.xml | 11 +++--- > RHEL6/input/system/selinux.xml | 6 ++-- > RHEL6/input/system/software/updating.xml | 7 ++-- > 8 files changed, 87 insertions(+), 56 deletions(-) > > diff --git a/RHEL6/input/system/accounts/banners.xml > b/RHEL6/input/system/accounts/banners.xml > index 708ca75..9e3439b 100644 > --- a/RHEL6/input/system/accounts/banners.xml > +++ b/RHEL6/input/system/accounts/banners.xml > @@ -86,6 +86,12 @@ Display Manager's login screen, run the following command: > To display a banner, this setting must be enabled and then > banner text must also be set. > </description> > +<ocil clause="it is not"> > +To ensure a login warning banner is enabled, open the following file: > +<pre>/etc/gconf/schemas/gdm-simple-greeter.schemas</pre> > +Search for the <tt>banner_message_enable</tt> schema. > +If properly configured, the <tt>default</tt> value should be <tt>true</tt>. > +</ocil> > <rationale> > Although unlikely to dissuade a serious attacker, the warning message > reinforces policy awareness during the logon process. 
> @@ -109,6 +115,12 @@ to begin and end the string with <tt>"</tt>. This > command writes > directly to the file > <tt>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</tt>, > and this file can later be edited directly if necessary. > </description> > +<ocil clause="it does not"> > +To ensure login warning banner text is properly set, open the following file: > +<pre>/etc/gconf/schemas/gdm-simple-greeter.schemas</pre> > +Search for the <tt>banner_message_text</tt> schema. > +If properly configured, the proper banner text will appear within this > schema. > +</ocil> > <rationale> > Although unlikely to dissuade a serious attacker, the warning message > reinforces policy awareness during the logon process. > diff --git a/RHEL6/input/system/accounts/pam.xml > b/RHEL6/input/system/accounts/pam.xml > index 569489c..59df7ed 100644 > --- a/RHEL6/input/system/accounts/pam.xml > +++ b/RHEL6/input/system/accounts/pam.xml > @@ -177,10 +177,13 @@ operator="equals" interactive="0"> > <Rule id="password_retry"> > <title>Set Password Retry Prompts Permitted Per-session</title> > <description>The pam_cracklib module's <tt>retry=</tt> parameter controls > how many times a program > -will re-prompt a user after an incorrect password entry, on a per-session > basis. > +will re-prompt a user after an incorrect password entry, on a per-session > basis. To configure this, open: > +<pre>/etc/pam.d/system-auth</pre> > +Locate the <tt>retry=</tt> parameter, the DoD required value is 3. > </description> > <ocil clause="it is not the required value"> > -To check the number of password retry attempts permitted, run the following > command: > +The system must disable after three consecutive and unsuccessful login > attempts. > +To ensure this is the case, run the following command: > <pre>$ grep retry /etc/pam.d/system-auth</pre> > </ocil> > <rationale> 
> @@ -202,7 +205,8 @@ contain that many digits. When set to a positive number, > pam_cracklib will grant > length credit for each digit. > </description> > <ocil clause="it is not the required value"> > -To check the minimum required number of digits, run the following command: > +The DoD requires at least one digit in a password. > +To verify this requirement is being met, run the following command: > <pre>$ grep dcredit /etc/pam.d/system-auth</pre> > </ocil> > <rationale> > @@ -222,7 +226,8 @@ contain that many uppercase characters. When set to a > positive number, pam_crack > length credit for each uppercase character. > </description> > <ocil clause="it is not the required value"> > -To check the required number of uppercase characters, run the following > command: > +The DoD requires at least one uppercase character in a password. > +To verify this requirement is being met, run the following command: > <pre>$ grep ucredit /etc/pam.d/system-auth</pre> > </ocil> > <rationale> > @@ -242,7 +247,8 @@ contain that many special characters. When set to a > positive number, pam_crackli > length credit for each special character. > </description> > <ocil clause="it is not the required value"> > -To check the required number of special characters, run the following > command: > +The DoD requires at least one special character in a password. > +To verify this requirement is being met, run the following command: > <pre>$ grep ocredit /etc/pam.d/system-auth</pre> > </ocil> > <rationale> 
> @@ -262,7 +268,8 @@ contain that many lowercase characters. When set to a > positive number, pam_crack > length credit for each lowercase character. > </description> > <ocil clause="it is not the required value"> > -To check the required number of lowercase characters, run the following > command: > +The DoD requires at least one lowercase character in a password. > +To verify this requirement is being met, run the following command: > <pre>$ grep lcredit /etc/pam.d/system-auth</pre> > </ocil> > <rationale> > @@ -280,7 +287,8 @@ more difficult by ensuring a larger search space. > usage of different characters during a password change. > </description> > <ocil clause="it is not the required value"> > -To check the required number of minimum different characters, run the > following command: > +During a password change, the DoD requires at least four characters be > different between the old and new passwords. > +To verify this requirement is being met, run the following command: > <pre>$ grep difok /etc/pam.d/system-auth</pre> > </ocil> > <rationale> > @@ -365,7 +373,7 @@ prevents direct password guessing attacks. > <description>The system's default algorithm for storing password hashes in > <tt>/etc/shadow</tt> is SHA-512. > In order to ensure the system is still configured to use SHA-512 algorithm, > -ensure that the following line appears in <tt>/etc/login.defs</tt>: > +the following line must appear in <tt>/etc/login.defs</tt>: > <pre>ENCRYPT_METHOD SHA512</pre> > Also ensure that the <tt>pam_unix.so</tt> module in the <tt>password</tt> > section in > <tt>/etc/pam.d/system-auth</tt> includes the argument <tt>sha512</tt>. 
> @@ -378,6 +386,13 @@ will be generated using the SHA-512 algorithm. > need to perform a password change in order to upgrade the stored > hashes to the stronger algorithm. --> > </description> > +<ocil clause="either of these are not the case"> > +To ensure the system is configured to store password hashes using the > SHA-512 algorithm, two conditions must be met. > +First, ensure the following line appears in <tt>/etc/login.defs</tt>: > +<pre>ENCRYPT_METHOD SHA512</pre> > +Also, ensure the <tt>pam_unix.so</tt> module in the <tt>password</tt> > section of <tt>/etc/pam.d/system-auth</tt> includes > +the argument <tt>sha512</tt>. > +</ocil> > <rationale> > Using a stronger hashing algorithm makes password cracking attacks more > difficult. > </rationale> > diff --git a/RHEL6/input/system/accounts/physical.xml > b/RHEL6/input/system/accounts/physical.xml > index f67e766..11ddc1b 100644 > --- a/RHEL6/input/system/accounts/physical.xml > +++ b/RHEL6/input/system/accounts/physical.xml > @@ -82,6 +82,7 @@ parameters. > enabled to protect boot-time settings. > To do so, select a password and then generate a hash from it by running: > <pre># grub-crypt --sha-512</pre> > +You will then be prompted to enter a password. > Insert the following line into <tt>/etc/grub.conf</tt> immediately > after the header comments. (Use the output from <tt>grub-crypt</tt> as the > value of <b>password-hash</b>): 
> @@ -243,7 +244,10 @@ enabled > --type bool \ > --set /apps/gnome-screensaver/idle_activation_enabled true</pre> > </description> > -<ocil>To check the screensaver mandatory use status, open the following > file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the > <tt>idle_activation_enabled</tt> schema. If properly configured, the > <tt>default</tt> value should be <tt>TRUE</tt>. If it is not, this is a > finding. > +<ocil>To check the screensaver mandatory use status, open the following file: > +<pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> > +Search for the <tt>idle_activation_enabled</tt> schema. > +If properly configured, the <tt>default</tt> value should be <tt>TRUE</tt>. > If it is not, this is a finding. > </ocil> > <rationale> > Enabling idle activation of the screen saver ensures that the > @@ -257,7 +261,7 @@ screensaver will be activated after the idle delay. > <Rule id="enable_screensaver_password_lock"> > <title>Enable Screen Lock Activation After Idle Period</title> > <description>Idle activation of the screen lock should be > -enabled > +enabled. > <pre># gconftool-2 --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > --type bool \ > @@ -278,7 +282,7 @@ access the system, preventing access by passersby. > <Rule id="set_blank_screensaver"> > <title>Implement Blank Screen Saver</title> > <description> > -The screen saver should be blank > +The screen saver should be blank. > <pre># gconftool-2 > --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > @@ -307,7 +311,7 @@ contents of the display from passersby. > <title>Configure Console Screen Locking</title> > <description> > A console screen locking mechanism is provided in the > -<tt>vlock package</tt>, which is not installed by default. > +vlock package, which is not installed by default. > </description> > > <Rule id="install_vlock_package"> 
> @@ -321,6 +325,9 @@ to prevent passersby from abusing their login: > The <tt>-a</tt> option can be used to prevent switching to other > virtual consoles. > </description> > +<ocil clause="there is a command not found error"> > +To check whether vlock has been installed, simply invoke the <tt>vlock</tt> > command. > +</ocil> > <rationale> > Installing vlock ensures that a console locking capability is available > for users who may need to suspend console logins. > @@ -334,21 +341,21 @@ for users who may need to suspend console logins. > <Group id="smart_card_login"> > <title>Using Smart Cards for System Login</title> > <description> > -The use of Smart Cards, like Common Access Cards (CAC), for system login > +The use of smart cards, like Common Access Cards (CAC), for system login > provides stronger, two-factor authentication than using a username/password. > -Smart Cards take advantage of Public Key Infrastructure (PKI) to store > +Smart cards take advantage of Public Key Infrastructure (PKI) to store > encrypted digital certificates that can be used to authenticate the card > owner. > <br /><br /> > -In Red Hat Enterprise Linux servers and workstations, Smart Card login > +In Red Hat Enterprise Linux servers and workstations, smart card login > is not enabled by default and must be enabled in the system settings. > -Detailed procedures on how to configure a system to use Smart Card > +Detailed procedures on how to configure a system to use smart card > authentication for login can be found in the Red Hat Documentation web site: > <ul> > > <li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</li> > </ul> > -It is recommended to use Smart Cards wherever feasible as part of a > multifactor > -authentication system > +It is recommended to use smart cards wherever feasible as part of a > multifactor > +authentication system. > </description> > <ref disa="765,766,767,768,771,772,884" /> > </Group> 
> diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml > b/RHEL6/input/system/accounts/restrictions/password_expiration.xml > index 93fc1d8..2512c37 100644 > --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml > +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml > @@ -113,12 +113,12 @@ behavior that may result. > edit the file <tt>/etc/login.defs</tt> > and add or correct the following line, replacing <i>DAYS</i> appropriately: > <pre>PASS_MIN_DAYS <i>DAYS</i></pre> > -The DoD requirement is <tt>7</tt>. > +The DoD requirement is 7. > </description> > <ocil clause="it is not set to the required value"> > To check the minimum password age, run the command: > <pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre> > -The DoD requirement is <tt>7</tt>. > +The DoD requirement is 7. > </ocil> > <rationale> > Setting the minimum password age protects against > @@ -138,13 +138,13 @@ edit the file <tt>/etc/login.defs</tt> > and add or correct the following line, replacing <i>DAYS</i> appropriately: > <pre>PASS_MAX_DAYS <i>DAYS</i><!-- <sub > idref="password_max_age_login_defs_value" /> --></pre> > A value of 180 days is sufficient for many environments. > -The DoD requirement is <tt>60</tt>. > +The DoD requirement is 60. > </description> > <ocil clause="it is not set to the required value"> > To check the maximum password age, run the command: > <pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre> > A value of 180 days is sufficient for many environments. > -The DoD requirement is <tt>60</tt>. > +The DoD requirement is 60. > </ocil> > <rationale> > Setting the password maximum age ensures that users are required to 
> @@ -173,7 +173,7 @@ environments. > To check the password warning age, run the command: > <pre>$ grep PASS_WARN_DAYS /etc/login.defs</pre> > A value of 7 days is sufficient for many environments. > -The DoD requirement is <tt>7</tt>. > +The DoD requirement is 7. > </ocil> > <rationale> > Setting the password warning age enables users to > diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml > index 854409d..c089888 100644 > --- a/RHEL6/input/system/logging.xml > +++ b/RHEL6/input/system/logging.xml > @@ -21,7 +21,7 @@ monitor logs.</description> > <title>Ensure rsyslog is Installed</title> > <description> > Rsyslog is installed by default. > -<package-install-macro service="rsyslog" /> > +<package-install-macro package="rsyslog" /> > </description> > <ocil> > <package-check-macro package="rsyslog" /> > @@ -37,14 +37,14 @@ system logging services. > > > <Rule id="service_rsyslog_enabled"> > -<title>Enable Rsyslog Service (rsyslog)</title> > -<description>The <tt>rsyslog</tt> service provides syslog-style logging by > default on RHEL 6. > +<title>Enable rsyslog Service</title> > +<description>The rsyslog service provides syslog-style logging by default on > RHEL 6. > <service-enable-macro service="rsyslog" /> > </description> > <ocil> > <service-enable-check-macro service="rsyslog" /> > </ocil> > -<rationale>The <tt>rsyslog</tt> service must be running in order to provide > +<rationale>The rsyslog service must be running in order to provide > logging services, which are essential to system administration. > </rationale> > <ident cce="17698-2" /> 
> @@ -97,7 +97,7 @@ operator="equals" interactive="0"> > <Rule id="rsyslog_logfiles_exist"> > <title>Ensure Log Files Exist</title> > <description> > -The log files written by <tt>rsyslog</tt> are determined by the second part > of each rule line in > +The log files written by rsyslog are determined by the second part of each > rule line in > <tt>/etc/rsyslog.conf</tt>. These typically all appear in <tt>/var/log</tt>. > For any log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt> > which > does not already exist the following commands will create it and apply proper > @@ -106,7 +106,7 @@ permissions: > # chown root:root <i>LOGFILE</i> > # chmod 0600 <i>LOGFILE</i></pre> > </description> > -<rationale>If a log file referenced by <tt>rsyslog</tt> does not exist, > rsyslog > +<rationale>If a log file referenced by rsyslog does not exist, rsyslog > will not create it and important log messages can be lost. > </rationale> > <ident cce="18095-0" /> > @@ -116,7 +116,7 @@ will not create it and important log messages can be lost. > <Rule id="userowner_rsyslog_files"> > <title>Ensure Log Files Are Owned By Appropriate User</title> > <description>The owner of all log files written by > -<tt>rsyslog</tt> should be root. > +rsyslog should be root. > These log files are determined by the second part of each Rule line in > <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. > For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, 
> @@ -141,7 +141,7 @@ protected from unauthorized access.</rationale> > <Rule id="groupowner_rsyslog_files"> > <title>Ensure Log Files Are Owned By Appropriate Group</title> > <description>The group-owner of all log files written by > -<tt>rsyslog</tt> should be root. > +rsyslog should be root. > These log files are determined by the second part of each Rule line in > <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. > For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, > @@ -167,8 +167,7 @@ protected from unauthorized access.</rationale> > <Rule id="rsyslog_file_permissions"> > <title>Ensure System Log Files Have Correct Permissions</title> > <description>The file permissions for all log files written by > -<tt>rsyslog</tt> should be > -set to 600 or more restrictive. > +rsyslog should be set to 600, or more restrictive. > These log files are determined by the second part of each Rule line in > <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. > For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, > @@ -194,7 +193,7 @@ users could change the logged data, eliminaating their > foresive value. > </Group> > > <Group id="rsyslog_sending_messages"> > -<title>Rsyslog Logs Sent To Remote Host</title> > +<title>rsyslog Logs Sent To Remote Host</title> > <description> > If system logs are to be useful in detecting malicious > activities, it is necessary to send logs to a remote server. An 
> @@ -204,11 +203,11 @@ before they are seen by an administrator. > <br /><br /> > However, it is recommended that logs be stored on the local > host in addition to being sent to the loghost, especially if > -<tt>rsyslog</tt> has been configured to use the UDP protocol to send > +rsyslog has been configured to use the UDP protocol to send > messages over a network. UDP does not guarantee reliable delivery, > and moderately busy sites will lose log messages occasionally, > especially in periods of high traffic which may be the result of an > -attack. In addition, remote <tt>rsyslog</tt> messages are not > +attack. In addition, remote rsyslog messages are not > authenticated in any way by default, so it is easy for an attacker to > introduce spurious messages to the central log server. Also, some > problems cause loss of network connectivity, which will prevent the > @@ -227,10 +226,9 @@ Along with these other directives, the system can be > configured > to forward its logs to a particular log server by > adding or correcting one of the following lines, > substituting <tt><i>loghost.example.com</i></tt> appropriately. > -The choice > -of protocol depends on the environment of the system; although TCP and RELP > -provide more reliable message delivery, they may not be supported in all > -environments. > +The choice of protocol depends on the environment of the system; > +although TCP and RELP provide more reliable message delivery, > +they may not be supported in all environments. > <br/> > To use UDP for log message delivery: > <pre>*.* @<i>loghost.example.com</i></pre> 
> @@ -264,9 +262,9 @@ place to view the status of multiple hosts within the > enterprise. > </Group> > > <Group id="rsyslog_accepting_remote_messages"> > -<title>Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a > Log Server</title> > +<title>Configure rsyslogd to Accept Remote Messages If Acting as a Log > Server</title> > <description> > -By default, RHEL6's <tt>rsyslog</tt> does not listen over the network > +By default, RHEL6's rsyslog does not listen over the network > for log messages. If needed, modules can be enabled to allow > the rsyslog daemon to receive messages from other systems and for the system > thus to act as a log server. > @@ -277,8 +275,7 @@ should remain commented out. > > <Rule id="rsyslog_accept_remote_messages_none"> > <title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log > Server</title> > -<description>The <tt>rsyslog</tt> daemon should not accept remote messages > -unless the system acts as a log server. > +<description>The rsyslog daemon should not accept remote messages unless the > system acts as a log server. > To ensure that it is not listening on the network, ensure the following > lines are > <i>not</i> found in <tt>/etc/rsyslog.conf</tt>: > <pre>$ModLoad imtcp.so > diff --git a/RHEL6/input/system/network/ipv6.xml > b/RHEL6/input/system/network/ipv6.xml > index cc6fd2f..fa18c96 100644 > --- a/RHEL6/input/system/network/ipv6.xml > +++ b/RHEL6/input/system/network/ipv6.xml 
> @@ -39,9 +39,7 @@ and the deprecated <tt>/etc/modprobe.conf</tt>: > <pre xml:space="preserve">$ grep -r ipv6 /etc/modprobe.conf > /etc/modprobe.d</pre> > </ocil> > <rationale> > -Any networking stack, including IPv6, that does not need to be active should > be > -disabled in order to reduce the system's vulnerability > -to exploitation of any implementation flaws. > +Any unnecessary network stacks - including IPv6 - should be disabled, to > reduce the vulnerability to exploitation. > </rationale> > <ident cce="CCE-3562-6" /> > <oval id="kernel_module_ipv6_option_disabled" /> > @@ -53,7 +51,7 @@ to exploitation of any implementation flaws. > <description>To prevent configuration of IPv6 for all interfaces, add or > correct the following lines in <tt>/etc/sysconfig/network</tt>: > <pre>NETWORKING_IPV6=no > IPV6INIT=no</pre> > -For each network interface IFACE , add or correct the following lines in > <tt>/etc/sysconfig/network-scripts/</tt> ifcfg-IFACE as an additional > prevention mechanism: > +For each network interface <i>IFACE</i> , add or correct the following lines > in <tt>/etc/sysconfig/network-scripts/</tt> ifcfg-<i>IFACE</i> as an > additional prevention mechanism: > <pre>IPV6INIT=no</pre> > </description> > <ref nist="CM-6, CM-7" /> > @@ -136,6 +134,9 @@ advertisements should be: <tt><sub > idref="sysctl_net_ipv6_conf_default_accept_ra > To ensure IPv6 redirects are disabled, run the following command: > <pre># grep ipv6 /etc/sysctl.conf</pre> > </ocil> > +<rationale> > +An illicit ICMP redirect message could result in a man-in-the-middle attack. > +</rationale> > <ident cce="CCE-4313-3" /> > <oval id="sysctl_net_ipv6_conf_default_accept_redirects" > value="sysctl_net_ipv6_conf_default_accept_redirects_value" /> > <ref nist="CM-6, CM-7" /> 
> @@ -165,7 +166,7 @@ Automatically-generated IPv6 addresses are based on the > underlying hardware (e.g > > <Rule id="network_ipv6_default_gateway"> > <title>Manually Assign IPv6 Router Address</title> > -<description>Edit the file > <tt>/etc/sysconfig/network-scripts/ifcfg-IFACE</tt>, and add or correct the > following line (substituting your gateway IP as appropriate): > +<description>Edit the file > <tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt>, and add or > correct the following line (substituting your gateway IP as appropriate): > <pre>IPV6_DEFAULTGW=2001:0DB8::0001</pre> > Router addresses should be manually set and not accepted via any > autoconfiguration or router advertisement.</description> > <!--<ident cce="CCE-3842-2" />--> > diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml > index b2c660d..286f324 100644 > --- a/RHEL6/input/system/selinux.xml > +++ b/RHEL6/input/system/selinux.xml > @@ -95,9 +95,9 @@ in the kernel boot arguments. Presences of > <tt>selinux=0</tt> indicates > that SELinux is disabled at boot time. > </ocil> > <rationale> > -Disabling a major host protection feature such as SELinux at boot time > prevents > -it from confining system services at boot time, and increases > -the chances that it remain off during system operation. > +Disabling a major host protection feature, such as SELinux, at boot time > prevents > +it from confining system services at boot time. Further, it increases > +the chances that it will remain off during system operation. > </rationale> > <ident cce="3977-6" /> > <oval id="selinux_bootloader_notdisabled" /> > diff --git a/RHEL6/input/system/software/updating.xml > b/RHEL6/input/system/software/updating.xml > index 0ec2f32..ca9c2a3 100644 > --- a/RHEL6/input/system/software/updating.xml > +++ b/RHEL6/input/system/software/updating.xml 
> @@ -23,12 +23,11 @@ for this reason, their use is strongly encouraged. > <description> > To ensure that the system can cryptographically verify base software > packages come from Red Hat (and to connect to the Red Hat Network to > -receive them if desired), the Red Hat GPG key must properly be installed. > -Run the following command to install the Red Hat GPG key, of which Red Hat > -uses to sign. To ensure that the GPG Key is isntalled, run: > +receive them if desired), the Red Hat GPG key must properly be installed. > +To ensure that the GPG key is installed, run: > <pre># rhn_register</pre> > </description> > -<ocil clause="the Red Hat GPG Key isn't installed">To ensure that the GPG > Key is isntalled, run: > +<ocil clause="the Red Hat GPG Key isn't installed">To ensure that the GPG > key is isntalled, run: > <pre>$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre> > The command should return the string: > <pre>gpg(Red Hat, Inc. (release key <[email protected]>)</pre>
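
Review bot: the commit message carries only a Signed-off-by line, while the diffstat covers 8 files and mixes a functional fix (logging.xml, where <package-install-macro service="rsyslog" /> becomes package="rsyslog") with new <ocil> checks and wording-only edits such as dropping <tt> around rsyslog. Add a summary line and a body that names the macro attribute fix and the rules that gain checks, and consider splitting the copy edits into their own patch so the functional changes can be reviewed and reverted separately.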
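
Review bot: both <ocil> blocks added in banners.xml send the auditor to /etc/gconf/schemas/gdm-simple-greeter.schemas, but the description in the second hunk says the command writes to /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml, so the check reads a different file from the one the remediation modifies and can report a finding on a system configured as described. Point the check at the file the command writes (or at a query of the effective value), and replace "the proper banner text" with the expected text or a reference to where it is defined, since the auditor has nothing to compare against.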
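
Review bot: in the password_retry hunk of pam.xml, the added <ocil> sentence "The system must disable after three consecutive and unsuccessful login attempts." describes account lockout and never says what is disabled, whereas the description in the same hunk says retry= controls how many times a program re-prompts within a session. Reword the check to say that the grep output must show retry=3 on the pam_cracklib line, and fix the comma splice in the added description sentence "Locate the <tt>retry=</tt> parameter, the DoD required value is 3."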
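
Review bot: the reworded checks for dcredit, ucredit, ocredit, lcredit and difok in pam.xml state the DoD requirement in words but never give the value the grep output must show, even though each clause is "it is not the required value". The context lines note that a positive credit value grants length credit rather than requiring the character class, so an auditor who sees dcredit=1 could wrongly pass the system. State the expected setting in each check, for example dcredit=-1 for "at least one digit" and difok=4 for four differing characters.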
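
Review bot: the <ocil> added to the SHA-512 rule in pam.xml restates the description instead of giving the auditor commands, unlike the neighbouring checks that grep /etc/pam.d/system-auth. Give the commands and expected output, for example "$ grep ENCRYPT_METHOD /etc/login.defs" and "$ grep sha512 /etc/pam.d/system-auth", and change the clause to "either of these is not the case".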
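
Review bot: the <ocil> added to install_vlock_package in physical.xml tells the auditor to invoke vlock, which locks the console they are working on when the package is installed, and a "command not found" error can also mean the binary is simply not on the PATH. Use the read-only package query that the rsyslog rule in logging.xml already uses, <package-check-macro package="vlock" />, so the check tests the package database and has no side effect.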
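
Review bot: ipv6.xml now marks up the per-interface file name two different ways. The hunk at -53,7 leaves "<tt>/etc/sysconfig/network-scripts/</tt> ifcfg-<i>IFACE</i>" with the file name outside the <tt> and keeps the stray space before the comma after <i>IFACE</i>, while the hunk at -165,7 uses "<tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt>". Use the second form in both places so the path renders as one token.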
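
Review bot: in updating.xml the description now introduces "# rhn_register" with "To ensure that the GPG key is installed, run:", which reads as a verification step, while the removed line introduced it as the command that installs the key; the install instruction is lost. Keep an install lead-in in the description and leave verification to the <ocil>. The added <ocil> line also still contains the typo "isntalled", and its clause attribute keeps "GPG Key" while the text was changed to "GPG key".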
