From aa233ecef0bca8d4e7a47a2e8246df3c9a2d5a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 5 Mar 2026 09:29:30 +0100
Subject: [PATCH 1/3] Add ensure_redhat_gpgkey_installed to RHEL 9 CIS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have discovered that after hardening a RHEL 9 system with CIS profile people can't install any RPM packages using dnf. Originally, we thought that the problem was caused by the recent PR https://github.com/ComplianceAsCode/content/pull/14316 but it isn't caused by that because the problem is reproducible also with the latest released version 0.1.79.

The actual reason is that the profile requires GPG checks everywhere but the GPG key isn't installed because the CIS profile doesn't contain rule `ensure_redhat_gpgkey_installed` that would install the GPG key. The rule is listed in the CIS RHEL9 control file but the requirement is manual. This is a bad user experience. In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. But, add the rule `ensure_redhat_gpgkey_installed` to the profile because the requirement 1.2.1.2 adds `ensure_gpgcheck_never_disabled` which requires GPG key checking. If the Red Hat GPG key wouldn't be installed, people won't be able to install any RPM package using dnf. Therefore, we will add the rule `ensure_redhat_gpgkey_installed` to RHEL 9 CIS.
---
 products/rhel9/controls/cis_rhel9.yml | 9 +++++++--
 tests/data/profile_stability/rhel9/cis.profile | 1 +
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 +
 .../profile_stability/rhel9/cis_workstation_l1.profile | 1 +
 .../profile_stability/rhel9/cis_workstation_l2.profile | 1 +
 5 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index afc2df9a3be7..d96d8ad21fed 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -361,9 +361,14 @@ controls:
       levels:
       - l1_server
       - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
       - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is globally activated (Automated)
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 6a5d215dcd14..a2f7813238af 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index 3592f0f99e85..fb24601f97fe 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -65,6 +65,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index d6f2aaf4a60b..799da33423e1 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
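Review bot: The new `notes` block in cis_rhel9.yml cites third-party repository keys as the reason the benchmark keeps 1.2.1.1 manual, but gives no guidance for them, so a host with EPEL or vendor repositories still fails `dnf install` from those repositories after remediation, and the obvious workaround (`gpgcheck=0` in the repo file) is exactly what the `ensure_gpgcheck_never_disabled` rule the note itself mentions will then flag. I would extend the note with: `Keys for third-party repositories are not imported by this rule; import them, after verifying their fingerprints against the vendor's published values, before applying the profile rather than disabling gpgcheck per repository.` Since importing a signing key is a trust-anchor change made by an automated remediation, the note should also say where the key comes from — presumably the file shipped by redhat-release under /etc/pki/rpm-gpg rather than a network fetch — but the rule body is not in this patch, so confirm before wording it. `status: partial` is the right marking for the gap that remains.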
@@ -63,6 +63,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index ec0bfe8d2be8..4e0da9c5fe6a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

From be0be6bf776626716f44a8742084be152c9f6647 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 5 Mar 2026 11:38:48 +0100
Subject: [PATCH 2/3] Add ensure_redhat_gpgkey_installed to RHEL 8 and 10 CIS

Add rule ensure_redhat_gpgkey_installed to RHEL 8 CIS and RHEL 10 CIS profiles. Similar to previous commit
---
 products/rhel10/controls/cis_rhel10.yml | 9 +++++++--
 products/rhel8/controls/cis_rhel8.yml | 9 +++++++--
 tests/data/profile_stability/rhel10/cis.profile | 1 +
 .../data/profile_stability/rhel10/cis_server_l1.profile | 1 +
 .../profile_stability/rhel10/cis_workstation_l1.profile | 1 +
 .../profile_stability/rhel10/cis_workstation_l2.profile | 1 +
 tests/data/profile_stability/rhel8/cis.profile | 1 +
 tests/data/profile_stability/rhel8/cis_server_l1.profile | 1 +
 .../profile_stability/rhel8/cis_workstation_l1.profile | 1 +
 .../profile_stability/rhel8/cis_workstation_l2.profile | 1 +
 10 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 5873a002486d..9ab136c4be7a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -366,9 +366,14 @@ controls:
       levels:
       - l1_server
       - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
       - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index 9b8c5aa06bb2..69773b6030d3 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -379,9 +379,14 @@ controls:
       levels:
       - l1_server
       - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
       - ensure_redhat_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 2854ceaf8c8c..d59c4fb53bde 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
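Review bot: The `notes` text copied into cis_rhel10.yml says requirement 1.2.1.2 adds `ensure_gpgcheck_never_disabled`, but the RHEL 10 profile stability data in this same patch lists `ensure_gpgcheck_globally_activated` immediately followed by `ensure_journald_and_rsyslog_not_active_together`, so in that alphabetical list `ensure_gpgcheck_never_disabled` does not appear to be selected in the RHEL 10 CIS profile at all. The justification should name the rule that actually enforces signature checking on RHEL 10 — presumably `ensure_gpgcheck_globally_activated`, which is what the Fedora commit in this series cites — e.g. `adds ensure_gpgcheck_globally_activated which requires GPG key checking.`; confirm against the 1.2.1.2 entry, whose rule list lies below this hunk and is not visible here. The identical sentence in the cis_rhel8.yml hunk is consistent with the RHEL 8 profile data, which does list `ensure_gpgcheck_never_disabled`, so only the RHEL 10 note needs the change.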
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index e7202ee09736..4eb3eeccf11e 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -74,6 +74,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 422c2734e667..ee18ebf6b8ed 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -72,6 +72,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 4305d8353fef..44b0fc37e7ec 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index d57ea698141e..bd44b63338dc 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index 7dbac7629c95..02e03741db9a 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -72,6 +72,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index 3850f302bb71..2576b980b21d 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -70,6 +70,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index 45cd14d4e218..165fa1148947 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist

From 4bd86ef417951b9325d44e032cd4f182e27c3cf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 5 Mar 2026 11:42:41 +0100
Subject: [PATCH 3/3] Add ensure_fedora_gpgkey_installed to Fedora CIS

---
 controls/cis_fedora.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
index 8821c83a893d..b22ccfbd7f1c 100644
--- a/controls/cis_fedora.yml
+++ b/controls/cis_fedora.yml
@@ -369,9 +369,14 @@ controls:
       levels:
       - l1_server
       - l1_workstation
-      status: manual
-      related_rules:
+      status: partial
+      rules:
       - ensure_fedora_gpgkey_installed
+      notes: >
+        In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+        But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2
+        adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora
+        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 
     - id: 1.2.1.2
       title: Ensure gpgcheck is configured (Automated)
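Review bot: This third commit changes only controls/cis_fedora.yml (diffstat: 1 file changed), whereas the RHEL 8/9/10 commits each also add the new rule to the tests/data/profile_stability fixtures for every affected profile. If a Fedora CIS profile-stability fixture exists, it needs `ensure_fedora_gpgkey_installed` added the same way, or the stability test will report the newly selected rule as a regression; if no such fixture exists, a sentence in the commit message saying so would save the next reviewer the same question. The note text here otherwise mirrors the RHEL ones and correctly cites `ensure_gpgcheck_globally_activated` as the rule that makes the key necessary.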