openstack-ansible-security/doc/metadata/rhel6/V-38462.rst
Major Hayden 3c19f00a7f [Docs] Metadata cleanup
This patch adds the right tags to each piece of metadata and corrects
small errors found in the deployer notes.

Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
2016-09-12 14:27:49 -05:00


---
id: V-38462
status: implemented
tag: package
---

All versions of Ubuntu and CentOS supported by the role verify packages against GPG signatures by default.

Deployers can disable GPG verification for all packages in Ubuntu by setting the AllowUnauthenticated configuration option in a file within /etc/apt/apt.conf.d/. The Ansible tasks will search for this configuration option and will stop the playbook execution if the option is set. Note that users can pass an argument on the apt command line to bypass the checks as well, but that's outside the scope of this check and remediation.

In CentOS, deployers can set gpgcheck=0 within individual yum repository files in /etc/yum.repos.d/ to disable GPG signature checking. The Ansible tasks will check for this configuration option in those files and will stop the playbook execution if it is found.

Deployers can use --skip-tags V-38462 to omit these tasks when applying the security role on systems where GPG verification must be disabled.
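A standalone sketch of the two checks described above, added here as an example and not the role's own Ansible tasks. The function names, the boolean spellings it accepts, and the sample file contents are assumptions constructed for illustration.

```python
import configparser
import re
from pathlib import Path

# Boolean spellings this sketch recognises (an assumption, not taken from the role).
TRUE_VALUES = {"1", "true", "yes", "on", "enable", "with"}
FALSE_VALUES = {"0", "false", "no", "off", "disable", "without"}
# Quoted strings are matched first so "http://..." is not mistaken for a // comment.
APT_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|^[ \t]*#[^\n]*', re.S | re.M)
APT_OPTION = re.compile(r'AllowUnauthenticated\s+"?(\w+)"?\s*;', re.I)

# Constructed sample inputs, not copied from any real system.
SAMPLE_APT = '''// APT::Get::AllowUnauthenticated "true";
Acquire::http::Proxy "http://proxy.example:3128/";
APT::Get::AllowUnauthenticated "true";
'''
SAMPLE_REPO = "[base]\ngpgcheck=1\n\n[local-mirror]\nGPGCheck = 0\n"


def apt_findings(text):
    """Return the value of every uncommented AllowUnauthenticated that is enabled."""
    # Drop comments but keep quoted strings, so only active settings remain.
    active = APT_SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    return [v for v in APT_OPTION.findall(active) if v.lower() in TRUE_VALUES]


def yum_findings(text):
    """Return the id of every repository section whose gpgcheck is disabled."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["<unparsable>"]  # fail closed: an unreadable repo file is a finding
    return [s for s in parser.sections()
            if parser.get(s, "gpgcheck", fallback="1").strip().lower() in FALSE_VALUES]


def scan(apt_dir="/etc/apt/apt.conf.d", yum_dir="/etc/yum.repos.d"):
    """Return (path, detail) findings; a directory that does not exist is skipped."""
    jobs = [(Path(apt_dir).glob("*"), apt_findings),
            (Path(yum_dir).glob("*.repo"), yum_findings)]
    return [(str(p), d) for paths, check in jobs for p in sorted(paths)
            if p.is_file() for d in check(p.read_text(errors="replace"))]


if __name__ == "__main__":
    print("apt sample:", apt_findings(SAMPLE_APT))
    print("yum sample:", yum_findings(SAMPLE_REPO))
    print("this host:", scan())
```

Like the check described above, this inspects configuration files only; an override passed on the apt command line is not visible to it.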