1.2.1.1 Ensure the source.list and .source files use the Signed-By option

Information

sources.list - List of configured APT data sources

The source list /etc/apt/sources.list and the files contained in /etc/apt/sources.list.d/ are designed to support any number of active sources and a variety of source media.

Signed-By (signed-by) is an option to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has configured. It is specified as a list of absolute paths to keyring files (which have to be accessible and readable by the _apt system user, so ensure everyone has read permissions on the file) and fingerprints of keys to select from these keyrings. The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator. If no keyring files are specified, the default is the trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory. If no fingerprint is specified, all keys in the keyrings are selected. A fingerprint will also accept all signatures by a subkey of this key; if this isn't desired, an exclamation mark (!) can be appended to the fingerprint to disable this behaviour. The option defaults to the value of the option with the same name if set in the previously acquired Release file of this repository (only fingerprints can be specified there, though). Otherwise, all keys in the trusted keyrings are considered valid signers for this repository. The option may also be set directly to an embedded GPG public key block.

Verifying that updates originate from a trusted and authenticated source helps mitigate the risk of spoofing attacks, which could otherwise lead to the inadvertent installation of malicious or compromised software.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update the file sources.list and any .sources files found in the /etc/apt/sources.list.d/ directory in accordance with site policy.

Note:

- The suggested filename for new systems is /etc/apt/sources.list.d/vendor.sources, where vendor is the result of dpkg-vendor --query Vendor | tr A-Z a-z, in deb822-style format. For example, Ubuntu uses /etc/apt/sources.list.d/ubuntu.sources.
- It is important to list sources in order of preference, with the most preferred source listed first. Typically, this will result in sorting by speed from fastest to slowest (CD-ROM followed by hosts on a local network, followed by distant Internet hosts, for example).
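As an added example (not part of the CIS benchmark or the Nessus audit), the shell functions below audit both one-line deb/deb-src entries and deb822-style .sources stanzas for a missing Signed-By, reporting each offending entry and returning non-zero when any is found; the sources.list path and the sources.list.d directory are parameters so the check can be run against constructed test files as well as the real /etc/apt locations.

```shell
#!/bin/sh
# Added example: report apt sources that do not restrict signing keys with Signed-By.

# One-line format: "deb [opt=val ...] uri suite components".
# Flags deb/deb-src lines that carry no "signed-by=" option in the bracket block.
check_oneline() {   # $1 = path of a .list file
    awk -v f="$1" '
        /^[ \t]*deb(-src)?[ \t]/ {
            if (tolower($0) !~ /\[[^]]*signed-by=[^]]*\]/) {
                print f ":" NR ": missing signed-by: " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# deb822 format: stanzas separated by blank lines, one "Field: value" per line.
# Flags stanzas that declare Types:/URIs: but carry no Signed-By: field.
check_deb822() {    # $1 = path of a .sources file
    awk -v f="$1" '
        function flush() {
            if (seen && !signed) { print f ":" start ": stanza missing Signed-By"; bad = 1 }
            seen = 0; signed = 0
        }
        /^[ \t]*$/ { flush(); next }
        /^#/ { next }
        !seen { start = NR }
        tolower($1) == "types:" || tolower($1) == "uris:" { seen = 1 }
        tolower($1) == "signed-by:" { signed = 1 }
        END { flush(); exit bad ? 1 : 0 }' "$1"
}

# Walk every location apt reads: sources.list plus *.list and *.sources in sources.list.d.
# Returns 0 only when every entry names a Signed-By keyring.
audit_apt_sources() {   # $1 = sources.list path, $2 = sources.list.d directory
    rc=0
    [ -f "$1" ] && { check_oneline "$1" || rc=1; }
    for f in "$2"/*.list;    do [ -f "$f" ] && { check_oneline "$f" || rc=1; }; done
    for f in "$2"/*.sources; do [ -f "$f" ] && { check_deb822 "$f" || rc=1; }; done
    return $rc
}
```

Run it as audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d on a live system; an empty report with exit status 0 means every entry is pinned to a keyring.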

Impact:

apt-key list is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). With the deprecation of apt-key it is recommended to use the Signed-By option in sources.list to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has configured.

See Also

https://workbench.cisecurity.org/benchmarks/24932

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 15d50e9cb837035bbe7d5fab67e70a479a81b9c99887d13dba3806b81651851b