From b0344663b370ff674900e83995cd9aadc67cb23f Mon Sep 17 00:00:00 2001 
From: Israel Villar Boillos Date: Fri, 5 Jun 2026 21:14:30 +0100 Subject: [PATCH 1/2] Add APT repository security rules (CIS 1.3.x) Add 23 new rules covering ownership, group ownership, and permissions for APT configuration directories and files: Directories (owner root, group root, mode 0755): - directory_owner/groupowner/permissions_apt_sources_list_d - directory_owner/groupowner/permissions_apt_auth_conf_d - directory_owner/groupowner/permissions_apt_trusted_gpg_d - directory_owner/groupowner/permissions_usr_share_keyrings Files (owner root, group root, mode 0644): - file_owner/groupowner/permissions_apt_sources_list_d - file_owner/groupowner/permissions_apt_auth_conf_d - file_owner/groupowner/permissions_apt_gpg_keys (for /usr/share/keyrings/) Additional: - apt_disable_weak_dependencies: ensure APT::Install-Recommends and APT::Install-Suggests are set to "0" in apt.conf.d/ All ownership and permission rules use the file_owner, file_groupowner, file_permissions, directory_owner, directory_groupowner, and directory_permissions templates. Map all new rules to the apt component. 
Co-Authored-By: Claude Sonnet 4.6 --- components/apt.yml | 22 ++++++++++ .../bash/shared.sh | 7 ++++ .../oval/shared.xml | 40 +++++++++++++++++++ .../apt_disable_weak_dependencies/rule.yml | 27 +++++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../directory_owner_apt_auth_conf_d/rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../rule.yml | 24 +++++++++++ .../file_groupowner_apt_auth_conf_d/rule.yml | 25 ++++++++++++ .../apt/file_groupowner_apt_gpg_keys/rule.yml | 29 ++++++++++++++ .../rule.yml | 25 ++++++++++++ .../apt/file_owner_apt_auth_conf_d/rule.yml | 25 ++++++++++++ .../apt/file_owner_apt_gpg_keys/rule.yml | 29 ++++++++++++++ .../file_owner_apt_sources_list_d/rule.yml | 25 ++++++++++++ .../file_permissions_apt_auth_conf_d/rule.yml | 25 ++++++++++++ .../file_permissions_apt_gpg_keys/rule.yml | 29 ++++++++++++++ .../rule.yml | 25 ++++++++++++ 25 files changed, 621 insertions(+) create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml create mode 100644 linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml create mode 100644 linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml create mode 100644 
linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml create mode 100644 linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml create mode 100644 linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml create mode 100644 linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml create mode 100644 linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml create mode 100644 linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml create mode 100644 linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml create mode 100644 linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml create mode 100644 linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml create mode 100644 linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml diff --git a/components/apt.yml b/components/apt.yml index cb1cbd476842..8148a2d7df81 100644 --- a/components/apt.yml +++ b/components/apt.yml 
@@ -5,4 +5,26 @@ packages: - apt rules: - apt_conf_disallow_unauthenticated +- apt_disable_weak_dependencies - apt_sources_list_official +- directory_groupowner_apt_auth_conf_d +- directory_groupowner_apt_sources_list_d +- directory_groupowner_apt_trusted_gpg_d +- directory_groupowner_usr_share_keyrings +- directory_owner_apt_auth_conf_d +- directory_owner_apt_sources_list_d +- directory_owner_apt_trusted_gpg_d +- directory_owner_usr_share_keyrings +- directory_permissions_apt_auth_conf_d +- directory_permissions_apt_sources_list_d +- directory_permissions_apt_trusted_gpg_d +- directory_permissions_usr_share_keyrings +- file_groupowner_apt_auth_conf_d +- file_groupowner_apt_gpg_keys +- file_groupowner_apt_sources_list_d +- file_owner_apt_auth_conf_d +- file_owner_apt_gpg_keys +- file_owner_apt_sources_list_d +- file_permissions_apt_auth_conf_d +- file_permissions_apt_gpg_keys +- file_permissions_apt_sources_list_d diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh new file mode 100644 index 000000000000..fcbbdc590eed --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_debian + +mkdir -p /etc/apt/apt.conf.d +cat > /etc/apt/apt.conf.d/60-no-weak-dependencies <<'EOF' +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; +EOF diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml b/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml new file mode 100644 index 000000000000..158bdeb8d6e2 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml 
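Review bot: The remediation writes `60-no-weak-dependencies` but never removes an existing `APT::Install-Recommends "1";` elsewhere, and APT applies apt.conf.d drop-ins in lexical order with later files overriding earlier ones, so a `99-*` file or `/etc/apt/apt.conf` keeps weak dependencies enabled after the fix runs; the OVAL check in this series appears to require every matched line to read `"0"`, so such a host stays non-compliant even though the remediation reported success. The test scenarios in PATCH 2/2 already strip conflicting lines first, and the remediation should do the same before writing the drop-in: `find /etc/apt/apt.conf.d/ -type f -exec sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' {} \;` plus the same `sed` on `/etc/apt/apt.conf` when that file exists. Note also that `# platform = multi_platform_debian` generates no remediation for Ubuntu although the rule is mapped to the shared apt component; if that is unintended, extend the header with `multi_platform_ubuntu`.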
@@ -0,0 +1,40 @@ + + + {{{ oval_metadata("APT weak dependencies should be disabled.", rule_title=rule_title) }}} + + + + + + + + + + + + + + + + + + + /etc/apt/apt.conf(\.d/.*)?$ + ^[\s]*(?i)APT::Install-Recommends(?-i)[\s]+(.*)$ + 1 + + + + /etc/apt/apt.conf(\.d/.*)?$ + ^[\s]*(?i)APT::Install-Suggests(?-i)[\s]+(.*)$ + 1 + + + + ^"0";[\s]*$ + + diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml b/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml new file mode 100644 index 000000000000..5e0287ec9f65 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +title: 'Disable APT Weak Dependencies' + +description: |- + APT should be configured to avoid installing packages listed only as + Recommends or Suggests dependencies. + +rationale: |- + Unless a system specifically requires the additional capabilities provided by + weak dependencies, those packages should not be installed in order to reduce + the potential attack surface. + +severity: medium + +ocil_clause: 'APT weak dependency options are not disabled' + +ocil: |- + Run the following command: +
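Review bot: The filepath pattern `/etc/apt/apt.conf(\.d/.*)?$` scans files APT itself never loads: if memory of apt.conf(5) serves, only drop-ins with no extension or a `.conf` extension and names made of alphanumerics, `-`, `_` and `.` are read, everything else is ignored (silently for `~`, `.bak`, `.disabled`, `.dpkg-*` and similar suffixes), and the directory is not recursed; so a stale `60-no-weak-dependencies.dpkg-old` carrying `"1"` fails this check while the live configuration is compliant, and the unanchored regex would also match any path that merely contains that string. Aligning the object with what APT reads is a one-line change: `^/etc/apt/apt\.conf(\.d/([A-Za-z0-9_-]+|[A-Za-z0-9_.-]+\.conf))?$`. Separately, the state `^"0";[\s]*$` rejects spellings APT's boolean parser accepts (as far as I recall `"false"`, `"no"`, `"off"`, case-insensitively), so a manually hardened host gets a false fail; something like `^"(?i)(0|false|no|off)(?-i)";[\s]*$` would cover them. The check_existence and check attributes of this hunk are collapsed in this view, so I could not confirm that a missing entry is reported as fail rather than error; please double-check that against the `missing_config.fail` scenario.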
$ apt-config dump | grep "APT::Install-"
+ The output should include: +
APT::Install-Recommends "0";
+    APT::Install-Suggests "0";
+ +fixtext: |- + Create an APT configuration file that disables weak dependencies: +
# printf '%s\n%s\n' 'APT::Install-Recommends "0";' 'APT::Install-Suggests "0";' > /etc/apt/apt.conf.d/60-no-weak-dependencies
diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..9a22110abd85 --- /dev/null +++ b/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Group Owner on /etc/apt/auth.conf.d Directory' + +description: '{{{ describe_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}}' + +rationale: |- + The /etc/apt/auth.conf.d directory should be group-owned by root to prevent + unauthorized changes to APT authentication configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}}' + +ocil: |- + {{{ ocil_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}} + +fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/auth.conf.d", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /etc/apt/auth.conf.d/ + gid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..1fdacf66293d --- /dev/null +++ b/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml 
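Review bot: The rule is meant to check the directory inode, yet it uses the `file_groupowner` template with a trailing-slash `filepath` and no `file_regex`, whereas the commit message says the directory rules use `directory_groupowner`; the same pattern repeats in the other eleven `directory_*` rules of this series. If memory serves the file_* templates do treat a trailing-slash path without `file_regex` as the directory itself, but if they instead enumerate its contents these rules would check the files and leave the directory unchecked, so please confirm against the template's OVAL or switch to the template the commit message names. A short comment in the template block, `# trailing slash, no file_regex: the template checks the directory inode itself, not its contents`, would spare the next reader the same question.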
@@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Group Owner on /etc/apt/sources.list.d Directory' + +description: '{{{ describe_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}}' + +rationale: |- + The /etc/apt/sources.list.d directory should be group-owned by root to + prevent unauthorized changes to APT repository configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}}' + +ocil: |- + {{{ ocil_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}} + +fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/sources.list.d", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /etc/apt/sources.list.d/ + gid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml new file mode 100644 index 000000000000..a2d798e3c0a0 --- /dev/null +++ b/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Group Owner on /etc/apt/trusted.gpg.d Directory' + +description: '{{{ describe_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}}' + +rationale: |- + The /etc/apt/trusted.gpg.d directory should be group-owned by root to prevent + unauthorized changes to APT trusted keys. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}}' + +ocil: |- + {{{ ocil_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}} + +fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/trusted.gpg.d", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /etc/apt/trusted.gpg.d/ + gid_or_name: '0' 
diff --git a/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml new file mode 100644 index 000000000000..af0af4b0bafa --- /dev/null +++ b/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Group Owner on /usr/share/keyrings Directory' + +description: '{{{ describe_directory_group_owner(directory="/usr/share/keyrings", group="root") }}}' + +rationale: |- + The /usr/share/keyrings directory should be group-owned by root to prevent + unauthorized changes to package repository keys. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/usr/share/keyrings", group="root") }}}' + +ocil: |- + {{{ ocil_directory_group_owner(directory="/usr/share/keyrings", group="root") }}} + +fixtext: '{{{ fixtext_directory_group_owner(file="/usr/share/keyrings", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /usr/share/keyrings/ + gid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..5bcdd7b2ca30 --- /dev/null +++ b/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml 
@@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Owner on /etc/apt/auth.conf.d Directory' + +description: '{{{ describe_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}}' + +rationale: |- + The /etc/apt/auth.conf.d directory should be owned by root to prevent + unauthorized changes to APT authentication configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}}' + +ocil: |- + {{{ ocil_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}} + +fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/auth.conf.d", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /etc/apt/auth.conf.d/ + uid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..9054c089900b --- /dev/null +++ b/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Owner on /etc/apt/sources.list.d Directory' + +description: '{{{ describe_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}}' + +rationale: |- + The /etc/apt/sources.list.d directory should be owned by root to prevent + unauthorized changes to APT repository configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}}' + +ocil: |- + {{{ ocil_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}} + +fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/sources.list.d", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /etc/apt/sources.list.d/ + uid_or_name: '0' 
diff --git a/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml new file mode 100644 index 000000000000..8e0214d54055 --- /dev/null +++ b/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Owner on /etc/apt/trusted.gpg.d Directory' + +description: '{{{ describe_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}}' + +rationale: |- + The /etc/apt/trusted.gpg.d directory should be owned by root to prevent + unauthorized changes to APT trusted keys. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}}' + +ocil: |- + {{{ ocil_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}} + +fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/trusted.gpg.d", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /etc/apt/trusted.gpg.d/ + uid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml new file mode 100644 index 000000000000..f82849fb4fdd --- /dev/null +++ b/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml 
@@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Owner on /usr/share/keyrings Directory' + +description: '{{{ describe_directory_owner(directory="/usr/share/keyrings", owner="root") }}}' + +rationale: |- + The /usr/share/keyrings directory should be owned by root to prevent + unauthorized changes to package repository keys. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_owner(directory="/usr/share/keyrings", owner="root") }}}' + +ocil: |- + {{{ ocil_directory_owner(directory="/usr/share/keyrings", owner="root") }}} + +fixtext: '{{{ fixtext_directory_owner(file="/usr/share/keyrings", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /usr/share/keyrings/ + uid_or_name: '0' diff --git a/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..e85e1f2b28e2 --- /dev/null +++ b/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Permissions on /etc/apt/auth.conf.d Directory' + +description: '{{{ describe_directory_permissions(directory="/etc/apt/auth.conf.d", perms="0755") }}}' + +rationale: |- + The /etc/apt/auth.conf.d directory contains configuration that may include + repository credentials. Its permissions should prevent unauthorized changes. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/auth.conf.d", perms="drwxr-xr-x") }}}' + +ocil: |- + {{{ ocil_directory_permissions(directory="/etc/apt/auth.conf.d", perms="drwxr-xr-x") }}} + +fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/auth.conf.d", mode="0755") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/auth.conf.d/ + filemode: '0755' 
diff --git a/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..fcc107e5d7d8 --- /dev/null +++ b/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Permissions on /etc/apt/sources.list.d Directory' + +description: '{{{ describe_directory_permissions(directory="/etc/apt/sources.list.d", perms="0755") }}}' + +rationale: |- + A non-root user should not be able to add or remove APT repository + configuration from /etc/apt/sources.list.d. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/sources.list.d", perms="drwxr-xr-x") }}}' + +ocil: |- + {{{ ocil_directory_permissions(directory="/etc/apt/sources.list.d", perms="drwxr-xr-x") }}} + +fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/sources.list.d", mode="0755") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/sources.list.d/ + filemode: '0755' diff --git a/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml new file mode 100644 index 000000000000..592d5898f04f --- /dev/null +++ b/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml 
@@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Permissions on /etc/apt/trusted.gpg.d Directory' + +description: '{{{ describe_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="0755") }}}' + +rationale: |- + A non-privileged user with write access to /etc/apt/trusted.gpg.d can + compromise the APT chain of trust by adding trusted keys. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="drwxr-xr-x") }}}' + +ocil: |- + {{{ ocil_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="drwxr-xr-x") }}} + +fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/trusted.gpg.d", mode="0755") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/trusted.gpg.d/ + filemode: '0755' diff --git a/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml new file mode 100644 index 000000000000..6aee15082740 --- /dev/null +++ b/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Verify Permissions on /usr/share/keyrings Directory' + +description: '{{{ describe_directory_permissions(directory="/usr/share/keyrings", perms="0755") }}}' + +rationale: |- + A non-root user should not be able to add or remove package repository keys + from /usr/share/keyrings. + +severity: medium + +ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/usr/share/keyrings", perms="drwxr-xr-x") }}}' + +ocil: |- + {{{ ocil_directory_permissions(directory="/usr/share/keyrings", perms="drwxr-xr-x") }}} + +fixtext: '{{{ fixtext_directory_permissions(file="/usr/share/keyrings", mode="0755") }}}' + +template: + name: file_permissions + vars: + filepath: /usr/share/keyrings/ + filemode: '0755' 
diff --git a/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..63df18aa1d77 --- /dev/null +++ b/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Group Owner on Files in /etc/apt/auth.conf.d' + +description: '{{{ describe_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}' + +rationale: |- + Files in /etc/apt/auth.conf.d should be group-owned by root to prevent + unauthorized changes to APT authentication configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}' + +ocil: |- + {{{ ocil_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}} + +fixtext: '{{{ fixtext_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /etc/apt/auth.conf.d/ + file_regex: ^.*\.conf$ + gid_or_name: '0' diff --git a/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml new file mode 100644 index 000000000000..6cd97b38ef6b --- /dev/null +++ b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml 
@@ -0,0 +1,29 @@ +documentation_complete: true + +title: 'Verify Group Owner on APT GPG Key Files' + +description: '{{{ describe_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}}' + +rationale: |- + APT GPG key files should be group-owned by root to prevent unauthorized + modification of package trust anchors. + +severity: medium + +ocil_clause: 'APT GPG key files are not group-owned by root' + +ocil: |- + {{{ ocil_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}} + +fixtext: '{{{ fixtext_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: + - /usr/share/keyrings/ + - /etc/apt/trusted.gpg.d/ + file_regex: + - ^.*gpg$ + - ^.*gpg$ + gid_or_name: '0' diff --git a/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..8ec2d8392917 --- /dev/null +++ b/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Group Owner on Files in /etc/apt/sources.list.d' + +description: '{{{ describe_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}' + +rationale: |- + Files in /etc/apt/sources.list.d should be group-owned by root to prevent + unauthorized changes to APT repository configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}' + +ocil: |- + {{{ ocil_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}} + +fixtext: '{{{ fixtext_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}' + +template: + name: file_groupowner + vars: + filepath: /etc/apt/sources.list.d/ + file_regex: ^.*$ + gid_or_name: '0' 
diff --git a/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..53fd3185eb9c --- /dev/null +++ b/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Owner on Files in /etc/apt/auth.conf.d' + +description: '{{{ describe_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}' + +rationale: |- + Files in /etc/apt/auth.conf.d should be owned by root to prevent + unauthorized changes to APT authentication configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}' + +ocil: |- + {{{ ocil_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}} + +fixtext: '{{{ fixtext_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /etc/apt/auth.conf.d/ + file_regex: ^.*\.conf$ + uid_or_name: '0' diff --git a/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml new file mode 100644 index 000000000000..3555535c56d4 --- /dev/null +++ b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml 
@@ -0,0 +1,29 @@ +documentation_complete: true + +title: 'Verify Owner on APT GPG Key Files' + +description: '{{{ describe_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}}' + +rationale: |- + APT GPG key files should be owned by root to prevent unauthorized modification + of package trust anchors. + +severity: medium + +ocil_clause: 'APT GPG key files are not owned by root' + +ocil: |- + {{{ ocil_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}} + +fixtext: '{{{ fixtext_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: + - /usr/share/keyrings/ + - /etc/apt/trusted.gpg.d/ + file_regex: + - ^.*gpg$ + - ^.*gpg$ + uid_or_name: '0' diff --git a/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..78ec88ee8e20 --- /dev/null +++ b/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Owner on Files in /etc/apt/sources.list.d' + +description: '{{{ describe_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}' + +rationale: |- + Files in /etc/apt/sources.list.d should be owned by root to prevent + unauthorized changes to APT repository configuration. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}' + +ocil: |- + {{{ ocil_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}} + +fixtext: '{{{ fixtext_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}' + +template: + name: file_owner + vars: + filepath: /etc/apt/sources.list.d/ + file_regex: ^.*$ + uid_or_name: '0' 
diff --git a/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml new file mode 100644 index 000000000000..5f005632d909 --- /dev/null +++ b/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Permissions on Files in /etc/apt/auth.conf.d' + +description: '{{{ describe_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="0640") }}}' + +rationale: |- + Files in /etc/apt/auth.conf.d may contain credentials for private + repositories or proxies and should not be readable by unauthorized users. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="-rw-r-----") }}}' + +ocil: |- + {{{ ocil_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="-rw-r-----") }}} + +fixtext: '{{{ fixtext_file_permissions(file="/etc/apt/auth.conf.d/*.conf", mode="0640") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/auth.conf.d/ + file_regex: ^.*\.conf$ + filemode: '0640' diff --git a/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml new file mode 100644 index 000000000000..3f1b5b0268ab --- /dev/null +++ b/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml 
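Review bot: `file_regex: ^.*\.conf$` limits the 0640 check to the names APT actually loads, but the rationale is keeping credentials out of reach, and a `private.conf.bak` or `private.conf.dpkg-old` left behind by an editor or a package upgrade carries the same secrets and is exempt; the owner and group-owner rules for this directory use the same regex. Since the directory holds nothing but credential files, checking everything in it, as the sources.list.d rules already do, is the safer choice: `file_regex: ^.*$`. None of the 23 rules touches the legacy single file `/etc/apt/auth.conf`, which APT still reads and is where older deployments keep repository credentials; a sibling `file_permissions_apt_auth_conf` rule with the same 0640 target (and matching owner rules) would close that gap.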
@@ -0,0 +1,29 @@ +documentation_complete: true + +title: 'Verify Permissions on APT GPG Key Files' + +description: '{{{ describe_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", perms="0644") }}}' + +rationale: |- + APT GPG key files are used to verify package authenticity. Restricting their + permissions prevents unauthorized modification while keeping them readable by APT. + +severity: medium + +ocil_clause: 'APT GPG key files have permissions more permissive than 0644' + +ocil: |- + {{{ ocil_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", perms="-rw-r--r--") }}} + +fixtext: '{{{ fixtext_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", mode="0644") }}}' + +template: + name: file_permissions + vars: + filepath: + - /usr/share/keyrings/ + - /etc/apt/trusted.gpg.d/ + file_regex: + - ^.*gpg$ + - ^.*gpg$ + filemode: '0644' diff --git a/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml new file mode 100644 index 000000000000..be74a221f410 --- /dev/null +++ b/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml 
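Review bot: This permissions rule keeps `file_regex: ^.*gpg$`, which also matches names such as `notakeygpg`, while PATCH 2/2 tightens the identical regex in `file_owner_apt_gpg_keys` and `file_groupowner_apt_gpg_keys` to `^.*\.gpg$` and leaves this rule behind, so the three GPG key rules no longer agree on which files they cover. Apply the same change here for both entries: `- ^.*\.gpg$`. Whatever suffix set the owner rules end up with should be mirrored in this file so a key that passes the ownership checks is also subject to the mode check.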
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Permissions on Files in /etc/apt/sources.list.d' + +description: '{{{ describe_file_permissions(file="/etc/apt/sources.list.d/*", perms="0644") }}}' + +rationale: |- + Files in /etc/apt/sources.list.d contain APT repository configuration. They + should not be writable by non-root users. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/apt/sources.list.d/*", perms="-rw-r--r--") }}}' + +ocil: |- + {{{ ocil_file_permissions(file="/etc/apt/sources.list.d/*", perms="-rw-r--r--") }}} + +fixtext: '{{{ fixtext_file_permissions(file="/etc/apt/sources.list.d/*", mode="0644") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/sources.list.d/ + file_regex: ^.*$ + filemode: '0644' From 21b4df88622c5ae7c54ae62294a2157504b60b82 Mon Sep 17 00:00:00 2001 
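Review bot: The sources rules cover only `/etc/apt/sources.list.d/`; the classic `/etc/apt/sources.list`, still present on most Debian installs and read by APT alongside the directory, gets no ownership or permission check, so a world-writable sources.list passes this benchmark while a world-writable drop-in fails. The hunk's `file_regex: ^.*$` is fine (stricter than the `.list`/`.sources` names APT loads, and a stray writable file there is still a foothold), but a companion `file_permissions_apt_sources_list` rule for the single file, with the same 0644 target and root:root owner rules, would make coverage match the rationale. The existing `apt_sources_list_official` rule in the component appears to check repository content rather than file metadata, so it does not close this gap.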
From: Israel Villar Boillos Date: Mon, 8 Jun 2026 19:41:32 +0100 Subject: [PATCH 2/2] Address review comments on APT repository security rules - Fix file_regex in file_owner_apt_gpg_keys and file_groupowner_apt_gpg_keys: change ^.*gpg$ to ^.*\.gpg$ so only files with a literal .gpg extension match, preventing false positives like 'notakeygpg' - Add test scenarios for apt_disable_weak_dependencies: both_disabled.pass, recommends_enabled.fail, suggests_enabled.fail, missing_config.fail Co-Authored-By: Claude Sonnet 4.6 --- .../tests/both_disabled.pass.sh | 9 +++++++++ .../tests/missing_config.fail.sh | 5 +++++ .../tests/recommends_enabled.fail.sh | 10 ++++++++++ .../tests/suggests_enabled.fail.sh | 10 ++++++++++ .../services/apt/file_groupowner_apt_gpg_keys/rule.yml | 4 ++-- .../services/apt/file_owner_apt_gpg_keys/rule.yml | 4 ++-- 6 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/both_disabled.pass.sh create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/missing_config.fail.sh create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/recommends_enabled.fail.sh create mode 100644 linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/suggests_enabled.fail.sh diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/both_disabled.pass.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/both_disabled.pass.sh new file mode 100644 index 000000000000..28e5623e8773 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/both_disabled.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_debian + +find /etc/apt/apt.conf.d/ -type f -exec sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' {} \; + +cat > /etc/apt/apt.conf.d/60-no-weak-dependencies << 'EOF' +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; +EOF 
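Review bot: `both_disabled.pass.sh` only scrubs `/etc/apt/apt.conf.d/`, yet the OVAL filepath pattern in PATCH 1/2 also matches `/etc/apt/apt.conf`, so a test image that carries `APT::Install-Recommends "1";` in that file makes the pass scenario fail for reasons unrelated to the rule. Scrub it too before writing the drop-in: `[ -f /etc/apt/apt.conf ] && sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' /etc/apt/apt.conf`. The same line belongs in the three fail scenarios so all four start from one baseline, and the `I` address flag is GNU sed only, which is fine for the Debian platform tag but worth a one-line comment.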
diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/missing_config.fail.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/missing_config.fail.sh new file mode 100644 index 000000000000..ced1574ae24d --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/missing_config.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = multi_platform_debian +# remediation = none + +find /etc/apt/apt.conf.d/ -type f -exec sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' {} \; diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/recommends_enabled.fail.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/recommends_enabled.fail.sh new file mode 100644 index 000000000000..8ee4bdb37433 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/recommends_enabled.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_debian +# remediation = none + +find /etc/apt/apt.conf.d/ -type f -exec sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' {} \; + +cat > /etc/apt/apt.conf.d/60-no-weak-dependencies << 'EOF' +APT::Install-Recommends "1"; +APT::Install-Suggests "0"; +EOF diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/suggests_enabled.fail.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/suggests_enabled.fail.sh new file mode 100644 index 000000000000..d70310df8155 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/tests/suggests_enabled.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_debian +# remediation = none + +find /etc/apt/apt.conf.d/ -type f -exec sed -i '/APT::Install-Recommends/Id;/APT::Install-Suggests/Id' {} \; + +cat > /etc/apt/apt.conf.d/60-no-weak-dependencies << 'EOF' +APT::Install-Recommends "0"; +APT::Install-Suggests "1"; +EOF 
diff --git a/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml index 6cd97b38ef6b..737a6205738c 100644 --- a/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml +++ b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml @@ -24,6 +24,6 @@ template: - /usr/share/keyrings/ - /etc/apt/trusted.gpg.d/ file_regex: - - ^.*gpg$ - - ^.*gpg$ + - ^.*\.gpg$ + - ^.*\.gpg$ gid_or_name: '0' diff --git a/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml index 3555535c56d4..0e5f2cbbd6f6 100644 --- a/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml +++ b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml @@ -24,6 +24,6 @@ template: - /usr/share/keyrings/ - /etc/apt/trusted.gpg.d/ file_regex: - - ^.*gpg$ - - ^.*gpg$ + - ^.*\.gpg$ + - ^.*\.gpg$ uid_or_name: '0'
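Review bot: The tightened `^.*\.gpg$` still skips ASCII-armored keys, which APT accepts in `/etc/apt/trusted.gpg.d/` with a `.asc` suffix and which third-party vendors commonly ship (e.g. `docker.asc`), so those trust anchors escape the owner and group-owner checks; `^.*\.(gpg|asc)$` for both entries covers them. Two other key locations sit outside every rule in this series: `/etc/apt/keyrings/`, the documented home for `Signed-By` keyrings on current Debian and Ubuntu, and the legacy `/etc/apt/trusted.gpg` file that apt-key wrote; adding `/etc/apt/keyrings/` as a third `filepath` entry (with a matching regex entry) and a dedicated rule for the legacy file would make the chain-of-trust coverage complete. Whichever set is chosen, apply it to `file_permissions_apt_gpg_keys` as well, which this patch does not touch.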