STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 10 Mar 2021

The Ubuntu operating system's Advanced Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

DISA Rule

SV-238359r654319_rule

Vulnerability Number

V-238359

Group Title

SRG-OS-000366-GPOS-00153

Rule Version

UBTU-20-010438

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Update any APT configuration file that contains the variable "AllowUnauthenticated" so that it is set to "false", or remove "AllowUnauthenticated" entirely from each file. Below is an example of setting the "AllowUnauthenticated" variable to "false":

APT::Get::AllowUnauthenticated "false";

Check Contents

Verify that APT is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Check that the "AllowUnauthenticated" variable is not set at all or is set to "false" with the following command:

$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*
/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated "false";

If any of the files returned by the command set "AllowUnauthenticated" to "true", this is a finding.
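
The check above, scripted as an added example (not part of the STIG or of STIGQter): unlike the plain grep, it skips commented-out lines and matches the option name case-insensitively, so only lines that actually enable the setting are reported. The function name `audit_allow_unauthenticated`, the file `99-local`, and the list of "true" spellings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG). Scans APT configuration fragments and
# reports only lines that actually enable AllowUnauthenticated.
# audit_allow_unauthenticated is a hypothetical helper name.
audit_allow_unauthenticated() {
    au_dir=${1:-/etc/apt/apt.conf.d}
    au_rc=0
    for au_file in "$au_dir"/*; do
        [ -f "$au_file" ] || continue
        # APT option names are matched case-insensitively; the value list is
        # the set of "true" spellings assumed here (true/yes/on/enable/with/1).
        # The second grep drops lines that are entirely a // or # comment.
        au_hits=$(grep -n -i -E \
            'AllowUnauthenticated[[:space:]]+"?(true|yes|on|enable|with|1)"?[[:space:]]*;' \
            "$au_file" | grep -v -E '^[0-9]+:[[:space:]]*(//|#)' || true)
        [ -n "$au_hits" ] || continue
        printf '%s\n' "$au_hits" | while IFS= read -r au_line; do
            printf 'FINDING %s:%s\n' "$au_file" "$au_line"
        done
        au_rc=1
    done
    return "$au_rc"
}

# Constructed sample input: one compliant vendor file (as in the check output
# above) and one constructed local file with a commented-out line and a
# mixed-case line that enables the option.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'APT::Get::AllowUnauthenticated "false";' > "$demo_dir/01-vendor-Ubuntu"
printf '%s\n' '// APT::Get::AllowUnauthenticated "true";' \
    'apt::get::allowunauthenticated "True";' > "$demo_dir/99-local"

if audit_allow_unauthenticated "$demo_dir"; then
    echo "No finding"
else
    echo "Finding: AllowUnauthenticated is enabled"
fi
```

Called with no argument, the function scans /etc/apt/apt.conf.d and returns non-zero when a finding exists, so it can gate a compliance job.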

Documentable

False

Check Content Reference

M

Target Key

5318
