Unauthenticated repositories should not be used for updates.
Repositories host all packages that will be installed on the system during an update. If a repository is not authenticated, its packages cannot be trusted and should not be installed locally.
APT should be configured to avoid installing packages listed only as Recommends or Suggests dependencies.
Unless a system specifically requires the additional capabilities provided by weak dependencies, those packages should not be installed in order to reduce the potential attack surface.
Check that official Debian repositories, including security repository, are configured in apt.
The Debian distribution delivers DSAs (Debian Security Advisories) through the official Debian security repository to correct vulnerabilities affecting Debian packages. Using the official repositories is the best way to ensure that Debian security updates are applied promptly.
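The three checks above (no unauthenticated repositories, weak dependencies disabled, official security repository present) can be audited from the APT configuration files alone. The script below is an added example, not part of the original rules or of APT itself; it assumes the standard APT option names (APT::Install-Recommends, APT::Install-Suggests, APT::Get::AllowUnauthenticated, Acquire::AllowInsecureRepositories and the [trusted=yes] source option), GNU grep, and a root argument so it can be run against a constructed tree instead of the live /etc/apt. The sample configuration in the demo function is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit APT configuration under ROOT for the three rules above.
# apt_config_findings ROOT
#   Prints one FINDING line per problem; returns the number of findings
#   (0 = compliant). Use "/" as ROOT on a live system (read access suffices).
apt_config_findings() {
    root=${1%/}
    conf="$root/etc/apt/apt.conf $root/etc/apt/apt.conf.d"
    src="$root/etc/apt/sources.list $root/etc/apt/sources.list.d"
    count=0

    # 1. Weak dependencies: APT installs Recommends by default, so both
    #    options must be explicitly set to false somewhere in the config.
    for opt in APT::Install-Recommends APT::Install-Suggests; do
        if ! grep -rqsEi "^[[:space:]]*${opt}[[:space:]]+\"?(false|0|no)\"?[[:space:]]*;" $conf; then
            echo "FINDING: $opt is not set to false"; count=$((count+1))
        fi
    done

    # 2. Signature verification must not be switched off globally.
    for opt in APT::Get::AllowUnauthenticated Acquire::AllowInsecureRepositories; do
        if grep -rqsEi "^[[:space:]]*${opt}[[:space:]]+\"?(true|1|yes)\"?" $conf; then
            echo "FINDING: $opt is enabled"; count=$((count+1))
        fi
    done

    # 3. No individual source may opt out of verification
    #    (one-line format: [trusted=yes]; deb822 format: "Trusted: yes").
    if grep -rqsEi '(^[[:space:]]*deb.*\[[^]]*trusted=yes|^Trusted:[[:space:]]*yes)' $src; then
        echo "FINDING: a source is marked trusted=yes (unauthenticated)"; count=$((count+1))
    fi

    # 4. The official Debian security repository must be configured
    #    (and not commented out) in either sources format.
    if ! grep -rqsEi '^[[:space:]]*(deb|URIs:).*security\.debian\.org' $src; then
        echo "FINDING: security.debian.org is not configured"; count=$((count+1))
    fi
    return $count
}

# apt_config_demo
#   Builds a constructed configuration tree in a temporary directory and
#   returns the number of findings. The sample has Recommends disabled but
#   Suggests forgotten, and one third-party source marked trusted=yes, so
#   the expected result is 2. A compliant 99-weak-deps snippet would read:
#     APT::Install-Recommends "false";
#     APT::Install-Suggests "false";
apt_config_demo() {
    tmp=$(mktemp -d) || return 255
    mkdir -p "$tmp/etc/apt/apt.conf.d" "$tmp/etc/apt/sources.list.d"
    printf 'APT::Install-Recommends "false";\n' > "$tmp/etc/apt/apt.conf.d/99-weak-deps"
    printf 'deb http://deb.debian.org/debian bookworm main\n' > "$tmp/etc/apt/sources.list"
    printf 'deb http://security.debian.org/debian-security bookworm-security main\n' >> "$tmp/etc/apt/sources.list"
    # constructed third-party source with verification disabled (the defect)
    printf 'deb [trusted=yes] http://mirror.example.invalid/repo stable main\n' > "$tmp/etc/apt/sources.list.d/thirdparty.list"
    if apt_config_findings "$tmp"; then n=0; else n=$?; fi
    rm -rf "$tmp"
    return $n
}

apt_config_demo || echo "findings: $?"
```

On a live host, `apt_config_findings /` reads the same files APT reads; `apt-config dump` shows the merged option values if a finding needs to be confirmed against what APT actually sees.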
To properly set the group owner of /etc/apt/auth.conf.d, run the command:
$ sudo chgrp root /etc/apt/auth.conf.d
The /etc/apt/auth.conf.d directory should be group-owned by root to prevent unauthorized changes to APT authentication configuration.
To properly set the group owner of /etc/apt/sources.list.d, run the command:
$ sudo chgrp root /etc/apt/sources.list.d
The /etc/apt/sources.list.d directory should be group-owned by root to prevent unauthorized changes to APT repository configuration.
To properly set the group owner of /etc/apt/trusted.gpg.d, run the command:
$ sudo chgrp root /etc/apt/trusted.gpg.d
The /etc/apt/trusted.gpg.d directory should be group-owned by root to prevent unauthorized changes to APT trusted keys.
To properly set the owner of /etc/apt/auth.conf.d, run the command:
$ sudo chown root /etc/apt/auth.conf.d
The /etc/apt/auth.conf.d directory should be owned by root to prevent unauthorized changes to APT authentication configuration.
To properly set the owner of /etc/apt/sources.list.d, run the command:
$ sudo chown root /etc/apt/sources.list.d
The /etc/apt/sources.list.d directory should be owned by root to prevent unauthorized changes to APT repository configuration.
To properly set the owner of /etc/apt/trusted.gpg.d, run the command:
$ sudo chown root /etc/apt/trusted.gpg.d
The /etc/apt/trusted.gpg.d directory should be owned by root to prevent unauthorized changes to APT trusted keys.
To properly set the permissions of /etc/apt/auth.conf.d, run the command:
$ sudo chmod 0755 /etc/apt/auth.conf.d
The /etc/apt/auth.conf.d directory contains configuration that may include repository credentials. Its permissions should prevent unauthorized changes.
To properly set the permissions of /etc/apt/sources.list.d, run the command:
$ sudo chmod 0755 /etc/apt/sources.list.d
A non-root user should not be able to add or remove APT repository configuration from /etc/apt/sources.list.d.
To properly set the permissions of /etc/apt/trusted.gpg.d, run the command:
$ sudo chmod 0755 /etc/apt/trusted.gpg.d
A non-privileged user with write access to /etc/apt/trusted.gpg.d can compromise the APT chain of trust by adding trusted keys.
To properly set the group owner of /etc/apt/auth.conf.d/*.conf, run the command:
$ sudo chgrp root /etc/apt/auth.conf.d/*.conf
Files in /etc/apt/auth.conf.d should be group-owned by root to prevent unauthorized changes to APT authentication configuration.
To properly set the group owner of /usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg, run the command:
$ sudo chgrp root /usr/share/keyrings/*.gpg /etc/apt/trusted.gpg.d/*.gpg
APT GPG key files should be group-owned by root to prevent unauthorized modification of package trust anchors.
To properly set the group owner of /etc/apt/sources.list.d/*, run the command:
$ sudo chgrp root /etc/apt/sources.list.d/*
Files in /etc/apt/sources.list.d should be group-owned by root to prevent unauthorized changes to APT repository configuration.
To properly set the owner of /etc/apt/auth.conf.d/*.conf, run the command:
$ sudo chown root /etc/apt/auth.conf.d/*.conf
Files in /etc/apt/auth.conf.d should be owned by root to prevent unauthorized changes to APT authentication configuration.
To properly set the owner of /usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg, run the command:
$ sudo chown root /usr/share/keyrings/*.gpg /etc/apt/trusted.gpg.d/*.gpg
APT GPG key files should be owned by root to prevent unauthorized modification of package trust anchors.
To properly set the owner of /etc/apt/sources.list.d/*, run the command:
$ sudo chown root /etc/apt/sources.list.d/*
Files in /etc/apt/sources.list.d should be owned by root to prevent unauthorized changes to APT repository configuration.
To properly set the permissions of /etc/apt/auth.conf.d/*.conf, run the command:
$ sudo chmod 0640 /etc/apt/auth.conf.d/*.conf
Files in /etc/apt/auth.conf.d may contain credentials for private repositories or proxies and should not be readable by unauthorized users.
To properly set the permissions of /usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg, run the command:
$ sudo chmod 0644 /usr/share/keyrings/*.gpg /etc/apt/trusted.gpg.d/*.gpg
APT GPG key files are used to verify package authenticity. Restricting their permissions prevents unauthorized modification while keeping them readable by APT.
To properly set the permissions of /etc/apt/sources.list.d/*, run the command:
$ sudo chmod 0644 /etc/apt/sources.list.d/*
Files in /etc/apt/sources.list.d contain APT repository configuration. They should not be writable by non-root users.
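The ownership and permission rules above form one table: three directories at root:root 0755, credential files at 0640, keyrings and source lists at 0644. The script below is an added example, not part of the original rules, that checks every path in that table under a given root and reports each deviation. It assumes GNU stat (the `-c` format flag) and takes the expected owner and group as arguments so the demo can run on a constructed tree owned by the current user; on a live system call `apt_audit_tree / root root`.

```shell
#!/bin/sh
# Added example: audit owner, group and mode of the APT paths in the rules above.

# apt_audit_path PATH OWNER GROUP MODE
#   Returns 0 when PATH matches all three expectations, 1 otherwise, printing
#   one line per mismatch. MODE may be given as 755 or 0755.
apt_audit_path() {
    path=$1; want_owner=$2; want_group=$3; want_mode=${4#0}
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    actual=$(stat -c '%U %G %a' "$path") || return 1
    set -- $actual
    rc=0
    [ "$1" = "$want_owner" ] || { echo "OWNER $path: $1 (want $want_owner)"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "GROUP $path: $2 (want $want_group)"; rc=1; }
    [ "$3" = "$want_mode" ]  || { echo "MODE  $path: $3 (want $want_mode)"; rc=1; }
    return $rc
}

# apt_audit_tree ROOT OWNER GROUP
#   Walks the rule table relative to ROOT; returns the number of paths that
#   deviate (0 = compliant). Missing files are skipped, missing directories
#   are reported.
apt_audit_tree() {
    root=${1%/}; owner=$2; group=$3; bad=0
    # Directories: root:root 0755
    for d in /etc/apt/auth.conf.d /etc/apt/sources.list.d /etc/apt/trusted.gpg.d; do
        apt_audit_path "$root$d" "$owner" "$group" 0755 || bad=$((bad+1))
    done
    # Credential files: root:root 0640 (may hold repository or proxy passwords)
    for f in "$root"/etc/apt/auth.conf.d/*.conf; do
        if [ -e "$f" ]; then
            apt_audit_path "$f" "$owner" "$group" 0640 || bad=$((bad+1))
        fi
    done
    # Trust anchors and source lists: root:root 0644 (readable, not writable)
    for f in "$root"/usr/share/keyrings/*.gpg "$root"/etc/apt/trusted.gpg.d/*.gpg \
             "$root"/etc/apt/sources.list.d/*; do
        if [ -e "$f" ]; then
            apt_audit_path "$f" "$owner" "$group" 0644 || bad=$((bad+1))
        fi
    done
    return $bad
}

# apt_audit_demo
#   Builds a constructed tree in a temporary directory with one deliberate
#   deviation (a world-readable credential file) and returns the number of
#   findings; expected result is 1. Files belong to the current user, so the
#   current user and group are passed as the expected owner.
apt_audit_demo() {
    tmp=$(mktemp -d) || return 255
    me=$(id -un); mg=$(id -gn)
    mkdir -p "$tmp/etc/apt/auth.conf.d" "$tmp/etc/apt/sources.list.d" \
             "$tmp/etc/apt/trusted.gpg.d" "$tmp/usr/share/keyrings"
    chmod 755 "$tmp/etc/apt/auth.conf.d" "$tmp/etc/apt/sources.list.d" "$tmp/etc/apt/trusted.gpg.d"
    # constructed sample files; contents are placeholders, not real keys or credentials
    printf 'machine repo.example.invalid login user password placeholder\n' > "$tmp/etc/apt/auth.conf.d/private.conf"
    printf 'deb http://deb.debian.org/debian bookworm main\n' > "$tmp/etc/apt/sources.list.d/debian.list"
    : > "$tmp/etc/apt/trusted.gpg.d/example.gpg"
    : > "$tmp/usr/share/keyrings/example.gpg"
    chmod 644 "$tmp/etc/apt/sources.list.d/debian.list" "$tmp/etc/apt/trusted.gpg.d/example.gpg" \
              "$tmp/usr/share/keyrings/example.gpg"
    chmod 644 "$tmp/etc/apt/auth.conf.d/private.conf"   # deviation: rule requires 0640
    if apt_audit_tree "$tmp" "$me" "$mg"; then n=0; else n=$?; fi
    rm -rf "$tmp"
    return $n
}

apt_audit_demo || echo "findings: $?"
```

The check reads the same attributes the chown, chgrp and chmod remediations above set, so a zero result means every listed path already matches the rules; a non-zero count identifies exactly which remediation still needs to be applied.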