@test "Verify APT AllowRedirect" {
  run bash -c "grep '^Acquire::http::AllowRedirect \"false\";$' /etc/apt/apt.conf.d/*"
  [ "$status" -eq 0 ]
}
Ensure APT does not allow AllowRedirect
Description
Acquire::http::AllowRedirect controls whether APT will follow redirects, which is enabled by default.
Rationale
Acquire::http::AllowRedirect has been exploited to allow a network man-in-the-middle, and should be disabled if not needed.
Audit
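The grep test on this page passes as soon as any file contains the "false" line, but APT reads the apt.conf.d fragments in lexical order and a later file can set the value back. The audit below is an added example, not part of the original project; the function names are hypothetical and it assumes the flat one-line form of the option (nested `Acquire { http { ... } }` blocks are not parsed).

```shell
#!/bin/sh
# Added example: report the effective Acquire::http::AllowRedirect value
# for a directory of APT configuration fragments.

# Print the value that wins after all fragments in DIR are read in order.
apt_redirect_effective() (
  # Byte-wise glob ordering, so fragments are visited in lexical order.
  LC_ALL=C
  export LC_ALL
  dir="$1"
  value="true"   # the page states that following redirects is the default
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # Last uncommented assignment in this file, if any.
    v=$(sed -n 's/^[[:space:]]*Acquire::http::AllowRedirect[[:space:]]*"\([^"]*\)"[[:space:]]*;.*$/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then
      value="$v"   # a later fragment overrides an earlier one
    fi
  done
  printf '%s\n' "$value"
)

# Succeed only when the effective value is "false".
apt_redirect_audit() {
  [ "$(apt_redirect_effective "$1")" = "false" ]
}
```

Run it as `apt_redirect_audit /etc/apt/apt.conf.d`; on a live system, `apt-config dump` shows the value APT itself resolved.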
Remediation
shell
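# Append the setting if no file defines it; otherwise rewrite every existing definition.
if ! grep -q '^Acquire::http::AllowRedirect' /etc/apt/apt.conf.d/* ; then
  echo 'Acquire::http::AllowRedirect "false";' >> /etc/apt/apt.conf.d/01-vendor-ubuntu
else
  # Match through end of line so the old value is replaced, not left trailing.
  grep -l 'Acquire::http::AllowRedirect' /etc/apt/apt.conf.d/* |
    xargs sed -i 's/.*Acquire::http::AllowRedirect.*/Acquire::http::AllowRedirect "false";/'
fi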
Ansible
---
- name: configure apt
  become: 'yes'
  become_method: sudo
  lineinfile:
    dest: /etc/apt/apt.conf.d/98apt-conf
    mode: '0644'
    state: present
    create: 'yes'
    line: "{{ item }}"
  with_items:
    - 'Acquire::http::AllowRedirect "false";'
  when: ansible_os_family == "Debian"
  tags:
    - apt
    - security
...