Choose style:

Author Topic: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS  (Read 2489 times)

0 Members and 1 Guest are viewing this topic.

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 23898
  • Karma: 2645
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
I've never really been bothered about any of these if they require local access .. I've never considered my data safe from local access anyway.
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
24-AUG-2018 UPDATE

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.18.5-041805-generic x86_64 bits: 64
           Desktop: N/A Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A29 date: 06/28/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo YES UEFI || echo NOPE BIOS
YES UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled
Come on in. The water's fine!  :D

Offline esjay

  • Jr. Member
  • **
  • Posts: 29
  • Karma: 1
  • New Forum User
    • View Profile
  • Peppermint version(s): 9
Nowhere in that patch does it mention the issue is with the "flatpak runtime", it could equally be saying there's a problem with the "epiphany runtime" (as contained in the flatpak version).

Unless you have confirmation from elsewhere that it's the "flatpak runtime" that's opening the rest of the system to a security issue ?

Or is this that they think the flatpak version of epiphany isn't secured properly .. which may not be a flatpak issue at all, and more about epiphany itself ?

My point is, there's too little info here to draw any meaningful conclusions.

Don't take this as me defending flatpak/snap, I hate the things for plenty of other reasons (including from a security standpoint when compared to repos with oversight), but if I'm gonna go off shouting about security issues a little information would be nice.

A liitle bit too late, sorry for that, but busy times...

You are right and it is better to avoid conclusions without any good infos. That is why I have asked here if someone is knowing more than I do (and I still know nothing new). Sorry.

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #33 on: September 07, 2018, 07:19:06 pm »
The recent GRUB update bit me in the butt, last night.

NOTE TO SELF

Don't try to upgrade to a new signed kernel module, without purging the old one first. They'll lock horns, in a death match.


Haven't experienced a crash like that in a while. LoL  ::)




« Last Edit: September 07, 2018, 08:52:21 pm by VinDSL, Reason: Redacted »

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 23898
  • Karma: 2645
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #34 on: September 07, 2018, 07:51:36 pm »
No problem here .. but I'm betting you're using a custom kernel ?
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #35 on: September 07, 2018, 08:23:09 pm »
Maybe I'll try it again. Could have been a fluke, I suppose.

EDIT

Hey, I think it worked. No circle jerk this time   :)

Code: [Select]
Selecting previously unselected package linux-modules-4.18.0-7-generic.
(Reading database ... 304614 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-modules-4.18.0-7-generic (4.18.0-7.8) ...
Preparing to unpack .../1-linux-image-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-image-4.18.0-7-generic (4.18.0-7.8) ...
Selecting previously unselected package linux-modules-extra-4.18.0-7-generic.
Preparing to unpack .../2-linux-modules-extra-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-modules-extra-4.18.0-7-generic (4.18.0-7.8) ...
Selecting previously unselected package amd64-microcode.
Preparing to unpack .../3-amd64-microcode_3.20180524.1~ubuntu0.18.04.2_amd64.deb ...
Unpacking amd64-microcode (3.20180524.1~ubuntu0.18.04.2) ...
Selecting previously unselected package linux-image-generic.
Preparing to unpack .../4-linux-image-generic_4.18.0.7.8_amd64.deb ...
Unpacking linux-image-generic (4.18.0.7.8) ...
Selecting previously unselected package linux-signed-image-generic.
Preparing to unpack .../5-linux-signed-image-generic_4.18.0.7.8_amd64.deb ...
Unpacking linux-signed-image-generic (4.18.0.7.8) ...
Selecting previously unselected package thermald.
Preparing to unpack .../6-thermald_1.7.0-5ubuntu1_amd64.deb ...
Unpacking thermald (1.7.0-5ubuntu1) ...
Setting up thermald (1.7.0-5ubuntu1) ...
Created symlink /etc/systemd/system/dbus-org.freedesktop.thermald.service → /lib/systemd/system/thermald.service.
Created symlink /etc/systemd/system/multi-user.target.wants/thermald.service → /lib/systemd/system/thermald.service.
Setting up linux-modules-4.18.0-7-generic (4.18.0-7.8) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up linux-image-4.18.0-7-generic (4.18.0-7.8) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-4.18.0-7-generic
I: /initrd.img is now a symlink to boot/initrd.img-4.18.0-7-generic
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up linux-modules-extra-4.18.0-7-generic (4.18.0-7.8) ...
Setting up amd64-microcode (3.20180524.1~ubuntu0.18.04.2) ...
update-initramfs: deferring update (trigger activated)
amd64-microcode: microcode will be updated at next boot
Setting up linux-image-generic (4.18.0.7.8) ...
Setting up linux-signed-image-generic (4.18.0.7.8) ...
Processing triggers for linux-image-4.18.0-7-generic (4.18.0-7.8) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.18.0-7-generic
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found background image: grub-background.png
Found linux image: /boot/vmlinuz-4.18.0-7-generic
Found initrd image: /boot/initrd.img-4.18.0-7-generic
Found linux image: /boot/vmlinuz-4.15.0-34-generic
Found initrd image: /boot/initrd.img-4.15.0-34-generic
Found Windows Boot Manager on /dev/sda2@/EFI/Microsoft/Boot/bootmgfw.efi
Adding boot menu entry for EFI firmware configuration
done
Processing triggers for initramfs-tools (0.130ubuntu3.1) ...
update-initramfs: Generating /boot/initrd.img-4.18.0-7-generic

If it survives a reboot, I 'll strikethrough the note to self...
« Last Edit: September 07, 2018, 08:34:49 pm by VinDSL, Reason: Addendum »

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #36 on: September 07, 2018, 08:50:23 pm »
YES!  Must have been a hiccup  :)

Love this Cosmic kernel, BTW. Works great in Peppermint 9.

Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─$ inxi -SM               
System:    Host: Boogaloo-6 Kernel: 4.18.0-7-generic x86_64 bits: 64 Desktop: N/A
           Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A29 date: 06/28/2018

╭─vindsl@Boogaloo-6 ~ 
╰─$ apt-cache policy grub2-common   
grub2-common:
  Installed: 2.02-2ubuntu8.4
  Candidate: 2.02-2ubuntu8.4
  Version table:
 *** 2.02-2ubuntu8.4 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02-2ubuntu8 500
        500 http://mirrors.namecheap.com/ubuntu bionic/main amd64 Packages

╭─vindsl@Boogaloo-6 ~ 
╰─$ [ -d /sys/firmware/efi ] && echo YUP UEFI || echo NOPE BIOS
YUP UEFI

╭─vindsl@Boogaloo-6 ~ 
╰─$ mokutil --sb-state                                         
SecureBoot enabled

Onward & Upward...







Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 23898
  • Karma: 2645
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #37 on: September 07, 2018, 09:11:12 pm »
Yeah I've never had a problem with a signed kernel update.

You know what's gonna happen now I've said that right ?
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #38 on: September 07, 2018, 09:42:41 pm »
Bwahahahahaha!

Die Tücke Der Dinge ;D

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #39 on: September 07, 2018, 09:56:17 pm »
Well, whatever happened; they're both playing nicely together now.

 
Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─$ dpkg -S /boot/vmlinuz-*
linux-image-4.15.0-34-generic: /boot/vmlinuz-4.15.0-34-generic
linux-image-4.18.0-7-generic: /boot/vmlinuz-4.18.0-7-generic

Go figure

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #40 on: September 08, 2018, 11:20:39 am »
I'll tell ya what...

I love these 'Cosmic' 4.18 kernels. They work on every machine I've tried them on - 32bit & 64bit - regardless of vintage and age

Example: My formerly 'higher-end' 32bit Peppermint 7 DFI LANParty PRO875B gamer machine, hailing from the turn of the century:

Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─➤  sudo inxi -CDMSfm
System:    Host: Boogaloo-6 Kernel: 4.18.6-041806-generic i686 (32 bit)
           Desktop: N/A Distro: Peppermint Seven
Machine:   Mobo: N/A model: Canterwood
           Bios: Phoenix v: 6.00 PG date: 04/09/2004
CPU:       Single core Intel Pentium 4 (-HT-) cache: 2048 KB
           clock speeds: max: 3407 MHz 1: 3407 MHz 2: 3407 MHz
           CPU Flags: acpi apic bts cid clflush cmov cpuid cx8 de dts fpu fxsr
           ht mca mce mmx msr mtrr pae pat pbe pebs pge pse pse36 sep ss sse
           sse2 tm tsc vme xtpr
Memory:    Array-1 capacity: 4 GB devices: 4 EC: None
           Device-1: A0 size: 512 MB speed: N/A type: SDRAM
           Device-2: A1 size: 512 MB speed: N/A type: SDRAM
           Device-3: A2 size: 512 MB speed: N/A type: SDRAM
           Device-4: A3 size: 512 MB speed: N/A type: SDRAM
Drives:    HDD Total Size: 1000.2GB (13.7% used)
           ID-1: /dev/sda model: SAMSUNG_HD103SJ size: 1000.2GB



Can't wait to see what the devs do with Linux 4.19 ...  8)

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 23898
  • Karma: 2645
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #41 on: September 08, 2018, 12:09:06 pm »
Never understood the need for the latest kernel myself unless you have new hardware that requires it .. or they've added some new must have feature (such as better power management, etc.).

In fact using a kernel other than the default can introduce problems, where the other software in the repos isn't compatible with it.

Fine if you know how to dig yourself out of a hole .. but not advisable for new users.
« Last Edit: September 08, 2018, 12:11:32 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline pin

  • Trusted User
  • Veteran
  • *****
  • Posts: 1636
  • Karma: 229
    • View Profile
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #42 on: September 08, 2018, 12:18:11 pm »
Just for fun and to see if anything breaks  ;)

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4801
  • Karma: 880
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #43 on: September 08, 2018, 12:32:03 pm »
Just for fun and to see if anything breaks  ;)

Exactly!

I'm a bug chaser. Breakage is what it's all about, for me.

If you figure that one out, let me know  :)

Moving down the line, just upgraded this 'low-end' 32bit Peppermint 9 doorstop Dell machine.

Code: [Select]
╭─vindsl@Fenris-2 ~  
╰─$ sudo inxi -CDMSfm
System:    Host: Fenris-2 Kernel: 4.18.6-041806-generic i686 bits: 32
           Console: tty 0 Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: Dimension 3000 serial: CKYBY51
           Mobo: Dell model: 0N6381 serial: ..CN4811148L04H2.
           BIOS: Dell v: A03 date: 01/05/2006
CPU:       Single core Intel Pentium 4 (-MT-) cache: 1024 KB
           clock speeds: max: 2992 MHz 1: 2992 MHz 2: 2992 MHz
           CPU Flags: acpi apic bts cid clflush cmov constant_tsc cpuid cx8 de
           ds_cpl dtes64 dts fpu fxsr ht mca mce mmx monitor msr mtrr pae pat pbe
           pebs pge pni pse pse36 sep ss sse sse2 tm tsc vme xtpr
Memory:    Used/Total: 698.3/2010.1MB
           Array-1 capacity: 4 GB devices: 2 EC: None
           Device-1: DIMM_1 size: 1 GB speed: 400 MT/s type: SDRAM
           Device-2: DIMM_2 size: 1 GB speed: 400 MT/s type: SDRAM
Drives:    HDD Total Size: 60.0GB (10.2% used)
           ID-1: /dev/sda model: Patriot_Flare size: 60.0GB

Doorstop HP desktop machine next ...

Offline pin

  • Trusted User
  • Veteran
  • *****
  • Posts: 1636
  • Karma: 229
    • View Profile
Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
« Reply #44 on: September 08, 2018, 12:48:07 pm »
Also, if no one would test it, how were we suppose to know it was stable across different hardware?
I don't mind testing stuff, actually I like to test new things  :)