Choose style:

Author Topic: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS  (Read 3230 times)

0 Members and 1 Guest are viewing this topic.

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Securing Ubuntu Linux to meet the twelve EUD principles: https://goo.gl/PNJRFG

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25103
  • Karma: 2779
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
That's handy .. not that I fully agree with it all, but it does contain some useful stuff :)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
I agree with it more than the copy n' paste tripe that I read on US sites ...  ::)

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25103
  • Karma: 2779
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
I'm not saying they're "wrong", more that I don't think it's all "necessary" or is phrased in a way that may make certain things **seem** weaker that they are .. but I guess if you're looking at it from an "as secure as possible" standpoint it's got some useful stuff in there.

The little things I'm not overly convinced about are things like AppArmor profiles .. unless you make them yourself.

And though it's title suggests it's about 18.04, it mentions gksudo and gksu .. these are not available in 18.04, I had to add them back into our repos for Peppermint 9
(18.04 is now fully pkexec .. I added gksu back because not having it would exclude some older software people may want to run)

It's just little things, I'm not saying it's not a useful article.

[EDIT]

And in overlooking 18.04 not having gksu they've overlooked pkexec/PolicyKit policies.

[EDIT2]

They also suggest "Several third-party anti-malware products exist which attempt to detect malicious code for this platform" .. I don't see these as necessary or beneficial, and they may be an attack vector in their own right.

And then there's "Enable secure boot" .....
« Last Edit: August 01, 2018, 07:20:14 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline murraymint

  • Trusted User
  • Veteran
  • *****
  • Posts: 1922
  • Karma: 335
  • soft boiled with a yolk of gold
    • View Profile
  • Peppermint version(s): 7, 8, 9
Would you be happy entrusting your cyber security to GCHQ anyway?

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3813
  • Karma: 299
  • Soy un huevo, nada más.
    • View Profile
  • Peppermint version(s): Peppermint 10
Securing Ubuntu Linux to meet the twelve EUD principles: https://goo.gl/PNJRFG

Overall Ubuntu and Pepprmint look to me like tight ships.  The existence of the Apport feature in Ubuntu catches my eye, though I've never seen any equivalent feature to Ubuntu's Apport in Peppermint.  Practically speaking however, to the average end user of Ubuntu,  I doubt Apport would pose much of a risk either.  Still this is still good info to be aware of.  Thank you, VinDSL. :)   
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
And then there's "Enable secure boot" .....

Just when I was getting a real burn going against Linux 4.15.0-29.31

Look what I found - a signed kernel image  ...  8)

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.15.0-29-generic x86_64 bits: 64 Desktop: N/A
           Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A28 date: 02/22/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Now that I have UEFI/Secure Boot working, and I'm thinking about security ...

I enabled the 'Uncomplicared Firewall' (disabled by default):

Code: [Select]
sudo ufw enable
Sanity Test #1
vindsl@Boogaloo-6 ~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
vindsl@Boogaloo-6 ~ $
[close]

And, I (re)set the root password (locked by default) :

Code: [Select]
sudo passwd
Sanity Test #2
vindsl@Boogaloo-6 ~ $ su -
Password:
root@Boogaloo-6 ~ #
[close]

Been working fine for hours. That's good enough for now, I suppose.

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Still this is still good info to be aware of.  Thank you, VinDSL. :)   

You're welcome, perk  ;)

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25103
  • Karma: 2779
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
I'm not convinced activating a root password is a good idea .. personally I think the hashed one even you don't know (but elevate privileges via a time limited sudo) is safer ;)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
I've set the 'UNIX password', off n' on, over the years. Sometimes, I actually need root auth for something I'm doing, but it's rare. I don't do it out of rote. I guess it wouldn't make any difference, from a security standpoint, unless someone had physical access to a machine, like a laptop for instance, and booted with root auth via the recovery mode. What are the chances of that? Most thieves are winders users.

Dittos for the firewall. My LAN is behind a NAT router (which mimics a firewall). Good luck finding a machine behind a NAT. So, really, what difference does it make?

I'm still in a 'testing mode', I guess, seeing what works and what doesn't. That said, I always use Secure Boot, when given the opportunity, so I'm tickled pink having it working in 4.15, even if it is a haxor.

Speaking of which, I stripped that signed image out of a meta package, and installed it manually. Synaptic bulks at it - wants to downgrade to the unsigned image that it replaced. So, I don't recommend anyone trying this, just yet.

I was thinking about this signed/unsigned situation, while I was sleeping last night, and the Canonical Kernel Team has been designating signed kernel in the file name, in the past. Now, it *seems* that they've swung the opposite direction, and started designating unsigned kernels in the name.

I *wonder* (and wander) if they are going to make all future kernels signed, e.g. the new norm.

Hrm   :-\

Anyway, I ran across that signed kernel image purely by chance.  I didn't realize it was signed until Synaptic went nutz.

I configured/enabled Secure Boot in BIOS, and it's all good. Even Belarc Advisor is happy - no more warnings  ;D

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25103
  • Karma: 2779
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
I think that's the plan as a signed kernel will still work on a non UEFI system .. otherwise you'd need 2 kernels on a LiveUSB (which they used to have, now they only have one, it's not designated "signed" but it is).
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
As fate would have it, Linux 4.15.-31.33 (including signed) just hit the Canonical Kernel Team PPA  ;D

We'll see how it goes ...

Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Interesting. Never seen these dialogs before ... 8)







Offline VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 5130
  • Karma: 936
  • Peppermint Mod
    • View Profile
  • Peppermint version(s): Developmental Builds
Well, how cool is that?!? I just generated/installed my own custom Secure Boot key @ first boot.

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.15.0-31-generic x86_64 bits: 64 Desktop: N/A Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A UEFI: Dell v: A28 date: 02/22/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled
Looks like the devs are getting keen on securing Ubuntu Peppermint  ;D