Author Topic: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS  (Read 1570 times)

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3463
  • Karma: 271
  • Soy un huevo que adora Peppermint.
    • View Profile
  • Peppermint version(s): Peppermint 9 (64-bit)
Well, how cool is that?!? I just generated/installed my own custom Secure Boot key @ first boot.

Very cool.

Looks like the devs are getting keen on securing Ubuntu Peppermint  ;D

That's right! ;)
We're all Peppermint users and that's what matters  ;). -- AndyInMokum

Online VinDSL

  • Global Moderator
  • Hero
  • *****
  • Posts: 4299
  • Karma: 801
  • Peppermint Mod
    • View Profile
Hey, look. I got to use my new root auth toy already ...  :)

Code:
vindsl@Boogaloo-6 ~ $ sudo update-initramfs -u
[sudo] password for vindsl:
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic
I: The initramfs will attempt to resume from /dev/sda7
I: (UUID=289c5499-19c1-4d2c-9288-cc866746bceb)
I: Set the RESUME variable to override this.
Code:
vindsl@Boogaloo-6 ~ $ su -
Password:
root@Boogaloo-6 ~ # blkid
/dev/sda5: LABEL="Root" UUID="04907484-8ecf-478b-a6ce-69c00cf4093e" TYPE="ext4" PARTLABEL="Peppermint Nine" PARTUUID="91137193-0a3d-440c-bbcb-2a44ac591074"
/dev/sda7: LABEL="Swap" UUID="289c5499-19c1-4d2c-9288-cc866746bceb" TYPE="swap" PARTLABEL="Peppermint Nine" PARTUUID="66c40df8-fad8-4dd9-8d4d-f823ec089e52"
/dev/sda1: LABEL="Recovery" UUID="AAD267C4D26792FD" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="cbe46bf2-3009-4432-a48b-a5cf25111797"
/dev/sda2: LABEL="UEFI" UUID="8468-5554" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="a583f9fb-db9b-43b2-8e10-51a772a04e86"
/dev/sda3: PARTLABEL="Microsoft reserved partition" PARTUUID="730453ba-1c4d-4272-8d97-ff6ec74bd3c2"
/dev/sda4: UUID="A00A9C140A9BE616" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="ab8f11b2-5790-4c6d-bd4a-cc3afa8fba42"
/dev/sda6: LABEL="Home" UUID="88061e59-af3a-4c7c-959b-627424ac1298" TYPE="ext4" PARTLABEL="Peppermint Nine" PARTUUID="8a5ba702-ada5-4748-b42a-c8907a57f98d"
/dev/sdb: UUID="58328914-6c59-4abf-99cb-9feb196df4e3" TYPE="ext4"
Code:
root@Boogaloo-6 ~ # cat /etc/initramfs-tools/conf.d/resume
cat: /etc/initramfs-tools/conf.d/resume: No such file or directory
Code:
root@Boogaloo-6 ~ # xed /etc/initramfs-tools/conf.d/resume
Code:
root@Boogaloo-6 ~ # cat /etc/initramfs-tools/conf.d/resume
RESUME=UUID=289c5499-19c1-4d2c-9288-cc866746bceb
Code:
root@Boogaloo-6 ~ # update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic
Code:
root@Boogaloo-6 ~ # exit
logout
Code:
vindsl@Boogaloo-6 ~ $ sudo update-initramfs -u
[sudo] password for vindsl:
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic

vindsl@Boogaloo-6 ~ $
« Last Edit: August 06, 2018, 07:35:31 pm by VinDSL, Reason: Clarification »
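
The check this session performs by eye, matching the UUID written to /etc/initramfs-tools/conf.d/resume against the swap partition in the blkid output, as an added example that is not part of VinDSL's post. The helper name check_resume and its return codes are hypothetical; the sample blkid lines are copied from the post.

```shell
#!/bin/sh
# Added example: verify that a RESUME= setting names a swap partition.
# check_resume is a hypothetical helper; both inputs are passed as text,
# so the check runs offline against captured output.

# Sample input: two lines of the blkid output shown in the post above.
SAMPLE_BLKID='/dev/sda5: LABEL="Root" UUID="04907484-8ecf-478b-a6ce-69c00cf4093e" TYPE="ext4" PARTLABEL="Peppermint Nine" PARTUUID="91137193-0a3d-440c-bbcb-2a44ac591074"
/dev/sda7: LABEL="Swap" UUID="289c5499-19c1-4d2c-9288-cc866746bceb" TYPE="swap" PARTLABEL="Peppermint Nine" PARTUUID="66c40df8-fad8-4dd9-8d4d-f823ec089e52"'

# Sample input: the resume file content shown in the post above.
SAMPLE_CONF='RESUME=UUID=289c5499-19c1-4d2c-9288-cc866746bceb'

# check_resume RESUME_FILE_TEXT BLKID_TEXT
# Prints the matching device and returns 0 when the UUID belongs to a swap
# partition. Returns 1 if no RESUME=UUID=... line is present, 2 if the UUID
# is not in the blkid output, 3 if it names a non-swap filesystem.
check_resume() {
    conf=$1
    blkid_out=$2
    uuid=$(printf '%s\n' "$conf" |
        sed -n 's/^RESUME=UUID=\([0-9A-Fa-f-]*\)$/\1/p' | head -n 1)
    [ -n "$uuid" ] || return 1
    # The leading space matches the UUID field only, never PARTUUID.
    line=$(printf '%s\n' "$blkid_out" | grep -F " UUID=\"$uuid\"" | head -n 1)
    [ -n "$line" ] || return 2
    case $line in
        *' TYPE="swap"'*)
            printf '%s\n' "${line%%:*}"   # device name before the first colon
            return 0 ;;
        *)
            return 3 ;;
    esac
}

# Run the check on the sample data from the post.
check_resume "$SAMPLE_CONF" "$SAMPLE_BLKID"
```

On a live system the two arguments would be the contents of the resume file and the output of blkid run as root.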

Online PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 22492
  • Karma: 2510
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R and 9
IMHO SecureBoot is (and always was) a joke...

https://www.ghacks.net/2016/08/10/secure-boot-bypass-revealed/
and
http://securityaffairs.co/wordpress/50182/hacking/backdoor-keys-uefi-secure-boot.html

Ya gotta love this...

Quote from: Therac
The very term secure in relation to x86 architecture is always relative .. [snip] .. The efforts to secure x86 are akin to plugging every hole on a sieve to make it seaworthy - with the proviso that every plug must open automatically when some legacy feature depends on the sieve's original function of letting water through.
source:
https://security.stackexchange.com/questions/180907/is-secure-boot-really-secure
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Online VinDSL

But, wait. It's got SECURE in the name. Come on!

Bwahahahahahahaha  :D

Online PCNetSpec

Oh yeah you're right .. my mistake :-[

[EDIT]

Then again it also has "Boot" in the name, and it has nothing to do with "booting" :-\
(except in as far as it can stop it)
« Last Edit: August 06, 2018, 08:12:04 pm by PCNetSpec »

Offline esjay

  • Jr. Member
  • **
  • Posts: 29
  • Karma: 1
  • New Forum User
    • View Profile
  • Peppermint version(s): 9
Considering secure boot I am still waiting for enlightenment, the WOW-effect that it makes my life better. I can imagine a situation that this might happen but right now - nothing around here.

I think the NCSC has given good advice and I am looking to follow up. By the way, at the moment I am a big fan of firejail and snaps (Chromium beta).   

Online VinDSL

Quote from: esjay
Considering secure boot I am still waiting for enlightenment, the WOW-effect that it makes my life better.

Truth-be-told, the only reason I run Secure Boot on Linux machines is because most ppl *think* it's impossible to implement and/or limiting in some way.

I have a contrarian disposition, by nature, and it gives me some sort of satisfaction proving skeptics wrong. I suppose that's the reason I run Linux et al.

Anyway, I judge it doesn't hurt anything, so why not? Plus, it makes the winders (dual-boot) warnings go away.  ;)




Offline esjay

That is true. To sum up, Peppermint with its LTS base is a fine system. AppArmor, Snaps, firejail, ufw and more - quite a lot to feel good at all.

Online PCNetSpec

It's already worthless, and you watch, given a year or two it'll become an attack vector / vulnerability in its own right (if it isn't already).

On most of my Dells it slows down network connections just enough so one of my NFS mounts isn't active by the time I get to the desktop .. sure I could probably tweak the mount stanza, but as SecureBoot's useless it's easier to just disable it.

I'm a big fan of UEFI, but SecureBoot is pointless, and already broken.
(Peppermint will continue to support it, but that doesn't mean I have to use it where it causes issues for no benefit)
« Last Edit: August 14, 2018, 11:12:18 am by PCNetSpec »

Offline esjay

I have disabled Secure Boot on all my laptops as well.

To whom it may concern: We are talking about security. This was my shocker yesterday; what do you think about this:

https://github.com/GNOME/epiphany/commit/8f26b7ff3b7d4cec5c752bc00cae7c8e8c8b0ce4

Online PCNetSpec

So what's the problem here? .. an issue with epiphany, or a problem with flatpak's as a whole?

Which "runtime" are they talking about?

Offline esjay


"So what's the problem here? .. an issue with epiphany, or a problem with flatpak's as a whole?

Which "runtime" are they talking about? "

I have no idea what this means. But the sentence "Flathub downloads are currently not recommended due to major security problems discovered in the application runtime" (sic!) indicates that this is something fundamental, because all flatpak apps are connected with a so-called runtime environment which is specific for all flatpaks to make them work in every Linux distribution, no matter which one. If I am right, this is good and bad news. Bad, because flatpaks (and snaps) were introduced as state of the art for security fans and now we have to realize once again that security is wishful thinking. Good, because there is always someone who does a good job...
« Last Edit: August 15, 2018, 01:18:32 pm by esjay »

Offline pin

  • Trusted User
  • Veteran
  • *****
  • Posts: 1356
  • Karma: 174
  • Peppermint - Void - NetBSD
    • View Profile
  • Peppermint version(s): Peppermint 7 Respin (64bit)
Quote
flatpaks (and snaps) were introduced as state of the art for security fans
:D  :D
That was good one  :D

Online PCNetSpec

Nowhere in that patch does it mention the issue is with the "flatpak runtime", it could equally be saying there's a problem with the "epiphany runtime" (as contained in the flatpak version).

Unless you have confirmation from elsewhere that it's the "flatpak runtime" that's opening the rest of the system to a security issue?

Or is this that they think the flatpak version of epiphany isn't secured properly .. which may not be a flatpak issue at all, and more about epiphany itself?

My point is, there's too little info here to draw any meaningful conclusions.

Don't take this as me defending flatpak/snap, I hate the things for plenty of other reasons (including from a security standpoint when compared to repos with oversight), but if I'm gonna go off shouting about security issues a little information would be nice.

Online VinDSL

In other news, Intel has discovered even more security flaws in their processors.

Here's the latest list of the CPUs affected (14-AUG-2018): https://goo.gl/ENGwu6