Peppermint OS Community Forum

General => GNU/Linux Discussion => Topic started by: VinDSL on August 01, 2018, 06:57:23 am

Title: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 01, 2018, 06:57:23 am
Securing Ubuntu Linux to meet the twelve EUD principles: https://goo.gl/PNJRFG
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 01, 2018, 07:25:21 am
That's handy .. not that I fully agree with it all, but it does contain some useful stuff :)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 01, 2018, 06:39:45 pm
I agree with it more than the copy n' paste tripe that I read on US sites ...  ::)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 01, 2018, 06:58:19 pm
I'm not saying they're "wrong", more that I don't think it's all "necessary" or is phrased in a way that may make certain things **seem** weaker that they are .. but I guess if you're looking at it from an "as secure as possible" standpoint it's got some useful stuff in there.

The little things I'm not overly convinced about are things like AppArmor profiles .. unless you make them yourself.

And though it's title suggests it's about 18.04, it mentions gksudo and gksu .. these are not available in 18.04, I had to add them back into our repos for Peppermint 9
(18.04 is now fully pkexec .. I added gksu back because not having it would exclude some older software people may want to run)

It's just little things, I'm not saying it's not a useful article.

[EDIT]

And in overlooking 18.04 not having gksu they've overlooked pkexec/PolicyKit policies.

[EDIT2]

They also suggest "Several third-party anti-malware products exist which attempt to detect malicious code for this platform" .. I don't see these as necessary or beneficial, and they may be an attack vector in their own right.

And then there's "Enable secure boot" .....
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: murraymint on August 01, 2018, 08:06:26 pm
Would you be happy entrusting your cyber security to GCHQ anyway?
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: perknh on August 02, 2018, 12:46:20 pm
Securing Ubuntu Linux to meet the twelve EUD principles: https://goo.gl/PNJRFG

Overall Ubuntu and Pepprmint look to me like tight ships.  The existence of the Apport (https://wiki.ubuntu.com/Apport) feature in Ubuntu catches my eye, though I've never seen any equivalent feature to Ubuntu's Apport in Peppermint.  Practically speaking however, to the average end user of Ubuntu,  I doubt Apport would pose much of a risk either.  Still this is still good info to be aware of.  Thank you, VinDSL. :)   
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 05, 2018, 08:35:36 pm
And then there's "Enable secure boot" .....

Just when I was getting a real burn going against Linux 4.15.0-29.31

Look what I found - a signed kernel image  ...  8)

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.15.0-29-generic x86_64 bits: 64 Desktop: N/A
           Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A28 date: 02/22/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 03:32:02 am
Now that I have UEFI/Secure Boot working, and I'm thinking about security ...

I enabled the 'Uncomplicared Firewall' (disabled by default):

Code: [Select]
sudo ufw enable
Sanity Test #1
vindsl@Boogaloo-6 ~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
vindsl@Boogaloo-6 ~ $
[close]

And, I (re)set the root password (locked by default) :

Code: [Select]
sudo passwd
Sanity Test #2
vindsl@Boogaloo-6 ~ $ su -
Password:
root@Boogaloo-6 ~ #
[close]

Been working fine for hours. That's good enough for now, I suppose.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 03:35:07 am
Still this is still good info to be aware of.  Thank you, VinDSL. :)   

You're welcome, perk  ;)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 06, 2018, 07:16:45 am
I'm not convinced activating a root password is a good idea .. personally I think the hashed one even you don't know (but elevate privileges via a time limited sudo) is safer ;)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 12:47:54 pm
I've set the 'UNIX password', off n' on, over the years. Sometimes, I actually need root auth for something I'm doing, but it's rare. I don't do it out of rote. I guess it wouldn't make any difference, from a security standpoint, unless someone had physical access to a machine, like a laptop for instance, and booted with root auth via the recovery mode. What are the chances of that? Most thieves are winders users.

Dittos for the firewall. My LAN is behind a NAT router (which mimics a firewall). Good luck finding a machine behind a NAT. So, really, what difference does it make?

I'm still in a 'testing mode', I guess, seeing what works and what doesn't. That said, I always use Secure Boot, when given the opportunity, so I'm tickled pink having it working in 4.15, even if it is a haxor.

Speaking of which, I stripped that signed image out of a meta package, and installed it manually. Synaptic bulks at it - wants to downgrade to the unsigned image that it replaced. So, I don't recommend anyone trying this, just yet.

I was thinking about this signed/unsigned situation, while I was sleeping last night, and the Canonical Kernel Team has been designating signed kernel in the file name, in the past. Now, it *seems* that they've swung the opposite direction, and started designating unsigned kernels in the name.

I *wonder* (and wander) if they are going to make all future kernels signed, e.g. the new norm.

Hrm   :-\

Anyway, I ran across that signed kernel image purely by chance.  I didn't realize it was signed until Synaptic went nutz.

I configured/enabled Secure Boot in BIOS, and it's all good. Even Belarc Advisor is happy - no more warnings  ;D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 06, 2018, 02:21:19 pm
I think that's the plan as a signed kernel will still work on a non UEFI system .. otherwise you'd need 2 kernels on a LiveUSB (which they used to have, now they only have one, it's not designated "signed" but it is).
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 05:27:25 pm
As fate would have it, Linux 4.15.-31.33 (including signed) just hit the Canonical Kernel Team PPA  ;D

We'll see how it goes ...
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 05:40:49 pm
Interesting. Never seen these dialogs before ... 8)


(http://vindsl.com/images/VinDSL-Windowshot_2018-08-06_14:31:08.png)


(http://vindsl.com/images/VinDSL-Windowshot_2018-08-06_14:31:50.png)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 05:55:58 pm
Well, how cool is that?!? I just generated/installed my own custom Secure Boot key @ first boot.

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.15.0-31-generic x86_64 bits: 64 Desktop: N/A Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A UEFI: Dell v: A28 date: 02/22/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled
Looks like the devs are getting keen on securing Ubuntu Peppermint  ;D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: perknh on August 06, 2018, 06:08:35 pm
Well, how cool is that?!? I just generated/installed my own custom Secure Boot key @ first boot.

Very cool.

Looks like the devs are getting keen on securing Ubuntu Peppermint  ;D

That's right! ;)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 07:32:50 pm
Hey, look. I got to use my new root auth toy already ...  :)

Code: [Select]
vindsl@Boogaloo-6 ~ $ sudo update-initramfs -u
[sudo] password for vindsl:
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic
I: The initramfs will attempt to resume from /dev/sda7
I: (UUID=289c5499-19c1-4d2c-9288-cc866746bceb)
I: Set the RESUME variable to override this.
Code: [Select]
vindsl@Boogaloo-6 ~ $ su -
Password:
root@Boogaloo-6 ~ # blkid
/dev/sda5: LABEL="Root" UUID="04907484-8ecf-478b-a6ce-69c00cf4093e" TYPE="ext4" PARTLABEL="Peppermint Nine" PARTUUID="91137193-0a3d-440c-bbcb-2a44ac591074"
/dev/sda7: LABEL="Swap" UUID="289c5499-19c1-4d2c-9288-cc866746bceb" TYPE="swap" PARTLABEL="Peppermint Nine" PARTUUID="66c40df8-fad8-4dd9-8d4d-f823ec089e52"
/dev/sda1: LABEL="Recovery" UUID="AAD267C4D26792FD" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="cbe46bf2-3009-4432-a48b-a5cf25111797"
/dev/sda2: LABEL="UEFI" UUID="8468-5554" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="a583f9fb-db9b-43b2-8e10-51a772a04e86"
/dev/sda3: PARTLABEL="Microsoft reserved partition" PARTUUID="730453ba-1c4d-4272-8d97-ff6ec74bd3c2"
/dev/sda4: UUID="A00A9C140A9BE616" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="ab8f11b2-5790-4c6d-bd4a-cc3afa8fba42"
/dev/sda6: LABEL="Home" UUID="88061e59-af3a-4c7c-959b-627424ac1298" TYPE="ext4" PARTLABEL="Peppermint Nine" PARTUUID="8a5ba702-ada5-4748-b42a-c8907a57f98d"
/dev/sdb: UUID="58328914-6c59-4abf-99cb-9feb196df4e3" TYPE="ext4"
Code: [Select]
root@Boogaloo-6 ~ # cat /etc/initramfs-tools/conf.d/resume
cat: /etc/initramfs-tools/conf.d/resume: No such file or directory
Code: [Select]
root@Boogaloo-6 ~ # xed /etc/initramfs-tools/conf.d/resume
Code: [Select]
root@Boogaloo-6 ~ # cat /etc/initramfs-tools/conf.d/resume
RESUME=UUID=289c5499-19c1-4d2c-9288-cc866746bceb
Code: [Select]
root@Boogaloo-6 ~ # update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic
Code: [Select]
root@Boogaloo-6 ~ # exit
logout
Code: [Select]
vindsl@Boogaloo-6 ~ $ sudo update-initramfs -u
[sudo] password for vindsl:
update-initramfs: Generating /boot/initrd.img-4.15.0-31-generic

vindsl@Boogaloo-6 ~ $
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 06, 2018, 07:57:45 pm
IMHO SecureBoot is (and always was) a joke...

https://www.ghacks.net/2016/08/10/secure-boot-bypass-revealed/
and
http://securityaffairs.co/wordpress/50182/hacking/backdoor-keys-uefi-secure-boot.html

Ya gotta love this...

Quote from: Therac
The very term secure in relation to x86 architecture is always relative .. [snip] .. The efforts to secure x86 are akin to plugging every hole on a sieve to make it seaworthy - with the proviso that every plug must open automatically when some legacy feature depends on the sieve's original function of letting water through.
source:
https://security.stackexchange.com/questions/180907/is-secure-boot-really-secure
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 06, 2018, 08:04:32 pm
But, wait. It's got SECURE in the name. Come on!

Bwahahahahahahaha  :D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 06, 2018, 08:07:51 pm
Oh yeah you're right .. my mistake :-[

[EDIT]

Then again it also has "Boot" in the name, and it has nothing to do with "booting" :-\
(except in as far as it can stop it)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: esjay on August 13, 2018, 10:32:28 am
Considering secure boot I am still waiting for enlightenment, the WOW-effect that it makes my life better. I can imagine a situation that this might happen but right now - nothing around here.

I think the NCSC has given good advice and I am looking to follow up. By the way, at the moment I am a big fan of firejail and snaps (Chromium beta).   
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 13, 2018, 11:32:20 am
Considering secure boot I am still waiting for enlightenment, the WOW-effect that it makes my life better.

Truth-be-told, the only reason I run Secure Boot on Linux machines is because most ppl *think* it's impossible to implement and/or limiting in some way.

I have a contrarian disposition, by nature, and it gives me some sort of satisfaction proving skeptics wrong. I suppose that's the reason I run Linux et. al.

Anyway, I judge it doesn't hurt anything, so why not? Plus, it  makes the winders (dual-boot) warnings go away.  ;)



Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: esjay on August 14, 2018, 02:25:11 am
That is true. To sum up, Peppermint with its LTS base is a fine system. Apparmor, Snaps, firejail, ufw and more - quite a lot to feel good at all.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 14, 2018, 11:04:40 am
It's already worthless and you watch given a year or two it'll become an attack vector / vulnerability in its own right (if it isn't already).

On most my Dells it slows down network connections just enough so one of my NFS mounts isn't active by the time I get to the desktop .. sure I could probably tweak the mount stanza, but as SecureBoot's useless it's easier to just disable it.

I'm a big fan of UEFI, but SecureBoot is pointless, and already broken.
(Peppermint will continue to support it, but that doesn't mean I have to use it where it causes issues for no benefit)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: esjay on August 15, 2018, 08:28:15 am
I have disabled Secure Boot on all my laptops as well.

To whom it may concern: We are talking about security. This was my yesterday shocker, what do you think about this:

https://github.com/GNOME/epiphany/commit/8f26b7ff3b7d4cec5c752bc00cae7c8e8c8b0ce4
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 15, 2018, 10:06:57 am
So what's the problem here? .. an issue with epiphany, or a problem with flatpak's as a whole?

Which "runtime" are they talking about?
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: esjay on August 15, 2018, 01:16:45 pm

"So what's the problem here? .. an issue with epiphany, or a problem with flatpak's as a whole?

Which "runtime" are they talking about? "

I have no idea what this means. But the sentence "Flathub downloads are currently not recommended due to major
security problems discovered in the application runtime" (sic!) indicates that this is something fundamental, because all flatpak apps are connected with a so called runtime environment which is specific for all flatpaks to make them work in every linux distribution, no matter which one. If I am right, this is a good and a bad news. Bad, because flatpaks (and snaps) were introduced as state of the art for security fans and now we have to realize once again that security is wishful thinking. Good, because there is always someone who makes a good job...
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on August 15, 2018, 02:17:03 pm
Quote
flatpaks (and snaps) were introduced as state of the art for security fans
:D  :D
That was good one  :D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 15, 2018, 04:31:45 pm
Nowhere in that patch does it mention the issue is with the "flatpak runtime", it could equally be saying there's a problem with the "epiphany runtime" (as contained in the flatpak version).

Unless you have confirmation from elsewhere that it's the "flatpak runtime" that's opening the rest of the system to a security issue ?

Or is this that they think the flatpak version of epiphany isn't secured properly .. which may not be a flatpak issue at all, and more about epiphany itself ?

My point is, there's too little info here to draw any meaningful conclusions.

Don't take this as me defending flatpak/snap, I hate the things for plenty of other reasons (including from a security standpoint when compared to repos with oversight), but if I'm gonna go off shouting about security issues a little information would be nice.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 15, 2018, 06:50:27 pm
In other news, Intel has discovered even more security flaws in their processors.

Here's the latest list of the CPUs affected (14-AUG-2018): https://goo.gl/ENGwu6
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on August 15, 2018, 09:06:11 pm
I've never really been bothered about any of these if they require local access .. I've never considered my data safe from local access anyway.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on August 25, 2018, 12:19:00 am
24-AUG-2018 UPDATE

Code: [Select]
vindsl@Boogaloo-6 ~ $ inxi -SM
System:    Host: Boogaloo-6 Kernel: 4.18.5-041805-generic x86_64 bits: 64
           Desktop: N/A Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A29 date: 06/28/2018
Code: [Select]
vindsl@Boogaloo-6 ~ $ [ -d /sys/firmware/efi ] && echo YES UEFI || echo NOPE BIOS
YES UEFI
Code: [Select]
vindsl@Boogaloo-6 ~ $ mokutil --sb-state
SecureBoot enabled
Come on in. The water's fine!  :D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: esjay on August 30, 2018, 10:55:00 am
Nowhere in that patch does it mention the issue is with the "flatpak runtime", it could equally be saying there's a problem with the "epiphany runtime" (as contained in the flatpak version).

Unless you have confirmation from elsewhere that it's the "flatpak runtime" that's opening the rest of the system to a security issue ?

Or is this that they think the flatpak version of epiphany isn't secured properly .. which may not be a flatpak issue at all, and more about epiphany itself ?

My point is, there's too little info here to draw any meaningful conclusions.

Don't take this as me defending flatpak/snap, I hate the things for plenty of other reasons (including from a security standpoint when compared to repos with oversight), but if I'm gonna go off shouting about security issues a little information would be nice.

A liitle bit too late, sorry for that, but busy times...

You are right and it is better to avoid conclusions without any good infos. That is why I have asked here if someone is knowing more than I do (and I still know nothing new). Sorry.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 07, 2018, 07:19:06 pm
The recent GRUB update bit me in the butt, last night.

NOTE TO SELF

Don't try to upgrade to a new signed kernel module, without purging the old one first. They'll lock horns, in a death match.


Haven't experienced a crash like that in a while. LoL  ::)


https://youtu.be/0ExOH1Yp4SE

Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on September 07, 2018, 07:51:36 pm
No problem here .. but I'm betting you're using a custom kernel ?
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 07, 2018, 08:23:09 pm
Maybe I'll try it again. Could have been a fluke, I suppose.

EDIT

Hey, I think it worked. No circle jerk this time   :)

Code: [Select]
Selecting previously unselected package linux-modules-4.18.0-7-generic.
(Reading database ... 304614 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-modules-4.18.0-7-generic (4.18.0-7.8) ...
Preparing to unpack .../1-linux-image-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-image-4.18.0-7-generic (4.18.0-7.8) ...
Selecting previously unselected package linux-modules-extra-4.18.0-7-generic.
Preparing to unpack .../2-linux-modules-extra-4.18.0-7-generic_4.18.0-7.8_amd64.deb ...
Unpacking linux-modules-extra-4.18.0-7-generic (4.18.0-7.8) ...
Selecting previously unselected package amd64-microcode.
Preparing to unpack .../3-amd64-microcode_3.20180524.1~ubuntu0.18.04.2_amd64.deb ...
Unpacking amd64-microcode (3.20180524.1~ubuntu0.18.04.2) ...
Selecting previously unselected package linux-image-generic.
Preparing to unpack .../4-linux-image-generic_4.18.0.7.8_amd64.deb ...
Unpacking linux-image-generic (4.18.0.7.8) ...
Selecting previously unselected package linux-signed-image-generic.
Preparing to unpack .../5-linux-signed-image-generic_4.18.0.7.8_amd64.deb ...
Unpacking linux-signed-image-generic (4.18.0.7.8) ...
Selecting previously unselected package thermald.
Preparing to unpack .../6-thermald_1.7.0-5ubuntu1_amd64.deb ...
Unpacking thermald (1.7.0-5ubuntu1) ...
Setting up thermald (1.7.0-5ubuntu1) ...
Created symlink /etc/systemd/system/dbus-org.freedesktop.thermald.service → /lib/systemd/system/thermald.service.
Created symlink /etc/systemd/system/multi-user.target.wants/thermald.service → /lib/systemd/system/thermald.service.
Setting up linux-modules-4.18.0-7-generic (4.18.0-7.8) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up linux-image-4.18.0-7-generic (4.18.0-7.8) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-4.18.0-7-generic
I: /initrd.img is now a symlink to boot/initrd.img-4.18.0-7-generic
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up linux-modules-extra-4.18.0-7-generic (4.18.0-7.8) ...
Setting up amd64-microcode (3.20180524.1~ubuntu0.18.04.2) ...
update-initramfs: deferring update (trigger activated)
amd64-microcode: microcode will be updated at next boot
Setting up linux-image-generic (4.18.0.7.8) ...
Setting up linux-signed-image-generic (4.18.0.7.8) ...
Processing triggers for linux-image-4.18.0-7-generic (4.18.0-7.8) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.18.0-7-generic
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found background image: grub-background.png
Found linux image: /boot/vmlinuz-4.18.0-7-generic
Found initrd image: /boot/initrd.img-4.18.0-7-generic
Found linux image: /boot/vmlinuz-4.15.0-34-generic
Found initrd image: /boot/initrd.img-4.15.0-34-generic
Found Windows Boot Manager on /dev/sda2@/EFI/Microsoft/Boot/bootmgfw.efi
Adding boot menu entry for EFI firmware configuration
done
Processing triggers for initramfs-tools (0.130ubuntu3.1) ...
update-initramfs: Generating /boot/initrd.img-4.18.0-7-generic

If it survives a reboot, I 'll strikethrough the note to self...
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 07, 2018, 08:50:23 pm
YES!  Must have been a hiccup  :)

Love this Cosmic kernel, BTW. Works great in Peppermint 9.

Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─$ inxi -SM               
System:    Host: Boogaloo-6 Kernel: 4.18.0-7-generic x86_64 bits: 64 Desktop: N/A
           Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: OptiPlex 7010 v: 01 serial: N/A
           Mobo: Dell model: 0GXM1W v: A02 serial: N/A
           UEFI: Dell v: A29 date: 06/28/2018

╭─vindsl@Boogaloo-6 ~ 
╰─$ apt-cache policy grub2-common   
grub2-common:
  Installed: 2.02-2ubuntu8.4
  Candidate: 2.02-2ubuntu8.4
  Version table:
 *** 2.02-2ubuntu8.4 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02-2ubuntu8 500
        500 http://mirrors.namecheap.com/ubuntu bionic/main amd64 Packages

╭─vindsl@Boogaloo-6 ~ 
╰─$ [ -d /sys/firmware/efi ] && echo YUP UEFI || echo NOPE BIOS
YUP UEFI

╭─vindsl@Boogaloo-6 ~ 
╰─$ mokutil --sb-state                                         
SecureBoot enabled

Onward & Upward...






Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on September 07, 2018, 09:11:12 pm
Yeah I've never had a problem with a signed kernel update.

You know what's gonna happen now I've said that right ?
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 07, 2018, 09:42:41 pm
Bwahahahahaha!

Die Tücke Der Dinge ;D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 07, 2018, 09:56:17 pm
Well, whatever happened; they're both playing nicely together now.

 
Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─$ dpkg -S /boot/vmlinuz-*
linux-image-4.15.0-34-generic: /boot/vmlinuz-4.15.0-34-generic
linux-image-4.18.0-7-generic: /boot/vmlinuz-4.18.0-7-generic

Go figure
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 08, 2018, 11:20:39 am
I'll tell ya what...

I love these 'Cosmic' 4.18 kernels. They work on every machine I've tried them on - 32bit & 64bit - regardless of vintage and age

Example: My formerly 'higher-end' 32bit Peppermint 7 DFI LANParty PRO875B (http://www.pcstats.com/articleview.cfm?articleID=1547) gamer machine, hailing from the turn of the century:

Code: [Select]
╭─vindsl@Boogaloo-6 ~  
╰─➤  sudo inxi -CDMSfm
System:    Host: Boogaloo-6 Kernel: 4.18.6-041806-generic i686 (32 bit)
           Desktop: N/A Distro: Peppermint Seven
Machine:   Mobo: N/A model: Canterwood
           Bios: Phoenix v: 6.00 PG date: 04/09/2004
CPU:       Single core Intel Pentium 4 (-HT-) cache: 2048 KB
           clock speeds: max: 3407 MHz 1: 3407 MHz 2: 3407 MHz
           CPU Flags: acpi apic bts cid clflush cmov cpuid cx8 de dts fpu fxsr
           ht mca mce mmx msr mtrr pae pat pbe pebs pge pse pse36 sep ss sse
           sse2 tm tsc vme xtpr
Memory:    Array-1 capacity: 4 GB devices: 4 EC: None
           Device-1: A0 size: 512 MB speed: N/A type: SDRAM
           Device-2: A1 size: 512 MB speed: N/A type: SDRAM
           Device-3: A2 size: 512 MB speed: N/A type: SDRAM
           Device-4: A3 size: 512 MB speed: N/A type: SDRAM
Drives:    HDD Total Size: 1000.2GB (13.7% used)
           ID-1: /dev/sda model: SAMSUNG_HD103SJ size: 1000.2GB

(http://vindsl.com/images/VinDSL-Screenshot_2018-09-08_07:58:30.png)

Can't wait to see what the devs do with Linux 4.19 ...  8)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on September 08, 2018, 12:09:06 pm
Never understood the need for the latest kernel myself unless you have new hardware that requires it .. or they've added some new must have feature (such as better power management, etc.).

In fact using a kernel other than the default can introduce problems, where the other software in the repos isn't compatible with it.

Fine if you know how to dig yourself out of a hole .. but not advisable for new users.
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 08, 2018, 12:18:11 pm
Just for fun and to see if anything breaks  ;)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 08, 2018, 12:32:03 pm
Just for fun and to see if anything breaks  ;)

Exactly!

I'm a bug chaser. Breakage is what it's all about, for me.

If you figure that one out, let me know  :)

Moving down the line, just upgraded this 'low-end' 32bit Peppermint 9 doorstop Dell machine.

Code: [Select]
╭─vindsl@Fenris-2 ~  
╰─$ sudo inxi -CDMSfm
System:    Host: Fenris-2 Kernel: 4.18.6-041806-generic i686 bits: 32
           Console: tty 0 Distro: Peppermint Nine
Machine:   Device: desktop System: Dell product: Dimension 3000 serial: CKYBY51
           Mobo: Dell model: 0N6381 serial: ..CN4811148L04H2.
           BIOS: Dell v: A03 date: 01/05/2006
CPU:       Single core Intel Pentium 4 (-MT-) cache: 1024 KB
           clock speeds: max: 2992 MHz 1: 2992 MHz 2: 2992 MHz
           CPU Flags: acpi apic bts cid clflush cmov constant_tsc cpuid cx8 de
           ds_cpl dtes64 dts fpu fxsr ht mca mce mmx monitor msr mtrr pae pat pbe
           pebs pge pni pse pse36 sep ss sse sse2 tm tsc vme xtpr
Memory:    Used/Total: 698.3/2010.1MB
           Array-1 capacity: 4 GB devices: 2 EC: None
           Device-1: DIMM_1 size: 1 GB speed: 400 MT/s type: SDRAM
           Device-2: DIMM_2 size: 1 GB speed: 400 MT/s type: SDRAM
Drives:    HDD Total Size: 60.0GB (10.2% used)
           ID-1: /dev/sda model: Patriot_Flare size: 60.0GB

Doorstop HP desktop machine next ...
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 08, 2018, 12:48:07 pm
Also, if no one would test it, how were we suppose to know it was stable across different hardware?
I don't mind testing stuff, actually I like to test new things  :)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on September 08, 2018, 01:05:06 pm
I'm not saying don't do it if you understand the implications and know how to dig yourself out of a hole, but this topic is on a public board and I wanted to remind newer users there's little point to this if everything is working, and stability is a goal.

In other words - For most users (unless there's a specific reason) Team Peppermint DO NOT advise switching from the default kernel.
(just because team members do it, doesn't mean it's the smart thing to do .. if it were, we'd make sure you got it via normal updates)

I don't want new users seeing Team Peppermint members doing this and wondering if it's something they should be doing.

Hey, it's my job to point these things out right ;)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 08, 2018, 01:11:40 pm
Ops  :(
Sorry...
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: PCNetSpec on September 08, 2018, 01:14:35 pm
No worries my mate, just making sure people understand :)
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 08, 2018, 01:21:04 pm
Got it, Chief.

This thread took a strange twist, but you can't unring the bell (https://en.wikipedia.org/wiki/Unring_the_bell), once it's been rung.

I guess they got a little 'inside baseball' here.  :)

Anyway, yes, please don't play around with stuff like this, unless you know how to dig yourself out of a hole.


https://youtu.be/7PppDtIBM2o
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 08, 2018, 01:28:58 pm
 :D
Do you have a video for everything??
 :D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 08, 2018, 02:30:05 pm
Worth 1000 words, you know? 

What better way to demonstrate that one can dig themselves out of a hole by digging more? It's counter-intuitive.

Anyway, to demonstrate what PCNoSleep was saying, the HP is turning out to be a little more problematic.

This is the sort of stuff one occasionally runs into. Wonder how a noob would handle it, eh what?   :)

Code: [Select]
vindsl@Nurgot ~ $ sudo dmesg | grep -i "error\|warn\|fail\|disable\|sign"
[    0.000000] NX (Execute Disable) protection: active
[    0.000000]   3 disabled
[    0.000000]   4 disabled
[    0.000000]   5 disabled
[    0.000000]   6 disabled
[    0.000000] ACPI: Early table checksum verification disabled
[    0.000000] ACPI BIOS Warning (bug): Optional FADT field Pm2ControlBlock has valid Address but zero Length: 0x0000000000000050/0x0 (20180531/tbfadt-624)
[    0.000000] ACPI BIOS Warning (bug): Invalid length for FADT/Pm2ControlBlock: 0, using default 8 (20180531/tbfadt-674)
[    0.044396] audit: initializing netlink subsys (disabled)
[    0.061519] ACPI BIOS Error (bug): \_SB.PCI0._OSC: Excess arguments - ASL declared 5, ACPI requires 4 (20180531/nsarguments-164)
[    0.061597] ACPI BIOS Error (bug): Failure creating [\_SB.PCI0._OSC.CAPD], AE_ALREADY_EXISTS (20180531/dsfield-179)
[    0.061638] ACPI Error: Method parse/execution failed \_SB.PCI0._OSC, AE_ALREADY_EXISTS (20180531/psparse-516)
[    0.061650] acpi PNP0A08:00: _OSC failed (AE_ALREADY_EXISTS); disabling ASPM
[    0.066886] ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 7 10 11 14 15) *0, disabled.
[    0.091654] pci 0000:00:1c.0: BAR 14: assigned [mem 0xf8000000-0xf81fffff]
[    0.091659] pci 0000:00:1c.0: BAR 15: assigned [mem 0xf8200000-0xf83fffff 64bit pref]
[    0.091660] pci 0000:00:1c.1: BAR 14: assigned [mem 0xf8400000-0xf85fffff]
[    0.091664] pci 0000:00:1c.1: BAR 15: assigned [mem 0xf8600000-0xf87fffff 64bit pref]
[    0.091666] pci 0000:00:1c.0: BAR 13: assigned [io  0x2000-0x2fff]
[    0.091668] pci 0000:00:1c.1: BAR 13: assigned [io  0x3000-0x3fff]
[    1.060762] tpm tpm0: A TPM error (7) occurred attempting to read a pcr value
[    1.061047] tpm tpm0: TPM is disabled/deactivated (0x7)
[    1.066239] tpm tpm0: A TPM error (7) occurred attempting get random
[    1.068715] ehci-pci 0000:00:1a.7: new USB bus registered, assigned bus number 1
[    1.088944] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 2
[    1.108984] uhci_hcd 0000:00:1a.0: new USB bus registered, assigned bus number 3
[    1.109393] uhci_hcd 0000:00:1a.1: new USB bus registered, assigned bus number 4
[    1.109803] uhci_hcd 0000:00:1a.2: new USB bus registered, assigned bus number 5
[    1.110212] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 6
[    1.110618] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 7
[    1.111026] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 8
[    1.118766] RAS: Correctable Errors collector initialized.
[    1.129593] tpm tpm0: A TPM error (7) occurred attempting to read a pcr value
[    1.315151] [drm] RC6 disabled, disabling runtime PM support
[    2.877133] EXT4-fs (sda5): re-mounted. Opts: errors=remount-ro
[    3.619958] kvm: disabled by bios
[    6.428027] random: 7 urandom warning(s) missed due to ratelimiting
vindsl@Nurgot ~ $

Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 08, 2018, 02:35:07 pm
Hmm!
BIOS uppdate??

EDIT: Hp's are a PITA to update outside Windows, but if I understood you right you're dual-booting everywhere.
I bricked a hp two months ago trying to update the BIOS using a FreeDOS bootable usb  :(
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 08, 2018, 04:12:28 pm
Correct on all counts...


(http://vindsl.com/images/VinDSL-Screenshot_2018-09-08_13:03:07.png)


We are in concurrence  ;D
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: pin on September 09, 2018, 05:17:10 am
...and, did it solved the problem?  :-\
Title: Re: UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS
Post by: VinDSL on September 09, 2018, 06:41:07 pm
Evidently, I must have updated the BIOS, at some point, and forgot about it.

I downloaded the most recent file (11-Nov-2015) and started to flash it, but I got a message saying it was the same version that was already installed, and asked if I was sure I wanted to continue, blah, blah, blah.

It's booting and running fine. If I hadn't queried the logs, I wouldn't even know there's a problem. So, I'm gonna let it ride.

All I use this machine for is word processing, scanning documents (hence, the portrait mode display)... and a battery charger for my cell phone. LoL

I figure the HP has a cleaner power supply than those $0.99 adapters that one plugs into wall sockets.