Secure Ubuntu?

James Wilkinson ubuntu at westexe.demon.co.uk
Thu Apr 21 23:08:44 UTC 2005


David Teague wrote:
> 
> An article I just read talks about hardening Linux. Here is a link
> http://www-128.ibm.com/developerworks/linux/library/l-seclnx3/?ca=dgr-lnxw63SecLinP3
> 
> In this article they state that "these steps are generally referred to as
> hardening Linux:
<snip>
> Is any of this already done in Ubuntu?
> How much of this is necessary?
> Is all (or any) of this desirable on a single person's desk top?

Well, the issues were
>   a.. Securing the boot process
Realistically, this should be "physically secure the computer". If the
computer isn't secure, anyone physically local can edit stuff on the PC.

You can prevent this the same way as you prevent people stealing the
computer and hard drive.

>   b.. Securing services and daemons
The article seems to be talking about those daemons that listen to the 
network. Ubuntu has all those turned off.

Still, it would be a Good Idea anyway to take a look at what your system
is running, and work out whether you need it or not. You may not make
any changes, but you'll have a better idea of the way Ubuntu works.

>   c.. Securing local filesystems
The article is suggesting mounting appropriate filesystems "nosuid,
nodev". [1] This does have security benefits, but they're pretty
theoretical unless you have untrusted local users. They *might* slow
down an attacker who already has some local privileges.

Of course, to make this work, you actually have to have separate local
filesystems: if you put everything on /, that filesystem does need SUID
binaries and device nodes.

>   d.. Enforcing quotas and limits
The article actually admits that these only prevent certain denial of
service attacks (filling up your filesystems, for example with e-mails
or system logs). As wanton Internet vandalism goes, these attacks are a
lot of work for very little reward. I shouldn't bother on a single user
computer.

>   e.. Enabling Mandatory Access Control
SELinux. To the best of my knowledge, the main distributions with
SELinux included and enabled are FC3 and RHEL4. There SELinux has been
enabled to limit a number of Internet daemons (e.g. httpd, ntpd,
portmap, etc). Even so, it's taken a good year to get this functionality
settled down, with the help of a number of NSA staff. [2]

The main problem has been writing a suitably restrictive policy that
actually allows people to use the system effectively.

It's a *lot* of work, and only gives you any benefits once the system
has already been compromised.

>   f.. Updating and adding security patches

This, of course, is the big one. apt-get upgrade or use Synaptic to
upgrade whenever you see the update alert next to the clock. Or just run
one or the other occasionally on general principles.

> I was concerned about not seeing firewalls here. I see this under
> securing services and daemons.

http://www.ubuntulinux.org/support/documentation/faq/firewall

I'm not that impressed with the article. I'm not sure what I'd recommend
instead, though...

James.

[1] It doesn't actually mention "nodev" in the article. I'm not sure why
not...

[2] I *know* the NSA have been reading some of the e-mail I've been
sending: they've replied to it. That feels spooky...

-- 
E-mail address: james | "Now I've got the bead on you with MY disintegrating
@westexe.demon.co.uk  | gun.  And when it disintegrates, it disintegrates.
                      | (pulls trigger)  Well, what you do know,
                      | it disintegrated."  -- Daffy Duck
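
Added example, not part of the original message: a small audit of the "nosuid, nodev" advice from item c, reporting which separately mounted filesystems in fstab-format input still allow SUID binaries or device nodes. The function names, the skip list (/ and /usr are assumed to hold the system's SUID binaries) and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: read fstab(5)-format lines on stdin and print each
# mount point that does not end up with nosuid and/or nodev in effect.

audit_mount_opts() {
    awk '
        # Skip blank lines, short lines and comments.
        NF < 4 || $1 ~ /^#/ { next }
        # Assumption: / and /usr carry SUID binaries and device nodes,
        # and swap/proc/sysfs entries are not relevant to this check.
        $2 == "/" || $2 == "/usr" { next }
        $3 == "swap" || $3 == "proc" || $3 == "sysfs" { next }
        {
            suid = 1; dev = 1            # mount(8) defaults: suid and dev allowed
            n = split($4, opt, ",")
            # Options apply left to right, so a later one overrides an earlier one.
            for (i = 1; i <= n; i++) {
                o = opt[i]
                if (o == "defaults") { suid = 1; dev = 1 }
                # user/users/owner/group imply nosuid,nodev unless overridden later.
                else if (o == "user" || o == "users" || o == "owner" || o == "group") { suid = 0; dev = 0 }
                else if (o == "nosuid") suid = 0
                else if (o == "suid")   suid = 1
                else if (o == "nodev")  dev = 0
                else if (o == "dev")    dev = 1
            }
            if (suid || dev) {
                msg = $2 " missing:"
                if (suid) msg = msg " nosuid"
                if (dev)  msg = msg " nodev"
                print msg
            }
        }
    '
}

# Constructed sample fstab, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
/dev/hda1  /              ext3     defaults,errors=remount-ro  0 1
/dev/hda2  /home          ext3     defaults                    0 2
/dev/hda3  /tmp           ext3     defaults,nosuid,nodev       0 2
/dev/hda5  /var           ext3     nosuid                      0 2
/dev/hdc   /media/cdrom0  iso9660  ro,user,noauto              0 0
/dev/sda1  /media/usb     vfat     user,suid,noauto            0 0
proc       /proc          proc     defaults                    0 0
/dev/hda6  none           swap     sw                          0 0
EOF
}

sample_fstab | audit_mount_opts
```

On a real system, feed it /etc/fstab (`audit_mount_opts < /etc/fstab`). A machine with everything on / produces no output, which is the case described above where the options cannot be applied at all.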



