Once you've installed Ubuntu with security in mind and reduced the possibility of network attacks on your system, you can start thinking about security on an application level. In the event that a malicious file is opened on your system, will an attacker be able to access every file on the computer? The chances are much slimmer if you put the proper defenses in place.
In this third part to our mini-series on strengthening your primary Ubuntu installation, you'll learn how Ubuntu package repositories work, which repos you should avoid, and how to update. Also, you'll see how to import additional AppArmor profiles to limit resources that apps can use, as well as create sandboxes to completely isolate unsafe applications from the operating system.
If you missed the beginning of this article series, you should check out the first part to learn more about my motivations for starting this four-part guide.
Part of keeping your system secured is simply ensuring the latest package and application updates are installed.
If you're coming from Windows 10, you'll be used to downloading and installing new applications from random websites. This practice is inherently unsafe. Unsigned, unverified applications distributed by one source creates the potential for supply chain attacks.
Linux handles installing software differently. Ubuntu uses several repositories (servers) that contain packages (software and dependencies) audited by Canonical, Ubuntu developers, and the security team. Not all of the Ubuntu's repositories are audited by the Ubuntu team, however.
The Ubuntu repositories are set up in the following categories:
- Main: The main component contains applications that are free software, can be freely redistributed, and are fully supported by the Ubuntu team. This includes the most popular and most reliable open-source applications available, many of which are included by default when we install Ubuntu. Software in Main includes a hand-selected list of applications that the Ubuntu developers, community, and users feel are most important, and that the Ubuntu security team are willing to support. When we install software from the Main repository, we're assured that the software will come with security updates and that support is available from Canonical.
- Universe: The Universe repository is a collection of the free, open-source software. It houses almost every piece of open-source software, all built from a range of public sources. Canonical will provide regular security updates for software in the Universe repo when they are made available by the community. Popular or well-supported pieces of software will move from Universe into Main if they are backed by maintainers willing to meet the standards set by the Ubuntu team.
- Restricted: Ubuntu's commitment is to only promote free software, i.e., software available under a free license. However, they make exceptions for a small set of tools and drivers that make it possible to install Ubuntu and its free applications on everyday hardware. These proprietary drivers are kept in the Restricted repository. Please note that it may not be possible to provide complete support for this software because Ubuntu developers are not able to fix the software, they can only forward problem reports to the actual authors. Ubuntu developers will only use non-open-source software when there is no other way to install Ubuntu. The Ubuntu team works with vendors to accelerate the open-sourcing of their software to ensure that as much software as possible is available under a free license.
- Multiverse: The Multiverse repository contains software that is not free, which means the licensing requirements of this software do not meet the Ubuntu license policy. The responsibility is on you to verify your rights to use this software and comply with the licensing terms of the copyright holder. This software is not supported and usually cannot be fixed or updated. Use it at your own risk.
Before updating any packages, open the "Software & Updates" window and disable the "multiverse" and "restricted" repositories in the "Ubuntu Software" tab. These repositories distribute closed-source software, can't be audited, and sometimes require non-free (paid) user licenses.
Then, head over to the "Other Software" tab and uncheck the "Canonical Partners" options.
Backports offers a way to selectively provide newer versions of software for older Ubuntu releases. Most commonly, the Backports team will provide new versions of standalone applications which can be safely updated without impacting the rest of the system. However, the Ubuntu security team does not update packages in Backports. For that reason, disabling backports is recommended. In the "Update" tab, make sure "bionic-backports" is unchecked.
By default, Ubuntu should download and update security updates automatically on a daily basis.
To check for updates manually, use the sudo apt-get update && sudo apt-get dist-upgrade command.
sudo apt-get update && sudo apt-get dist-upgrade Hit:1 http://nz.archive.ubuntu.com/ubuntu bionic InRelease Hit:2 http://nz.archive.ubuntu.com/ubuntu bionic-updates InRelease Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease Reading package lists... Done Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
AppArmor is a kernel enhancement that confines applications and programs to a limited set of resources. For example, using AppArmor, it's possible to restrict a PDF viewer from accessing the internet and predefined directories on the OS. If a malicious PDF is opened, it won't be allowed to view certain directories or exfiltrate data the attacker's server. AppArmor is already installed and enabled in every Ubuntu installation. This can be verified using the below command.
Use the sudo apt-get install apparmor-profiles apparmor-utils command to add more AppArmor profiles.
sudo apt-get install apparmor-profiles apparmor-utils Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: python3-apparmor (2.12-4ubuntu5) python3-libapparmor (2.12-4ubuntu5) Suggested packages: vim-addon-manager (0.5.7) The following NEW packages will be installed: apparmor-profiles (2.12-4ubuntu5) apparmor-utils (2.12-4ubuntu5) python3-apparmor (2.12-4ubuntu5) python3-libapparmor (2.12-4ubuntu5) 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 189 kB of archives. After this operation, 1,329 kB of additional disk space will be used. Do you want to continue? [Y/n] y
Then, use the following aa-enforce command to enable all of the newly added profiles.
sudo aa-enforce /etc/apparmor.d/* Profile for /etc/apparmor.d/abstractions not found, skipping Profile for /etc/apparmor.d/apache2.d not found, skipping Setting /etc/apparmor.d/bin.ping to enforce mode. Profile for /etc/apparmor.d/cache not found, skipping Profile for /etc/apparmor.d/disable not found, skipping Profile for /etc/apparmor.d/force-complain not found, skipping Profile for /etc/apparmor.d/local not found, skipping Setting /etc/apparmor.d/sbin.dhclient to enforce mode. Setting /etc/apparmor.d/sbin.klogd to enforce mode. Setting /etc/apparmor.d/sbin.syslogd to enforce mode. Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode. Setting /etc/apparmor.d/snap.core.4830.usr.lib.snapd.snap-confine to enforce mode. Profile for /etc/apparmor.d/tunables not found, skipping Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode. Setting /etc/apparmor.d/usr.bin.evince to enforce mode. Setting /etc/apparmor.d/usr.bin.firefox to enforce mode. Setting /etc/apparmor.d/usr.bin.man to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.anvil to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.auth to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.config to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.deliver to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.dict to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-auth to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-lda to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.imap to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.imap-login to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.lmtp to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.log to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.managesieve to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.managesieve-login to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.pop3 to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.pop3-login to enforce mode. Setting /etc/apparmor.d/usr.lib.dovecot.ssl-params to enforce mode. Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode. Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode. Setting /etc/apparmor.d/usr.sbin.cups-browsed to enforce mode. Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode. Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. Setting /etc/apparmor.d/usr.sbin.dovecot to enforce mode. Setting /etc/apparmor.d/usr.sbin.identd to enforce mode. Setting /etc/apparmor.d/usr.sbin.ippusbxd to enforce mode. Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode. Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode. Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode. Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode. Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.
man apparmor man aa-status man aa-enforce
Firejail, created by netblue30, reduces the risk of security breaches by using a lightweight visualization technology to isolate applications and restrict them to sandboxed (container) environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an unsafe file in a heavily sandboxed environment.
Both Firejail and AppArmor can be used together (cooperatively) or independently of each other. If one of them failed to restrict a certain file or directory, it would be possible for the other to compensate and contain the vulnerability.
Firejail container's support a number of features:
- Blacklisting: Deny access to specific files and directories. Access attempts are reported to syslog.
- Whitelisting: Allow only files and directories specified by the user.
- Temporary filesystem: Mount a temporary filesystem on top of a directory.
- Private: Mount copies of files and directories and discard them when the sandbox is closed.
- Restricted home: Only the current user /home directory is available inside the sandbox.
- Reduced system information leakage: Restrict access to sensitive directories such as /boot, /proc, and /sys.
Head over to the download page and grab the latest stable version of Firejail and the .asc file. At the time of this writing, the latest version is "firejail_0.9.54_1_amd64.deb." Then, open a new terminal, change into the Downloads/ directory using cd and view its contents using the ls command.
tokyoneon@nullbyte:~$ cd Downloads/ tokyoneon@nullbyte:~/Downloads$ ls firejail_0.9.54_1_amd64.deb firejail-0.9.54.asc tokyoneon@nullbyte:~/Downloads$
The downloaded firejail-0.9.54.asc file contains the secure cryptographic hashes used to verify the .deb download hasn't been tampered with by SourgeForge or any third-parties. Download netblue30's public key from a PGP keyserver and import it into your GPG keyring.
wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7' | gpg --import ---- https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7 Resolving pgp.mit.edu (pgp.mit.edu)... 126.96.36.199 Connecting to pgp.mit.edu (pgp.mit.edu)|188.8.131.52|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 2341 (2.3K) [text/html] Saving to: ‘STDOUT’ - 100%[==============>] 2.29K --.-KB/s in 0s gpg: key 2CCB36ADFC5849A7: public key "netblue (firejail key) <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1
Then, to verify the .asc file, use the gpg --verify firejail-0.9.54.asc command.
gpg --verify firejail-0.9.54.asc gpg: Signature made Wed 16 May 2018 06:50:24 AM PDT gpg: using RSA key F951164995F5C4006A73411E2CCB36ADFC5849A7 gpg: Good signature from "netblue (firejail key) <email@example.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7
Notice the "Good signature" line above. This is verification that the .asc file is legitimate. We can now view the contents of the file using the cat command. If you do not see the good signature line, don't panic. It's possible the Firejail .asc was malformed during the download. Try downloading it again.
cat firejail-0.9.54.asc 1 -----BEGIN PGP SIGNED MESSAGE----- 2 Hash: SHA256 3 4 08698324685adac8a2d3935e7f493f527cbd5ae792ac21226728a42dd9f84c3f firejail-0.9.54-1.x86_64.rpm 5 ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756 firejail-0.9.54.tar.xz 6 0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb 7 080f72ab8467570e70953910d9001c1dce43be5c5b932a2bed3cd213af44351b firejail_0.9.54_1_i386.deb 8 -----BEGIN PGP SIGNATURE----- 9 10 iQEzBAEBCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyAACgkQLMs2rfxY 11 Sae8UAf+IkDv99oiTc+ihmhq6rrFrV/41Tb92jMIJJW8hfEZFJFWd0ZHhmZv/7Fz 12 nW6W+gKrPf9MhC9bVmhOeU/UwcIUBlR5yQs+frJbHE8zuBzBGWZqgKGj78hlrkov 13 7Xyab/jrSOm4FgpvKAqBh5nLWYyLtZKTT1DGswl2XpsXncMVdNFPnYjVOb1l5aDl 14 ga2VHVKbGkrOY+8r7Vuhc0G+B+mugMt7jwUWMJgo84H4fY+Bpl/+6qS7RzJZw2Ew 15 JlH/RADxbiFMGqBlk0hWY8jhJhE6R79Ea2+5bsCzJIbI89PgbUuyvlwCtVv38hsN 16 C72d/NJJ6QrafBqWUWjTQPWSdMBt3g== 17 =IEak 18 -----END PGP SIGNATURE-----
Copy the hash on line #6, the one that starts "0e92d90..." and then use the below grep command to find the SHA256 hash of the .deb and compare it to the hash in the .asc.
sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9'
If all went well, the command will produce the following result.
tokyoneon@nullbyte:~/Downloads$ ; tokyoneon@nullbyte:~/Downloads$ sha256sum sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9' 0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb tokyoneon@nullbyte:~/Downloads$
Finally, install the .deb using the sudo dpkg -i firejail0.9.541_amd64.deb command.
sudo dpkg -i firejail_0.9.54_1_amd64.deb Selecting previously unselected package firejail. (Reading database ... 170565 files and directories currently installed.) Preparing to unpack firejail_0.9.54_1_amd64.deb ... Unpacking firejail (0.9.54-1) ... Setting up firejail (0.9.54-1) ... Processing triggers for man-db (2.8.3-2) ...
Use the --help argument to view Firejail's available options and verify it was installed correctly.
Firejail has too many features to cover in this article, so I'll show two practical uses.
One of Firejail's greatest features is its ability to create temporary, offline sandboxes that are disposed of when the application is closed. Use the below command to create a strict temporary sandbox configuration.
firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf
There a lot going on in the above command, so I'll breakdown each argument one by one.
- --seccomp: Seccomp (secure computing mode) is enabled by default, but I included it in the command because it's one of Firejail's best features. Seccomp is a computer security facility in the Linux kernel and allows a process to make a one-way transition into a "secure" state where it cannot make any system calls. Should an application inside the sandbox attempt any other system calls, the kernel will aggressively terminate the process.
- --nonewprivs: This option allows you to restrict processes from gaining new privileges inside the container. This ensures that child processes cannot acquire new privileges using the execve system call.
- --private: Create a new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.
- --private-dev: The /dev directory generally contains sensitive device files. Using the --private-dev argument, Firejail will create a new (temporary) /dev directory isolated from the operating systems actual /dev.
- --private-tmp: The /tmp directory in an Ubuntu operating system usually contains temporary storage files created by running applications. Data in these files may be sensitive and should be isolated from sandboxed applications.
- --net=none: The only interface available in the sandbox is a new loopback interface (lo). Use this option to deny network access to programs that don't really need internet access.
- --x11: Sandbox the application using Xephyr. The sandbox prevents screenshot and keylogger applications started inside the sandbox from accessing clients running outside the sandbox.
- --whitelist: Whitelist directory or file. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed.
- evince /tmp/unsafe.pdf: This final bit of the command calls the Evince PDF reader and the opens the specified file.
For a more lenient set of sandboxing rules, use the below command.
firejail --seccomp --nonewprivs --private --private-tmp firefox
This will open Firefox in a sandboxed environment and dispose of files saved in the temporary /home directories created by the --private argument.
To conclude this series on locking down your Ubuntu system, we'll get into auditing the system for vulnerabilities using (free) professional software, using antivirus software that respects your privacy, and effectively monitoring system logs for abnormalities.