
Using Ubuntu as Your Primary Operating System, Part 3 (Application Hardening & Sandboxing) « Null Byte :: WonderHowTo



Once you have installed Ubuntu with security in mind and reduced the possibility of network attacks on your system, you can start thinking about application-level security. If a malicious file is opened on your system, will an attacker be able to access all of the files on your computer? The chances are much slimmer if you put the right defenses in place.

In the third part of our mini-series on hardening your primary Ubuntu installation, you will learn how Ubuntu package repositories work, which repos you should avoid, and how to update. You'll also see how to import additional AppArmor profiles to limit the resources apps can use, and how to create sandboxes that completely isolate insecure applications from the operating system.

If you missed the beginning of this article series, check out the first part to learn more about my motives for starting this four-part guide.

Step 1: Install the latest system updates

Part of keeping your system secure is simply making sure that the latest package and application updates are installed.

If you are coming from Windows 10, you will be used to downloading and installing new applications from random websites. This practice is inherently insecure: unsigned, unverified applications distributed from a single source create the potential for a supply-chain attack.

Linux handles software installation differently. Ubuntu uses multiple repositories (servers) containing packages (software and its dependencies) that are reviewed by Canonical, Ubuntu developers, and the security team. However, not all Ubuntu repositories are reviewed by the Ubuntu team.

Ubuntu's repositories are divided into the following components:

  • Main : The main component contains applications that are free software, can be freely redistributed, and are fully supported by the Ubuntu team. This includes the most popular and most reliable open-source applications available, many of which are installed by default when you install Ubuntu. The main component is a hand-selected list of applications that the Ubuntu developers, community, and users consider most important and that the Ubuntu security team is willing to support. When we install software from the main repository, we can be sure that it comes with security updates and that support is available from Canonical.
  • Universe : The universe component is a collection of free, open-source software. It contains almost every open-source program, all built from a variety of public sources. Canonical provides security updates for universe software only when the community makes them available. Popular or well-supported software moves from universe to main if it is backed by maintainers willing to meet the standards set by the Ubuntu team.
  • Restricted : Ubuntu's commitment is to ship only free software, i.e. software available under a free license. However, exceptions are made for a small set of tools and drivers that allow Ubuntu and its free applications to run on everyday hardware. These proprietary drivers are kept in the restricted component. Note that complete support may not be possible for this software, because the Ubuntu developers cannot fix it themselves; they can only forward problem reports to the actual authors. Ubuntu developers only include non-open-source software when there is no other way to run Ubuntu. The Ubuntu team works with vendors to accelerate the open-sourcing of their software so that as much of it as possible is available under a free license.
  • Multiverse : The multiverse component contains non-free software, meaning the licensing requirements of this software do not meet the Ubuntu licensing policy. It is your responsibility to verify your rights to use this software and to comply with the license terms of the copyright holder. This software is not supported and usually cannot be fixed or updated. Use it at your own risk.

Disabling Unsafe Repositories

Before updating any packages, open the "Software & Updates" window and disable the "multiverse" and "restricted" repositories in the "Ubuntu Software" tab. These repositories distribute closed-source software that cannot be reviewed, and some of it requires non-free (paid) user licenses.

Disabling Backports

Backports offers a way to selectively provide newer versions of software for older Ubuntu releases. Usually, the Backports team provides new versions of standalone applications that can be updated safely without affecting the rest of the system, but the Ubuntu security team does not update packages in Backports, so it is recommended to disable them. Make sure "bionic-backports" is unchecked.

By default, Ubuntu should automatically download and update security updates daily.

Manual Checking for Updates

To check for updates manually, use sudo apt-get update && sudo apt-get dist-upgrade.

  ~ $ sudo apt-get update && sudo apt-get dist-upgrade

Hit:1 http://nz.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://nz.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Step 2: Use AppArmor profiles

AppArmor is a kernel enhancement that confines programs to a limited set of resources. With AppArmor, for example, it is possible to prevent a PDF viewer from accessing the internet and from reading certain directories on the operating system. If a malicious PDF is opened, the viewer will not be allowed to read those directories or exfiltrate data to the attacker's server. AppArmor is installed and enabled in every Ubuntu installation. This can be verified with the command below.

  ~ $ sudo aa-status

Install Additional AppArmor Profiles

Use sudo apt-get install apparmor-profiles apparmor-utils to add more AppArmor profiles.

  ~ $ sudo apt-get install apparmor-profiles apparmor-utils

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python3-apparmor (2.12-4ubuntu5)
  python3-libapparmor (2.12-4ubuntu5)
Suggested packages:
  vim-addon-manager (0.5.7)
The following NEW packages will be installed:
  apparmor-profiles (2.12-4ubuntu5)
  apparmor-utils (2.12-4ubuntu5)
  python3-apparmor (2.12-4ubuntu5)
  python3-libapparmor (2.12-4ubuntu5)
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 189 kB of archives.
After this operation, 1,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Enforce Each Profile

Then use the aa-enforce command below to put all of the newly added profiles into enforce mode.

  ~ $ sudo aa-enforce /etc/apparmor.d/*

Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/ not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Setting /etc/apparmor.d/snap.core.4830.usr.lib.snapd.snap-confine to enforce mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Setting /etc/apparmor.d/usr.bin.evince to enforce mode.
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
Setting /etc/apparmor.d/usr.bin.man to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.anvil to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.config to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.deliver to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dict to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-lda to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.lmtp to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.log to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.manages to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3 to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.ssl-params to enforce mode.
Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode.
Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cups-browsed to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dovecot to enforce mode.
Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.ippusbxd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

It is also possible to write custom profiles for any application on the OS. For a comprehensive look at AppArmor, use the man command to view the manuals.

  ~ $ man apparmor
~ $ man aa-status
~ $ man aa-enforce
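As an added example (not code from the article), here is how a defender confirms that an enforced profile such as the evince one is actually doing its job: the kernel logs every blocked action with apparmor="DENIED", and this script summarises those lines per confined program. The log lines embedded in it are constructed samples; the field names are the ones AppArmor writes to the audit log.

```shell
#!/bin/sh
# Added example, not code from the original article. Once a profile is enforced,
# everything it blocks is logged by the kernel with apparmor="DENIED"; this is
# how you confirm the evince confinement described above is actually working.
# Field names (operation=, profile=, name=, family=, sock_type=) are the ones the
# AppArmor LSM writes to the audit log. SAMPLE_LOG is constructed, not real data.

# Extract one quoted key="value" field from the audit line on stdin.
field() { # $1 = field name
  sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Print "<profile> <operation> <target>" for each DENIED line on stdin.
# Target is the path for file operations, family/sock_type for socket operations.
list_denials() {
  grep 'apparmor="DENIED"' | while IFS= read -r line; do
    prof=$(printf '%s\n' "$line" | field profile)
    op=$(printf '%s\n' "$line" | field operation)
    tgt=$(printf '%s\n' "$line" | field name)
    if [ -z "$tgt" ]; then
      tgt="$(printf '%s\n' "$line" | field family)/$(printf '%s\n' "$line" | field sock_type)"
    fi
    printf '%s %s %s\n' "$prof" "$op" "$tgt"
  done
}

# Count denials per confined program: "<profile> <count>", sorted by profile.
count_by_profile() {
  list_denials | awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' | sort
}

# Constructed sample of what `journalctl -k` shows while a malicious PDF, opened
# in confined evince, tries to read SSH/GPG keys and open a network socket.
SAMPLE_LOG='audit: type=1400 audit(1526500000.101:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/evince" pid=900 comm="apparmor_parser"
audit: type=1400 audit(1526500001.202:42): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=1234 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1526500001.303:43): apparmor="DENIED" operation="create" profile="/usr/bin/evince" pid=1234 comm="evince" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1526500001.404:44): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.gnupg/secring.gpg" pid=1234 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1526500002.505:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=777 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Stand-alone run: per-profile totals for the sample (real use: journalctl -k | count_by_profile).
printf '%s\n' "$SAMPLE_LOG" | count_by_profile
```

On a live system, feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG; a profile that never produces a DENIED line while you deliberately poke at a forbidden path is worth checking with aa-status, since it may still be in complain mode.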

Step 3: Isolate Files and Apps in a Sandboxed Environment

Firejail, created by netblue30, reduces the risk of security breaches by using lightweight virtualization technology to isolate applications and restrict them to sandboxed (container) environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an insecure file in a heavily sandboxed environment.

Firejail and AppArmor can be used together (cooperatively) or independently. If one of them fails to restrict a particular file or directory, the other can compensate and contain the breach.

Firejail containers support a number of features:

2. Import the developer public key

The downloaded firejail-0.9.54.asc file contains the cryptographic hashes used to verify that the .deb download has not been tampered with by SourceForge or any third party. Download netblue30's public key from a PGP key server and import it into your GPG keyring.

  ~ $ wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7' | gpg --import

--  https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7
Resolving pgp.mit.edu (pgp.mit.edu)... 18.9.60.141
Connecting to pgp.mit.edu (pgp.mit.edu)|18.9.60.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2341 (2.3K) [text/html]
Saving to: 'STDOUT'

-                   100%[===================>]   2.29K  --.-KB/s    in 0s

gpg: key 2CCB36ADFC5849A7: public key "netblue (firejail key)" imported
gpg: Total number processed: 1
gpg:               imported: 1

3. Verify Hashes

Then, to verify the .asc file, use gpg --verify firejail-0.9.54.asc.

  ~ $ gpg --verify firejail-0.9.54.asc

gpg: Signature made Wed May 16, 2018 06:50:24 AM PDT
gpg:                using RSA key F951164995F5C4006A73411E2CCB36ADFC5849A7
gpg: Good signature from "netblue (firejail key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7

Note the "Good signature" line above. This is verification that the .asc file is legitimate, meaning it was signed by the key whose fingerprint is printed on the last line; the WARNING only says that key is not yet in your web of trust, so compare that fingerprint against the one the Firejail project publishes before relying on it. We can now view the contents of the file with the cat command. If you do not see the "Good signature" line, do not panic. It's possible that the Firejail .asc file was corrupted during the download. Try downloading it again.

  ~ $ cat firejail-0.9.54.asc

1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA256
3
4 08698324685adac8a2d3935e7f493f527cbd5ae792ac21226728a42dd9f84c3f firejail-0.9.54-1.x86_64.rpm
5 ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756 firejail-0.9.54.tar.xz
6 0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb
7 080f72ab8467570e70953910d9001c1dce43be5c5b932a2bed3cd213af44351b firejail_0.9.54_1_i386.deb
8 -----BEGIN PGP SIGNATURE-----
9
10 iQEzBAEBCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyAACgkQLMs2rfxY
11 Sae8UAf+IkDv99oiTc+ihmhq6rrFrV/41Tb92jMIJJW8hfEZFJFWd0ZHhmZv/7Fz
12 nW6W+gKrPf9MhC9bVmhOeU/UwcIUBlR5yQs+frJbHE8zuBzBGWZqgKGj78hlrkov
13 7Xyab/yrSOm4FgpvKAqBh5nLWYyLtZKTT1DGswl2XpsXncMVdNFPnYjVOb1l5aDl
14 ga2VHVKbGkrOY+8r7Vuhc0G+B+muggMt7jwUWMJgo84H4fY+Bpl/+6qS7RzJZw2Ew
15 JlH/RADxbiFMGqBlk0hWY8jhJhE6R79Ea2+5bsCzJIbI89PgbUuyvlwCtVv38hsN
16 C72d/NJJ6QrafBqWUWjTQPWSdMBt3g==
17 =IEak
18 -----END PGP SIGNATURE-----

Copy the hash on line 6 and use the grep command below to compare the SHA256 hash of the .deb against the one in the .asc. If everything went well, the command produces the output below; if the hashes differ, grep prints nothing, and in that case the package must not be installed.

  ~/Downloads $ sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9'

0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb
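The cat-and-grep comparison above, as an added example that is not part of the original article, turned into a repeatable check that distinguishes a hash mismatch from a file that is not listed at all. It assumes the .asc is a clearsigned list of "<sha256>  <filename>" lines as shown above and that gpg --verify has already succeeded; the demo package and hash list it builds are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: the cat + grep check above
# as a repeatable function that tells a tampered file apart from one that is
# simply not listed. Assumes the .asc is a clearsigned list of "<sha256>  <file>"
# lines (the format shown above) and that `gpg --verify` has already succeeded
# and the fingerprint has been checked; the demo files below are constructed.

# SHA256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Expected digest for one bare filename, read from the clearsigned list;
# only 64-hex-character first fields count, so headers and the signature are ignored.
expected_hash() { # $1 = .asc file, $2 = bare filename
  awk -v f="$2" 'length($1) == 64 && $2 == f { print $1; exit }' "$1"
}

# Compare the real digest of a download with the listed one.
# Exit status: 0 = match, 1 = MISMATCH (tampered or corrupt), 2 = not listed at all.
verify_download() { # $1 = .asc file, $2 = path to the downloaded package
  want=$(expected_hash "$1" "$(basename "$2")")
  if [ -z "$want" ]; then
    echo "NOT LISTED: $2" >&2; return 2
  fi
  have=$(digest "$2")
  if [ "$have" = "$want" ]; then
    echo "OK: $2"; return 0
  fi
  echo "MISMATCH: $2 (expected $want, got $have)" >&2; return 1
}

# Constructed demo: a throwaway "package" plus a hash list written for it, so the
# check runs offline. Prints the directory holding demo.asc and demo_1.0_amd64.deb.
make_demo() {
  d=$(mktemp -d) || return 1
  printf 'not a real package\n' > "$d/demo_1.0_amd64.deb"
  printf '%s\nHash: SHA256\n\n%s  demo_1.0_amd64.deb\n%s\n(signature omitted in this constructed sample)\n%s\n' \
    '-----BEGIN PGP SIGNED MESSAGE-----' "$(digest "$d/demo_1.0_amd64.deb")" \
    '-----BEGIN PGP SIGNATURE-----' '-----END PGP SIGNATURE-----' > "$d/demo.asc"
  echo "$d"
}

# Stand-alone run: the pristine file passes, a modified copy with the same name fails.
d=$(make_demo)
verify_download "$d/demo.asc" "$d/demo_1.0_amd64.deb"
mkdir -p "$d/evil" && printf 'not a real package\nextra\n' > "$d/evil/demo_1.0_amd64.deb"
verify_download "$d/demo.asc" "$d/evil/demo_1.0_amd64.deb" || echo "exit status $?"
```

For the real download, call verify_download firejail-0.9.54.asc firejail_0.9.54_1_amd64.deb only after the gpg --verify step above has printed "Good signature".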

4. Install Firejail

Finally, install the .deb with the dpkg command below.

  ~ $ sudo dpkg -i firejail_0.9.54_1_amd64.deb

Selecting previously unselected package firejail.
(Reading database ... 170565 files and directories currently installed.)
Preparing to unpack firejail_0.9.54_1_amd64.deb ...
Unpacking firejail (0.9.54-1) ...
Setting up firejail (0.9.54-1) ...
Processing triggers for man-db (2.8.3-2) ...

Use the --help argument to view Firejail's available options and to verify that it was installed correctly.

  ~ $ firejail --help

Firejail has too many features to cover in this article, so I'll show you two practical uses.

Sandboxing Insecure PDF Files Found on the Internet

One of Firejail's greatest features is its ability to create temporary, offline sandboxes that are disposed of when the application is closed. Use the command below to create a strictly temporary sandbox configuration.

  ~ $ firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf

A lot happens in the command above, so I will break down each argument one by one.

Next Up: Auditing, Antivirus & Monitoring

To end this series on locking down your Ubuntu system, we will audit the system for vulnerabilities with (free) professional software, use antivirus software that respects your privacy, and effectively monitor system logs for anomalies.

Cover image by Justin Meyers / Null Byte; screenshots by tokyoneon / Null Byte
