Once you have installed Ubuntu with security in mind and reduced the possibility of network attacks on your system, you can start thinking about application-level security. If a malicious file is opened on your system, will an attacker be able to access every file on your computer? The chances are much slimmer if you put the right defenses in place.
In the third part of our mini-series on strengthening your primary Ubuntu installation, you will learn how Ubuntu package repositories work, which repos you should avoid and how to update. You'll also see how to import additional AppArmor profiles to limit resources that apps can use, as well as create sandboxes to completely isolate insecure applications from the operating system.
If you missed the beginning of this article series, you should check out the first section to learn more about my motives for starting this four-part guide.
Step 1: Install the latest system updates
Part of keeping your system secure is simply to make sure that the latest package and application updates are installed.
If you are coming from Windows 10, you will be used to downloading and installing new applications from random websites. This practice is inherently insecure. Unsigned, unverified applications distributed from a single source create the potential for supply chain attacks.
Linux handles software installation in various ways. Ubuntu uses multiple repositories (servers) that contain packages (software and dependencies) that are reviewed by Canonical, Ubuntu developers, and the security team. However, not all Ubuntu repositories are reviewed by the Ubuntu team.
Ubuntu's repositories are divided into the following components:
Main: The main component contains applications that are free software, can be freely redistributed, and are fully supported by the Ubuntu team. This includes the most popular and most reliable open source applications available, many of which are included as standard when installing Ubuntu. The main component contains a hand-selected list of applications that Ubuntu developers, the community, and users think are most important and which the Ubuntu security team is willing to support. When we install software from the main repository, we can be sure that the software comes with security updates and that support is available from Canonical.
Universe: The Universe repository is a collection of free, open source software. It contains almost every open source program, all built from a variety of public sources. Canonical will provide regular security updates for software in the Universe repo when they are made available by the community. Popular or well-supported software will move from Universe to Main if it is backed by maintainers willing to meet the standards set by the Ubuntu team.
Restricted: Ubuntu's commitment is to promote only free software, i.e. software available under a free license. However, it makes exceptions for a small set of tools and drivers that allow Ubuntu and its free applications to be installed on everyday hardware. These proprietary drivers are kept in the restricted component. Note that it may not be possible to provide complete support for this software: Ubuntu developers are unable to fix the software themselves and can only forward problem reports to the actual authors. Ubuntu developers only use non-open source software when there is no other way to install Ubuntu. The Ubuntu team works with suppliers to accelerate open sourcing of their software to ensure that as much software as possible is available under a free license.
Multiverse: The Multiverse repository contains non-free software, which means the licensing requirements for this software do not comply with the Ubuntu licensing policy. It is your responsibility to verify your rights to use this software and to comply with the license terms of the copyright owner. This software is not supported and usually cannot be fixed or updated. Use it at your own risk.
Disabling Unsafe Repositories
Before updating any packages, open the "Software & Updates" window and disable the "multiverse" and "restricted" repositories in the "Ubuntu Software" tab. These repositories distribute closed source software that cannot be reviewed and that sometimes requires non-free (paid) user licenses.
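To confirm from a terminal which entries still pull from "restricted" or "multiverse", the following added example (not part of the original article) audits an APT sources file and prints a copy with those components removed. It assumes the classic one-line `deb ...` format without trailing comments; the deb822 `.sources` format is not handled, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Write a constructed one-line-format sources file to the path in $1.
write_sample() {
cat > "$1" <<'EOF'
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy universe
deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
# deb http://archive.ubuntu.com/ubuntu jammy multiverse
deb http://archive.ubuntu.com/ubuntu jammy-backports multiverse
EOF
}

# Print "suite component" for every enabled restricted/multiverse entry in $1.
flagged_components() {
    awk '/^[ \t]*deb(-src)?[ \t]/ {
        i = 2   # index of the URI; skip an optional [options] block first
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        for (j = i + 2; j <= NF; j++)
            if ($j == "restricted" || $j == "multiverse") print $(i + 1), $j
    }' "$1"
}

# Print $1 with restricted/multiverse dropped from each enabled line. A line
# left with no component is commented out instead of being emitted broken.
strip_components() {
    awk '!/^[ \t]*deb(-src)?[ \t]/ { print; next }
    {
        i = 2
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        out = $1; kept = 0
        for (j = 2; j <= NF; j++) {
            is_comp = (j > i + 1)   # fields after URI and suite are components
            if (is_comp && ($j == "restricted" || $j == "multiverse")) continue
            if (is_comp) kept++
            out = out " " $j
        }
        print (kept ? out : "# " $0)
    }' "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "Enabled restricted/multiverse entries:"; flagged_components "$sample"
echo "File with those components removed:"; strip_components "$sample"
rm -f "$sample"
```

On a real system, `flagged_components /etc/apt/sources.list` should print nothing once both components are disabled.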