
Using Ubuntu as your primary operating system, part 3 (Application hardening and sandboxing) «Null Byte :: WonderHowTo



After installing Ubuntu with security in mind and reducing the possibility of network attacks on your system, you can start thinking about security at the application level. If a malicious file is opened on your system, does the attacker then have access to every file on the computer? The chances are much slimmer if you put the right defenses in place.

In this third part of our mini-series on hardening your primary Ubuntu installation, you will learn how Ubuntu package repositories work, which repositories you should avoid, and how to update. You will also see how to import additional AppArmor profiles to limit the resources that applications can use, and how to create sandboxes that isolate untrusted applications from the rest of the operating system.

If you missed the start of this series, have a look at the first part to learn more about my motivations for writing this four-part guide.

Step 1: Install the latest system updates

Part of keeping your system secure is simply ensuring that the latest package and application updates are installed.

If you are coming from Windows 10, you are used to downloading and installing new applications from random websites. This practice is inherently unsafe: an unsigned, unverified application distributed from a single source hands an attacker who compromises that source (or the connection to it) a ready-made supply chain attack.

Linux treats software installation differently. Ubuntu uses a set of repositories (servers) containing packages (software and its dependencies) that have been reviewed by Canonical, the Ubuntu developers and the Ubuntu security team, and apt checks the signature on every repository index it downloads before it installs anything from it. However, not all Ubuntu repositories are maintained by the Ubuntu team.

The Ubuntu repositories are divided into the following components:

  • Main: The Main component contains applications that are free software, can be freely redistributed and are fully supported by the Ubuntu team. It includes the most popular and reliable open-source applications available, many of which are installed by default. Main is a hand-selected list of applications that the Ubuntu developers, the community and users consider most important and that the Ubuntu security team is willing to support. When you install software from Main, you know that it will receive security updates and that support is available from Canonical.
  • Universe: The Universe component is a collection of free, open-source software. It contains almost every piece of open-source software available, all built from public sources. Canonical passes on security updates for software in Universe on a best-effort basis, when the community makes them available. Popular or well-maintained software is moved from Universe to Main when its maintainers commit to meeting the Ubuntu team's standards.
  • Restricted: Ubuntu strives to ship only free software, i.e. software available under a free license. However, it makes an exception for a small set of proprietary tools and drivers that allow Ubuntu and its free applications to run on everyday hardware. These proprietary drivers live in the Restricted component. Full support may not be possible, because the Ubuntu developers cannot fix this software themselves; they can only forward problem reports to the actual authors. Ubuntu developers only include non-open-source software where there is no other way to get Ubuntu running on the hardware, and the Ubuntu team works with vendors to encourage them to open-source their software so that as much as possible is available under a free license.
  • Multiverse: The Multiverse component contains software that is not free, meaning that its license terms do not comply with Ubuntu's licensing policy. It is your responsibility to verify that you are entitled to use this software and to comply with the copyright holder's license terms. This software is not supported and usually cannot be fixed or updated by Ubuntu. Use it at your own risk.

Disable unsafe repositories

Before updating packages, open the "Software & Updates" window and untick the "restricted" and "multiverse" components on the "Ubuntu Software" tab. These components distribute closed-source software that cannot be audited and that sometimes requires non-free (paid) licenses. One caveat: if your machine depends on a proprietary driver from Restricted (a graphics or Wi-Fi driver, for example), that driver stops receiving updates once the component is disabled, so check first where your installed driver packages come from (apt-cache policy <package> shows the component each package was installed from).

Disabling Backports

Backports provide a way to selectively offer newer versions of software to older Ubuntu releases. Usually the Backports team provides new versions of standalone applications that can be updated safely without affecting the rest of the system, but the Ubuntu security team does not maintain packages in Backports, which is why disabling them is recommended. On the "Updates" tab, make sure that "bionic-backports" is unchecked.

By default, Ubuntu downloads and installs security updates automatically every day; the same "Updates" tab is where you can confirm that this is still switched on.
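The "Software & Updates" window only edits the repository list for you; on a machine where that list has been touched by hand or by a third-party installer it is worth checking from the command line as well. The script below is an added example and not part of the original article: it parses classic one-line apt source entries (the format of /etc/apt/sources.list and *.list files on bionic, not the newer deb822 .sources format) and reports every line that enables restricted, multiverse or a -backports suite, which are exactly the components and suite this step tells you to disable. The sample sources file it writes is constructed for the demonstration.

```bash
#!/bin/sh
# Added example: flag apt source entries that the Ubuntu security team does not
# maintain (restricted, multiverse, and any *-backports suite).

# audit_apt_sources FILE
# Prints one finding per line as "FILE:LINENO reason"; returns 1 if anything was
# found, 0 if the file only enables main/universe on non-backports suites.
audit_apt_sources() {
    local findings
    findings=$(awk -v f="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }       # only repository lines
        {
            i = 2
            # skip an optional [arch=... trusted=...] option block
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)
            if (suite ~ /-backports$/)
                printf "%s:%d suite %s receives no security updates\n", f, NR, suite
            for (j = i + 2; j <= NF; j++)
                if ($j == "restricted" || $j == "multiverse")
                    printf "%s:%d component %s on %s is not maintained by the Ubuntu security team\n", f, NR, $j, suite
        }' "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_system_sources: run the check over the usual locations on a live system.
audit_system_sources() {
    local status f
    status=0
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list; do
        [ -r "$f" ] && { audit_apt_sources "$f" || status=1; }
    done
    return $status
}

# write_sample_sources FILE: constructed sample resembling a bionic sources.list
# on which restricted, multiverse and backports are still enabled.
write_sample_sources() {
    cat > "$1" <<'EOF'
deb http://nz.archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://nz.archive.ubuntu.com/ubuntu bionic-updates main universe
deb http://nz.archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main universe
# deb http://archive.canonical.com/ubuntu bionic partner
deb [arch=amd64] http://nz.archive.ubuntu.com/ubuntu bionic multiverse
EOF
}

# Demo on the constructed sample:  sh audit-sources.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_sources "$tmp"
    audit_apt_sources "$tmp"
    rm -f "$tmp"
fi
```

On a real system, source the file and run audit_system_sources; a non-zero exit means something the security team does not maintain is still enabled. The option-block handling matters because entries such as deb [arch=amd64] ... are common once a third-party repository has been added.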

Manually check for updates

Use sudo apt-get update && sudo apt-get dist-upgrade to check for and install updates manually.

  ~ $ sudo apt-get update && sudo apt-get dist-upgrade

Hit:1 http://nz.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://nz.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Step 2: Using AppArmor Profiles

AppArmor is a Linux kernel security module that confines programs to a limited set of resources. With AppArmor, for example, it is possible to deny a PDF viewer access to the internet and to everything on disk except a few predefined folders. If a malicious PDF is opened, the viewer is then unable to read those folders or to exfiltrate data to the attacker's server. AppArmor is installed and enabled on every Ubuntu installation, but it only confines programs that have a loaded profile; the command below shows which profiles are loaded and whether each one is in enforce or complain mode.

  ~ $ sudo aa-status 

Installing additional AppArmor profiles

Use sudo apt-get install apparmor-profiles apparmor-utils to add more AppArmor profiles, together with the tools for managing them.

  ~ $ sudo apt-get install apparmor-profiles apparmor-utils

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python3-apparmor (2.12-4ubuntu5)
python3-libapparmor (2.12-4ubuntu5)
Suggested packages:
vim-addon-manager (0.5.7)
The following NEW packages will be installed:
apparmor-profiles (2.12-4ubuntu5)
apparmor-utils (2.12-4ubuntu5)
python3-apparmor (2.12-4ubuntu5)
python3-libapparmor (2.12-4ubuntu5)
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 189 kB of archives.
After this operation, 1,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Enforce each profile

Then use the aa-enforce command below to put every newly added profile into enforce mode. Be aware that some of the profiles shipped in apparmor-profiles are in complain mode for a reason: forcing them to enforce can break the application they confine. After running the command, watch the kernel log (journalctl -k, or /var/log/kern.log) for apparmor="DENIED" entries, and switch a profile that breaks something back with sudo aa-complain /etc/apparmor.d/<profile> while you fix it.

  ~ $ sudo aa-enforce /etc/apparmor.d/*

Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Setting /etc/apparmor.d/snap.core.4830.usr.lib.snapd.snap-confine to enforce mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Setting /etc/apparmor.d/usr.bin. to enforce mode.
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
Setting /etc/apparmor.d/usr.bin.man to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.anvil to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.config to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.deliver to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dict to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-lda to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.lmtp to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.log to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3 to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.ssl-params to enforce mode.
Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode.
Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cups-browsed to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dovecot to enforce mode.
Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.ippusbxd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

It is also possible to write a custom profile for any application on the system; aa-genprof and aa-logprof from apparmor-utils will build one from the program's observed behaviour. For a comprehensive overview of AppArmor, read the manual pages with the man command.

  ~ $ man apparmor
  ~ $ man aa-status
  ~ $ man aa-enforce
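To make the PDF-viewer scenario from the start of this step concrete, here is an added example (not code from the article or from the AppArmor project) that does two things: it writes a local override denying a confined program network access and access to key material, and it summarises apparmor="DENIED" events from the kernel log so you can see what an enforced profile is actually blocking and whether an override is too tight. It assumes the target's main profile ends with an #include <local/...> line, as Ubuntu's shipped profiles do; the log lines it ships with are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: local AppArmor override plus a denial summariser.

# profile_file_name /usr/bin/evince -> usr.bin.evince (AppArmor's file naming convention)
profile_file_name() {
    printf '%s\n' "$1" | sed 's|^/||; s|/|.|g'
}

# deny_override BINARY: print override rules for BINARY. "deny" rules take
# precedence over any allow rule in the main profile, so a permissive rule
# elsewhere cannot reopen what is denied here.
deny_override() {
    cat <<EOF
# Local override for $1 (pulled in via #include <local/$(profile_file_name "$1")>)
deny network,
deny @{HOME}/.ssh/** rwklx,
deny @{HOME}/.gnupg/** rwklx,
EOF
}

# install_override BINARY: write the override, reload the profile, show its state.
install_override() {
    local name
    name=$(profile_file_name "$1")
    deny_override "$1" | sudo tee "/etc/apparmor.d/local/$name" >/dev/null
    sudo apparmor_parser -r "/etc/apparmor.d/$name"   # re-parse the main profile; it includes local/
    sudo aa-status | grep -F "$1"                      # should now appear under enforce mode
}

# summarize_denials < log-lines
# Groups apparmor="DENIED" audit records by profile, operation, denied mask and
# target path; prints "COUNT PROFILE OPERATION MASK NAME", most frequent first.
# A "-" in the NAME column means the record had no name= field (e.g. a socket).
summarize_denials() {
    awk '
        index($0, "apparmor=\"DENIED\"") == 0 { next }   # skip ALLOWED (complain-mode) and unrelated lines
        {
            prof = op = name = mask = "-"
            for (i = 1; i <= NF; i++) {
                k = $i; sub(/=.*/, "", k)                  # key before "="
                v = $i; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)   # value, quotes stripped
                if (k == "profile") prof = v
                else if (k == "operation") op = v
                else if (k == "name") name = v
                else if (k == "denied_mask") mask = v
            }
            count[prof " " op " " mask " " name]++
        }
        END { for (key in count) print count[key], key }
    ' | sort -rn
}

# sample_kernel_log: constructed audit lines in the format the kernel emits.
# On a live system the same data comes from "journalctl -k" or /var/log/kern.log.
sample_kernel_log() {
    cat <<'EOF'
Jun  3 10:01:12 host kernel: [  812.441] audit: type=1400 audit(1528020072.113:44): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=2211 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun  3 10:01:12 host kernel: [  812.442] audit: type=1400 audit(1528020072.114:45): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=2211 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun  3 10:01:13 host kernel: [  813.002] audit: type=1400 audit(1528020073.001:46): apparmor="DENIED" operation="create" profile="/usr/bin/evince" pid=2211 comm="evince" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Jun  3 10:01:14 host kernel: [  814.120] audit: type=1400 audit(1528020074.120:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/man" name="/usr/share/man/man1/ls.1.gz" pid=2300 comm="man" requested_mask="r" denied_mask="r"
EOF
}

# Demo:  sample_kernel_log | summarize_denials
```

Two denials of the same read show up as one line with a count of 2, the blocked socket creation shows up with "-" as its target, and the complain-mode ALLOWED record for man is ignored. Run journalctl -k --since today | summarize_denials after enforcing profiles to see what actually got blocked before deciding whether a profile needs loosening or the application simply tried something it should not.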

Step 3: isolate files and apps in a sandbox environment

Firejail, created by netblue30, reduces the risk of a security breach by using lightweight virtualization (Linux namespaces and seccomp-bpf) to isolate applications in sandboxed, container-like environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an unsafe file inside a heavily sandboxed environment.

Firejail and AppArmor can be used together or independently. If one of them fails to restrict access to a particular file or folder, the other can compensate and contain the damage.

Firejail sandboxes support a number of features:

2. Import the developer's public key

The downloaded firejail-0.9.54.asc file contains PGP-signed SHA256 hashes that are used to verify that the .deb download has not been tampered with by SourceForge or by a third party in transit. Download the netblue30 public key from a PGP key server and import it into your GPG keyring. Keep in mind that anyone can upload a key to a key server, so the key ID on its own proves nothing; what matters is that the key's fingerprint matches the one the Firejail project publishes.

  ~ $ wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7' | gpg --import

----  https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7
Resolving pgp.mit.edu (pgp.mit.edu)... 18.9.60.141
Connecting to pgp.mit.edu (pgp.mit.edu)|18.9.60.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2341 (2.3K) [text/html]
Saving to: 'STDOUT'

100%[==============>]   2.29K  --.-KB/s    in 0s

gpg: key 2CCB36ADFC5849A7: public key "netblue (firejail key)" imported
gpg: Total number processed: 1
gpg:               imported: 1

3. Verify the signature

Next, verify the signature on the .asc file with gpg --verify firejail-0.9.54.asc.

  ~ $ gpg --verify firejail-0.9.54.asc

gpg: Signature made Wed 16 May 2018 06:50:24 PDT
gpg:                using RSA key F951164995F5C4006A73411E2CCB36ADFC5849A7
gpg: Good signature from "netblue (firejail key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7

Note the "Good signature" line above: it confirms that the .asc file was signed by the key you just imported and has not been modified since. The WARNING only says that you have not certified that key yourself; what ties it to the Firejail project is the primary key fingerprint on the last line, which must match the one the project publishes. If gpg instead reports "BAD signature", do not install the .deb: re-download both files and verify again, and if it still fails, treat the download as tampered with. Once the signature checks out, view the contents of the file with cat.

  ~ $ cat firejail-0.9.54.asc

1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA256
3
4 08698324685adac8a2d3935e7f493f527cbd5ae792ac21226728a42dd9f84c3f firejail-0.9.54-1.x86_64.rpm
5 ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756 firejail-0.9.54.tar.xz
6 0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb
7 080f72ab8467570e70953910d9001c1dce43be5c5b932a2bed3cd213af44351b firejail_0.9.54_1_i386.deb
8 -----BEGIN PGP SIGNATURE-----
9
10 iQEzBAEBCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyAACgkQLMs2rfxY
11 Sae8UAf+IkDv99oiTc+ihmhq6rrFrV/41Tb92jMIJJW8hfEZFJFWd0ZHhmZv/7Fz
12 nW6W+gKrPf9MhC9bVmhOeU/UwcIUBlR5yQs+frJbHE8zuBzBGWZqgKGj78hlrkov
13 7Xyab/yrSOm4FgpvKAqBh5nLWYyLtZKTT1DGswl2XpsXncMVdNFPnYyVOb1l5aDl
14 ga2VHVKbGkrOY+8r7Vuhc0G+B+mugMt7ywUWMJgo84H4fY+Bpl/+6qS7RzJZw2Ew
15 YlH/RADxbiFMGqBlk0hWY8jhJhE6R79Ea2+5bsCzJIbI89PgbUuyvlwCtVv38hsN
16 C72d/NJJ6QrafBqWUWjTQPWSdMBt3g==
17 =IEak
18 -----END PGP SIGNATURE-----

Copy the hash on line 6 and use the grep command below to compare the SHA256 hash of the .deb against the one in the .asc. If the two match, the command prints the line shown below; if the hash differs, grep prints nothing and exits with status 1, and the package must not be installed.

  ~/Downloads $ sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9'

0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb 
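Steps 2 and 3 above (and the dpkg install that follows) are worth scripting, because the weak point is human: it is easy to glance at "Good signature" and miss that it came from a different key in the keyring, or to paste the wrong hash into grep. The script below is an added example, not code from the article or from the Firejail project. It pins the signing key to the fingerprint printed in the gpg output above (treat that as an assumption to confirm against the key the project itself publishes), reads gpg's machine-readable status output instead of the human-readable text, extracts the expected hash for the file from the signed cleartext, and only then calls dpkg. The manifest it writes for the demonstration is constructed and unsigned, so the demonstration exercises only the hash extraction and comparison.

```bash
#!/bin/sh
# Added example: verify a signed SHA256 manifest and the .deb it covers before
# installing. Pinned fingerprint: assumed from the gpg output shown in the
# article for the "netblue (firejail key)" key.
FIREJAIL_FPR="F951164995F5C4006A73411E2CCB36ADFC5849A7"

# verify_manifest_signature MANIFEST [FINGERPRINT]
# Succeeds only if gpg emits a VALIDSIG status line carrying the pinned
# fingerprint. A "Good signature" from some other key that happens to be in
# the keyring is rejected, which eyeballing the text output does not guarantee.
verify_manifest_signature() {
    local fpr
    fpr=${2:-$FIREJAIL_FPR}
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# expected_sha256 MANIFEST FILENAME
# Reads only the cleartext section (stops at the signature block) and prints
# the digest recorded for exactly FILENAME; prints nothing if it is not listed.
expected_sha256() {
    awk -v want="$2" '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }
        NF >= 2 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 == want { print $1; exit }
    ' "$1"
}

# actual_sha256 FILE: hex digest via coreutils sha256sum, or shasum on BSD/macOS.
actual_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{ print $1 }'
    else
        shasum -a 256 -- "$1" | awk '{ print $1 }'
    fi
}

# check_asset MANIFEST FILE: 0 if FILE's digest matches its manifest entry.
check_asset() {
    local name want got
    name=$(basename -- "$2")
    want=$(expected_sha256 "$1" "$name")
    if [ -z "$want" ]; then
        echo "no entry for $name in $1" >&2
        return 1
    fi
    got=$(actual_sha256 "$2")
    if [ "$got" = "$want" ]; then
        echo "OK $2"
        return 0
    fi
    echo "MISMATCH $2: manifest $want, file $got" >&2
    return 1
}

# verified_install MANIFEST DEB: signature, then digest, then dpkg. Any failure
# stops the chain before anything is installed.
verified_install() {
    verify_manifest_signature "$1" && check_asset "$1" "$2" && sudo dpkg -i "$2"
}

# write_sample_manifest FILE: constructed, unsigned stand-in for firejail-0.9.54.asc.
# The digest listed for empty.deb is SHA256 of zero bytes.
write_sample_manifest() {
    cat > "$1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty.deb
-----BEGIN PGP SIGNATURE-----
(no signature in this constructed sample)
-----END PGP SIGNATURE-----
EOF
}

# Real use, after importing the key:  verified_install firejail-0.9.54.asc firejail_0.9.54_1_amd64.deb
```

The order matters: the digest list is only trustworthy once the signature over it has been verified, and the signature is only meaningful once the key is pinned, so a tampered .deb, a tampered .asc, or a substituted key each stop the chain at a different step.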

4. Install Firejail

Finally, install the .deb with the dpkg command below.

  ~ $ sudo dpkg -i firejail_0.9.54_1_amd64.deb

Selecting previously unselected package firejail.
(Reading database ... 170565 files and directories currently installed.)
Preparing to unpack firejail_0.9.54_1_amd64.deb ...
Unpacking firejail (0.9.54-1) ...
Setting up firejail (0.9.54-1) ...
Processing triggers for man-db (2.8.3-2) ...

Use the --help argument to view Firejail's available options and to check that it is installed correctly.

  ~ $ firejail --help

Firejail has far too many features to cover in this article, so I will show two practical uses.

Sandboxing unsafe PDFs found on the internet

One of Firejail's best features is the ability to create temporary, offline sandboxes that are discarded as soon as the application closes. Use the command below to start Evince in a strict temporary sandbox.

  ~ $ firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf

There is a lot going on in the above command, and I will break down the arguments one by one.
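As an added example (not code from the article or from Firejail), here is the command above wrapped in a small script, with the meaning of each flag, as documented in firejail(1), noted beside it. The wrapper adds two things the bare command lacks: it copies the file into a fresh scratch directory first, so the whitelist exposes only that copy and never the directory the download landed in, and it has a dry-run switch that prints the command instead of running it. Note that --x11 needs an X11 sandbox server (Xpra, Xephyr or Xvfb) installed; without one, firejail refuses to start.

```bash
#!/bin/sh
# Added example: open an untrusted PDF in a throwaway, offline Firejail sandbox.
# Flag descriptions follow firejail(1); the scratch copy and SANDBOX_DRY_RUN
# are this wrapper's own additions.

# sandbox_open_pdf FILE
# Returns 1 without starting anything if FILE is not a regular .pdf file.
# With SANDBOX_DRY_RUN set, prints the firejail command line and returns 0.
sandbox_open_pdf() {
    local src scratch copy status
    src=$1
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    case "$src" in
        *.pdf|*.PDF) ;;
        *) echo "refusing to open a non-PDF: $src" >&2; return 1 ;;
    esac

    # Fresh directory under /tmp; it is the only path the sandbox will see.
    scratch=$(mktemp -d /tmp/untrusted.XXXXXX) || return 1
    copy="$scratch/$(basename -- "$src")"
    # Read-only copy; the original file and its directory stay out of reach.
    cp -- "$src" "$copy" && chmod 0400 "$copy" || { rm -rf -- "$scratch"; return 1; }

    set -- firejail
    set -- "$@" --seccomp               # default seccomp-bpf syscall filter
    set -- "$@" --nonewprivs            # NO_NEW_PRIVS: setuid binaries cannot raise privileges
    set -- "$@" --private               # empty tmpfs home, discarded on exit
    set -- "$@" --private-dev           # minimal /dev: no disks, cameras or microphones
    set -- "$@" --private-tmp           # empty /tmp instead of the host's
    set -- "$@" --net=none              # network namespace with no interfaces: nowhere to exfiltrate to
    set -- "$@" --x11                   # separate X11 server, so the viewer cannot snoop other windows
    set -- "$@" "--whitelist=$scratch"  # only the scratch directory is visible
    set -- "$@" evince "$copy"

    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        printf '%s ' "$@"; echo
        rm -rf -- "$scratch"
        return 0
    fi
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed" >&2; rm -rf -- "$scratch"; return 1; }
    "$@"
    status=$?
    rm -rf -- "$scratch"                # nothing from the session survives
    return $status
}

# Real use:  sandbox_open_pdf ~/Downloads/unsafe.pdf
# Dry run:   SANDBOX_DRY_RUN=1 sandbox_open_pdf ~/Downloads/unsafe.pdf
```

Building the argument list with set -- keeps the script POSIX sh and lets each flag carry its own comment; the scratch directory is removed on every exit path, so even a viewer that managed to write next to the file leaves nothing behind.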

Next: Auditing, Antivirus & Monitoring

To complete this series on locking down your Ubuntu system, we will audit the system for vulnerabilities using free, professional-grade tools, run antivirus software that respects your privacy, and check the system logs effectively for anomalies.

Cover image by Justin Meyers/Null Byte; screenshots by tokyoneon/Null Byte
