After installing Ubuntu with security in mind and reducing the possibility of network attacks on your system, you can start thinking about security at the application level. If a malicious file is opened on your system, does an attacker have access to every file on the computer? The chances are much slimmer if you put the correct defenses in place.
In this third part of our mini-series on strengthening your primary Ubuntu installation, you learn how Ubuntu package repositories work, which repositories you should avoid and how to update. You will also see how you can import additional AppArmor profiles to limit the resources that apps can use, and how to create sandboxes to completely isolate unsafe applications from the operating system.
If you missed the start of this series of articles, you should read the first part to find out more about my motivations for starting this four-part guide.
Step 1: Install the latest system updates
Part of keeping your system secure is simply ensuring that the latest package and application updates are installed.
If you are coming from Windows 10, you are used to downloading and installing new applications from random websites. This practice is inherently unsafe. Unsigned, unverified applications that are distributed by a single source create the potential for supply chain attacks.
Linux treats software installation differently. Ubuntu uses various repositories (servers) that contain packages (software and dependencies) that have been checked by Canonical, Ubuntu developers and the security team. However, not all Ubuntu repositories are controlled by the Ubuntu team.
The Ubuntu repositories are divided into the following categories:
Main: The Main repository contains applications that are free software, can be freely redistributed and are fully supported by the Ubuntu team. This includes the most popular and reliable open-source applications that are available, many of which are included as standard with the installation of Ubuntu. Software in Main is a hand-selected list of applications that Ubuntu developers, the community, and users find most important and that the Ubuntu security team is willing to support. When we install software from the Main repository, we know for sure that the software will receive security updates and that support is available through Canonical.
Universe: The Universe repository is a collection of free, open-source software. It houses almost every piece of open-source software, all built from a series of public sources. Canonical regularly provides security updates for software in the Universe repo when they are made available by the community. Popular or well-supported pieces of software are moved from Universe to Main if they are supported by maintainers who want to meet the Ubuntu team's standards.
Restricted: Ubuntu strives to promote only free software, i.e. software available under a free license. However, they make exceptions for a small set of tools and drivers that allow Ubuntu and its free applications to be installed on everyday hardware. These proprietary drivers are stored in the Restricted repository. Please note that it may not be possible to provide full support for this software because Ubuntu developers cannot fix the software; they can only send problem reports to the actual authors. Ubuntu developers only use non-open-source software if there is no other way to install Ubuntu. The Ubuntu team works with suppliers to accelerate the open sourcing of their software to ensure that as much software as possible is available under a free license.
Multiverse: The Multiverse repository contains software that is not free, which means that the license requirements of this software do not comply with Ubuntu's licensing policy. It is your responsibility to verify your rights to use this software and to comply with the license terms of the copyright holder. This software is not supported and usually cannot be fixed or updated. Use it at your own risk.
Disable unsafe repositories
Before updating packages, open the "Software & Updates" window and disable the "multiverse" and "restricted" repositories on the "Ubuntu Software" tab. These repositories distribute closed-source software that cannot be checked and that sometimes requires non-free (paid) user licenses.
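To confirm from a terminal that the change took effect, the following added example (not part of the original article) reports every enabled APT entry that still pulls from "restricted" or "multiverse". The function names and the sample file are constructed for illustration. It parses only the classic one-line `sources.list` format; newer Ubuntu releases that keep their sources in deb822 `.sources` files are not covered.

```shell
#!/bin/sh
# Added example: find enabled APT entries that still use the
# "restricted" or "multiverse" components.
# Format handled: deb [options] URI suite component...

audit_sources() {
    # Prints "<file>:<line>: <type> <suite> <component>" for each hit.
    awk '
    {
        sub(/#.*/, "")            # drop comments, including disabled entries
        sub(/\[[^]]*\]/, "")      # drop the optional [arch=... signed-by=...] block
        if ($1 != "deb" && $1 != "deb-src") next
        for (i = 4; i <= NF; i++)  # fields 4 and up are the components
            if ($i == "restricted" || $i == "multiverse")
                printf "%s:%d: %s %s %s\n", FILENAME, FNR, $1, $3, $i
    }' "$@"
}

# Constructed sample input, not taken from a real system.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sources.list
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy universe
# deb http://archive.ubuntu.com/ubuntu jammy multiverse
deb http://archive.ubuntu.com/ubuntu jammy-updates main multiverse  # still enabled
deb http://security.ubuntu.com/ubuntu jammy-security main universe
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sources "$sample"
rm -f "$sample"

# On a real system (standard APT locations):
#   audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```

An empty result means no enabled one-line entry references either component; the commented-out multiverse line in the sample is correctly ignored.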