Once you've installed Ubuntu with confidence and reduced the possibility of network attacks on your system, you can worry about application-level security. If a malicious folder is opened on your system, can an attacker access any file on the computer? Chances are much lower if you use the right defense mechanisms.
In this third installment of our miniseries on hardening your primary Ubuntu installation, you'll learn how Ubuntu package repositories work, which repos you should avoid, and how to update. You'll also learn how to import additional AppArmor profiles to limit the resources that apps can use, and how to use sandboxes to completely isolate insecure applications from the operating system.
If you missed the beginning of this series of articles, you should read the first part to learn more about my motivation for starting this four-part guide.
Install the Latest System Updates
Part of keeping your system secure is making sure that the latest package and application updates are installed.
If you're using Windows 10, you're used to downloading and installing new applications from any website. This approach is inherently insecure. Unsigned, unverified applications distributed through a single source create an opening for supply chain attacks.
Linux handles software installation differently. Ubuntu uses multiple repositories (servers) that contain packages (software and dependencies) that are audited by Canonical, Ubuntu developers, and the security team. However, not all Ubuntu repositories are audited by the Ubuntu team.
The Ubuntu repositories fall into the following categories:
Main: The main component contains applications that are free software, can be freely redistributed, and are fully supported by the Ubuntu team. These include the most popular and reliable open source applications available, many of which are included by default when you install Ubuntu. Software in main includes a handpicked list of applications that Ubuntu developers, community, and users consider most important and that the Ubuntu security team wants to support. When we install software from the main repository, we can be sure that the software comes with security updates and that support from Canonical is available.
Universe: The universe repository is a collection of free, open source software. It contains almost every piece of open source software, drawn from various public sources. Canonical regularly provides security updates for software in the universe repo when they are made available by the community. Popular or well-supported software will move from universe to main if it is backed by maintainers willing to meet the standards of the Ubuntu team.
Restricted: Ubuntu's commitment is to promote only free software available under a free license. However, it makes exceptions for a small set of tools and drivers that allow you to install Ubuntu and its free applications on everyday hardware. These proprietary drivers are kept in the restricted repository. Please note that it may not be possible to provide full support for this software, as Ubuntu developers cannot fix the software; they can only forward problem reports to the actual authors. Ubuntu developers only use non-open source software when there is no other way to install Ubuntu. The Ubuntu team works with vendors to accelerate the open sourcing of their software to ensure that as much software as possible is available under a free license.
Multiverse: The multiverse repository contains software that is not free. The licensing requirements of this software do not comply with the Ubuntu license policies. It is your responsibility to verify your rights to use this software and to comply with the license terms of the copyright holder. This software is not supported and usually cannot be fixed or updated. Use it at your own risk.
Disabling Insecure Repositories
Before updating packages, open the Software & Updates window and disable the multiverse and restricted repositories on the Ubuntu Software tab. These repositories distribute closed-source software that cannot be audited and sometimes requires non-free (paid) user licenses.
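To confirm that the change took effect, the following added example (not part of the original article) parses APT source definitions in both the classic one-line format and the newer deb822 format and reports every enabled entry that still includes restricted or multiverse. The function names and the sample inputs are constructed for illustration.

```python
import re

RISKY = {"restricted", "multiverse"}  # components the article says to disable

def audit_one_line(text):
    """Classic format: 'deb [options] uri suite component ...' per line."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]              # commented-out entries are disabled
        line = re.sub(r"\[[^\]]*\]", " ", line)  # drop [arch=... signed-by=...]
        f = line.split()
        if len(f) >= 4 and f[0] in ("deb", "deb-src"):
            bad = sorted(RISKY.intersection(f[3:]))
            if bad:
                hits.append((f[2], bad))         # (suite, risky components)
    return hits

def audit_deb822(text):
    """deb822 format: blank-line separated stanzas of 'Key: value' fields."""
    hits = []
    for stanza in re.split(r"\n[ \t]*\n", text):
        fields = {}
        for line in stanza.splitlines():
            # skip comments, continuation lines and anything without a key
            if line[:1] not in ("#", " ", "\t", "") and ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip().lower()] = value.split()
        if (fields.get("enabled") or ["yes"])[0].lower() == "no":
            continue                             # stanza is switched off
        bad = sorted(RISKY.intersection(fields.get("components", [])))
        if bad:
            hits.append((" ".join(fields.get("suites", [])), bad))
    return hits

# Constructed sample inputs (not taken from a real machine).
SAMPLE_LIST = """deb http://archive.ubuntu.com/ubuntu jammy main universe
deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main restricted
# deb http://archive.ubuntu.com/ubuntu jammy multiverse
"""
SAMPLE_DEB822 = """Types: deb
URIs: http://archive.ubuntu.com/ubuntu
Suites: noble
Components: main universe restricted multiverse
"""

if __name__ == "__main__":
    print(audit_one_line(SAMPLE_LIST), audit_deb822(SAMPLE_DEB822))
```

To audit a real system, pass in the contents of /etc/apt/sources.list (one-line format) or of the .sources files under /etc/apt/sources.list.d/ (deb822 format); an empty result means neither component is enabled.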