
Using Ubuntu as Your Primary Operating System, Part 3 (Application Hardening & Sandboxing) «Null Byte :: WonderHowTo



Once you've installed Ubuntu with confidence and reduced the possibility of network attacks on your system, you can turn to application-level security. If a malicious file is opened on your system, can an attacker access any file on the computer? The chances are much lower if you use the right defense mechanisms.

In this third installment of our miniseries on strengthening your primary Ubuntu installation, you'll learn how Ubuntu package repositories work, which repos you should avoid, and how to update. You'll also learn how to import additional AppArmor profiles to limit the resources that apps can use, and how to use sandboxes to completely isolate insecure applications from the operating system.

If you missed the beginning of this series of articles, read the first part to learn more about my motivation for starting this four-part guide.

Step 1: Install the Latest System Updates

Part of securing your system is making sure that the latest package and application updates are installed.

If you're using Windows 10, you're used to downloading new applications and installing them from any website. This approach is inherently insecure. Unsigned, unverified applications distributed through a single source open the door to supply chain attacks.

Linux handles the installation of software differently. Ubuntu uses multiple repositories (servers) that contain packages (software and dependencies) that are audited by Canonical, Ubuntu developers, and the security team. However, not all Ubuntu repositories are audited by the Ubuntu team.

The Ubuntu repositories fall into the following categories:

  • Main: The main component contains free software that can be freely redistributed and is fully supported by the Ubuntu team. This includes the most popular and reliable open source applications available, many of which are installed by default with Ubuntu. Software in Main is a handpicked list of applications that Ubuntu developers, the community, and users consider most important and that the Ubuntu security team is willing to support. When we install software from the main repository, we can be sure that it comes with security updates and that support from Canonical is available.
  • Universe: The Universe repository is a collection of free, open source software. It contains almost every open source package that comes from various public sources. Canonical regularly provides security updates for software in the Universe repo when they are made available by the community. Popular or well-supported software can move from Universe to Main if it has maintainers willing to meet the standards of the Ubuntu team.
  • Restricted: Ubuntu's commitment is to promote only free software available under a free license. However, an exception is made for a small set of tools and drivers that allow you to install Ubuntu and its free applications on everyday hardware. These proprietary drivers are kept in the restricted repository. Please note that it may not be possible to provide full support for this software, as Ubuntu developers cannot repair it themselves; they can only forward problem reports to the actual authors. Ubuntu developers only use non-open-source software when there is no other way to install Ubuntu. The Ubuntu team works with vendors to accelerate the open sourcing of their software to ensure that as much software as possible is available under a free license.
  • Multiverse: The Multiverse repository contains software that is not free. The licensing requirements of this software do not comply with the Ubuntu license policies. It is your responsibility to verify your rights to use this software and to comply with the license terms of the copyright holder. This software is not supported and usually cannot be repaired or updated. Use it at your own risk.

Disabling Insecure Repositories

Before updating packages, open the Software & Updates window and disable the multiverse and restricted repositories on the Ubuntu Software tab. These repositories distribute closed-source software, cannot be audited, and sometimes require non-free (paid) user licenses.

Disabling Backports

Backports provides a way to get newer versions of software for a stable release. Most often, the backports team provides new versions of standalone applications that can be safely upgraded without affecting the rest of the system, but the Ubuntu security team does not update packages in backports. For this reason it is recommended to disable backports. Make sure that "bionic-backports" is disabled.

By default, Ubuntu checks for and downloads security updates automatically every day.

Manually Checking for Updates

To manually check for updates, use the following command.

  sudo apt-get update && sudo apt-get dist-upgrade

Hit:1 http://nz.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://nz.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Step 2: Using AppArmor Profiles

AppArmor is a kernel security module that confines applications and programs to a limited set of resources. For example, with AppArmor you can prevent a PDF viewer from accessing the internet and from reading predefined directories on the operating system. When a malicious PDF file is opened, the viewer is not allowed to read those directories or to exfiltrate data to the attacker's server. AppArmor is already installed and enabled in every Ubuntu installation. This can be verified with the following command.

  sudo aa-status 

Installing Additional AppArmor Profiles

Use the sudo apt-get install apparmor-profiles apparmor-utils command to add more AppArmor profiles.

  sudo apt-get install apparmor-profiles apparmor-utils

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python3-apparmor (2.12-4ubuntu5)
  python3-libapparmor (2.12-4ubuntu5)
Recommended packages:
  vim-addon-manager (0.5.7)
The following NEW packages will be installed:
  apparmor-profiles (2.12-4ubuntu5)
  apparmor-utils (2.12-4ubuntu5)
  python3-apparmor (2.12-4ubuntu5)
  python3-libapparmor (2.12-4ubuntu5)
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 189 kB of archives.
After this operation, 1,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Enabling Each Profile

Next, use the aa-enforce command to put all newly added profiles into enforce mode.

  sudo aa-enforce /etc/apparmor.d/*

Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Setting /etc/apparmor.d/snap.core.4830.usr.lib.snapd.snap-confine to enforce mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.
Setting /etc/apparmor.d/usr.bin.evince to enforce mode.
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
Setting /etc/apparmor.d/usr.bin.man to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.anvil to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.config to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.deliver to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dict to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-auth to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.dovecot-lda to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.imap-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.lmtp to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.log to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.managesieve-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3 to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.pop3-login to enforce mode.
Setting /etc/apparmor.d/usr.lib.dovecot.ssl-params to enforce mode.
Setting /etc/apparmor.d/usr.lib.snapd.snap-confine.real to enforce mode.
Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cups-browsed to enforce mode.
Setting /etc/apparmor.d/usr.sbin.cupsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
Setting /etc/apparmor.d/usr.sbin.dovecot to enforce mode.
Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.ippusbxd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbldap-useradd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

It is also possible to create custom profiles for any application on the operating system. For a comprehensive overview of AppArmor, use the man command to view the manual pages.

  man apparmor
  man aa-status
  man aa-enforce

Step 3: Isolate Files and Applications in a Sandbox Environment

Firejail, created by netblue30, reduces the risk of security breaches by using lightweight virtualization technology to isolate applications in restricted (containerized) sandbox environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an untrusted file in a heavily restricted sandbox.

Firejail and AppArmor can be used together (cooperatively) or independently. If one of them fails to restrict access to a particular file or directory, the other can still mitigate the exposure.

The Firejail container supports a number of features:

  • Blacklisting: Deny access to specific files and directories. Access attempts are reported to syslog.
  • Whitelisting: Allow access only to user-specified files and directories.
  • Temporary file system: Mount a temporary file system on top of a directory.
  • Private: Work on copies of files and directories that are discarded when the sandbox is closed.
  • Restricted home: Only the current user's /home directory is available in the sandbox.
  • Reduced system information leakage: Restrict access to sensitive directories such as /boot, /proc, and /sys.

1. Download Firejail

Go to the download page and get the latest stable version of Firejail along with its .asc file. At the time of writing this article, the latest version is "firejail_0.9.54_1_amd64.deb". Then open a new terminal, change to the Downloads directory with cd, and list its contents with the ls command.

  tokyoneon@nullbyte:~$ cd Downloads/
  tokyoneon@nullbyte:~/Downloads$ ls
  firejail_0.9.54_1_amd64.deb  firejail-0.9.54.asc
  tokyoneon@nullbyte:~/Downloads$

2. Import the Developer's Public Key

The downloaded firejail-0.9.54.asc file contains signed cryptographic hashes that are used to verify that the .deb download was not tampered with on SourceForge or by a third party. Download the netblue30 public key from a PGP key server and import it into your GPG keyring.

  wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7' | gpg --import

----  https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7
Resolving pgp.mit.edu (pgp.mit.edu)... 18.9.60.141
Connecting to pgp.mit.edu (pgp.mit.edu)|18.9.60.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2341 (2.3K) [text/html]
Saving to: 'STDOUT'

-                   100%[==============>]   2.29K  --.-KB/s    in 0s

gpg: key 2CCB36ADFC5849A7: public key "netblue (firejail key)" imported
gpg: Total number processed: 1
gpg:               imported: 1

3. Verify the Hashes

Then use the gpg --verify firejail-0.9.54.asc command to verify the signature on the .asc file.

  gpg --verify firejail-0.9.54.asc

gpg: Signature made Wed 16 May 2018 06:50:24 AM PDT
gpg:                using RSA key F951164995F5C4006A73411E2CCB36ADFC5849A7
gpg: Good signature from "netblue (firejail key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F951 1649 95F5 C400 6A73 411E 2CCB 36AD FC58 49A7

Note the "Good signature" line above. This confirms that the .asc file was signed by the key you just imported. The WARNING lines only mean that GPG has no trust path to that key, so compare the primary key fingerprint shown against the one the developer publishes. We can now view the contents of the file with the cat command. If you do not see the "Good signature" line, don't panic; the Firejail .asc may have been corrupted during the download. Try downloading it again.

  cat firejail-0.9.54.asc

1  -----BEGIN PGP SIGNED MESSAGE-----
2  Hash: SHA256
3
4  08698324685adac8a2d3935e7f493f527cbd5ae792ac21226728a42dd9f84c3f firejail-0.9.54-1.x86_64.rpm
5  ce996854278863f3e91ff185198c7cc1377fb70053d37a43e3b1ef1021c57756 firejail-0.9.54.tar.xz
6  0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54_1_amd64.deb
7  080f72ab8467570e70953910d9001c1dce43be5c5b932a2bed3cd213af44351b firejail_0.9.54_1_i386.deb
8  -----BEGIN PGP SIGNATURE-----
9
10 iQEzBAEBCAAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAlr8NyAACgkQLMs2rfxY
11 Sae8UAf+IkDv99oiTc+himhq6rrFrV/41Tb92jMIJJW8hfEZFJFWd0ZHhmZv/7Fz
12 nW6W+gKrPf9MhC9bVmhOeU/UwcIUBlR5yQs+frJbHE8zuBzBGWZqgKGj78hlrkov
13 7Xyab/jrSOm4FgpvKAqBh5nLWYyLtZKTT1DGswl2XpsXncMVdNFPnYjVOb1l5aDl
14 ga2VHVKbGkrOY+8r7Vuhc0G+B+cupMt7jwUWMJgo84H4fY+Bpl/+6qS7RzJZw2Ew
15 JIH/RADxbiFMGqBlk0hWY8jhJhE6R79Ea2+5bsCzJIbI89PgbUuyvlwCtVv38hsN
16 C72d/NJJ6QrafBqWUWjTQPWSdMBt3g==
17 =IEak
18 -----END PGP SIGNATURE-----

Copy the hash on line 6, starting with "0e92d90 …", then compute the SHA256 hash of the .deb with sha256sum and use grep to compare it against the hash from the .asc file.

  sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9'

If all went well, the command will return the following result.

  tokyoneon@nullbyte:~/Downloads$ sha256sum firejail_0.9.54_1_amd64.deb | grep '0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9'
  0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9  firejail_0.9.54_1_amd64.deb
  tokyoneon@nullbyte:~/Downloads$

4. Install Firejail

Finally, install the .deb with the sudo dpkg -i firejail_0.9.54_1_amd64.deb command.

  sudo dpkg -i firejail_0.9.54_1_amd64.deb

Selecting previously unselected package firejail.
(Reading database ... 170565 files and directories currently installed.)
Preparing to unpack firejail_0.9.54_1_amd64.deb ...
Unpacking firejail (0.9.54-1) ...
Setting up firejail (0.9.54-1) ...
Processing triggers for man-db (2.8.3-2) ...

Use the --help argument to display the available Firejail options and to confirm that it was installed correctly.

  firejail --help 
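The four download-and-verify steps above can be scripted so the expected hash is read out of the signed .asc file instead of being copied by hand, and the install is refused on any mismatch. This is an added example, not code from the original article or the Firejail project; it assumes gpg and sha256sum are installed and the developer's key has been imported as in step 2.

```shell
#!/bin/sh
# Added example: verify a Firejail release (signature first, then digest)
# before handing the .deb to dpkg. Not part of the original article.

# Print the SHA256 digest listed for FILE in a clearsigned .asc file.
# Only "<64 hex chars> <filename>" lines above the signature block count.
expected_hash() {  # usage: expected_hash ASC_FILE FILE
    f=$(basename "$2")
    awk -v f="$f" '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }
        $2 == f && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { print $1; exit }
    ' "$1"
}

# Compare the digest of FILE with the one in the .asc: 0 on match, 1 otherwise.
check_hash() {  # usage: check_hash ASC_FILE FILE
    want=$(expected_hash "$1" "$2")
    [ -n "$want" ] || { echo "no digest for $2 listed in $1" >&2; return 1; }
    got=$(sha256sum "$2" | awk '{print $1}')
    if [ "$got" = "$want" ]; then
        echo "OK: $2 matches $want"
    else
        echo "MISMATCH: $2 is $got, expected $want" >&2
        return 1
    fi
}

# Full procedure: a bad signature or a wrong digest both stop the install.
verify_release() {  # usage: verify_release ASC_FILE DEB_FILE
    gpg --verify "$1" || { echo "bad or missing signature on $1" >&2; return 1; }
    check_hash "$1" "$2"
}

# Example run (file names from the article):
# verify_release firejail-0.9.54.asc firejail_0.9.54_1_amd64.deb \
#     && sudo dpkg -i firejail_0.9.54_1_amd64.deb
```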

Firejail has too many features to cover in this article, so I'll show two handy applications.

Sandboxing Unsafe PDFs Found on the Internet

One of Firejail's most useful features is the ability to create temporary, offline sandboxes that are discarded when the application is closed. Use the following command to create a strict temporary sandbox configuration.

  firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf

There is a lot going on in the above command, so I'll break down each argument one by one.
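The sandbox command above can be wrapped so that it only ever runs on a fresh copy of a file that really is a PDF, with the purpose of each Firejail flag noted inline. This wrapper is an added example, not code from the original article or the Firejail project; the function names is_pdf and sandbox_pdf are my own, and running it assumes firejail and evince are installed.

```shell
#!/bin/sh
# Added example: open an untrusted PDF in a throwaway Firejail sandbox.
# Not part of the original article.

# Return 0 if FILE exists and begins with the "%PDF" magic bytes, 1 otherwise.
is_pdf() {
    [ -f "$1" ] && [ "$(head -c 4 "$1" 2>/dev/null)" = "%PDF" ]
}

# Copy FILE to a fresh directory under /tmp and open that copy in Evince
# inside the sandbox; the copy is removed when the viewer exits.
sandbox_pdf() {
    if ! is_pdf "$1"; then
        echo "refusing: $1 does not look like a PDF" >&2
        return 1
    fi
    command -v firejail >/dev/null || { echo "firejail is not installed" >&2; return 1; }
    dir=$(mktemp -d /tmp/unsafe.XXXXXX)   # only this copy is whitelisted
    cp "$1" "$dir/unsafe.pdf"
    firejail \
        --seccomp \                 # filter dangerous system calls
        --nonewprivs \              # no privilege gain via setuid binaries
        --private \                 # temporary empty home directory
        --private-dev \             # minimal /dev
        --private-tmp \             # empty /tmp apart from the whitelist
        --net=none \                # no network access at all
        --x11 \                     # isolated X11 server
        --whitelist="$dir/unsafe.pdf" \
        evince "$dir/unsafe.pdf"
    rc=$?
    rm -rf "$dir"                         # nothing survives the session
    return $rc
}

# Usage: sandbox_pdf ~/Downloads/some-untrusted.pdf
```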

Next Up: Auditing, Antivirus & Monitoring

To conclude this series on locking down your Ubuntu system, we'll look at auditing the system for vulnerabilities with (free) professional software, using antivirus software that respects your privacy, and effectively monitoring system logs for anomalies.

Cover Picture by Justin Meyers / Null Byte; Screenshots of tokyoneon / zero byte
