Setup Idea Ubuntu Hardening

Last updated: Aug 23, 2024
How it's used: For home and private use
Operating system: Linux
On-device encryption: Other full-disk drive encryption software
Log-in security: Basic account password (insecure)
Security updates: Allow security updates
Update channels: Allow stable updates only
User Access Control: N/A - Linux / Mac / Other operating system
Smart App Control: N/A - Linux / Mac / Other operating system
Network firewall: Enabled
Real-time security: clamav (linux free AV)
Firewall security: Built-in Firewall for Mac/Linux
About custom security: this is what the article is about
Periodic malware scanners: clamav
Malware sample testing: I do not participate in malware testing
Environment for malware testing: n/a
Browser(s) and extensions: firefox
Secure DNS: quad9
Desktop VPN: proton vpn free
Password manager: firefox built-in password manager
File and Photo backup: deja-dup (built-in backup app)
System recovery: Clonezilla
Risk factors: Browsing to popular websites
Computer specs: ASUS Vivobook 2021 model
Recommended for: All types of users

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
557
> if you already mentioned that.
No I didn't. Thanks for bringing that up.

One thing to note, when you create a second account, it doesn't have rights to issue sudo commands until it is granted via visudo or adding her to the admin group. And that's a good thing, as the attacker cannot gain root privileges when he attacks anything that is run by that account.
 

Spiff

Level 1
Jul 20, 2023
32
> Ubuntu hardening. Not a script. Just follow along and paste in the commands.
>
> [...]
> ### Enable Ubuntu One LivePatch, which provides live patches prior to updates becoming available
> sudo pro attach

What is the source that says Ubuntu Livepatch provides live patches prior to updates becoming available?
To my knowledge, Ubuntu Pro offers Expanded Security Maintenance (ESM), and Live kernel updates, the Livepatch service. Livepatch patches critical and high-severity kernel vulnerabilities while the system runs, eliminating the need for unplanned reboots.
I don't have any source that says Livepatch provides live patches prior to updates becoming available.
https://ubuntu.com/pro
https://ubuntu.com/security/livepatch

Also, to my knowledge, the command to attach your Ubuntu LTS machine to an Ubuntu Pro subscription is not: sudo pro attach, but it is:
sudo pro attach [YOUR_TOKEN]
in which [YOUR_TOKEN] must be replaced with the token that is in your Ubuntu Pro dashboard.
https://ubuntu.com/pro/tutorial
 

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
557
> I don't have any source that says Livepatch provides live patches prior to updates becoming available
That is only my guess. I should have checked before posting. My bad. I guess the benefit of LivePatch is that you maintain up-time and can patch before your regular scheduled patching. Thanks for the explanation.
> sudo pro attach [YOUR_TOKEN]
Doing it without the token, it displays the token to you in the terminal. And it gives you a link. You navigate to the link using your browser, copy the token displayed, and paste it into the field in that web form. Then it replies that you have subscribed. I've always done it that way.
 

Spiff

Level 1
Jul 20, 2023
32
> That is only my guess. I should have checked before posting. My bad. Thanks for the explanation.
Ah, I understand. No problem at all.

> Doing it without the token, it displays the token to you in the terminal. And it gives you a link. You navigate to the link using your browser, copy the token displayed token from terminal, and paste it into the field in that web form. I've always done it that way.
Hey, that's handy. I didn't know that. Thanks for the information.
 

simmerskool

Level 35
Verified
Top Poster
Well-known
Apr 16, 2017
2,469
There is a typo in the line:
sudo nano /etc/firefox-common.profile

It should be:
sudo nano /etc/firejail/firefox-common.profile
I'm rusty with my Linux skills (to the extent I had any), running Zorin (a fork of Ubuntu IIRC). I installed Brave browser from Zorin's software package, but it doesn't automagically add Brave to firejail profile. Is there a link that explains how to use firejail, set config / profiles, etc.?
 

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
557
> but it doesn't automagically add Brave to firejail profile

Actually, you run Firejail and indirectly call Brave. As in "firejail brave". You can try it at the terminal.

All the icons are at /usr/share/applications/ in desktop files. And there would be something like 'brave.desktop'. These .desktop files are text files. So you open it with nano. Then you find the line(s) inside which say "Exec=brave". And change them to "Exec=firejail brave".

A firejail profile is the compartmentalization settings for a particular program. Brave has a profile already made. All the firejail profiles are in /etc/firejail/.
 
Last edited:
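
The launcher change described in the post above, as an added shell example that is not part of the original thread: rather than editing the file under /usr/share/applications in place, it writes a wrapped copy to a per-user directory. The function names, the scratch directory and the sample brave.desktop contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sandbox a launcher by writing a per-user
# copy of its .desktop file whose Exec= lines start with "firejail".
# A copy under ~/.local/share/applications takes precedence over the one in
# /usr/share/applications and is not overwritten by package updates.

# Print FILE with every Exec= command prefixed by "firejail ".
# Lines that are already wrapped, and TryExec= lines, are left unchanged.
wrap_exec_lines() {
    sed -E '/^Exec=firejail( |$)/!s/^Exec=/Exec=firejail /' "$1"
}

# make_override SRC_DIR DEST_DIR NAME
# Writes the wrapped copy of SRC_DIR/NAME to DEST_DIR/NAME (safe to re-run).
make_override() {
    _src="$1/$3"
    _dest="$2/$3"
    [ -f "$_src" ] || { echo "no such launcher: $_src" >&2; return 1; }
    mkdir -p "$2" || return 1
    wrap_exec_lines "$_src" > "$_dest.tmp" && mv "$_dest.tmp" "$_dest"
}

# Constructed sample launcher; a real brave.desktop has more keys and may use
# a different command name or an absolute path.
write_sample_launcher() {
    mkdir -p "$1"
    cat > "$1/brave.desktop" <<'EOF'
[Desktop Entry]
Name=Brave
TryExec=brave
Exec=brave %U
Type=Application
Actions=new-private-window;

[Desktop Action new-private-window]
Name=New Private Window
Exec=brave --incognito
EOF
}

# Demo in a scratch directory. On a real system the arguments would be
# /usr/share/applications and "${XDG_DATA_HOME:-$HOME/.local/share}/applications".
demo_dir=$(mktemp -d)
write_sample_launcher "$demo_dir/system"
make_override "$demo_dir/system" "$demo_dir/user" brave.desktop
grep -n 'Exec=' "$demo_dir/user/brave.desktop"
rm -rf "$demo_dir"
```

Both Exec= lines need wrapping because the second one backs a desktop action (a right-click menu entry) that would otherwise start the browser outside the sandbox. Firejail also ships a firecfg tool that automates this kind of desktop integration.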

simmerskool

Level 35
Verified
Top Poster
Well-known
Apr 16, 2017
2,469
> Actually, you run Firejail and indirectly call Brave. As in "firejail brave". You can try it at the terminal.
>
> All the icons are at /usr/share/applications/ in desktop files. And there would be something like 'brave.desktop'. These .desktop files are text files. So you open it with nano. Then you find the line(s) inside which say "Exec=brave". And change them to "Exec=firejail brave".
>
> A firejail profile is the compartmentalization settings for a particular program. Brave has a profile already made. All the firejail profiles are in /etc/firejail/.

Well, I think that's how it is supposed to work, BUT I did run firejail brave in terminal and it did not happen. Unfortunately I did not keep a copy of the exact error message and I'm not running Linux today. Will update next time I run Zorin.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
Hi @simmerskool ,

I haven't used Firejail in a long time, nor have I ever used it to sandbox Brave, but the built-in sandboxing of Brave running on Linux is quite strong. Try entering in the address bar: brave://sandbox and see what it outputs. The attached shows the sandboxing types, the strongest of which is the seccomp-BPF. If you can't get Brave firejailed successfully, you still have a strong sandbox running it on Linux.

brave sandbox-linux.png
 
