Ubuntu hardening. Not a script. Just follow along and paste in the commands.
Last edited:
Ubuntu Hardening
- Thread starter Victor M
- Start date
Web site updated today. Private-etc firejail option is not compatible with Ubuntu 25 - you won't be able to connect to the inet.
Last edited:
@Victor M chatGPT mentioned an app to me yesterday, FlatSeal, might have some relevance for Ubuntu hardening?? I haven't installed it yet...
Yes FlatSeal is useful if you use Flatpaks. FlatSeal can let you minimize the connections between the flatpak and the outside world. You can freely experiment/disable what you see listed because there is a 'reset' button for when things don't work out.
Yes I installed Flatseal, and made some permission tweaks for one flatpak, so far
fapolicyd is file access policy daemon. It is an Applcation Control kind of security like Windows WDAC. It is good against malware because it restrictwhat can run to those things installed via apt. Any hackware or RAT put in your system by an adversary won't run. This one is a VERY BIG DEAL.
You install it using apt install fapolicyd.
When first installed a rules.d directory was not premade for you. You do: mkdir -P /etc/fapolicyd/rules.d
Then you copy the rules from /usr/share/fapolicyd/sample-rules to the rules.d directory. And then you rm 22-buldroot.rules which is a sample that does not compile, placed there just so you learn to read thru the rules.
Read through the man fapolicyd.rules page, you will need modify or create rules.
There are 3 commmands: faplicyd-cli, fagenrules, fapolicyd. After modifying rules, you run fagenrules --check and then fagenrules --load . And then systemctl restart fapolicyd for good measure.
The rules are loaded from the rules.d directory in alphabetical order. So 55-xxx.rules loads first and 95-xxx.rules loads later. And the rules are evaluated from top down.
The rule format is:
Note: You CAN lock yourself out by making a wrong rule.
The built in rules are not complete. They don't handle scripts of the form "bash myScript.txt"
So I made 71-a-script.rules :
The next 5 lines disallows non-trusted x-shellscript in temporary directories which do not belong to any apt package.( x-shellscript are those files that have a beginning line: #!/bin/bash )
The last line disallows non-trusted plain text files when running against bash.
In common with the way security is done in Windows, no scripts should be able to run inside /home by default because an attacker landing in your standard account will be able to modify any of your scripts or add scripts to do his bidding. By modifying your bash scripts he will have stealthily obtained persistence, perhaps call home to his C2 server, and stay on your box for a long time, without obtaining root.
You can add a file to the trust database by using sudo fapolicyd-cli --file add <filename>. That will add the file size and file hash also. Then issue sudo fagenrules –load . So now you add /home/<youraccount>/.bashrc and also add the /etc/bashrc to the trust db. And that will narrowly add the required scripting that a normal terminal uses. Note that if you change .bashrc you will have to add it again since the hash is used. If an attacker changes your .bashrc, then it will no longer be usable and you will notice it because your terminal prompt is then non-colored and won’t show the current path.
Note: the 71 script cannot be used as is on Fedora 44 KDE, the machine will hang at log in. The script as is has only been tested to run on Ubuntu 26. On Fedora I had to add a uid=<accountName> to the subject of the last rule. And it needed another few rules or else Logout and Restart wouldn't work.
You install it using apt install fapolicyd.
When first installed a rules.d directory was not premade for you. You do: mkdir -P /etc/fapolicyd/rules.d
Then you copy the rules from /usr/share/fapolicyd/sample-rules to the rules.d directory. And then you rm 22-buldroot.rules which is a sample that does not compile, placed there just so you learn to read thru the rules.
Read through the man fapolicyd.rules page, you will need modify or create rules.
There are 3 commmands: faplicyd-cli, fagenrules, fapolicyd. After modifying rules, you run fagenrules --check and then fagenrules --load . And then systemctl restart fapolicyd for good measure.
The rules are loaded from the rules.d directory in alphabetical order. So 55-xxx.rules loads first and 95-xxx.rules loads later. And the rules are evaluated from top down.
The rule format is:
Not all possible syntax included in above diagram. Read the man file.
Note: You CAN lock yourself out by making a wrong rule.
The built in rules are not complete. They don't handle scripts of the form "bash myScript.txt"
So I made 71-a-script.rules :
The first 2 lines disallows non-trusted python and perl scripts which do not belong to any apt package.
The next 5 lines disallows non-trusted x-shellscript in temporary directories which do not belong to any apt package.( x-shellscript are those files that have a beginning line: #!/bin/bash )
The last line disallows non-trusted plain text files when running against bash.
In common with the way security is done in Windows, no scripts should be able to run inside /home by default because an attacker landing in your standard account will be able to modify any of your scripts or add scripts to do his bidding. By modifying your bash scripts he will have stealthily obtained persistence, perhaps call home to his C2 server, and stay on your box for a long time, without obtaining root.
You can add a file to the trust database by using sudo fapolicyd-cli --file add <filename>. That will add the file size and file hash also. Then issue sudo fagenrules –load . So now you add /home/<youraccount>/.bashrc and also add the /etc/bashrc to the trust db. And that will narrowly add the required scripting that a normal terminal uses. Note that if you change .bashrc you will have to add it again since the hash is used. If an attacker changes your .bashrc, then it will no longer be usable and you will notice it because your terminal prompt is then non-colored and won’t show the current path.
Note: the 71 script cannot be used as is on Fedora 44 KDE, the machine will hang at log in. The script as is has only been tested to run on Ubuntu 26. On Fedora I had to add a uid=<accountName> to the subject of the last rule. And it needed another few rules or else Logout and Restart wouldn't work.
Last edited:
Thanks but too much this and that to apply. My Ubuntu is running fine as is....
And in case i can just restore back.
And in case i can just restore back.
I used to do that - image restore upon trouble. But then I realized that without Adding improved security that Matters, I would end up playing the game where I would restore and the attackers just returns again and again using the same attack method deploying different payloads. And my PC becomes their playground. WDAC App Control / fapolilcyd is a key defense that shackles the attacker from deploying hackware or any foreign exe. I know my red team has several attacks up their sleeve. But when they can't deploy their payload then I stay safe.
Last edited:
You may also like...
-
TuxTalk - Ubuntu 26.04 LTS - Tuxified !- Started by TuxTalk
- Replies: 40
-
Ubuntu MATE’s founder is stepping back after 12 years- Started by lokamoka820
- Replies: 1
-
Victor M Fedora 44 KDE Configuration- Started by Victor M
- Replies: 17
-
FUbuntu 26.04 LTS Leads Over Windows 11 In Creator Workstation Performance
- Started by ForgottenSeer 116559
- Replies: 3
-