Paranoid Penguin - Security Features in Ubuntu Server

Use old-school administration skills to benefit from modern tools on Ubuntu Server.
Novell AppArmor in Ubuntu

As I discussed last month, the Ubuntu port of Novell AppArmor is installed by default in Ubuntu systems. This is true of both Server and Desktop. In Ubuntu Server, however, AppArmor is present but not configured; you'll need to activate any policies you want to enforce manually (AppArmor profiles reside in /etc/apparmor.d).

If you're unfamiliar with AppArmor, it's a powerful means of running applications in contained environments, such that applications' access to local resources is kept to a minimum. It's similar to SELinux, but less comprehensive and, therefore, easier to understand and administer.

However, on Ubuntu, no graphical tools are provided for this purpose, even in Ubuntu Desktop. What's more, the only Ubuntu documentation (besides man pages) is the AppArmor page on the Ubuntu User Community Wiki (see Resources), which is little more than a listing of commands and their command-line syntax; no HOWTOs or other introductory material are provided.

For the time being, it appears AppArmor on Ubuntu Server is for expert users only.

Conclusion

I've discussed Ubuntu's sensible omission of the X Window System in its default installations, enumerated security features in the Ubuntu Sever installer, pondered the merits of the disabled root account, listed some security-enhancing software packages available in Ubuntu Server and considered Ubuntu's fledgling AppArmor support.

My overall opinion? Ubuntu Server 7.10 is a remarkably compact, straightforward, command-line-oriented Linux distribution with a reasonably secure set of default configurations and an impressive array of fully supported, security-related software packages. (Fewer than Debian, but many more than CentOS or RHEL.) If you're an intermediate-to-advanced Linux system administrator, depending on what you need to do, Ubuntu Server may be worth checking out.

If you're a Linux newbie looking for a gentle introduction to the Linux experience, Ubuntu Desktop is a much better choice, even if you want practice setting up server applications.

That's it for now. Until next time, be safe!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Server Security

JJ's picture

Hello,

I am in the process of re-vamping an NGO's IT setup and have a few questions. We want to configure a file server that will have shared folders and user backups. As data security is vital for this NGO, I was wondering if Ubuntu server (or perhaps eBox) would be secure enough to have open to the internet. Are Novell, Red Hat, or Microsoft any better? Or, would it be better to keep this server off the net, but have it be accessible through VPN? There will be around 40 LAN clients and only 1-2 remote clients.

Thank you very much for any help.
JJ

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix