Home

Paranoid Penguin - Security Features in Ubuntu Server

Issue 168

From Issue #168
April 2008

Apr 01, 2008  By Mick Bauer
 in
Use old-school administration skills to benefit from modern tools on Ubuntu Server.
Novell AppArmor in Ubuntu

As I discussed last month, the Ubuntu port of Novell AppArmor is installed by default in Ubuntu systems. This is true of both Server and Desktop. In Ubuntu Server, however, AppArmor is present but not configured; you'll need to activate any policies you want to enforce manually (AppArmor profiles reside in /etc/apparmor.d).

If you're unfamiliar with AppArmor, it's a powerful means of running applications in contained environments, such that applications' access to local resources is kept to a minimum. It's similar to SELinux, but less comprehensive and, therefore, easier to understand and administer.

However, on Ubuntu, no graphical tools are provided for this purpose, even in Ubuntu Desktop. What's more, the only Ubuntu documentation (besides man pages) is the AppArmor page on the Ubuntu User Community Wiki (see Resources), which is little more than a listing of commands and their command-line syntax; no HOWTOs or other introductory material are provided.

For the time being, it appears AppArmor on Ubuntu Server is for expert users only.

Conclusion

I've discussed Ubuntu's sensible omission of the X Window System in its default installations, enumerated security features in the Ubuntu Sever installer, pondered the merits of the disabled root account, listed some security-enhancing software packages available in Ubuntu Server and considered Ubuntu's fledgling AppArmor support.

My overall opinion? Ubuntu Server 7.10 is a remarkably compact, straightforward, command-line-oriented Linux distribution with a reasonably secure set of default configurations and an impressive array of fully supported, security-related software packages. (Fewer than Debian, but many more than CentOS or RHEL.) If you're an intermediate-to-advanced Linux system administrator, depending on what you need to do, Ubuntu Server may be worth checking out.

If you're a Linux newbie looking for a gentle introduction to the Linux experience, Ubuntu Desktop is a much better choice, even if you want practice setting up server applications.

That's it for now. Until next time, be safe!

Resources

The Official Ubuntu Home Page: www.ubuntu.com

Ubuntu Server Guide: https://help.ubuntu.com/7.10/server/C/index.html

Christer Edwards' blog, which consists almost entirely of handy Ubuntu HOWTOs: ubuntu-tutorials.com

“Ubuntu Server: Considering Kernel Configuration” by Carla Schroder: www.enterprisenetworkingplanet.com/netos/article.php/3710641

Home Page for Webmin, a Free Web-based GUI for Remote Server Management: www.webmin.com

The Ubuntu RootSudo Page, Describing Ubuntu's sudo Implementation in Detail: https://help.ubuntu.com/community/RootSudo

Security Pages on the Ubuntu User Community's Wiki: https://help.ubuntu.com/community/Security

AppArmor Page on the Ubuntu User Community's Wiki: https://help.ubuntu.com/community/AppArmor

The “Securing Debian Manual”, Indirectly Applicable to Ubuntu: www.debian.org/doc/manuals/securing-debian-howto/index.en.html

Bauer, Michael D. Linux Server Security, 2nd ed. Sebastopol, CA: O'Reilly Media, 2005. Provides detailed procedures for securing popular server applications.

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Server Security

JJ's picture
Submitted by JJ (not verified) on Tue, 08/05/2008 - 00:48.

Hello,

I am in the process of re-vamping an NGO's IT setup and have a few questions. We want to configure a file server that will have shared folders and user backups. As data security is vital for this NGO, I was wondering if Ubuntu server (or perhaps eBox) would be secure enough to have open to the internet. Are Novell, Red Hat, or Microsoft any better? Or, would it be better to keep this server off the net, but have it be accessible through VPN? There will be around 40 LAN clients and only 1-2 remote clients.

Thank you very much for any help.
JJ

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions