Paranoid Penguin - Security Features in Ubuntu
Once you've installed a bunch of software, keeping it patched is easy. To configure automatic updates, run the Software Sources applet, and select the Updates tab (Figure 3). These settings determine the behavior of the Update Manager applet.
The Update Manager applet runs automatically in the background, but you also can start it manually from the System menu in the Administration section. You can configure it (from Software Sources) to do any of the following: 1) notify you of updates, 2) download patches automatically and notify you when they're ready for installation, or 3) download and install patches automatically.
Remember back in my August 2006 article “An Introduction to Novell AppArmor”, when I commented that despite its SUSE roots, AppArmor probably would be ported to other distributions soon? (No? Well, I did say that—you can look it up!) Sure enough, not only does Ubuntu have a port of AppArmor, but it's also installed and enabled by default.
If you're unfamiliar with it, AppArmor is an implementation of Type Enforcement, a type of Mandatory Access Control. What this means in English is that AppArmor lets you restrict the activities of system dæmons—what files they can read, which directories they can access, which devices they can write to or read from and so on. It is a powerful means of containing the effects if a protected dæmon is compromised—even if attackers succeed in hijacking a given process, they can't use it to execute arbitrary commands, read arbitrary files and so forth.
Perhaps surprisingly, given Ubuntu's very slick look and feel, AppArmor is configurable in Ubuntu only via the command line, using the aa tools (aa-status, aa-genprof and so on) in the apparmor-utils package. Visit the Ubuntu AppArmor page for more information (see Resources).
In the root/sudo discussion above, I mentioned the Users and Groups applet. This applet is deceptively simple to use. It's actually one of the more sophisticated front ends to adduser, addgroup and so on that I've seen. If you select a user, click Properties, and click the User Privileges tab, you can not only grant that user the right to “Administer the system” (that is, to execute commands as root using sudo), you also can select from a long list of other system privileges (Figure 4).
If you're an old-school sysadmin like me, you know that none of these privileges are handled directly by tools like adduser; the settings in this part of the applet simply determine to which groups the user belongs—groups that the Ubuntu team carefully has configured to correspond with real-world system administration-related commands and objects. This is a clever and simple way to manage administrative functions, especially in combination with sudo.
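An added example, not part of the original article: because the applet's checkboxes are really group memberships, a short shell function can report which accounts hold which privilege-granting groups. The group names (admin, adm, lpadmin, dialout, plugdev) are assumptions and the sample accounts are constructed data. The function also catches accounts that hold a group only as their primary GID, which the group file's member list does not show.

```shell
#!/bin/sh
# Added example (not from the article): report who holds which privilege group.
# The group names are assumptions; substitute the groups on your own system.
PRIV_GROUPS="admin adm lpadmin dialout plugdev"

# priv_members GROUP_FILE PASSWD_FILE [group ...]
# Prints sorted, de-duplicated "group user" pairs. Covers supplementary
# members (field 4 of the group file) and accounts whose primary GID
# (field 4 of passwd) is one of the groups, which the member list omits.
priv_members() {
    gfile=$1; pfile=$2; shift 2
    [ $# -gt 0 ] || set -- $PRIV_GROUPS
    awk -F: -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        FNR == NR {                              # first file: group database
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) if (u[i] != "") print $1, u[i]
            }
            next
        }
        ($4 in gid2name) { print gid2name[$4], $1 }   # second file: passwd
    ' "$gfile" "$pfile" | LC_ALL=C sort -u
}

# Constructed sample data standing in for /etc/group and /etc/passwd.
sample_report() {
    d=$(mktemp -d) || return 1
    cat > "$d/group" <<'EOF'
root:x:0:
adm:x:4:alice
dialout:x:20:alice,bob
lpadmin:x:107:bob
admin:x:115:alice
plugdev:x:46:
carol:x:1002:
EOF
    cat > "$d/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
svcprint:x:999:107:Print helper:/nonexistent:/usr/sbin/nologin
EOF
    priv_members "$d/group" "$d/passwd" "$@"
    rc=$?; rm -rf "$d"; return $rc
}

sample_report
```

To audit a live system, call `priv_members /etc/group /etc/passwd`; accounts defined only in LDAP or another NSS source will not appear in those files.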
As you can see, Ubuntu's ease of use doesn't come at the cost of security—it has Debian's abundance of security-related software packages combined with straightforward but effective security design decisions, such as disabled root and AppArmor, and easy update management.
Resources
Official Ubuntu Home Page: www.ubuntu.com
Ubuntu RootSudo Page, describing Ubuntu's sudo implementation in detail: https://help.ubuntu.com/community/RootSudo
“Keeping Your Computer Safe”—simple security tips from Ubuntu 7.10's official documentation: https://help.ubuntu.com/7.10/keeping-safe/C/index.html
Security Pages in the Ubuntu User Community's Wiki: https://help.ubuntu.com/community/Security
AppArmor Page in the Ubuntu User Community's Wiki: https://help.ubuntu.com/community/AppArmor
The “Securing Debian Manual”, indirectly applicable to Ubuntu: www.debian.org/doc/manuals/securing-debian-howto/index.en.html
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.