Additional Ubuntu Hardening
-
I'm planning to colo a small server to host my Cloudron, and want to make sure I've got it secure enough without getting in the way of Cloudron. I'm going to follow most of the advice in the Cloudron security guide. Beyond that, there are a few other things I can think of:
- Enable livepatch
- Run something like this Ansible hardening role. I need to know if any of these things would conflict with Cloudron:
  - Allowing only signed packages
  - Removing a few packages
  - Removing setuid bits from a few binaries
During setup, does Cloudron already do any of those steps anyway, and/or would they conflict with Cloudron (e.g. does it rely on any unsigned PPAs)? As much as possible, I'd love to rely on Cloudron to handle this so I don't have to think about it.
-
Generally, doing any additional system configuration or removing/adding other Ubuntu packages on the system is not supported, since we cannot test such variations for updates.
Cloudron already only installs signed packages. Enabling livepatch should be ok to do.
For all the other things happening through that Ansible role, we would have to go through them one by one and test accordingly. We will not support running such hardening scripts automatically; there are too many of these out there. So if there are really good reasons to disable/configure system components for security, we can investigate. Often security roles don't even apply to Cloudron if the corresponding components are not even used.
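The "only signed packages" item from the original question is something a server owner can verify on their own host rather than take on trust. The script below is an added example, not code from this thread or from Cloudron: it scans APT source definitions for the two options that disable signature verification, `[trusted=yes]` in one-line `sources.list` entries and `Trusted: yes` in deb822 `*.sources` stanzas. The two sample files it creates are constructed for the demonstration; on a real host you would point the functions at `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.

```shell
#!/bin/sh
# Added example (not from the thread or from Cloudron): audit APT source
# definitions for options that disable signature verification. APT accepts
# "[trusted=yes]" in one-line sources.list entries and "Trusted: yes" in
# deb822 *.sources stanzas. The sample files below are constructed; on a
# real host pass /etc/apt/sources.list and /etc/apt/sources.list.d/* instead.

# Return 0 if a single line allows unsigned packages, 1 otherwise.
# Comment lines start with '#' and therefore never match the anchored patterns.
is_unsigned_allowed() {
    printf '%s\n' "$1" |
        grep -Eiq '^deb(-src)?[[:space:]]+\[[^]]*trusted=yes|^Trusted:[[:space:]]*yes([[:space:]]|$)'
}

# Print every offending line as "file: line" for a human to review.
report_unsigned_sources() {
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            if is_unsigned_allowed "$line"; then
                printf '%s: %s\n' "$f" "$line"
            fi
        done < "$f"
    done
}

# Print the number of offending lines across all files given.
count_unsigned_sources() {
    report_unsigned_sources "$@" | wc -l | tr -d ' '
}

# Constructed sample input: one file per format. Neither is copied from a real host.
WORK=$(mktemp -d)
ONE_LINE="$WORK/constructed.list"
DEB822="$WORK/constructed.sources"
cat > "$ONE_LINE" <<'EOF'
# constructed sample, not copied from any real host
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://apt.example.test/repo stable main
deb [trusted=yes] http://apt.example.test/unsigned ./
EOF
cat > "$DEB822" <<'EOF'
# constructed sample, not copied from any real host
Types: deb
URIs: https://mirror.example.test/ubuntu
Suites: jammy
Components: main
Trusted: yes
EOF

report_unsigned_sources "$ONE_LINE" "$DEB822"
echo "unsigned-allowed entries: $(count_unsigned_sources "$ONE_LINE" "$DEB822")"
```

The `signed-by=` entry in the sample is deliberately left unflagged: pinning a repository to its own keyring is the correct configuration, and only the trust override is the problem. The same effect as `[trusted=yes]` can be produced by `APT::Get::AllowUnauthenticated "true";` in `apt.conf` or by `--allow-unauthenticated` on the command line, so a full audit greps `/etc/apt/apt.conf.d/` for that option as well.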
-
-
@girish it does, but it's about minimizing reboots, not removing the necessity to reboot altogether (https://ubuntu.com/security/livepatch/docs/faq).
That's why I'm asking if there are any best practices...
-
@potemkin_ai ah, got it. Sorry, not aware of any best practices around this.
-
@potemkin_ai I personally haven't used Ubuntu Livepatch anywhere so far, but according to https://askubuntu.com/questions/1248091/why-am-i-being-asked-to-restart-system-even-though-i-have-canonical-livepatch it seems that this is to be expected if other packages besides the kernel require a reboot.
Maybe someone here in the forum has more hands-on experience with what Canonical has built there?
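The point in the reply above, that a reboot prompt is expected whenever something other than the kernel needs one, can be checked directly on the host. Ubuntu's update-notifier records the packages behind a pending reboot in `/var/run/reboot-required.pkgs`, one package per line. The script below is an added example, not from this thread or from Canonical: it splits that list into kernel packages (the only thing Livepatch patches) and everything else (which Livepatch never covers), so the operator can see at a glance whether Livepatch could have avoided the reboot. The input file is constructed for the demonstration; on a live system pass the real path instead.

```shell
#!/bin/sh
# Added example (not from the thread): split the packages listed in
# /var/run/reboot-required.pkgs into kernel packages, the only component
# Livepatch patches, and all other packages, which Livepatch never covers,
# so a pending reboot can be attributed correctly. The sample file below
# is constructed; on a real host pass /var/run/reboot-required.pkgs.

# Print the counts as "<kernel> <other>".
classify_reboot_pkgs() {
    kernel=0
    other=0
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        case "$pkg" in
            '') ;;                                        # skip blank lines
            linux-image-*|linux-base) kernel=$((kernel + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done < "$1"
    printf '%s %s\n' "$kernel" "$other"
}

# Print the non-kernel entries, one per line: these packages force a
# reboot regardless of whether Livepatch is enabled.
non_kernel_reboot_pkgs() {
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        case "$pkg" in
            ''|linux-image-*|linux-base) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done < "$1"
}

# Constructed sample of a reboot-required.pkgs file (version string is made up).
REBOOT_SAMPLE=$(mktemp)
cat > "$REBOOT_SAMPLE" <<'EOF'
linux-image-6.8.0-00-generic
linux-base
libc6
dbus
EOF

set -- $(classify_reboot_pkgs "$REBOOT_SAMPLE")
echo "kernel packages: $1, other packages: $2"
if [ "$2" -eq 0 ]; then
    echo "only kernel packages pending: this is the case Livepatch addresses"
else
    echo "non-kernel packages pending, a reboot is still required for:"
    non_kernel_reboot_pkgs "$REBOOT_SAMPLE"
fi
```

A kernel-only list is the situation where Livepatch is relevant; a list that names `libc6`, `dbus` or `systemd` will keep prompting for a reboot no matter how the kernel is patched, which matches the behaviour described in the askubuntu answer linked above.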
-