Cloudron Forum

Additional Ubuntu Hardening

Support · Solved · 10 Posts · 4 Posters · 2.0k Views
ochoseis (#1)

I'm planning to colo a small server to host my Cloudron, and want to make sure I've got it secure enough without getting in the way of Cloudron. I'm going to follow most of the advice in the Cloudron security guide. Beyond that, there are a few other things I can think of:

  • Enable Livepatch
  • Run something like this Ansible hardening role. I need to know if any of these things would conflict with Cloudron:
    • Allowing only signed packages
    • Removing a few packages
    • Removing setuid bits from a few binaries

During setup, does Cloudron already do any of those steps anyway, and/or would they conflict with Cloudron (e.g. does it rely on any unsigned PPAs)? As much as possible, I'd love to rely on Cloudron to handle this so I don't have to think about it.
nebulon (Staff) (#2)

Generally, doing any additional system configuration or removing/adding other Ubuntu packages to the system is not supported, since we cannot test such variations for updates.

Cloudron already only installs signed packages. Enabling Livepatch should be OK to do.

For all the other things happening through that Ansible role, we would have to go through them one by one and test accordingly. We will not support running such hardening scripts automatically; there are too many of these out there. So if there are really good reasons to disable/configure system components for security, we can investigate. Often security roles don't even apply to Cloudron if the corresponding components are not even used.
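If you want to verify the "only signed packages" point on your own box rather than take it on trust, the APT settings that admit unsigned packages are few and easy to grep for. The following POSIX shell check is an added example written for this thread; it is not code from the forum, from Cloudron or from the Ansible role mentioned above. It assumes the three mechanisms it looks for: `[trusted=yes]` in one-line `.list` entries, `Trusted: yes` in deb822 `.sources` files, and `APT::Get::AllowUnauthenticated "true"` in an apt.conf fragment. The directories are parameters so the demo can run against constructed files instead of `/etc/apt`.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Cloudron.
# Audits APT configuration for the settings that let unsigned packages in:
#   - "[trusted=yes]" in one-line sources.list entries
#   - "Trusted: yes" in deb822 .sources files
#   - APT::Get::AllowUnauthenticated "true" in apt.conf fragments
# Directories are parameters so the demo can run against constructed files
# (on a real host: /etc/apt/sources.list.d and /etc/apt/apt.conf.d).

# find_unsigned_apt_settings <sources-dir> <apt-conf-dir>
# Prints "file:line:text" for every offending line.
# Returns 0 when nothing was found (clean), 1 when at least one line matched.
find_unsigned_apt_settings() {
    sources_dir="$1"
    conf_dir="$2"
    found=0
    for f in "$sources_dir"/*.list "$sources_dir"/*.sources; do
        [ -f "$f" ] || continue
        # -H: filename, -n: line number, -i: deb822 keys are case-insensitive
        grep -H -n -i -E 'trusted=yes|^Trusted:[[:space:]]*yes' "$f" && found=1
    done
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        grep -H -n -i -E 'AllowUnauthenticated[[:space:]]*"?(true|yes)' "$f" && found=1
    done
    return $found
}

# --- Demo with constructed sample files (not real system state) ---
demo=$(mktemp -d)
mkdir -p "$demo/sources.list.d" "$demo/apt.conf.d"

# A normal signed mirror entry next to a PPA-style entry that disables
# signature checks (the hostname is a placeholder).
cat > "$demo/sources.list.d/example.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu jammy main
deb [trusted=yes] http://ppa.example.invalid/ubuntu jammy main
EOF

# A global override that makes apt-get accept unauthenticated packages.
cat > "$demo/apt.conf.d/99local" <<'EOF'
APT::Get::AllowUnauthenticated "true";
EOF

if find_unsigned_apt_settings "$demo/sources.list.d" "$demo/apt.conf.d"; then
    echo "no unsigned-package settings found"
else
    echo "review the lines above: they allow unsigned packages"
fi
rm -rf "$demo"
```

On a real host, run it as `find_unsigned_apt_settings /etc/apt/sources.list.d /etc/apt/apt.conf.d` (and grep `/etc/apt/sources.list` itself the same way). An empty result is what a "signed packages only" setup should produce; any hit is a line worth justifying or removing before adding further hardening on top.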
potemkin_ai (#3)

@nebulon are there any recommendations on reboot frequency with Livepatch enabled?
girish (Staff) (#4)

Isn't the intent of Livepatch to minimize reboots?

girish has marked this topic as solved.
potemkin_ai (#5)

@girish it does, but it's about minimizing reboots, not removing the necessity to reboot altogether (https://ubuntu.com/security/livepatch/docs/faq).

That's why I'm asking if there are any best practices...
girish (Staff) (#6)

@potemkin_ai ah, got it 🙂 Sorry, not aware of any best practices around this.
nebulon (Staff) (#7)

On Ubuntu, if a reboot is required, then the file /var/run/reboot-required exists. This is also what Cloudron uses to raise the "reboot required" notification.
potemkin_ai (#8)

@nebulon thank you.
I don't believe it's exactly that way with Livepatch enabled, as the reboot flag (file) is created within dpkg, which is not aware if Livepatch is enabled and if it covers the flow that it patched...
nebulon (Staff) (#9)

@potemkin_ai I personally haven't used Ubuntu Livepatch anywhere so far, but according to https://askubuntu.com/questions/1248091/why-am-i-being-asked-to-restart-system-even-though-i-have-canonical-livepatch it seems that this is to be expected if other packages besides the kernel require a reboot.

Maybe someone here in the forum has more hands-on experience with what Canonical has built there?
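The flag file discussed in the last few posts is not the only thing Ubuntu writes: alongside /var/run/reboot-required, the same update-notifier hook writes /var/run/reboot-required.pkgs with one package name per line, which is what lets you tell a kernel-only reboot request (the case Livepatch is about) from one caused by other packages such as libc6. The check below is an added example for this thread, not code from the forum or from Cloudron. It assumes, as a labelled simplification, that kernel packages are the ones whose names start with `linux-`; the sample files are constructed so the script runs without touching real system state.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Cloudron.
# Classifies a pending Ubuntu reboot by reading the two flag files that
# Ubuntu's update-notifier hook writes after package upgrades:
#   /var/run/reboot-required       - exists when a reboot is pending
#   /var/run/reboot-required.pkgs  - one package name per line
# Assumption (ours, a simplification): kernel packages are the ones named
# linux-*. Livepatch only patches the running kernel, so any other package in
# the list means the reboot is needed regardless of Livepatch.

# classify_reboot [flag-file] [pkgs-file]
# Prints one word on stdout and always returns 0:
#   none        - no reboot flag
#   unknown     - flag present but no package list to reason about
#   kernel-only - every listed package is linux-*
#   non-kernel  - at least one non-kernel package asked for the reboot
classify_reboot() {
    flag="${1:-/var/run/reboot-required}"
    pkgs="${2:-/var/run/reboot-required.pkgs}"

    if [ ! -e "$flag" ]; then
        echo none
        return 0
    fi
    if [ ! -s "$pkgs" ]; then
        echo unknown
        return 0
    fi

    kernel=0
    other=0
    # "|| [ -n "$pkg" ]" also handles a last line without a trailing newline
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        [ -z "$pkg" ] && continue
        case "$pkg" in
            linux-*) kernel=$((kernel + 1)) ;;
            *)       other=$((other + 1)) ;;
        esac
    done < "$pkgs"

    if [ "$other" -gt 0 ]; then
        echo non-kernel
    else
        echo kernel-only
    fi
    return 0
}

# --- Demo with constructed sample files (not real system state) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# This is the literal content Ubuntu writes into /var/run/reboot-required.
printf '*** System restart required ***\n' > "$demo_dir/reboot-required"

# Case 1: only kernel packages were upgraded (Livepatch may already cover it).
printf 'linux-image-generic\nlinux-modules-extra-generic\n' > "$demo_dir/kernel.pkgs"
echo "kernel upgrade only:  $(classify_reboot "$demo_dir/reboot-required" "$demo_dir/kernel.pkgs")"

# Case 2: libc6 was upgraded too, which Livepatch does not cover.
printf 'linux-image-generic\nlibc6\n' > "$demo_dir/mixed.pkgs"
echo "kernel plus libc6:    $(classify_reboot "$demo_dir/reboot-required" "$demo_dir/mixed.pkgs")"

# Case 3: no flag file at all.
echo "no flag file:         $(classify_reboot "$demo_dir/missing" "$demo_dir/kernel.pkgs")"
```

Run with no arguments it reads the real files. A `non-kernel` result means the Cloudron notification is right regardless of Livepatch; a `kernel-only` result is the situation the askubuntu answer describes, and whether Livepatch actually applied a fix for the running kernel is something to confirm separately with `canonical-livepatch status` rather than infer from the flag file.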
potemkin_ai (#10)

@nebulon thank you, hope to hear some wisdom from the community.