    Cloudron Forum
    Solved Additional Ubuntu Hardening

    Support
    • ochoseis last edited by

      I'm planning to colo a small server to host my cloudron, and want to make sure I've got it secure enough without getting in the way of Cloudron. I'm going to follow most of the advice in the Cloudron security guide. Beyond that, there are a few other things I can think of:

      • Enable livepatch
      • Run something like this Ansible hardening role. I need to know if any of these things would conflict with Cloudron:
        • Allowing only signed packages
        • Removing a few packages
        • Removing setuid bits from a few binaries

      During setup, does Cloudron already do any of those steps anyways, and / or would they conflict with Cloudron (e.g. does it rely on any unsigned PPAs)? As much as possible, I'd love to rely on Cloudron to handle this so I don't have to think about it.

      1 Reply Last reply Reply Quote 1
      • nebulon
        nebulon Staff last edited by

        Generally, doing any additional system configuration or removing/adding other Ubuntu packages to the system is not supported, since we cannot test such variations for updates.

        Cloudron already only installs signed packages. Enabling livepatch should be ok to do.

        For all the other things happening through that Ansible role, we would have to go through them one by one and test accordingly. We will not support running such hardening scripts automatically; there are too many of these out there. So if there are really good reasons to disable/configure system components for security, we can investigate. Often security roles don't even apply to Cloudron if the corresponding components are not even used.

        potemkin_ai 1 Reply Last reply Reply Quote 0
        • potemkin_ai
          potemkin_ai @nebulon last edited by

          @nebulon are there any recommendations on reboot frequency with livepatch enabled?

          1 Reply Last reply Reply Quote 0
          • girish
            girish Staff last edited by

            Isn't the intent of livepatch to minimize reboots?

            potemkin_ai 1 Reply Last reply Reply Quote 1
            • Topic has been marked as solved by girish
            • potemkin_ai
              potemkin_ai @girish last edited by

              @girish it does, but it's about minimizing reboots, not removing a necessity to reboot altogether (https://ubuntu.com/security/livepatch/docs/faq).

              That's why I'm asking if there are any best practices...

              girish 1 Reply Last reply Reply Quote 1
              • girish
                girish Staff @potemkin_ai last edited by

                @potemkin_ai ah got it 🙂 Sorry, not aware of any best practices around this.

                1 Reply Last reply Reply Quote 0
                • nebulon
                  nebulon Staff last edited by

                  On Ubuntu, if a reboot is required, then the file at /var/run/reboot-required exists. This is also what Cloudron uses to raise the reboot required notification.

                  potemkin_ai 1 Reply Last reply Reply Quote 0
                  • potemkin_ai
                    potemkin_ai @nebulon last edited by

                    @nebulon thank you.
                    I don't believe it's exactly that way with livepatch enabled, as a reboot flag (file) is created within dpkg, which is not aware whether livepatch is enabled and whether it covers the flow that it patched...

                    nebulon 1 Reply Last reply Reply Quote 0
                    • nebulon
                      nebulon Staff @potemkin_ai last edited by

                      @potemkin_ai I personally haven't used Ubuntu Livepatch anywhere so far, but according to https://askubuntu.com/questions/1248091/why-am-i-being-asked-to-restart-system-even-though-i-have-canonical-livepatch it seems that this is to be expected if other packages besides the kernel require a reboot.

                      Maybe someone here in the forum has more hands-on experience with what Canonical has built there?

                      potemkin_ai 1 Reply Last reply Reply Quote 0
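                      The two posts above turn on one detail: Ubuntu's update-notifier creates /var/run/reboot-required (the file Cloudron checks) and, next to it, /var/run/reboot-required.pkgs listing every package that asked for the reboot. Whether Livepatch can have covered the change therefore depends on what is in that list, not on the flag alone. The script below is an added example (not from the thread or from Cloudron) that classifies the flag as "none", "kernel-only" (every listed package is a linux-image kernel package, the only case Livepatch can possibly cover, and even then the Ubuntu FAQ linked earlier says a reboot is still needed eventually) or "other-packages" (libc, systemd and the like, which Livepatch never touches). The function name reboot_reason and the sample package names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify why Ubuntu's reboot-required flag is set.
# update-notifier writes <dir>/reboot-required (the flag Cloudron checks)
# and <dir>/reboot-required.pkgs (one triggering package per line).
# Livepatch only ever patches the running kernel, so only a list made up
# purely of linux-image packages can be "already covered"; anything else
# needs a real reboot regardless of Livepatch.

# Usage: reboot_reason [dir]   (dir defaults to /var/run on a real host)
# Prints exactly one word: none | kernel-only | other-packages
reboot_reason() {
    dir="${1:-/var/run}"
    flag="$dir/reboot-required"
    pkgs="$dir/reboot-required.pkgs"

    # No flag at all: nothing asked for a reboot.
    if [ ! -e "$flag" ]; then
        echo none
        return 0
    fi

    # Flag present but no (or empty) package list: we cannot prove the
    # trigger was kernel-only, so treat it as needing a real reboot.
    if [ ! -s "$pkgs" ]; then
        echo other-packages
        return 0
    fi

    # Any non-empty line that is not a linux-image package means a userspace
    # component (libc, systemd, ...) changed, which Livepatch cannot cover.
    if grep -v '^linux-image' "$pkgs" | grep -q .; then
        echo other-packages
    else
        echo kernel-only
    fi
}

# Constructed sample state so the example runs offline; the version string
# and package names are invented for the demo, not taken from a real host.
demo_dir=$(mktemp -d)
: > "$demo_dir/reboot-required"
printf 'linux-image-5.15.0-91-generic\nlibc6\n' > "$demo_dir/reboot-required.pkgs"
reboot_reason "$demo_dir"   # libc6 is listed, so this prints other-packages
rm -rf "$demo_dir"
```

On a real Ubuntu host run it with no argument so it reads /var/run; pairing its output with `canonical-livepatch status` gives an operator a defensible answer to the "how often do I really need to reboot" question: a "kernel-only" result can wait for the next maintenance window if Livepatch reports the fix applied, while "other-packages" should be scheduled like any ordinary reboot-required notification.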
                      • potemkin_ai
                        potemkin_ai @nebulon last edited by

                        @nebulon thank you, hope to hear some wisdom from the community.

                        1 Reply Last reply Reply Quote 0