[WIP] Add security intro #95
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,79 @@ | ||
| (introduction-to-security)= | ||
| # Introduction to security | ||
|
|
||
| Security should always be considered when installing, deploying, and using any | ||
| Ubuntu system. Although a fresh installation of Ubuntu is relatively safe for | ||
| immediate use, it is important to have a balanced understanding of your | ||
| system's security posture based on how it will be used after deployment. It's | ||
| important to take a layered approach so that your system's security is not | ||
| dependent on a single | ||
|
|
||
| ## Server security guidance | ||
|
|
||
| Since Ubuntu is so endlessly customizable, a full guide to security hardening | ||
| is beyond the scope of this documentation. | ||
| However, there are good practices and security-related packages that could be | ||
| applied to almost any Ubuntu system. See our | ||
| {ref}`security suggestions <security-suggestions>` page for an overview of the | ||
| good habits and practices that can be adopted by anyone running an Ubuntu | ||
| system to make it more secure. It's not necessary to apply every suggestion -- | ||
| and the list is not exhaustive by any means -- but each one used creates an | ||
| extra layer of security. | ||
|
|
||
| In a more advanced or complex setup, you may need to go further in your | ||
| security outlook. There are specific packages available for your Server | ||
| that will help with this, and we suggest some in the | ||
| {ref}`advanced security <advanced-security>` section that you might want to | ||
| consider for your use-case. Again, the list is not intended to be exhaustive, | ||
| but rather a starting point. | ||
|
|
||
| For a more thorough treatment of security in Ubuntu, we recommend checking | ||
|
There was a problem hiding this comment. "we also recommend" otherwise it sounds like read here is you ar not serious but there if you are. There was a problem hiding this comment. And sadly - as we know and as of today - there people find mostly marketing and not so much actionable |
||
| out the [Ubuntu Security documentation](https://ubuntu.com/security). | ||
|
|
||
| ## Ubuntu Pro | ||
|
|
||
| Canonical offers security, compliance and support services through the | ||
| [Ubuntu Pro](https://ubuntu.com/pro) subscription. Ubuntu Pro is available | ||
| for free on up to 5 machines (for business or personal use). Although the | ||
| compliance and certification features of Ubuntu Pro are likely to be of more | ||
| interest to enterprise users, the security patching features are great for | ||
|
There was a problem hiding this comment. That sounds odd, how about "security patching features" -> "enhanced security coverage" |
||
| anyone using Ubuntu. | ||
|
|
||
| All of the Ubuntu Pro features can be managed on the command line via the | ||
| [Ubuntu Pro Client](https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/) | ||
| utility, which also has an API for easier automation. | ||
|
|
||
| ### Vulnerability management | ||
|
|
||
| In a standard Ubuntu LTS release, security support is provided for packages in | ||
| the Main repository for 5 years. With Ubuntu Pro, this is expanded to 10 years, | ||
|
There was a problem hiding this comment. is this mentioning of main worth a link to the page explaining the components? |
||
| and also includes patching for medium, high and critival severity | ||
| [vulnerabilities](https://ubuntu.com/security/cves/about) for the Universe | ||
| repository. | ||
|
|
||
| This service, known as Expanded Security Maintenance (ESM), is recommended for | ||
| every Ubuntu system. Learn more [about ESM](https://ubuntu.com/security/esm). | ||
|
|
||
| ### Kernel application hardening | ||
|
|
||
| The second service recommended for every Ubuntu system is Canonical's Livepatch | ||
| service, which applies kernel patches for high and critical severity | ||
| vulnerabilities while the system is running, and without the need for an | ||
| immediate reboot -- reducing downtime. Learn more | ||
| [about Livepatch](https://ubuntu.com/security/livepatch). | ||
|
|
||
| ### Security Compliance and Certification | ||
|
|
||
| For enterprise users who must ensure compliance with specific standards, such as | ||
| [FIPS](https://ubuntu.com/security/certifications/docs/fips), | ||
| [CIS](https://ubuntu.com/security/certifications/docs/usg) and | ||
| [DISA STIG](https://ubuntu.com/security/certifications/docs/disa-stig), Ubuntu | ||
| also provides profile benchmarking. See our | ||
| [security and compliance documentation](https://ubuntu.com/security/certifications/docs) | ||
| for more details. | ||
|
|
||
| ## Reporting vulnerabilities | ||
|
|
||
| If you need to report a security issue, refer to the security | ||
| [disclosure policy](https://ubuntu.com/security/disclosure-policy). | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,177 @@ | ||
| (security-suggestions)= | ||
| # Security suggestions | ||
|
|
||
| Although a fresh install of Ubuntu is relatively safe for immediate use on the | ||
| Internet, in this guide we’ll take a look at some steps you can take to help | ||
| keep your Ubuntu system safe and secure. | ||
|
|
||
| ## For any Ubuntu system | ||
|
|
||
| The following suggestions are applicable generally to most Ubuntu systems. It | ||
| is not necessary to use all of these steps -- use the ones that are most | ||
| relevant for your setup. | ||
|
|
||
| ### Keep your system up-to-date | ||
|
|
||
| 1. **Regularly update** your Ubuntu system to keep it protected from known | ||
| vulnerabilities. Run the following command periodically to update your | ||
| system software: | ||
|
|
||
| ```bash | ||
| sudo apt update && sudo apt upgrade | ||
| ``` | ||
|
|
||
| You may want to use the `unattended-upgrade` package to fetch and install | ||
| security updates and bug fixes automatically: | ||
|
|
||
| ``` | ||
| sudo apt install unattended-upgrades | ||
| ``` | ||
|
|
||
| By default, `unattended-upgrade` runs daily, but this can be configured. See | ||
| the `unattended-upgrade` | ||
| [manual page](https://manpages.ubuntu.com/manpages/noble/en/man8/unattended-upgrades.8.html) | ||
| for details. | ||
|
|
||
| 1. **Manage your software**: | ||
|
|
||
| * Remove packages you don't need, to minimise the potential attack surface | ||
| you are exposing. See our article on | ||
| {ref}`Package management <package-management>` for more details. | ||
|
|
||
| * Avoid using third party repositories. If you need to download a package | ||
| from a third party repository, make sure you | ||
| {ref}`understand the risks and how to minimize them. <third-party-repository-usage>`. | ||
|
|
||
| 1. **Use the most up-to-date release** of Ubuntu. If you are on an older Ubuntu | ||
| release we have instructions on {ref}`how to upgrade <upgrade-your-release>`. | ||
|
|
||
| 1. **Use [Ubuntu Pro](https://ubuntu.com/pro)**, particularly if you are on an | ||
| older release of Ubuntu. Pro provides Enterprise-level security patching, | ||
| but is free for personal/business use on up to 5 machines. The most useful | ||
| Pro features for *any* Ubuntu Server are: | ||
|
|
||
| * [Expanded Security Maintenance (ESM)](https://ubuntu.com/security/esm) | ||
| which expands the Ubuntu LTS commitment on packages in Main from 5 years | ||
| to 10 years -- and now also covers packages in Ubuntu Universe. | ||
|
|
||
| * [Livepatch](https://ubuntu.com/security/livepatch) applies kernel patches | ||
| for high and critical severity vulnerabilities while the system is running. | ||
| This avoids the need for an immediate reboot. | ||
|
|
||
| Most security patches can be fetched and applied automatically through the | ||
| `unattended-upgrade` package. For more details on using and monitoring | ||
| Ubuntu Pro via the command line, refer to the | ||
| [official documentation](https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/). | ||
|
|
||
| ### Access Control | ||
|
|
||
| 1. **Use and enforce** the | ||
| [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege): | ||
|
|
||
| * This means creating non-root user accounts with as few privileges as possible. | ||
| * Not using `sudo` (root access) except for administration tasks. | ||
| * For more details on basic access control, see our {ref}`guide on user management <user-management>`. | ||
|
|
||
| ### Network security | ||
|
|
||
| 1. **Use a firewall**. In Ubuntu, the uncomplicated firewall (`ufw`) tool is | ||
| used to configure firewalls. `ufw` is a wrapper around the `iptables` utility | ||
| (which experienced system admins may prefer to use directly). To get started | ||
| with `ufw`, check out our {ref}`firewalls` guide. | ||
|
|
||
| 1. **Use the Secure Shell (SSH)** protocol to secure remote access. In Ubuntu, | ||
|
There was a problem hiding this comment. Using ssh is fine, the art is doing it well. We sadly lack content here on the pages to suggest proper key types and sizes, use passphrases, potentially suggest storing the private key securely as well as something like two factor like http://www.justgohome.co.uk/blog/2013/07/better-two-factor-ssh-authentication-on-ubuntu.html |
||
| this is managed through OpenSSH. For details on setting up OpenSSH, refer to | ||
| our {ref}`guide to OpenSSH <openssh-server>`. | ||
|
|
||
| ### Physical security | ||
|
|
||
| There are also steps you can take to protect the physical security of your | ||
| system. These how-to guides will help you set up these additional precautions: | ||
|
|
||
| * {ref}`Smart card authentication <smart-card-authentication>`. | ||
| * {ref}`Smart card authentication with SSH <smart-card-authentication-with-ssh>`. | ||
| * {ref}`Console security <console-security>`. | ||
|
|
||
|
|
||
| (advanced-security)= | ||
| ## Suggestions for complex setups | ||
|
|
||
| The following section will help direct you to the security-related packages for | ||
| which we provide documentation. For more discussion about advanced security | ||
| considerations, refer to the [Ubuntu Security](https://ubuntu.com/security) | ||
| documentation. | ||
|
|
||
| ### Advanced Access Control | ||
|
|
||
| 1. **Lightweight Directory Access Protocol (LDAP)** is the usual way to gate | ||
| access control for larger or more complex setups. In Ubuntu, this is | ||
| implemented through OpenLDAP. Refer to our | ||
| {ref}`introduction to OpenLDAP <introduction-to-openldap>` | ||
| for more details, or see our section | ||
| {ref}`on how to set up OpenLDAP <how-to-openldap>`. | ||
| 1. **Kerberos** is a network authentication protocol that provides identity | ||
| verification for distributed environments, commonly used in enterprise | ||
| systems. Learn more in our | ||
| {ref}`introduction to Kerberos <introduction-to-kerberos>`, or see our | ||
| section on how to {ref}`set up and use Kerberos <how-to-kerberos>`. | ||
| 1. **System Security Services Daemon (SSSD)** is a collection of daemons that | ||
|
There was a problem hiding this comment. To be fair to all options, should we include integration into an active directory in this list? |
||
| handle authentication, authorisation and user/group information from | ||
| disparate network sources. It integrates with OpenLDAP, Kerberos, and | ||
| Active Directory as we discuss in more detail in our | ||
| {ref}`introduction to SSSD <introduction-to-network-user-authentication-with-sssd>` | ||
| or get started setting it up with our | ||
| {ref}`how-to section <how-to-network-user-authentication-with-sssd>`. | ||
|
|
||
| ### Virtual Private Networks (VPNs) | ||
|
|
||
| 1. **WireGuard VPN** | ||
|
|
||
| * {ref}`Introduction to WireGuard VPN <introduction-to-wireguard-vpn>` | ||
| * {ref}`How to set up WireGuard VPN <how-to-wireguard-vpn>` | ||
|
|
||
| 1. **OpenVPN** | ||
|
|
||
| * {ref}`About OpenVPN clients <openvpn-client-implementations>` | ||
| * {ref}`How to install OpenVPN <install-openvpn>` | ||
|
|
||
| ### Security of communications | ||
|
|
||
| 1. **TLS/SSL** for secure communication | ||
|
There was a problem hiding this comment. I think we need here a short "why you'd want transport security" in general, and can then refer to those examples - because in reality it is always different and depends on the solution they are setting up. Remiding users to use some transport level secuirty is fair without explaining all potential options. |
||
|
|
||
| <!--- We don't have specific pages on TLS or SSL individually, but we do have: | ||
| We don't have pages on TLS or SSL individually, but we do have: | ||
| How-to: LDAP: {ref}`LDAP and TLS <ldap-and-tls>` (this is the closest we have to a discussion of the topic, and it’s within the how-to LDAP section) | ||
| Explanation: Cryptography: {ref}`GnuTLS <gnutls>` | ||
| Explanation: Cryptography: {ref}`OpenSSL <openssl>` | ||
| Explanation: Cryptography: {ref}`Troubleshooting TLS/SSL <troubleshooting-tls>` | ||
| Explanation: security: {ref}`OpenVPN <openvpn-client-implementations>` which is a VPN in the SSL/TLS VPN stack (as opposed to an IPSec VPN) | ||
| ---> | ||
|
|
||
| ### Mandatory Access Controls (MAC) | ||
|
|
||
| 1. **AppArmor** | ||
|
|
||
| * {ref}`How to set up AppArmor <apparmor>` | ||
|
|
||
| ### Cryptography / cryptographic libraries | ||
|
|
||
| 1. **Crypto libraries** | ||
|
|
||
| * {ref}`introduction-to-crypto-libraries` | ||
| * {ref}`About crypto libraries <explanation-cryptography>` | ||
|
|
||
| 1. **Certificates** | ||
|
|
||
| * {ref}`About certificates <certificates>` | ||
| * {ref}`Install root CA certificate in the trust store <install-a-root-ca-certificate-in-the-trust-store>` | ||
|
|
||
| ### Compliance and auditing | ||
|
|
||
| If you need to adhere to specific industry standards, or are otherwise operating | ||
| in a high security environment, refer to the | ||
| [Ubuntu Security documentation](https://ubuntu.com/security/compliance-automation). | ||
|
|
||
|
|
||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
single what?