Professional Documents
Culture Documents
Locking Down Linux - Using Ubuntu As Your Primary OS, Part 3 (Application Hardening & Sandboxing) Null Byte - WonderHowTo
Locking Down Linux - Using Ubuntu As Your Primary OS, Part 3 (Application Hardening & Sandboxing) Null Byte - WonderHowTo
oxing) « Null…
NULL BYTE
LO C K I N G D OWN L I N U X
O nce you've installed Ubuntu with security in mind and reduced the possibility of network
attacks on your system, you can start thinking about security on an application level. If a
malicious file is opened on your system, will an attacker be able to access every file on the
computer? The chances are much slimmer if you put the proper defenses in place.
In this third part of our mini-series on strengthening your primary Ubuntu installation, you'll
learn how Ubuntu package repositories work, which repos you should avoid, and how to
update. You'll also see how to import additional AppArmor profiles to limit resources that apps
can use and create sandboxes to isolate unsafe applications from the operating system
completely.
If you missed the beginning of this article series, you should check out the first part to learn
more about my motivations for starting this four-part guide.
Part 2: Using Ubuntu as Your Primary OS, Part 2 (Network Attack Defense)
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 1/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Step 1
If you're coming from Windows 10, you'll be used to downloading and installing new
applications from random websites. This practice is inherently unsafe. Unsigned, unverified
applications distributed by one source creates the potential for supply chain attacks.
Linux handles installing software differently. Ubuntu uses several repositories (servers) that
contain packages (software and dependencies) audited by Canonical, Ubuntu developers, and
the security team. Not all of Ubuntu's repositories are audited by the Ubuntu team, however.
Main: The main component contains applications that are free software, can be freely
redistributed, and are fully supported by the Ubuntu team. This includes the most popular
and most reliable open-source applications available, many of which are included by
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 2/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
default when installing Ubuntu. The software in Main includes a hand-selected list of
applications that the Ubuntu developers, community, and users feel are most important
and that the Ubuntu security team are willing to support. When we install software from
the Main repository, we're assured that the software will come with security updates and
that support is available from Canonical.
Universe: The Universe repository is a collection of free, open-source software. It houses
almost every piece of open-source software, all built from a range of public sources.
Canonical will provide regular security updates for software in the Universe repo when
made available by the community. Popular or well-supported pieces of software will move
from Universe into Main if they are backed by maintainers willing to meet the Ubuntu
team's standards.
Restricted: Ubuntu's commitment is only to promote free software, i.e., software available
under a free license. However, they make exceptions for a small set of tools and drivers
that make it possible to install Ubuntu and its free applications on everyday hardware.
These proprietary drivers are kept in the Restricted repository. Please note that it may not
be possible to provide complete support for this software because Ubuntu developers
cannot fix the software; they can only forward problem reports to the actual authors.
Ubuntu developers will only use non-open-source software when there is no other way to
install Ubuntu. The Ubuntu team works with vendors to accelerate the open-sourcing of
their software to ensure that as much software as possible is available under a free
license.
Multiverse: The Multiverse repository contains software that is not free, which means this
software's licensing requirements do not meet the Ubuntu license policy. The
responsibility is on you to verify your rights to use this software and comply with the
copyright holder's licensing terms. This software is not supported and usually cannot be
fixed or updated. Use it at your own risk.
Disabling Unsafe Repositories
Before updating any packages, open the "Software & Updates" window and disable the
"multiverse" and "restricted" repositories in the "Ubuntu Software" tab. These repositories
distribute closed-source software, can't be audited, and sometimes require non-free (paid) user
licenses.
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 3/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Then, head over to the "Other Software" tab and uncheck the "Canonical Partners" options.
Disabling Backports
Backports offers a way to selectively provide newer versions of software for older Ubuntu
releases. Most commonly, the Backports team will provide new versions of standalone
applications which can be safely updated without impacting the rest of the system. However,
the Ubuntu security team does not update packages in Backports. For that reason, disabling
backports is recommended. In the "Update" tab, make sure "bionic-backports" is unchecked.
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 4/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
By default, Ubuntu should download and update security updates automatically on a daily
basis.
Manually Checking for Updates
To check for updates manually, use the sudo apt update && sudo apt dist-upgrade command.
Step 2
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 5/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
installed and enabled in every Ubuntu installation. This can be verified using the below
command.
~$ sudo aa-status
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 6/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
It's also possible to create script profiles for any application on the OS. For a comprehensive
look at AppArmor, use the man command to view the manuals.
~$ man apparmor
~$ man aa-status
~$ man aa-enforce
Step 3
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 7/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Firejail, created by netblue30, reduces the risk of security breaches by using a lightweight
visualization technology to isolate applications and restrict them to sandboxed (container)
environments. Below is a GIF of Evince, Ubuntu's default PDF reader, opening an unsafe file in
a heavily sandboxed environment.
Both Firejail and AppArmor can be used together (cooperatively) or independently of each
other. If one of them failed to restrict a certain file or directory, it would be possible for the
other to compensate and contain the vulnerability.
Blacklisting: Deny access to specific files and directories. Access attempts are reported to
syslog.
Whitelisting: Allow only files and directories specified by the user.
Temporary filesystem: Mount a temporary filesystem on top of a directory.
Private: Mount copies of files and directories and discard them when the sandbox is
closed.
Restricted home: Only the current user /home directory is available inside the sandbox.
Reduced system information leakage: Restrict access to sensitive directories such as /boot,
/proc, and /sys.
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 8/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Download Firejail
Head over to the download page and grab the latest stable version of Firejail and the .asc file.
At the time of this writing, the latest version is "firejail_0.9.54_1_amd64.deb." Then, open a new
terminal, change into the Downloads/ directory using cd and view its contents using the ls
command.
~$ cd Downloads/
~/Downloads$ ls
firejail_0.9.54_1_amd64.deb firejail-0.9.54.asc
---- https://pgp.mit.edu/pks/lookup?op=get&search=0x2CCB36ADFC5849A7
Resolving pgp.mit.edu (pgp.mit.edu)... 18.9.60.141
Connecting to pgp.mit.edu (pgp.mit.edu)|18.9.60.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2341 (2.3K) [text/html]
Saving to: ‘STDOUT’
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-s… 9/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Notice the "Good signature" line above. This is verification that the .asc file is legitimate. We
can now view the contents of the file using the cat command. If you do not see the good
signature line, don't panic. It's possible the Firejail .asc was malformed during the download.
Try downloading it again.
~$ cat firejail-0.9.54.asc
Copy the hash on line #6 and use the below grep command to compare the SHA256 hash of
the .deb to the .asc. If all went well, the command will produce the following result.
0e92d90d583b3fe549539a261a4f48ff2b3632ba6c1868bddaf09eaad2dcaaf9 firejail_0.9.54
Install Firejail
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 10/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
Use the --help argument to view Firejail's available options and verify it was installed correctly.
~$ firejail --help
Firejail has too many features to cover in this article, so I'll show two practical uses.
Sandboxing Unsafe PDFs Found on the Internet
One of Firejail's greatest features is its ability to create temporary, offline sandboxes that are
disposed of when the application is closed. Use the below command to create a strict
temporary sandbox configuration.
There a lot going on in the above command, so I'll breakdown each argument one by one.
This will open Firefox in a sandboxed environment and dispose of files saved in the temporary
/home directories created by the --private argument.
I've barely scratched the surface of what Firejail can do. For more, check out the official
documentation and Firetools, Firejail's optional graphical user interface.
Want to start making money as a white hat hacker? Jump-start your hacking career with our
2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and
get over 60 hours of training from cybersecurity professionals.
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 12/13
26/07/2023, 17:22 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing) « Null…
97% off The Ultimate 2021 White Hat Hacker Certification Bundle
99% off The 2021 All-in-One Data Scientist Mega Bundle
98% off The 2021 Premium Learn To Code Certification Bundle
62% off MindMaster Mind Mapping Software: Perpetual License
Cover image by Justin Meyers/Null Byte; Screenshots by tokyoneon/Null Byte
Don't Miss:
All the New iOS 16.5 Features for iPhone You Need to Know About
Your iPhone Has a Secret Button That Can Run Hundreds of Actions
7 Hidden iPhone Apps You Didn’t Know Existed
You’re Taking Screenshots Wrong — Here Are Better Ways to Capture Your iPhone’s Screen
Keep Your Night Vision Sharp with the iPhone’s Hidden Red Screen
Your iPhone Finally Has a Feature That Macs Have Had for Almost 40 Years
If You Wear Headphones with Your iPhone, You Need to Know About This
By using this site you acknowledge and agree to our terms of use & privacy policy.
We do not sell personal information to 3rd parties.
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-… 13/13