hardened image of ubuntu?

**sniper8752** · August 24th, 2019

I recently ran a oscap scan of ubuntu 16.04 server, and noticed there were a good amount of findings (like CAT I and II's). Are there any hardened images out there, of Ubuntu?

**sniper8752** · September 20th, 2019

*bump*

**uRock** · September 20th, 2019

Not that I know of. You can do it yourself though. There's plenty of How-Tos on the subject. Here's one; https://www.nuharborsecurity.com/ubu...ening-guide-2/
There's also loads of documentation in the Security subforum stickies.

**TheFu** · September 20th, 2019

Originally Posted by sniper8752

I recently ran a oscap scan of ubuntu 16.04 server, and noticed there were a good amount of findings (like CAT I and II's). Are there any hardened images out there, of Ubuntu?

Many of the claimed "best practices" aren't for Ubuntu or Debian. Slight differences in how permissions are setup makes a huge difference, as does the normal method of software deployment to the system. 20 yrs ago, I was trying to "harden" my servers and found that the tips had been crafted for different OSes and actually broke the distro I was running then. Check out Bob Toxen's Real World Linux Security book.

For people who need to follow some govt standard, I'd suggest sticking with the OS those standards were written especially for. CentOS/RHEL have lots of tools for that and lots of scanners to ensure SELinux is enabled and the 200+ other things validated.

For RHEL-based distros, there are STIGs. https://public.cyber.mil/?s=STIG Looks like there might be Ubuntu-specific versions now.

**CharlesA** · September 21st, 2019

Originally Posted by TheFu

Many of the claimed "best practices" aren't for Ubuntu or Debian. Slight differences in how permissions are setup makes a huge difference, as does the normal method of software deployment to the system. 20 yrs ago, I was trying to "harden" my servers and found that the tips had been crafted for different OSes and actually broke the distro I was running then. Check out Bob Toxen's Real World Linux Security book.

For people who need to follow some govt standard, I'd suggest sticking with the OS those standards were written especially for. CentOS/RHEL have lots of tools for that and lots of scanners to ensure SELinux is enabled and the 200+ other things validated.

I definitely agree with you.

There are even things like CIS Benchmarks for hardening, but they aren't a one-and-done deal. They need to be tailored to your environment.

**sniper8752** · October 9th, 2019

Thanks for recommending this book! I see it's from 2002 though... anything a little more recent? I'm sure most of it still applies.

**TheFu** · October 9th, 2019

Originally Posted by sniper8752

Thanks for recommending this book! I see it's from 2002 though... anything a little more recent? I'm sure most of it still applies.

If you seek a checklist and commands, nothing.
If you seek knowledge so you can create a modern checklist and commands for your specific installations, then the core ideas in that book will serve you well. And Bob is a really nice guy too.

O'Reilly and No Starch Press usually have excellent books, but they are out of date before the ink is dry. I still use my Unix System Security books from the mid-1990s as references for "ideas." They aren't cookbooks, however.