
Thread: hardened image of ubuntu?

  1. #1
    Join Date
    Dec 2010
    Beans
    315

    hardened image of ubuntu?

    I recently ran an oscap scan of Ubuntu 16.04 server, and noticed there were a good amount of findings (like CAT I and II's). Are there any hardened images out there, of Ubuntu?

  2. #2
    Join Date
    Dec 2010
    Beans
    315

    Re: hardened image of ubuntu?

    *bump*

  3. #3
    Join Date
    Feb 2010
    Location
    South of the Maple Trees
    Beans
    Hidden!
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: hardened image of ubuntu?

    Not that I know of. You can do it yourself though. There are plenty of How-Tos on the subject. Here's one: https://www.nuharborsecurity.com/ubu...ening-guide-2/
    There's also loads of documentation in the Security subforum stickies.

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: hardened image of ubuntu?

    Quote Originally Posted by sniper8752
    I recently ran an oscap scan of Ubuntu 16.04 server, and noticed there were a good amount of findings (like CAT I and II's). Are there any hardened images out there, of Ubuntu?

    Many of the claimed "best practices" aren't for Ubuntu or Debian. Slight differences in how permissions are set up make a huge difference, as does the normal method of software deployment to the system. 20 yrs ago, I was trying to "harden" my servers and found that the tips had been crafted for different OSes and actually broke the distro I was running then. Check out Bob Toxen's Real World Linux Security book.

    For people who need to follow some govt standard, I'd suggest sticking with the OS those standards were written especially for. CentOS/RHEL have lots of tools for that and lots of scanners to ensure SELinux is enabled and the 200+ other things validated.

    For RHEL-based distros, there are STIGs. https://public.cyber.mil/?s=STIG Looks like there might be Ubuntu-specific versions now.
    Last edited by TheFu; September 21st, 2019 at 12:57 AM. Reason: STIGs.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: hardened image of ubuntu?

    Quote Originally Posted by TheFu
    Many of the claimed "best practices" aren't for Ubuntu or Debian. Slight differences in how permissions are set up make a huge difference, as does the normal method of software deployment to the system. 20 yrs ago, I was trying to "harden" my servers and found that the tips had been crafted for different OSes and actually broke the distro I was running then. Check out Bob Toxen's Real World Linux Security book.

    For people who need to follow some govt standard, I'd suggest sticking with the OS those standards were written especially for. CentOS/RHEL have lots of tools for that and lots of scanners to ensure SELinux is enabled and the 200+ other things validated.
    I definitely agree with you.

    There are even things like CIS Benchmarks for hardening, but they aren't a one-and-done deal. They need to be tailored to your environment.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Dec 2010
    Beans
    315

    Re: hardened image of ubuntu?

    Thanks for recommending this book! I see it's from 2002 though... anything a little more recent? I'm sure most of it still applies.

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: hardened image of ubuntu?

    Quote Originally Posted by sniper8752
    Thanks for recommending this book! I see it's from 2002 though... anything a little more recent? I'm sure most of it still applies.
    If you seek a checklist and commands, nothing.
    If you seek knowledge so you can create a modern checklist and commands for your specific installations, then the core ideas in that book will serve you well. And Bob is a really nice guy too.

    O'Reilly and No Starch Press usually have excellent books, but they are out of date before the ink is dry. I still use my Unix System Security books from the mid-1990s as references for "ideas." They aren't cookbooks, however.
