
Thread: Relatively lightweight Ubuntu - are there install package preset options?

  1. #11

    Re: Relatively lightweight Ubuntu - are there install package preset options?

    Quote: Originally Posted by nomencl8ure
    Thank you for all the replies, definitely helpful! I'm using Lubuntu 20.04.2 LTS / LXQt. I'm not really concerned about disk storage requirements. I'm primarily concerned with CPU and RAM use. The intended use is essentially a single-function Rise Vision media player (digital signage). I'm aiming to keep OS overhead at a minimum without crippling capability of handling high resolution (2160p) video at 30 fps.
    I'd use Raspberry Pi v4 boxes and a tiny OS specifically created for the system. No way would I run a full desktop. Don't make it easy for the crackers.

    mpv for video playback. Plenty of controls.

    For management, the safest way would be to swap in a new microSD card with OS updates and new data, but if you must have it networked, I'd use ssh-only with keys (never passwords) and ansible. Install fail2ban if you are unwilling to lock down the firewall to prevent 99.999999999% of the internet from any access. Only allow your management IPs access, not the world. Budget for new microSD media every year, though it won't be needed THAT often if you buy high endurance microSD storage. Expect to replace the Raspberry Pis every 3 yrs. Budget for 1/3 every year to be safe.

    But only you know the real requirements. I keep thinking of a huge sign in my metro area about 10 yrs ago showing an "inappropriate" image for about 5 hrs on one of the busiest streets here. They had poor security. A few years ago, the electronic speed-limit signs were cracked here too. Again, poor security.
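A check for the "ssh-only with keys (never passwords)" advice in the post above, added here as an example and not part of the original post. It reads a single sshd_config-style file and ignores `Include` lines (on a live system `sshd -T` prints the effective configuration); the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an sshd_config still allow password-style logins?
# Reads one file only (no Include handling); sample configs are constructed.

# Print one finding per line; no output means key-only authentication.
sshd_password_findings() {
    awk '
        # Compiled-in defaults: both password-style methods are on.
        BEGIN { val["passwordauthentication"] = val["kbd"] = "yes" }
        { sub(/#.*/, ""); k = tolower($1); v = tolower($2) }
        k == "match" { in_match = 1; next }
        # Simplification: the old and new keyword names count as one setting.
        k == "kbdinteractiveauthentication" || k == "challengeresponseauthentication" { k = "kbd" }
        !(k in val) { next }
        in_match { if (v == "yes") print "Match block re-enables " $1; next }
        !(k in seen) { seen[k] = 1; val[k] = v }   # first global value wins
        END { for (k in val) if (val[k] != "no") print k " not disabled globally" }
    ' "$1"
}

# Return 0 only when the file yields no findings.
sshd_keys_only() { [ -z "$(sshd_password_findings "$1")" ]; }

S=$(mktemp -d)   # constructed sample configs
printf '%s\n' '#PasswordAuthentication yes' 'ChallengeResponseAuthentication no' > "$S/default"
printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$S/keys_only"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'Match Address 192.0.2.10' '    PasswordAuthentication yes' > "$S/match_hole"

for f in default keys_only match_hole; do
    if sshd_keys_only "$S/$f"; then echo "$f: keys only"
    else echo "$f: passwords still possible"; fi
done
```

The `default` sample fails because a commented-out `PasswordAuthentication` line leaves the compiled-in default of `yes` in force.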

  2. #12

    Re: Relatively lightweight Ubuntu - are there install package preset options?

    Quote: Originally Posted by TheFu
    ...I keep thinking of a huge sign in my metro area about 10 yrs ago showing an "inappropriate" image for about 5 hrs on one of the busiest streets here.
    Oh, geez.
    Thankfully, these are not high-traffic, high-profile signs, though the pay would/should be better...
    They're for inside an office building of a nonprofit org. Still, I don't wish to be wiping egg off my face anytime soon.
    I'm fairly security minded and have been considering some of the implications. The Rise Vision media players require Internet access, so must be networked. I'll likely end up putting them on an untrusted VLAN. I'm moderately concerned about physical access to the media player hardware. BIOS/UEFI admin is password protected, and I'm trying to find out how to disable boot for anything (e.g. network, USB) besides internal storage, or if that's possible. I did install openssh-server and considered configuring sshd to allow only keys for authentication. I don't think that would interfere with automatic local sign on...? Which brings up another point. For the Rise Vision media player to launch automatically "on boot", it requires a user to automatically sign on. To satisfy that requirement, during Lubuntu installation, I checked the option to automatically login. That seems like a big hole for local/physical access security, but I don't know of a way around it. As far as I know, there is no support for running the Rise Vision media player as a daemon/service that loads without a user first signing on.

  3. #13

    Re: Relatively lightweight Ubuntu - are there install package preset options?

    Well, create a separate user account that can only run the intended software, nothing else. Don't let it have a real shell.
    There's lots of old-school Unix security techniques which have been forgotten. They still work, but you need to do the research.

    Don't allow auto login to any account that provides a generic shell.
    Physically secure the systems. Use a long video cable through a wall if you must.

    Don't allow bluetooth or wifi. I've actually had a 24 hour old, fresh install AND freshly patched system with wifi disabled, no network cable connected, hacked over bluetooth. I didn't realize that Ubuntu enabled bluetooth without asking. Since then, I remove the bluetooth kernel modules from the systems.

    Firewall everything to prevent inbound or outbound access except to the specific locations required to perform the exact tasks.

    And don't run any Ubuntu desktop on this hardware. Use a specialized, stripped-down install.

    VLANs aren't real security, unless all the unwanted VLAN IDs are filtered from the wires. VLANs are just suggestions.

    And that sign was a billboard - probably 50 ft by 30 ft near an intersection that thousands of vehicles traversed every few minutes.
    Last edited by TheFu; March 10th, 2021 at 10:36 PM.
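Two of the checks from the post above (no auto-login to an account with a generic shell, no Bluetooth modules loaded), added here as an example and not part of the original post. It assumes the SDDM display manager with its `[Autologin]` section, as used by the Lubuntu install discussed in the thread; the account name `signage`, the function names and all sample files are constructed.

```shell
#!/bin/sh
# Added example; every sample file below is constructed.

# Print User= from the [Autologin] section of an SDDM-style config file.
autologin_user() {
    awk -F= '/^\[/ { sec = $0; next }
             sec == "[Autologin]" && $1 == "User" { print $2; exit }' "$1"
}

# Print the login shell (7th field) of user $1 in passwd-format file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# args: sddm-config passwd shells. Return 0 when no auto-login is configured or
# the auto-login account's shell is absent from the shells list; an unknown
# user or an empty shell field (which means /bin/sh) fails.
autologin_is_restricted() {
    user=$(autologin_user "$1")
    [ -n "$user" ] || return 0
    shell=$(login_shell "$user" "$2")
    [ -n "$shell" ] || return 1
    ! grep -qxF "$shell" "$3"
}

# Print the bluetooth core module and every module using it, from a
# /proc/modules-format file (field 4 is the comma-separated user list).
bluetooth_modules() {
    awk '$1 == "bluetooth" { print $1; n = split($4, u, ",")
             for (i = 1; i <= n; i++) if (u[i] != "" && u[i] != "-") print u[i] }' "$1"
}

D=$(mktemp -d)
printf '[Autologin]\nUser=signage\n' > "$D/sddm.conf"
printf '%s\n' /bin/sh /bin/bash /bin/dash > "$D/shells"
printf '%s\n' 'signage:x:1001:1001::/home/signage:/bin/bash' > "$D/passwd.weak"
printf '%s\n' 'signage:x:1001:1001::/home/signage:/usr/sbin/nologin' > "$D/passwd.locked"
printf '%s\n' 'btusb 57344 0 - Live 0x0' 'bluetooth 548864 1 btusb, Live 0x0' > "$D/modules"

autologin_is_restricted "$D/sddm.conf" "$D/passwd.weak" "$D/shells" ||
    echo "FAIL: auto-login account has a generic shell"
autologin_is_restricted "$D/sddm.conf" "$D/passwd.locked" "$D/shells" &&
    echo "OK: auto-login account has no generic shell"
[ -z "$(bluetooth_modules "$D/modules")" ] || echo "FAIL: Bluetooth modules loaded"
```

On a real player the arguments would be the system's own files, for example `/etc/passwd`, `/etc/shells` and `/proc/modules`; whether the display manager still starts the session for an account without a listed shell has to be tested on the target.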
