How to secure your Ubuntu 22.04 default installation with SELinux
02-MAR-2024- Written by Yves Soete — Blacksight LLC -visit us for our free security scanner on scanner.blacksight.io
Get notified when new articles drop — visit blacksight.io/blog to subscribe
Running Ubuntu with its default configuration, as a server or as a desktop, might not be the smartest choice if you want to be as secure as possible. SELinux is a security enhancement for Linux systems with strict security requirements. We advise installing SELinux on top of the default Ubuntu 22.04 server or desktop install.
The default Ubuntu install sets up AppArmor, a Linux application security system that is easy to use, but SELinux might be the better solution for stricter security demands, customer setups or infrastructure standardization. Both AppArmor and SELinux work through the Linux Security Module (LSM) interface, but Linux permits only one of these LSMs to be active at a time.
1. Stop and disable AppArmor at startup
sudo systemctl stop apparmor
sudo systemctl disable apparmor
2. Install SELinux and enable it
sudo apt install policycoreutils selinux-basics selinux-utils -y
sudo selinux-activate
3. Check the status of the install
getenforce
This should print Disabled.
sestatus
This should also report the status as disabled.
SELinux can run in two modes, Permissive or Enforcing; when it is set up initially it will be in the default permissive mode.
Enforcing mode: SELinux actively enforces the security policies, blocks any action that violates the policy and logs the incident.
Permissive mode: SELinux logs each policy violation but does not block it; this mode is mostly used for debugging and testing SELinux policies.
4. Reboot and verify the config status
Reboot the instance. Remember that you need to be able to reach the server via the management console, or make sure you can log in with a user that has sudo access (remote SSH login as root will not be possible with SELinux active). After the reboot, check the config file.
Note: the first startup can take a while, since SELinux will relabel your files and directories.
grep 'SELINUX=permissive' /etc/selinux/config
Check that the output includes the line SELINUX=permissive.
5. Modify to enforcing
sudo nano /etc/selinux/config
Change SELINUX=permissive to SELINUX=enforcing.
6. Reboot and check the status again
getenforce
Now you will see that the system is set to Enforcing.
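After step 6 it is worth confirming that the on-disk mode, the running mode and the AppArmor service all agree. The following check script is an added example, not part of the original article; it assumes the stock /etc/selinux/config layout and, for the live check only, that getenforce and systemctl are on PATH.

```shell
#!/bin/sh
# Added example (not from the article): verify the end state of the
# AppArmor-to-SELinux switch described in steps 1 to 6.

# Constructed sample config, as /etc/selinux/config looks after step 5.
# The commented first line shows why a naive grep for "SELINUX=" is not enough.
SAMPLE_CONFIG='# SELINUX=disabled would turn SELinux off entirely
SELINUX=enforcing
SELINUXTYPE=default'

# Print the configured mode (enforcing/permissive/disabled) from a config file,
# ignoring comment lines; the last assignment wins, as it does for the real file.
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only when the on-disk mode matches what getenforce reports.
# $1 = configured mode, $2 = getenforce output (Enforcing/Permissive/Disabled)
modes_agree() {
    case "$1:$2" in
        enforcing:Enforcing|permissive:Permissive|disabled:Disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Offline self-check against the constructed sample; prints the parsed mode.
sample_mode() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    configured_mode "$tmp"
    rm -f "$tmp"
}

# Live check: run as "sh selinux_check.sh --live" on the rebooted machine.
live_check() {
    cfg=$(configured_mode /etc/selinux/config)
    run=$(getenforce 2>/dev/null || echo Unknown)
    if ! modes_agree "$cfg" "$run"; then
        echo "MISMATCH: config=$cfg runtime=$run (reboot still pending?)"
        return 1
    fi
    # Only one of the two LSMs can be active; a live apparmor unit means step 1 was skipped.
    if systemctl is-active --quiet apparmor 2>/dev/null; then
        echo "WARN: apparmor service is still active alongside SELinux"
        return 1
    fi
    echo "OK: config=$cfg runtime=$run, apparmor inactive"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```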
Congratulations, your system is now hardened with NSA-level protection from SELinux. If you need to dig deeper, always check the official documentation and project at https://github.com/SELinuxProject/selinux, or contact us for help setting up your systems with SELinux at contact@blacksight.io