Desktop Linux Security Review – Ubuntu
This post documents my testing results for the Desktop version of the Linux distro Ubuntu. I performed the same testing on the following distros:
- [13 points] Elementary OS (results)
- [13 points] Linux Mint (results)
- [12 points] Manjaro (results)
- [10 points] MX Linux (results)
- [10 points] Garuda Linux (results)
- [9 points] Pop!_OS (results)
- [9 points] Endeavour OS (results)
The results are based on the methodology described here:
Ubuntu collected 12 out of 18 possible points, a score that shows its maturity.
Distro Name: Ubuntu (https://ubuntu.com/desktop)
Tested Version: 21.10 (AMD64), downloaded on 2022-01-20
ISO MD5: d1fe2dc15a2b1de029f4c0dccb4106ae
Total Score: 12 / 18
Summary of Installer – Security Features:
- [Y] Does the Installer offer to fully encrypt the main disk?
- [Y] Does the installer indicate the strength of chosen passwords?
Ubuntu’s graphical installer makes it very easy to fully encrypt the disk. The installer also comes with a password strength indicator, which is used for both the disk encryption password and the password of the main user.
Score: 2 / 2
Summary of Firewall:
- [Y] Is a host firewall installed by default?
- [N] Is the host firewall enabled by default?
- [N] Does the host firewall block all incoming/ingress traffic by default?
- [N] Does the host firewall filter outgoing/egress traffic by default?
Ubuntu installs UFW by default. However, UFW is not enabled by default.
Score: 1 / 4
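The four firewall questions above can be answered from the text that `ufw status verbose` prints. The script below is an added example, not part of the original review or its methodology; the function name `score_ufw` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: answer the review's four firewall questions from the text that
# `ufw status verbose` prints (read on stdin).
# $1: "yes"/"no", whether the ufw binary is installed at all (default: yes).
score_ufw() (
    installed=${1:-yes}; enabled=no; incoming=; outgoing=; score=0
    while IFS= read -r line; do
        case $line in
            "Status: active") enabled=yes ;;
            Default:*)
                # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
                incoming=$(printf '%s\n' "$line" | sed -n 's/.* \([a-z]*\) (incoming).*/\1/p')
                outgoing=$(printf '%s\n' "$line" | sed -n 's/.* \([a-z]*\) (outgoing).*/\1/p')
                ;;
        esac
    done
    blocks() {  # a default policy only counts while the firewall is active
        [ "$enabled" = yes ] || return 1
        case $1 in deny|reject) return 0 ;; *) return 1 ;; esac
    }
    ask() {     # $1 = question; remaining arguments = command whose success means Y
        question=$1; shift
        if "$@"; then
            score=$((score + 1)); printf '%s\n' "- [Y] $question"
        else
            printf '%s\n' "- [N] $question"
        fi
    }
    ask "Is a host firewall installed by default?" [ "$installed" = yes ]
    ask "Is the host firewall enabled by default?" [ "$enabled" = yes ]
    ask "Does the host firewall block all incoming/ingress traffic by default?" blocks "$incoming"
    ask "Does the host firewall filter outgoing/egress traffic by default?" blocks "$outgoing"
    printf 'Score: %d / 4\n' "$score"
)

# Constructed samples of `ufw status verbose` output, not captured from the tested system.
UFW_INACTIVE='Status: inactive'
UFW_ACTIVE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

printf '%s\n' "$UFW_INACTIVE" | score_ufw   # firewall installed but not enabled
printf '%s\n' "$UFW_ACTIVE" | score_ufw     # enabled, incoming denied, outgoing allowed
```

On a live system, pipe the real output in with `sudo ufw status verbose | score_ufw`.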
Summary of Automatic Updates:
- [Y] Are updates automatically downloaded during installation?
- [Y] Is the package manager configured to automatically download updates and notify the user about new updates being available?
- [Y] Are the package sources properly authenticated by default?
Ubuntu is the first distro I tested that downloads updates during installation. The Update Manager is configured to notify the user about available updates by default. Signature checking for packages is enabled by default as well.
Score: 3 / 3
Vulnerability Scanning Results:
- [5] How many critical vulnerabilities are present right after installation?
- [6] How many high vulnerabilities are present right after installation?
- [0] How many critical vulnerabilities are present after a full software update run?
- [0] How many high vulnerabilities are present after a full software update run?
Nessus scans identified 5 critical and 6 high vulnerabilities right after installation. After a round of updates had been applied, no vulnerabilities were present anymore.
It is interesting that although the installer downloads updates during the installation of the OS, it does not actually install them :-(
Score: 2 / 4
Summary of User Privileges:
- [Y] Is sudo required to use root privileges?
- [Y] Does sudo require a password?
Ubuntu uses sudo for admin task elevation and protects the use of sudo with a password.
Score: 2 / 2
Summary of Default Browser:
- [Y] Is the default browser updated regularly?
- [N] Does the default browser warn about the execution of downloaded files?
Ubuntu installs Firefox as the default browser. It is regularly updated. However, it does not warn about the execution of downloaded files.
It should also be mentioned that Firefox is installed as a snap, which excludes it from updates when you run 'apt update && apt upgrade'. You have to use the graphical software updater or additionally run the update commands for snap.
Score: 1 / 2
Summary of Application Sand-boxing:
Ubuntu installs AppArmor by default and enables it. It also installs a great set of AppArmor profiles, including profiles for CUPS and LibreOffice. This is another good example of using application sand-boxing to improve overall security.
Score: 1 / 1
Contact via Mastodon: @seb@ioc.exchange