The linux workstation security checklist

vr_anticipator · 16 April 2017 19:14

I’ve been using Ubuntu Mate 16.04 for quite some time and generally speaking, I love it. It is stable; no bluescreen or other problems since I’ve installed Ubuntu Mate. It is a lot easier to use than Ubuntu 16.04; necessary software is already installed, and there is rarely need for installing additional software. When I have to install a piece of software, it is very easy.

However, I’ve noticed that Ubuntu Mate and Ubuntu doesn’t fulfill “The linux workstation security checklist” completely:

github.com

lfit/itpol/blob/master/linux-workstation-security.md

# Linux workstation security checklist

Updated: 2017-12-15

*Status: CURRENT*

### Target audience

This document is aimed at teams of systems administrators who use Linux
workstations to access and manage your project's IT infrastructure.

If your systems administrators are remote workers, you may use this
set of guidelines to help ensure that their workstations pass core security
requirements in order to reduce the risk that they become attack vectors
against the rest of your IT infrastructure.

Even if your systems administrators are not remote workers, chances are that
they perform a lot of their work either from a portable laptop in a work
environment, or set up their home systems to access the work infrastructure
for after-hours/emergency support. In either case, you can adapt this set of

This file has been truncated. show original

I’m talking about these 2 checklists:

Publishes security bulletins (ESSENTIAL)
Provides timely security patches (ESSENTIAL)

I dislike the fact that Ubuntu doesn’t show a pop up informing you of new security updates. Furthermore, the automatic installation is not always working. Some old programs that represent vulnerabilities are installed that make the system compromised after a clean install. I hate the fact that Bluetooth starts by default with every new installation.

There is a link on more ways to secure Ubuntu than just a firewall, but it is so outdated. There should be this link above, not the years old Ubuntu security article. I understand that Canonical profits via providing security services for businesses, but these are the things that should be changed. Also, you should provide with an article on services that are not needed and that can be safely uninstalled to make Ubuntu faster and safer, such as TelNet.

There should be articles on how to lock your Ubuntu and article on how to keep Ubuntu moderately safe for ordinary users. Charging for security is ok as there are always people who don’t have the time nor energy to secure their computers fully.

I might be completely wrong as I am not a software engineer, but these things seem to be missing to the stable, user-friendly Ubuntu-Mate. I’m still a fan of Ubuntu Mate, and I will keep recommending Ubuntu mate to people. But as every OS there are pros and cons and the above-mentioned cons are pretty severe in my opinion. I am very grateful for the effort that is put in Ubuntu Mate, but if you could change these cons, Ubuntu Mate would be close to a perfect Linux distro. And I would be willing to pay for security customer service in the future if necessary.

ouroumov · 17 April 2017 19:41

https://www.ubuntu.com/usn/

Can you give some examples of that point not being respected?

It does, if you set the installation of security updates to “manual”, there’s not much point when it’s on “automatic”.

You can disable that easily enough.

There are no active services on a fresh install of an Ubuntu Desktop distribution.

Are you saying businesses get some kind of extra security patches that are voluntary withheld from everyone else? Where are you getting this information?

vr_anticipator · 17 April 2017 23:12

Not really.

I still keep the Windows mindset I guess. Good to know.[quote=“ouroumov, post:2, topic:12694”]
I hate the fact that Bluetooth starts by default with every new installation.

You can disable that easily enough.
[/quote]

It is not necessary to start with every fresh install and I would turn that off. I agree that can be easily turned off and it should be.[quote=“ouroumov, post:2, topic:12694”]
Also, you should provide with an article on services that are not needed and that can be safely uninstalled to make Ubuntu faster and safer, such as TelNet.

There are no active services on a fresh install of an Ubuntu Desktop distribution.
[/quote]

Some security guidelines on how to strengthen the security on Debian systems recommend uninstalling TelNet and other services. Apparently, these services could be misused if they are installed even if they are not used. I’m not going to get into detail on how it is done, but if TelNet is not necessary and if it’s not regularly used it shouldn’t be installed at all. I would like Ubuntu to have a special Wiki like Arch available with every install concerning security in detail. Though some of the guidelines I’ve been reading could be outdated and I could be completely wrong about this. Honestly, I hope I am.

No, I am not saying that, but LibreOffice doesn’t get automatic updates unless you click on Update in the Software Boutique. And if someone misses to do that, he/she might get infected and it could be too late. I’ve clearly been wrong about a lot of the things I wrote in the post, but there are still some things that should be improved. Note, I still like Ubuntu Mate and some of the “severe cons” I wrote could be as a result misinformation and ignorance on my part.