Ubuntu Security Components
Linux-Native Security Mechanisms for Endpoint Protection
Ubuntu Security Architecture
Ubuntu includes multiple layers of security mechanisms built into the Linux kernel and userspace. Understanding these components is essential for hardening systems and conducting security operations.
AppArmor
Mandatory Access Control (MAC) system using path-based profiles to restrict application capabilities.
UFW
Uncomplicated Firewall - user-friendly frontend for iptables host-based firewall.
auditd
Linux Audit Framework for monitoring security-relevant events and system calls.
PAM
Pluggable Authentication Modules - flexible authentication framework.
sudo
Privilege escalation control with granular command-level permissions.
LUKS
Linux Unified Key Setup - full disk encryption for data-at-rest protection.
Security Layers
Defense in Depth Strategy
- Kernel: seccomp, namespaces, cgroups, capabilities
- MAC: AppArmor profiles (default in Ubuntu)
- Network: UFW/iptables, nftables
- Authentication: PAM, sudo, SSH keys
- Auditing: auditd, syslog, journald
- Encryption: LUKS, eCryptfs, GPG
AppArmor Mandatory Access Control
AppArmor is Ubuntu's default MAC system. Unlike SELinux (used by RHEL/CentOS), AppArmor uses path-based access control rather than labels.
Profile Modes
- Enforce: Blocks and logs violations
- Complain: Logs violations but allows (audit mode)
- Disabled: Profile not loaded
Common Protected Applications
usr.sbin.mysqld- MySQL databaseusr.sbin.named- BIND DNS serverusr.bin.firefox- Firefox browserusr.lib.snapd.snap-confine- Snap packages
UFW (Uncomplicated Firewall)
UFW is Ubuntu's default firewall frontend, making iptables management more accessible.
Default Policies
- Incoming: Default deny (recommended)
- Outgoing: Default allow (typical)
- Routed: Default deny
iptables (Advanced)
UFW is a frontend for iptables. For complex rules, direct iptables manipulation may be required.
Linux Audit Framework (auditd)
The audit daemon monitors and logs security-relevant events including system calls, file access, and authentication.
Common Audit Rules
Security-Relevant Events to Monitor
/etc/passwd,/etc/shadow- User account changes/etc/sudoers- Privilege escalation configuration/etc/ssh/sshd_config- SSH configuration changes/var/log/auth.log- Authentication events- Executable changes in
/usr/bin,/usr/sbin
journalctl (systemd Logging)
Modern Ubuntu uses journald for centralized logging alongside traditional syslog.