ChatGPT for Hardening Ubuntu 22.04 Desktop
Every so often I reinstall my daily driver OS; this is a weird habit I've had for as long as I can remember. It's sort of like spring cleaning! It's so fast these days to get software installed, and all my data is backed up in my homelab, so what do I have to lose? Hopefully just all the bloatware that I've haphazardly installed each year. The piece that is annoying for me is doing all the hardening steps required. I could of course go use a pre-hardened distro, but I don't want all the other bloatware that comes with it. I also don't want to be completely hardcore and set up Arch, so I'm starting from a minimal install of Ubuntu Desktop 22.04 LTS. I've been using ChatGPT at work to make some tasks a little easier, with varying levels of success. I was thinking ChatGPT could be perfect for this hardening task - if I were to do it manually it's essentially hours of searching Google for best practices and procedures for meeting them. ChatGPT should be able to quickly get me the info I need, right? We'll see!
This isn't too bad at a high level - I think the only categories it missed were something to watch file integrity and anything about the general steps you'd immediately take to make the OS settings more secure. For file integrity I'll be using Wazuh with Security Onion. Let's ask ChatGPT to provide some initial settings for the OS.
That's more like it! Let's actually follow the procedure, it's fairly valid.
Ensure a strong password is used - check.
Ensure automatic lockout is configured - check:
'Password to screensaver' - check. All of these settings were sufficient out of the box.
The next item ChatGPT suggests we dive into is configuring our OpenSSH server. I don't plan on allowing SSH inbound to my workstation, so I just confirmed that the OpenSSH server is not running.
This one is more of an ongoing concern as we continue to use the system. Other than doing things like locking down /tmp, is there more we should do? Let's ask!
These are all things we look for while doing privilege escalation. Let's have ChatGPT write us a script to look for these on our system.
So of course when we execute this it's going to give us a ton of output, and it'll take us quite a while to pore over it. Instead I'll run linpeas.
This is another good suggestion! Let's ask if there are any additional options we should set. Let's peek at our defaults:
$ sudo -l
[sudo] password for matt:
Matching Defaults entries for matt on ubuntu-desktop-0:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User matt may run the following commands on ubuntu-desktop-0:
    (ALL : ALL) ALL
I'm going to take the stance that I don't mind logging in as root to perform an administrative action. As I continue using the system perhaps I'll want to add specific binaries here - but for now I'm going to disable everything and just allow the usage of su to gain root.
Let's have ChatGPT explain the output of
We should check the permissions of the secure_path to ensure I can't modify binaries there without first logging in as root.
ls -al /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /snap/bin
This dumped permissions of all the binaries accessible via sudo. I confirmed I could not write to any of them or modify any of the directories.
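As an added example (not from the post), here is a small POSIX shell script that automates that check: it parses secure_path out of the sudo -l output above and reports any directory that is not owned by the expected owner or is group- or world-writable. The sample sudo -l text is the page's, and the optional expected-owner parameter is an assumption added so the check can be exercised on scratch directories.

```shell
#!/bin/sh
# Added example, not from the post: audit the directories in sudo's secure_path.
# Constructed sample input: the Defaults block printed by `sudo -l` on this page.
SUDO_L_OUTPUT='Matching Defaults entries for matt on ubuntu-desktop-0:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty'

# Pull secure_path out of `sudo -l` text. sudo prints each ':' escaped as '\:'.
extract_secure_path() {
    printf '%s\n' "$1" | sed -n 's/.*secure_path=\([^,]*\).*/\1/p' | sed 's/\\:/:/g'
}

# Print every directory of a colon-separated path that is not owned by the
# expected owner (root on a real system) or is group- or world-writable.
# Either condition would let an unprivileged user drop a binary that sudo
# later executes as root. Missing directories are skipped: nothing to abuse.
unsafe_path_dirs() {
    path=$1; want_owner=${2:-root}
    old_ifs=$IFS; IFS=:; set -- $path; IFS=$old_ifs
    for d in "$@"; do
        [ -d "$d" ] || continue
        owner=$(ls -ld "$d" | awk '{print $3}')
        # -prune keeps find on the directory itself; -perm -g+w / -o+w test the write bits
        writable=$(find "$d" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)
        if [ "$owner" != "$want_owner" ]; then
            printf '%s\towned by %s, expected %s\n' "$d" "$owner" "$want_owner"
        elif [ -n "$writable" ]; then
            printf '%s\tgroup- or world-writable\n' "$d"
        fi
    done
}

# Number of directories that failed the check (0 means the path is clean).
count_unsafe_path_dirs() {
    unsafe_path_dirs "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run (`sh audit_secure_path.sh --run`): audit the captured path on this host.
if [ "${1:-}" = "--run" ]; then
    unsafe_path_dirs "$(extract_secure_path "$SUDO_L_OUTPUT")"
fi
```

On a real host run it with --run and expect no output; any line it prints is a directory an attacker with a local shell could use to plant a binary that sudo would run as root.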
Everything else here is fine, my user needs to get root on my system... so why restrict anything else? Does ChatGPT agree?
It does indeed! The key is to not just login as root and have a root session hanging around; stick to using sudo and configure the timeouts correctly.
I did take ChatGPT's suggestion with the environment reset timer:
# install
sudo apt install unattended-upgrades
# Verify
sudo systemctl status unattended-upgrades
On Ubuntu 22.04 this is installed by default, though. You should check your configuration to make sure you're happy with it: /etc/apt/apt.conf.d/20auto-upgrades. By default this basically runs apt update automatically every so often, and performs apt upgrade automatically. See /etc/apt/apt.conf.d/50unattended-upgrades for fine-grained control over what is actually updated.
That's actually exactly what I wanted! I handle the nitty-gritty with pfSense I just needed something simple.
I think for a Desktop environment, SELinux is overkill as it's going to be constantly changing. I'll eventually write a guide on how I configured SELinux for my Proxmox docker nodes though.
For now, AppArmor is pre-installed on Ubuntu and it's easy enough for everyday use on my Desktop. I won't go through the details of how it works or how to use it; Canonical's documentation is fully sufficient.
Most packages that are installed via snap ship with a profile, which is quite nice!
Check out what's running
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*
LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
LISTEN 0      128    [::1]:631            [::]:*
Port 53 is required for resolved (systemd-resolved), so that's fine. But 631 is a printer discovery service (CUPS)! I don't use printers, so I can safely disable it.
$ systemctl stop cups
Synchronizing state of cups.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable cups
Removed /etc/systemd/system/sockets.target.wants/cups.socket.
Removed /etc/systemd/system/multi-user.target.wants/cups.service.
Removed /etc/systemd/system/multi-user.target.wants/cups.path.
Removed /etc/systemd/system/printer.target.wants/cups.service.
$ systemctl disable cups
$ ss -antpl
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*
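As an added example (not from the post), here is a POSIX shell script that turns the "look at what's listening" step into a repeatable check: it parses ss -antpl output and classifies each listener as loopback-only or exposed to the network. The first sample is the page's own table; the second adds one constructed row (an sshd on 0.0.0.0:22) purely so the exposed case is visible, since the author's box had no such listener.

```shell
#!/bin/sh
# Added example, not from the post: classify the listeners printed by `ss -antpl`.
# Constructed sample: the table shown on this page before cups was disabled.
SS_PAGE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*'

# Same table plus one constructed row (an sshd bound to all interfaces) so the
# exposed case is visible; the author's machine had no such listener.
SS_WITH_EXPOSED="$SS_PAGE
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"

# Print "address port scope" for every LISTEN row. A socket on 127.0.0.0/8 or
# ::1 only accepts local connections; anything else (0.0.0.0, ::, a LAN address)
# is reachable from the network and deserves a firewall rule or a disable.
classify_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        la = $4                                  # Local Address:Port column
        port = la; sub(/.*:/, "", port)          # keep text after the last ":"
        addr = la; sub(/:[^:]*$/, "", addr)      # drop the ":port" suffix
        gsub(/\[|\]/, "", addr)                  # [::1]:631 -> ::1
        sub(/%.*/, "", addr)                     # 127.0.0.53%lo -> 127.0.0.53
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print addr, port, scope
    }'
}

# Ports listening on a non-loopback address, one per line, sorted and deduplicated.
exposed_ports() {
    classify_listeners "$1" | awk '$3 == "exposed" { print $2 }' | sort -un
}

# Stand-alone run (`sh listeners.sh --run`): check the live socket table on this host.
if [ "${1:-}" = "--run" ]; then
    exposed_ports "$(ss -antpl)"
fi
```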
ChatGPT did a decent job at giving me a head start into the basics. Of course the other custom parts I need to deep dive on, like setting up all the agents for integration with Security Onion and whatnot, but ChatGPT wouldn't know about that unless I told it! It made a few mistakes, but nothing detrimental.