New security features in Ubuntu 18.04 LTS

I’ve recently upgraded one of my servers to Ubuntu 18.04 LTS. (I’m a reluctant user of Ubuntu, having previously been a staunch Red Hat and Fedora Core user, disappointed by the lack of long term support in mainstream distros.)

There are some new features in the mix (both security and general functionality). Finding a succinct and complete list of new features is elusive, so here is one in case you are looking for the same:

  • Version 3.28 of the GNOME environment, with the associated improvements
  • XOrg. This is as it was in 16.04 LTS, but in the intervening non-LTS releases a dalliance with Wayland took place that has fortunately been reversed.
  • Minor GUI enhancements
  • Kernel 4.15 which is a considerable enhancement over the previous LTS 16.04 release 4.4 kernel. This was apparently a late-in-the-day decision, and a good one, as it made available security protections not available in 4.14. There are some very interesting features available from this transition, including Ext4 largedir feature, AMD RAM encryption support, KPTI, Meltdown vuln protection, Retpoline et al., AMD storage encryption, default SMB3 dialect, self-encrypting SSD and OPAL support, EFI reset attack protection, 4 Pb of RAM, improved BFQ scheduler, and Kernel live patching.
  • More comprehensive anon data collection, which you’ll probably want to disable.
  • Minimal installation option, allowing you to reduce the number of packages installed at install time. This is a good idea and has the potential to reduce installation overhead.
  • A new add-apt-repository command, which simplifies the addition of new repos to your installation
  • Welcome screen and faster boot speed making optimal use of Plymouth

The distribution-specific enhancements are relatively few compared to the significant capabilities and enhancements introduced in the 4.15 kernel release.

On the distribution front, the minimal installation option, allowing operators to reduce the number of packages installed at install time, is a sensible feature to include. This is a good idea but it’s not the same as some cut-down options in other distributions – it is still a working Ubuntu distro but missing some of the additional bloatware. It has the potential to speed up automated and interactive installs. The new add-apt-repository command, which simplifies the addition of new repos to your installation, is probably the other most significant distribution enhancement.

Most of the advantages of 18.04 LTS, in my mind, come from the newer kernel release.

The strengthened security in SMB is long-overdue (first introduced in Server 2012) and should feed into other applications of the kernel, such as NAS appliances.

SMB3 adds better in-flight encryption, including support for data integrity validation using AES-CMAC (in-progress for Samba). AES-CMAC has the additional benefit of widespread CPU support. Man in the middle detection is also a feature of SMB3.

Features such as RDMA, Multichannel and others should significantly enhance performance for a wide range of applications including VM remote storage.

If you’re using Samba, it helps to review the Samba configuration and put in place minimum protocol requirements to maintain security and performance levels (e.g. SMB2 or higher).

Of course, SMB3 is not Samba! Some features are not available in Samba at the time of writing, but in time we can expect these protocol features to be picked up in later releases of Samba.

Some of the AMD security capabilities look interesting, particularly RAM encryption. Increased RAM support, improved scheduling, KPTI, Meltdown protection, Retpoline et al. are all very good security enhancements (some of which were released in the 16.04 LTS kernel updates).

The most signficant feature is live patching in the kernel, which is a terrific innovation and will considerably enhance security of Linux hosts.

kpatch implements this capability, providing entire functional patching using an atomic approach to prevent system instability.

The downside is this is an ambitious technique, and I’d challenge anyone to look at the design diagrams for this and not feel a slight apprehension about the impact it could have if it did not work correctly!

There is a small risk of system instability or worse if a hot patch fails and some users advocate disabling live patching for precisely this reason, accepting the downtime of a system restart as a risk avoidance measure.

Ubuntu 18 introduces a more comprehensive data collection regime. Depending on your preferences, you might want to disable this. Here is the procedure:

  • Disable apport data collection. See /etc/defaults/apport and flip the boolean value in the file.
    • You can stop the service temporarily using “# service apport stop” and should then permanently disable the service.
  • Disable “popularity contest” reporting of installed packages.
    • Enter “# apt remove popularity-contest”

Some guides recommend removing the apport package entirely (sudo apt-get purge apport). I don’t recommend that, as I could imagine apport being re-installed inadvertently and potentially creating a new defaults file if removed or required. Maybe placing a package hold is the optimal solution here, to guarantee a fixed configuration.