Tim Smith, February 23, 2023, 6 min read

Exploring the Latest Security Features in Ubuntu 22.10


If you're a sysadmin considering updating your desktop deployments or running non-LTS builds on servers, this guide is for you. In this article, we will explore the latest security features in Ubuntu 22.10 (Kinetic Kudu), including upgrades to OpenSSH 9.0, Sudo 1.9.11, Systemd 251, and Kernel 5.19. While this release may not have many new security features, it includes some significant upgrades that make it worth exploring.

(Ubuntu 22.04 Server security features are reviewed here.)

(Ubuntu 23.04 Server security features are reviewed here.)

OpenSSH 9.0

One of the most significant changes in Ubuntu 22.10 is the inclusion of the new OpenSSH 9.0 release. This update introduces several security enhancements, including:

  • Stronger default key exchange method
  • Removal of the legacy SCP protocol
  • More secure execution of sshd

OpenSSH 9.0 uses the new Streamlined NTRU Prime + x25519 key exchange method, making it less vulnerable to future quantum computer attacks. This new key exchange method includes a fallback to the well-tested x25519 default introduced in previous OpenSSH releases. Additionally, the update removes the insecure SCP protocol, which has caused several CVEs over the years. The scp command will now use the newer and more secure SFTP protocol under the hood, maintaining backward compatibility as long as both client and server run OpenSSH 8.7 or later releases.
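The key-exchange change is easy to verify and worth checking wherever a managed sshd_config pins its own KexAlgorithms list, because a list written before 9.0 silently drops the hybrid. The snippet below is an added example, not code from the article or from the OpenSSH project: it checks whether a configuration file (or the body of a KexAlgorithms directive, or the output of `ssh -Q kex`) offers sntrup761x25519-sha512@openssh.com, the hybrid that OpenSSH 9.0 puts first by default. The sshd_config it writes is constructed. One caveat on the scp change: OpenSSH 9.0 still ships the legacy protocol behind `scp -O`, so wrappers or scripts that pass that flag keep the old behaviour.

```shell
#!/bin/sh
# Added example: verify that an OpenSSH configuration still offers the
# post-quantum hybrid key exchange that 9.0 makes the default.
# Not part of the article; the sample config below is constructed.

PQ_KEX="sntrup761x25519-sha512@openssh.com"

# kex_offers_pq LIST
# LIST is a comma- or newline-separated algorithm list, e.g. the body of
# a KexAlgorithms directive or the output of "ssh -Q kex". A leading
# '+' or '^' (append/prepend to the default list) is ignored.
# Returns 0 if the post-quantum hybrid is present, 1 otherwise.
kex_offers_pq() {
  printf '%s\n' "$1" | sed 's/^[+^]//' | tr ',' '\n' | grep -qx "$PQ_KEX"
}

# kex_from_config FILE
# Prints the algorithm list of the last KexAlgorithms directive in an
# sshd_config or ssh_config file. Prints nothing when the directive is
# absent, which means the compiled-in default applies; on OpenSSH 9.0
# that default already leads with the post-quantum hybrid.
kex_from_config() {
  awk 'tolower($1) == "kexalgorithms" { kex = $2 } END { print kex }' "$1"
}

# audit_config FILE
# Returns 0 when FILE offers the hybrid (explicitly or by default) and
# 1 when it pins a KexAlgorithms list that leaves it out.
audit_config() {
  list=$(kex_from_config "$1")
  if [ -z "$list" ]; then
    echo "$1: no KexAlgorithms directive, the 9.0 default applies (offers $PQ_KEX)"
    return 0
  fi
  if kex_offers_pq "$list"; then
    echo "$1: KexAlgorithms offers $PQ_KEX"
    return 0
  fi
  echo "$1: KexAlgorithms pins '$list' without $PQ_KEX" >&2
  return 1
}

# --- demonstration on a constructed sshd_config ---
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
EOF
audit_config "$SAMPLE_CFG" || echo "remediation: KexAlgorithms ^$PQ_KEX"
rm -f "$SAMPLE_CFG"

# On a live host the algorithm actually negotiated shows up in verbose
# client output as "kex: algorithm: <name>":
#   ssh -vv user@host 2>&1 | grep 'kex: algorithm:'
```

The `^` prefix in the remediation line prepends the hybrid to the default list rather than replacing the list, which keeps the x25519 fallback the article mentions for clients that do not support the new method.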

Sudo 1.9.11

Sudo 1.9.11, included in Ubuntu 22.10, has several useful security improvements that help users better control who can use sudo and how authentication behaves. Here are some of the key changes:

  • POSIX regular expressions are now supported in the sudoers file to replace unsafe * matches, which could allow users to execute commands not intended by administrators.
  • Custom sudo prompts can be used when also using the sudo Kerberos module.
  • Commands can be forced to run under AppArmor profiles that further lock down security with a new APPARMOR_PROFILE sudoers configuration option.
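The following is an added example, not from the article or the sudo project, that shows the syntax behind the first and third bullets: a rule that replaces an argument wildcard with an anchored regular expression, a rule that confines the command with APPARMOR_PROFILE, and a small audit function that flags any command spec still relying on `*`. The sudoers lines are constructed, the profile name `restricted-editor` is a placeholder that would have to exist on the host, and `visudo -c -f` is only invoked when visudo is installed.

```shell
#!/bin/sh
# Added example: sudo 1.9.11 regex arguments and APPARMOR_PROFILE, plus an
# audit for wildcard command specs. Constructed rules, not the article's.

SUDOERS=$(mktemp)
cat > "$SUDOERS" <<'EOF'
# Constructed sample sudoers fragment for illustration only.

# Before: a glob in the argument list. '*' also matches spaces, so the
# rule permits more than the single unit name the administrator meant.
deploy ALL = (root) /usr/bin/systemctl restart *

# After: an argument regex (must start with ^ and end with $). Only the
# listed units can be restarted and no extra arguments are accepted.
deploy ALL = (root) /usr/bin/systemctl ^restart (nginx|php8\.1-fpm)\.service$

# Confine the command with an AppArmor profile. "restricted-editor" is a
# placeholder; the profile must be loaded on the host.
editors ALL = (root) APPARMOR_PROFILE=restricted-editor /usr/bin/vim /etc/nginx/nginx.conf
EOF

# audit_sudoers FILE
# Prints every command spec that still relies on a '*' glob, ignoring
# comments, Defaults lines and anchored ^...$ regexes (where '*' is a
# quantifier, not a glob). Returns 1 if any such line exists, else 0.
audit_sudoers() {
  unsafe=$(grep -vE '^[[:space:]]*(#|Defaults)' "$1" \
             | sed 's/\^[^$]*\$//g' \
             | grep '\*') || true
  if [ -n "$unsafe" ]; then
    printf 'wildcard in command spec:\n%s\n' "$unsafe" >&2
    return 1
  fi
  return 0
}

# Syntax check with visudo when available (the file is never installed).
if command -v visudo >/dev/null 2>&1; then
  visudo -c -f "$SUDOERS" || echo "visudo rejected the sample" >&2
fi

# The sample deliberately keeps the "before" rule, so the audit fires.
audit_sudoers "$SUDOERS" || echo "fix the flagged rule(s) before deploying" >&2
rm -f "$SUDOERS"
```

The audit is intentionally crude: it only answers "is a glob still in use here", which is the question to ask once a regex-capable sudo is on every host the sudoers file is shared with, since older sudo versions will not parse the `^...$` form.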

Systemd 251

Systemd, the heart of modern Linux systems, has a large impact on the overall security of hosts. The new release, systemd 251, includes several changes that make services more secure. Here are some of the key changes:

  • Limited filesystem and network access: New systemd unit configuration options allow users to limit the filesystem and network access of services. This is particularly useful in limiting the attack surface if a service is compromised by attackers.
  • Encrypted credentials: Credentials used by services at startup can now be encrypted and stored locally or within TPM2 chips using a systemd-creds command. These credentials are decrypted and made available to the service at startup but no longer need to be stored in configuration files that could be read by users.
  • Safe user data: For users sharing a system with multiple users, systemd-homed has been improved to keep user data safe between sessions. systemd-homed will now repeatedly attempt to unmount the user’s home directory on logout to prevent sensitive data from being accessible to the next user.
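To make the first two bullets concrete, here is an added example (not the article's and not from the systemd project): a constructed unit file that uses the filesystem and network sandboxing directives together with an encrypted credential, plus a small lint that lists which baseline hardening directives a unit is missing. The service name `reportd`, its paths and the credential name `db-password` are placeholders; the `systemd-creds` commands are shown in comments only, since they must run as root on the target host.

```shell
#!/bin/sh
# Added example: a sandboxed systemd 251 unit with an encrypted credential,
# and a lint that reports missing hardening directives. Constructed names.

UNIT_DIR=$(mktemp -d)
UNIT="$UNIT_DIR/reportd.service"
cat > "$UNIT" <<'EOF'
# Constructed unit; reportd, its paths and credential names are placeholders.
[Unit]
Description=Nightly report generator (constructed example)

[Service]
ExecStart=/usr/local/bin/reportd --secret-file ${CREDENTIALS_DIRECTORY}/db-password
DynamicUser=yes
StateDirectory=reportd

# Filesystem: read-only OS, no home directories, private /tmp. Only the
# state directory above is writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# RestrictFileSystems= (added in 251, needs the BPF LSM) limits which
# filesystem types the service may touch at all.
RestrictFileSystems=ext4 tmpfs

# Network: IPv4/IPv6 sockets only, and only to the database subnet.
RestrictAddressFamilies=AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=10.20.0.0/16

# Privilege reduction.
NoNewPrivileges=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service

# Credential encrypted at rest (host key and/or TPM2), decrypted only
# into the service's private credentials directory at start-up.
LoadCredentialEncrypted=db-password:/etc/credstore.encrypted/db-password
EOF

# missing_hardening UNIT_FILE
# Prints each directive from the baseline list that UNIT_FILE lacks.
# Empty output means the baseline is fully present.
missing_hardening() {
  for d in ProtectSystem ProtectHome PrivateTmp NoNewPrivileges \
           RestrictAddressFamilies IPAddressDeny SystemCallFilter \
           LoadCredentialEncrypted; do
    grep -q "^$d=" "$1" || echo "$d"
  done
}

missing=$(missing_hardening "$UNIT")
if [ -z "$missing" ]; then
  echo "reportd.service: hardening baseline present"
else
  printf 'reportd.service is missing:\n%s\n' "$missing"
fi
rm -rf "$UNIT_DIR"

# Creating the credential on the target host (as root; shown, not run):
#   printf '%s' 'database password' \
#     | systemd-creds encrypt --name=db-password --with-key=host+tpm2 - \
#         /etc/credstore.encrypted/db-password
# Inside the running service the plaintext is readable only from
# $CREDENTIALS_DIRECTORY; "systemd-creds cat db-password" prints it there.
# For a fuller picture of what else could be tightened:
#   systemd-analyze security reportd.service
```

The point of `IPAddressDeny=any` followed by an allowlist is that a compromised service cannot open connections to anything but the database subnet, which removes the most common exfiltration path without touching the host firewall.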

Kernel 5.19

Kernel 5.19 includes several small but significant security improvements that landed between the previous release's kernel 5.15 and the 5.19 kernel shipped with Ubuntu 22.10. Here are some of the key changes:

  • Secure virtualization with new CPU support from AMD and Intel, protecting guest VMs from hypervisor-based attacks. AMD’s Secure Nested Paging (SEV-SNP) provides memory integrity protection, and Intel’s Trust Domain Extensions (TDX) provides both memory integrity and encryption.
  • Better random number generation to not only improve cryptography but also increase performance.
  • Indirect Branch Tracking on Intel’s latest CPUs. Indirect Branch Tracking (IBT) is a new Control-Flow Enforcement Technology (CET) method that provides hardware-based protection against jump/call oriented programming (JOP / COP) attacks.
  • Straight-line speculation attack mitigation. Kernel level mitigation against the Spectre variant straight-line speculation CPU attack originally reported by ARM, but present in multiple CPUs.
  • netfilter egress hooks. Classify and potentially reroute traffic egressing your host based on rules to mitigate data exfiltration.
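The egress hook is the one item in that list a sysadmin configures directly. The following is an added example, not from the article or the nftables project: a shell function that emits a netdev-family ruleset attached to the egress hook, accepting traffic to an internal prefix, an allowlist of destination ports and DNS, and counting and logging everything else. The final rule accepts rather than drops, so unexpected outbound connections show up in the kernel log before any enforcement is switched on. The interface name, prefix and port list are placeholders; `nft -c` (parse only) runs only where nft is installed.

```shell
#!/bin/sh
# Added example: an nftables ruleset on the netdev egress hook, available
# in Ubuntu 22.10's kernel 5.19. Not from the article; all values are
# placeholders.

# egress_ruleset IFACE INTERNAL_PREFIX "PORT, PORT, ..."
# Prints a ruleset that classifies outbound packets on IFACE: traffic to
# the internal prefix, to the allowed TCP ports, or to DNS is accepted
# silently; everything else is counted and logged (not dropped) so the
# log can be reviewed before the last rule is tightened to "drop".
egress_ruleset() {
  iface=$1
  internal=$2
  ports=$3
  cat <<EOF
table netdev egress_guard {
  chain out {
    type filter hook egress device $iface priority 0; policy accept;

    # Internal destinations: no logging.
    ip daddr $internal accept

    # Expected outbound services and DNS.
    tcp dport { $ports } accept
    udp dport 53 accept

    # Replies from services this host itself serves will also reach this
    # point; add "tcp sport { <served ports> } accept" for them.

    # Anything else is unexpected egress: count it and log it with a
    # prefix the journal or a SIEM can key on. Change "accept" to "drop"
    # once the log is clean.
    counter log prefix "egress-unexpected " accept
  }
}
EOF
}

# check_ruleset IFACE INTERNAL_PREFIX PORTS
# Parses the generated ruleset with "nft -c" when nft is installed
# (check only, nothing is loaded); otherwise just prints it.
check_ruleset() {
  f=$(mktemp)
  egress_ruleset "$@" > "$f"
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$f" && echo "ruleset parses" || echo "nft -c reported an error" >&2
  else
    cat "$f"
  fi
  rm -f "$f"
}

# Placeholders: adjust the interface, internal prefix and service ports.
check_ruleset eth0 10.0.0.0/8 "22, 443"

# Load for real with "nft -f ruleset.nft"; review hits with:
#   nft list chain netdev egress_guard out
#   journalctl -k -g egress-unexpected
```

Because the netdev egress hook sees packets after routing and just before they hit the device, rules here catch traffic that bypasses the regular `output` chain of the inet/ip families, which is what makes it useful as a last-line exfiltration monitor.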

Upgrading to Ubuntu 22.10 using the do-release-upgrade command

Ideally, we’d always provision new systems when a new operating system ships. But we don’t live in an ideal world. There always seem to be special snowflake servers, and reprovisioning user workstations impacts productivity. When we can’t provision fresh systems, we can always perform an upgrade using Canonical’s do-release-upgrade command:

# fully update and cleanup our existing 22.04 system
sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove

# perform the upgrade
sudo apt-get install update-manager-core
sudo do-release-upgrade
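One detail the commands above skip: on a 22.04 LTS host, do-release-upgrade only offers the next LTS release unless /etc/update-manager/release-upgrades contains `Prompt=normal`, so with the default `Prompt=lts` the upgrade to 22.10 is never found. The following is an added example, not from the article, that flips that setting without relying on a particular `sed -i` dialect and then shows the `-c` check, which only reports whether an upgrade is available. It operates on a constructed copy of the file so it runs anywhere; on the host, run it as root against the real path.

```shell
#!/bin/sh
# Added example: pre-flight for a 22.04 -> 22.10 release upgrade. The
# release-upgrades file below is a constructed copy of the real one.

# release_prompt FILE
# Prints the current Prompt= value (lts, normal or never); last one wins.
release_prompt() {
  sed -n 's/^Prompt=//p' "$1" | tail -n 1
}

# set_release_prompt FILE VALUE
# Rewrites Prompt= in place, appending it if missing. Writes through
# "cat >" so the file keeps its owner and mode instead of being replaced.
set_release_prompt() {
  f=$1
  v=$2
  case "$v" in
    lts|normal|never) ;;
    *) echo "set_release_prompt: invalid value '$v'" >&2; return 2 ;;
  esac
  tmp=$(mktemp)
  if grep -q '^Prompt=' "$f"; then
    sed "s/^Prompt=.*/Prompt=$v/" "$f" > "$tmp"
  else
    cat "$f" > "$tmp"
    printf 'Prompt=%s\n' "$v" >> "$tmp"
  fi
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

# --- demonstration on a constructed copy of the file ---
RU=$(mktemp)
cat > "$RU" <<'EOF'
# Constructed copy of /etc/update-manager/release-upgrades.
[DEFAULT]
#  never  - never check for, or allow upgrading to, a new release
#  normal - check whether any new release is available
#  lts    - check only for a new LTS release
Prompt=lts
EOF

echo "before: Prompt=$(release_prompt "$RU")"
set_release_prompt "$RU" normal
echo "after:  Prompt=$(release_prompt "$RU")"
rm -f "$RU"

# On the host, as root:
#   set_release_prompt /etc/update-manager/release-upgrades normal
#   do-release-upgrade -c     # reports whether 22.10 is offered, changes nothing
# then run the apt-get and do-release-upgrade commands from the article.
```

Switching to `Prompt=normal` also means the upgrader will keep offering every interim release afterwards, so hosts that should stay on the LTS track need the value set back to `lts` once the upgrade is done.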

How to further secure your system with hardening settings and Mondoo's security platform

In addition to the security updates that come with Ubuntu 22.10, there are further steps you can take to secure your system. One such step is applying hardening settings and ensuring that all critical packages are updated. You can use the open source cnspec tool from Mondoo and the Mondoo SaaS platform to scan and report on security best practices, package vulnerabilities, and CIS benchmarks. Mondoo is a hosted security platform that automates manual security processes for DevOps and security practitioners, helping users quickly find known vulnerabilities and misconfigurations.

How to scan your Ubuntu 22.10 system using Mondoo's cnspec

To scan your Ubuntu 22.10 system using Mondoo's cnspec tool, you will first need to install the cnspec package. You can do so by running the following command:

bash -c "$(curl -sSL https://install.mondoo.com/sh/cnspec)"

Once cnspec is installed, you can scan your system for misconfigurations. For instance, you can perform a local scan by running the following command:

cnspec scan

cnspec can scan a range of things, from cloud accounts to Kubernetes clusters, as well as SaaS services such as MS365 or Google Workspace.

When you run a local scan, cnspec will generate a report highlighting the security status of your system. The report includes the list of controls that passed and failed, with their associated scores.

How to perform advanced security scanning with the Mondoo platform and cnspec 

If you authenticate cnspec with the Mondoo Platform, the tool can perform additional checks, such as scanning packages for CVEs and evaluating CIS and BSI compliance policies. Results of the scan are stored on the Mondoo Platform for analysis.

Mondoo platform console scan status

On the Mondoo platform console, you can view a high-level overview of the scan status of each policy and package vulnerability, as well as EOL data. For instance, you can check if the system is vulnerable to any known security threats, and see which packages need to be updated to ensure the best security practices.

Final Thoughts

If you're a sysadmin or security engineer, you know how tough it can be to keep up with all the security updates and patches required to protect your company's assets. But with the Mondoo platform, you can automate many of these tasks and stay on top of your security game. Plus, you'll have access to a community of like-minded professionals who can help you troubleshoot and share tips.

Don't waste any more time struggling with manual updates and outdated security protocols. Sign up for a free community account on Mondoo and see how easy security can be!


Tim Smith

Tim Smith is a Product Manager at Mondoo. He’s been working in web operations and software development roles since 2007, port scanning class As since 1994, and downloaded his first Linux distro on a 14.4 modem. He most recently held positions at Limelight Networks, Cozy Co, and Chef Software.
