New Security Features in Ubuntu 22.04 Server

Canonical recently released their latest long-term support (LTS) version of Ubuntu with Ubuntu 22.04 codenamed Jammy Jellyfish. Ubuntu ships an LTS release every two years in April and supports them for a full five years (instead of the usual 18-month support cycles). This extended support cycle makes LTS releases ideal for servers. What exactly is new in Ubuntu 22.04, though? There are plenty of articles showing the latest logos, desktop backgrounds, and display drivers, but nothing that really informs sysadmins.

At Mondoo, we’re working to bring security to DevOps teams so that everyone can be part of building and maintaining secure systems. Part of security is understanding the impact new technologies have on safeguarding your infrastructure. To help, we’re going to dive deep into some of the great new security features you’ll find when upgrading your systems from Ubuntu 20.04 to 22.04. We’ll also show how you can quickly and easily scan your new system with Mondoo to identify even more opportunities to secure your infrastructure.

New Security Features

Sudo 1.9

It’s only appropriate to start with every sysadmin’s favorite command: sudo! sudo has received many new enhancements to improve your infrastructure security. Perhaps the best new feature for clumsy sysadmins like me is improved configuration parsing and error handling. A simple typo in your sudo configs will no longer result in sudo breaking completely. Instead, sudo will skip over faulty config lines, leaving you with a working system.

There have also been several great logging improvements in sudo 1.9. sudo’s default logging system can now output data in JSON format for easier parsing with popular log parsing tools. There’s also an entirely new logging daemon, sudo_logsrvd, that provides secure, centralized logging specifically for sudo. Systems securely communicate with the daemon using TLS, and you can even use the sudoreplay CLI tool to view a real-time recreation of each command typed in the sudo session.

If you’d like to extend sudo, there’s now support for writing plugins in Python 4 instead of just C. There are also two new types of plugins: audit and approval plugins. This makes it easier to write custom audit/approval workflow processes that match your business needs, tied directly into the sudo CLI.

OpenSSH 8.9

Like sudo, OpenSSH is one of those technologies sysadmins live by, and it’s received some very big security updates with OpenSSH 8.9 in Ubuntu 22.04. First off, there have been several updates to the out-of-the-box algorithms. RSA signatures using the insecure SHA-1 hash are now disabled by default, and a new hybrid Streamlined NTRU Prime + x25519 key exchange method has been added. This new standard, designed to protect against future quantum computing key attacks, will become the default key exchange method in OpenSSH 9.0. OpenSSH will now also prefer ED25519 host signatures over the traditional ECDSA signatures.

OpenSSH 8.9 also starts the process of removing the legacy SCP protocol. Don’t worry, though: you’ll still be able to SCP files between hosts. But instead of SCP, the command will utilize the SFTP protocol. You can opt into SFTP-based SCP transfers with a new scp -s flag for now, but OpenSSH 9.0 removes support for the legacy SCP protocol entirely.

Host key checking and updating have both seen significant new changes as well. The often frustrating CheckHostIP configuration is now disabled by default since it didn’t provide enough protection and made key rotation difficult. The UpdateHostkeys configuration option is now enabled by default, allowing sshd to provide additional trusted keys to clients after authentication. This automates one of the trickier parts of key management and hopefully paves the way for seamless key rotation in the future.

Last but not least, multi-factor authentication in OpenSSH took a giant leap forward with much-improved FIDO support. OpenSSH now supports FIDO devices with a pin and supports the web-based FIDO standard as well. To further protect resident keys OpenSSH also implements FIDO 2.1’s credProtect extension.

Bash 5.1

It might seem silly to include bash in a list of security updates, but bash 5.1 includes a great new feature for scripters concerned about security. A new SRANDOM environment variable provides secure random numbers from the system’s entropy engine instead of the existing RANDOM variable, which wasn’t so random after all.

OpenSSL 3

Ubuntu 22.04 is one of the first major Linux distributions to ship with the new OpenSSL 3 release. This release has been in development for the last three years and includes large-scale changes to the project structure that should make it easier to maintain and interface with.

One of the most exciting features in OpenSSL 3 is the built-in validated FIPS 140-2 module. The previous FIPS implementation was not built directly into the OpenSSL codebase and only worked with the now EOL OpenSSL 1.0.2. Ubuntu previously offered a custom implementation built on OpenSSL 1.1.1, requiring costly Ubuntu Advantage (UA) subscriptions.

OpenSSL 3 also uses the Linux kernel’s cryptographic APIs for some of its TLS operations. This results in improved performance and allows the use of hardware accelerator cards. This could be potentially interesting in the future to offload TLS work from web servers or load balancers.

Lastly, it wouldn’t be a new OpenSSL release without a large number of new supported algorithms:

  • KDF algorithms SINGLE STEP and SSH 
  • MAC algorithms GMAC and KMAC 
  • KEM algorithm RSASVE and Cipher Algorithm AES-SIV 
  • New schema support for PKCS#7 and PKCS#12
  • New PKCS signature verification algorithm support

LUKS2 Disk Encryption Support

Ubuntu 22.04 extends the previous Linux Unified Key Setup-on-disk-format (LUKS) support to include the new LUKS2 standard. LUKS allows users to encrypt an entire disk at the block level, protecting data if drives or entire systems are stolen. LUKS2 includes many important updates to the format, such as:

  • An increase in the number of decryption keys that can be stored from 8 to 32
  • An improved encryption method that is more difficult to crack
  • New external token plugins capability so vendors can write authentication plugins for volume decryption
  • Online disk LUKS to LUKS2 migration support

Nftables replaces iptables

This change may come as a shock to some sysadmins, but Ubuntu 22.04 replaces the venerable iptables with nftables as the default system firewall. Iptables was introduced back in 1998 and modernized how firewalls worked on Linux systems, but it’s time again for a leap forward. The nftables subsystem in the Linux kernel was introduced in Linux Kernel 3.13 way back in 2014 and has matured and stabilized since then. This new framework greatly improves performance on today’s high-speed interconnects and removes the need for separate firewall software stacks for ARP, IPv4, and IPV6. If you have existing iptables rules, you’ll want to read the nftpables wiki page Moving from iptables to nftables.

Linux Kernel 5.15

One of the most significant changes between Ubuntu 20.04 and 22.04 is Linux kernel 5.15, with hundreds of thousands of commits taking place over the last two years. Below are some of the largest and potentially impactful security changes between kernel 5.5 and 5.15. Keep in mind that Ubuntu allows you to update to newer non-LTS kernels. Many cloud vendors update their images with the later kernels as well. It’s possible that your Ubuntu 20.04 system is already running the 5.15 kernel if you’ve built or rebooted it recently.

CPU-Specific Changes

  • Support for Intel’s Software Guard Extensions (SGX) system allows applications to write data to secure enclaves that are hardware protected. This is ideal for storing sensitive data such as encryption or authorization keys. See the Intel SGX page for more information.
  • Improvements for use with AMD’s Secure Encryption Virtualization (SEV) system support encrypting virtualized guest registers so they cannot be read by the host (or other guests). See the AMD SEV Page for more information.

Memory Access

  • Support for randomizing the stack address offset in each syscall. See the Phoronix article for more information on enabling this feature.
  • New Kernel Concurrency Sanitizer (KCSAN) for detecting data races using compile-time memory access instrumentation supported in both GCC and Clang. See the kernel.org documentation for more details.

Process Isolation

  • New Landlock Linux Security Module allows process sandboxing by allowing processes to self-impose additional restrictions on top of those set at the system level. See the Landlock Linux Kernel Documentation for more information.

Filesystems

  • Google’s fscrypt project for hardware-accelerated full disk encryption on f2fs and ext4 filesystems was merged
  • The CIFS filesystem module no longer supports the weak LANMAN and NTLM protocols used by SMBv1.
  • NTFS support is now built-in, eliminating the need for 3rd party user-space NTFS drivers

SELinux

  • Improved SELinux performance with context caching
  • A new data structure cuts in half the policy disk space

Samba 4.15

While Samba is not an out-of-the box component on Ubuntu systems, it’s commonly used in organizations and has received a large number of security enhancements worth mentioning. Perhaps the most impactful change for some users is the removal of these insecure legacy protocols and algorithms:

  • NT4 style domain controllers support
  • SMBv1 and related legacy protocols
  • DES encryption keys in Kerberos
  • HEIM_WEAK_CRYPTO support
  • Legacy Apple Filing Protocol (AFP) compatibility via vfs_netatalk module

Samba also removed legacy encryption and compression code from their codebase and instead now uses zlib and GnuTLS. This removed insecure compression and encryption code and greatly sped up SMB3 file transfers.

Those using Samba for more than just filesharing will be happy to see some improvements to account and client management. The net CLI includes a new net offlinejoin subcommand, allowing admins to pre-join systems before they can connect to domain controllers. The support for Group Policy on Ubuntu hosts has also been enhanced to allow setting sudoers and cron configurations with Group Policy.

Upgrading Systems

Ideally, we’d always provision new systems when a new operating system ships. But we don’t live in an ideal world. There always seem to be special snowflake servers, and reprovisioning user workstations impacts productivity. When we can’t provision fresh systems, we can always perform an upgrade using Canonical’s do-release-upgrade command:

# fully update and cleanup our existing 20.04 system
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoremove

# perform the upgrade
sudo apt-get install update-manager-core
sudo do-release-upgrade

Securing Our Newly Updated Systems

Now that our system is running Ubuntu 22.04, we have all the security updates listed above. But that’s not all we can do. We can further secure our newly updated system by applying hardening settings. For that, we’ll use the Mondoo Platform to scan and report on security best practices. This includes baseline Linux security reports, CIS benchmarks, and package CVE detection. Mondoo is a hosted security platform for DevOps and Security practitioners. We help users quickly find known vulnerabilities and misconfigurations and automate manual security processes.

Get Started with Mondoo

Let’s start by heading to console.mondoo.com where we can sign in to Mondoo using a Google, GitHub, or Microsoft account.

login

Once we log in, we’ll name our organization in Mondoo and create our very first space. The organization manages users and their access to assets such as servers, cloud accounts, or Kubernetes clusters. We’ll use spaces to organize these assets and apply access controls. Once we’ve created the space, we’ll have a choice of how to set up our first system:

vast_emptiness

For our Ubuntu system we select “Try it locally.” This gives us a small code block to set up Mondoo. Running this script on our host sets up the Mondoo Apt repository, installs the Mondoo package, and registers our system in the Mondoo Platform.

install-1

Scan with Mondoo

With Mondoo installed, we can now scan our system with the default Mondoo baseline security policy by running mondoo scan. This command gives us scan result output directly in our shell and includes a link back to the Mondoo platform for more detailed results.

cli_scan-1

Following the link to the Mondoo Platform gives us an overview of each policy applied to our system by default. This includes:

  • A platform vulnerability policy, which looks for CVEs in outdated packages
  • An end-of-life policy, with plenty of time left since we’re on Ubuntu 22.04 now
  • A Linux Security Baseline, which includes best practices for security on Linux

asset-1

Overall our system has an A score, but our baseline security could use a bit of work. Clicking on that policy gives us a view of each query that Mondoo ran. We can now see where we can improve.

linux_baseline-1

From here we can dig into each of the failures and see what it would take to remediate these problems. A great example is the “Ensure AIDE is installed” query. This makes sure the Advanced Intrusion Detection Environment (AIDE) package is installed. The query includes a description of the benefits of the AIDE package and instructions for installing it on multiple platforms. We can install this package, run mondoo scan again, and refresh for an updated score.

query-1

Overall, It looks like we have our work cut out for us on securing this newly updated host. Thankfully, we can tackle these policy failures one issue at a time and track our progress with continuous security scanning using Mondoo.

New call-to-action