Your opinion about Ubuntu 24.04 security

lynx

Hello,
I always liked to read this community's opinion about desktop OS security. I was wondering what do you think about the new security features in Ubuntu 24.04, if it is worth a switch from a hardened Windows 11 Secured-core PC.
https://mondoo.com/blog/exploring-the-latest-security-features-in-ubuntu-24-04
https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
Regards

FiscalPixel

lynx

Not sure about Ubuntu but the new fedora release looks solid, plus the silverblue version (alternative to fedora workstation) is an immutable version meaning its harder to tweak or infiltrate to modify any system files, further than that you can morph fedora silverblue into secureblue (kinoite) which is quite similar to grapheneos imo, it has hardened memory allocation, hardened chromium browser etc and is hardened out of the box. I'm no expert but I'm a security enthusiast, this is just the info that I know, probably loads people more knowledgeable than me on this forum.

Fedora is apparently more secure than Ubuntu out of the box as selinux is preinstalled and enabled, I'm sure with proper hardening and learning how to implement Linux's firewall you can make Ubuntu very secure, more secure and private than Windows for sure.

Viewpoint0232

FiscalPixel Fedora is apparently more secure than Ubuntu out of the box as selinux is preinstalled and enabled

Ubuntu has AppArmor instead (also used by Debian and OpenSUSE)

FiscalPixel

Viewpoint0232

https://www.reddit.com/r/linuxadmin/comments/12ara3h/selinux_vs_apparmor_go/

Looks like the verdict is SELinux being more secure but more complex thus hard to fully utilize for many people

.. but for sure apparmor is also good s*

Ammako

My opinion? Desktop is a lost cause in terms of security, especially Linux (and especially Ubuntu), and there's nothing Canonical could do to change that.

FiscalPixel

Ammako

I'm in agreement that its very vulnerable, but what makes you say especially Linux?

I'm curious and concerned because at the end of the day I'll need a PC for web development but obviously I am security conscious and web design on a pixel is hard

Scott

Ammako My opinion? Desktop is a lost cause in terms of security, especially Linux (and especially Ubuntu), and there's nothing Canonical could do to change that.

I am switching from macOS to Fedora Silverblue because of privacy.
This the wrong decision? I read many postings in GOS Forum that say something like this

wuseman

Scott
Of course it's not the wrong decision. Hardened Chromium is the most hardened browser you're gonna get without throwing up a VM.

DeletedUser95

Scott

It depends on your priorities to be honest.

In case of desktop Operating Systems unlike GrapheneOS they always seem to have a very big tradeoff somewhere.

For me I'm gonna chose likely a Ubuntu or Debian based Distro and make security improvements the best I can on those as best I can (advice from anyone is welcome as long as it's not unnecessarily complex in the technical sense. Recommendations are also very welcome.) cause silverblue broke a lot of things for me with me having no clue on why. Attempting to figure out why was rather frustrating I was considering fedora kinoite but I fear for my specific use cases it seems to not be very ideal either.

My threat model btw is not very high but despite that I do try to make security improvements wherever and whenever possible as long as they aren't extremely inconvenient or extremely complex to set up.

I also have considered using windows but I feel like that defeats the purpose of what I'm trying to achieve. Which is something that is at least somewhat simple and convenient to use that respects my privacy while also hoping to have good or at least decent security practices I can take.

Speeduser7533

@Ammako can you elaborate on why you say Ubuntu is insecure? I'm not arguing I'm genuinely curious.

I switched from Windows to Ubuntu years ago and I've always considered it (as a *nix variant) much more secure than Windows patch upon patch architecture but maybe I'm wrong.

Ammako

Speeduser7533 can you elaborate on why you say Ubuntu is insecure? I'm not arguing I'm genuinely curious.

I don't remember why I said especially Ubuntu, that was months ago. but Linux as a whole just doesn't have the level of exploit mitigations that both Windows and macOS have. ChromeOS is pretty good in terms of security too, due to how locked-down it is, but it's not as useable for a lot of desktop needs, and you have to worry about Google of course.

Both Windows and macOS are pretty serious about security, and Windows has a bunch of exploit mitigations you can enable in 10/11, but Windows has a problem where secure hardware just doesn't exist. So things like proper verified boot isn't happening for Windows, while Apple makes their own hardware that is much more secure and can at least provide proper verified boot. With Linux you can forget about verified boot too, and it doesn't have any of the exploit mitigations that Windows (and perhaps macOS) have.

See, Windows is backed by a multi-trillion dollar company, whose software is relied upon by millions of businesses, some more important than others (governments/defense contractors anybody?) Security is critical for a lot of businesses, and Microsoft has the resources to focus on that. But they don't make hardware, they just make the software.

Apple also happens to be a multi-trillion dollar company, except they also make their own hardware. They don't have the millions of business customers that Microsoft has, but they have the resources.

What does Linux have? Red Hat is valued at less than 1% what Apple and Microsoft are, and forget about Canonical. They don't own Linux either, all they can do is offer contributions to the kernel and sell support for their own flavor of Linux. Not every contribution is going to be accepted (Linus infamously thinks that usability is far more important than security, for example), and even if they did have complete control over kernel development, they just don't have the resources that Microsoft and Apple do to focus so much on hardening and exploit protections.

Secureblue is cool, but it means nothing if the hardware it's running on is insecure. And Canonical, lol, Canonical. They don't do much beyond selling customer support and licensing their OS to hardware manufacturers, and snaps are a complete joke. Ubuntu does get some credit for using Wayland by default, but Wayland alone isn't going to fix desktop security.

I hesitate to link this article because it's nearly 3 years old now, some of the problems mentioned might not be applicable anymore, but you can follow sources and look up more recent information on anything you might not be sure about.

You don't have to take my word for it though. GrapheneOS wants to move away from the Linux kernel eventually, and there is a reason for that. But GrapheneOS has even less resources than Canonical, it may take a very long time before a replacement comes. At least GrapheneOS has the advantage that Google themselves are very serious about security, and they are providing a very good base with AOSP and Pixel devices, for Graphene to further harden. I can't imagine that Google would do the work to move Android away from Linux, but they put a lot of resources into making secure hardware and software, and Graphene greatly benefits from it. There could be no GrapheneOS without Google.

Scott

wuseman Hardened Chromium is the most hardened browser you're gonna get without throwing up a VM.

please link to "Hardened Chromium". With Brave Seach I can only find an archived GitHub repo.

Update: this one? https://github.com/secureblue/hardened-chromium (only 66 stars on GitHub :-( )

horde

Scott yes

cloudcoroner

Scott

For Ubuntu users, Cromite on Ubuntu works well. I Published one of my private tools to install Cromite and keep it updated.

https://github.com/cloudcoroner/cromite_ubuntu

Edit: I use Cromite on GrapheneOS along side Vanadium. I have Cromite setup with specific settings so that it can be my default throw-away browser. Always private, never keeps anything. Vanadium is my browser of choice for trusted sites, banking apps and PWAs. Whick led me to use Cromite on Ubuntu.

re: Is Ubuntu secure? I am a long-time Ubuntu user. Any desktop, even Linux has an increased attack surface. One could argue Ubuntu Desktop's attack surface is larger than some other Linux Desktop variants because it is widely compatible with many enterprise tools and software clients. Compared to other Linux distro's, Ubuntu desktop is most likely to work out of the box with your corporate vpn and security clients, like Tanium, Crowdstrike, Palo Alto Global Protect, etc. and almost any web site using the bundled Firefox. That ease of use has a trade-off.

Fedora, Arch and some others are more secure out of the box. Ubuntu Desktop, with a few config changes, achieves a solid posture with more compatibility. On any *nix desktop, I still recommend a VPN client, enabling the default firewall and running DOH. I run Windscribe on both my GrapheneOS devices and my Ubuntu desktop. Privacy debate aside, a VPN adds a nice graphical way of configuring routing, split tunneling, DNS, and other options.

(BTW, long time listener, first time caller! Been on GrapheneOS for coming up on 4 years now.)

missing-root

Not good. Sudo user required to use the graphical updater

If you want a private linux distro, use Fedora Atomic Desktops, possibly Secureblue

Open_Source_Enjoyer

Ammako Secureblue is cool, but it means nothing if the hardware it's running on is insecure.

What dou yu mean with insecure hardware? If the hardware is tampered with in the fabric or if someone has physical access? In which scenarious is this important?

Open_Source_Enjoyer

Ammako I hesitate to link this article because it's nearly 3 years old now, some of the problems mentioned might not be applicable anymore, but you can follow sources and look up more recent information on anything you might not be sure about.

This article brings some good points and i will read it fully later, but they also present things like big problems even if there are easy to solve.
For example that they are critisising Flatpacks for giving home folder permission per default or giving X11 access, but they are not say that you can easy disable all this before the first start of a application and that the Flathub store warns you about any critical permission an app has per default before you even install it. Of course it would be better do not give such permissions per default, but this is not a fundamental problem. To fix this, its only need someone to program a Flatseal fork that automaticaly removes any critical permission from an installed app, and this would be solved.

de0u

Ammako Windows is backed by a multi-trillion dollar company, whose software is relied upon by millions of businesses, some more important than others (governments/defense contractors anybody?) Security is critical for a lot of businesses, and Microsoft has the resources to focus on that.

How those resources are deployed matters a lot. Some examples:

I recommend reading those articles for evidence of the security culture in effect inside Microsoft at those times. To their credit, Microsoft responded to the Outlook breach by declaring a company-wide increased focus on security. But that shift supports the notion that there had been significant issues with security culture.

DeletedUser64

Ubuntu, my gut reaction is, no thanks, not any more.
Last used on a Dell mini 9, when I jumped from Windows 2000 to a free Ubuntu CD from a computer magazine.

I use a Linux independent distribution hosting a VM with Whonix (live user).