mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-22 04:41:33 -05:00
Mention Ubuntu Pro (#149)
Update Desktop Linux Hardening.md Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
b58a5decf8
commit
8131129099
@ -176,6 +176,22 @@ Another option is [Kata Containers](https://katacontainers.io/) which masquerade
|
|||||||
|
|
||||||
![opensuse-computer.jpg](/images/opensuse-computer.jpg)
|
![opensuse-computer.jpg](/images/opensuse-computer.jpg)
|
||||||
|
|
||||||
|
### Ubuntu Pro
|
||||||
|
|
||||||
|
If you are using Ubuntu LTS, consider subscribing to [Ubuntu Pro](https://ubuntu.com/pro). Canonical currently allows up to 5 machines with the free subscription.
|
||||||
|
|
||||||
|
With Ubuntu Pro, you gain access to the [The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg)), which allows for easy application of the CIS OpenSCAP profile:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo ua enable usg
|
||||||
|
sudo apt install -y usg
|
||||||
|
sudo usg fix cis_level2_workstation
|
||||||
|
```
|
||||||
|
|
||||||
|
You will also gain access to the [Canonical Livepatch Service](https://ubuntu.com/security/livepatch), which provides livepatching for [certain kernel variants](https://ubuntu.com/security/livepatch/docs/livepatch/reference/kernels). Note that the [Hardware Enablement (HWE)](https://ubuntu.com/kernel/lifecycle) kernel is not supported.
|
||||||
|
|
||||||
|
While livepatching is less than ideal and we still recommend regularly rebooting your computer, it is quite nice to have.
|
||||||
|
|
||||||
### Umask 077
|
### Umask 077
|
||||||
|
|
||||||
On distributions besides openSUSE, consider changing the default [umask](https://wiki.archlinux.org/title/Umask) for both root and regular users to `077` (symbolically, `u=rwx,g=,o=`). _On openSUSE, a umask of 077 can break snapper and is thus not recommended._
|
On distributions besides openSUSE, consider changing the default [umask](https://wiki.archlinux.org/title/Umask) for both root and regular users to `077` (symbolically, `u=rwx,g=,o=`). _On openSUSE, a umask of 077 can break snapper and is thus not recommended._
|
||||||
|
Loading…
Reference in New Issue
Block a user