Better kernel security for Ubuntu

Although Ubuntu ships with AppArmor, I prefer the kernel-level hardening of grsecurity. Grsecurity is set-and-forget once it is running, but installing it is surprisingly difficult. Fortunately, Zbyszek Zolkiewski has compiled a binary package that can be installed with a single command. Sweet!

Downgrade Ubuntu to a Base System
If you want to downgrade Ubuntu to a lean, minimalistic base system, run the following command as root:

# Must run as root; the && chain stops at the first step that fails.
# dropbear flags: -w disallows root logins, -s disables password logins, -g disables password logins for root.
# The PATH line is written to /etc/profile.d/path.sh (filename chosen here; profile.d sources any *.sh file).
[ $(id -u) = 0 ] && \
apt-get -qq -y remove cron && \
apt-get -qq -y install cron && \
(dpkg --get-selections | grep -v deinstall | cut -f1) > /var/local/full_system && \
(dpkg-query -Wf '${Package;-40}${Priority}\n' | awk '$2 ~ /required|important/ { print $1 }') > /var/local/base_system && \
apt-get -qq -y install debconf-utils && \
(debconf-get-selections | grep grub-pc) > ~/grubpc.debconf && \
export SUDO_FORCE_REMOVE=yes && \
export DEBIAN_FRONTEND=noninteractive && \
apt-get -qq -y purge $(dpkg-query -Wf '${Package;-40}${Priority}\n' | awk '$2 ~ /optional|extra|standard/ { print $1 }') && \
rm -r /var/cache/apt /var/lib/apt/lists && \
apt-get -qq update && \
apt-get -qq -y upgrade && \
debconf-set-selections < ~/grubpc.debconf && \
apt-get -qq -y install linux-image-$(uname -r) sudo upstart && \
apt-get -qq -y install dropbear && sed -i 's/^DROPBEAR_EXTRA_ARGS=.*/DROPBEAR_EXTRA_ARGS="-w -s -g"/' /etc/default/dropbear && service dropbear restart && \
apt-get clean && \
grep ^PATH /etc/environment > /etc/profile.d/path.sh && \
shutdown -r now

This purges every package whose priority is standard, optional or extra, leaving only the required and important packages (and their dependencies), then reinstalls the running kernel, sudo, upstart and dropbear (for SSH access, with root and password logins disabled). The result is a lean Ubuntu that is half the size of the stock OS image! Because the purge removes openssh-server before dropbear is installed, run the command from a console or a detached session rather than a plain SSH login.

Note: the temporary cron re-install in my command is due to a bug with some AWS Ubuntu AMIs.
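Before running the destructive command above, it helps to preview what the priority-based purge would remove. The following dry-run helper is an added example, not part of the original post: it applies the same awk classification to dpkg-query output (a constructed sample is embedded; on a live system pipe the real dpkg-query output in) and flags the case where openssh-server is in the purge set.

```sh
#!/bin/sh
# Added example, not from the original post: a dry-run helper that applies the
# same dpkg-priority classification as the purge command above, so the set of
# packages it would remove can be reviewed before anything destructive runs.
# Input on stdin is in the format of:
#   dpkg-query -Wf '${Package;-40}${Priority}\n'

# Constructed sample in that format; stands in for a real system's package list.
sample_pkgs() {
  cat <<'EOF'
base-files                              required
apt                                     important
libc6                                   required
cron                                    important
sudo                                    optional
openssh-server                          optional
less                                    standard
ubuntu-minimal                          extra
EOF
}

# What the command keeps: priority required or important (plus their dependencies).
keep_list() { awk '$2 ~ /required|important/ { print $1 }'; }

# What the command purges: priority standard, optional or extra.
purge_list() { awk '$2 ~ /optional|extra|standard/ { print $1 }'; }

# Returns 0 when the purge set contains openssh-server: the SSH session driving
# the command would lose its server before dropbear is installed, so run it from
# a console or a detached session (screen/tmux) instead.
ssh_at_risk() { purge_list | grep -qx openssh-server; }

# Number of packages in the purge set, for a quick sanity check.
purge_count() { purge_list | grep -c .; }

# Human-readable preview of the purge set.
preview_purge() {
  input=$(cat)
  printf '%s\n' "$input" | purge_list
  printf 'would purge %s packages\n' "$(printf '%s\n' "$input" | purge_count)"
}

# Demo on the constructed sample; on a live system pipe dpkg-query output instead.
sample_pkgs | preview_purge
```

On a real host, run `dpkg-query -Wf '${Package;-40}${Priority}\n' | preview_purge`, and `apt-get -s purge ...` (apt's own simulate mode) shows the full dependency-resolved removal list without changing anything.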

To list the current packages, run:

dpkg-query -Wf '${Package;-40}${Priority}\n' | sort -b -k2,2 -k1,1

To find which package provides a missing file or command, search the Ubuntu Package Search page; the first result is usually the one you want.

To re-install the full or base system from the package lists saved by the command above, run the applicable command as root:

apt-get install $(cat /var/local/full_system)
apt-get install $(cat /var/local/base_system)

P.S. If you need an SFTP server, use gesftpserver (far lighter than OpenSSH's SFTP server).