Secure configuration for Ubuntu - according to the NCSC anyway

I am considering my obligations to get UK ‘Cyber Essentials’, which includes secure configuration of all servers and workstations. That means, in broad terms, to not install software or services that are not needed (to do your job), change default passwords, secure weaknesses, etc. It’s good to not do stupid things, yes?

The UK National Cyber Security Centre (NCSC) have released a script to secure Ubuntu after initial installation. I wondered what folks here think of it?

https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/ubuntu-lts

The article refers to a GitHub page that hosts a bash script, which you can get to directly here:

https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs/blob/main/Linux/UbuntuLTS/Ubuntu-LTS-post-install.sh

It could be a discussion point for Tom’s weekly live stream, maybe?

1 Like

That script looks alright. There is another project on GitHub about hardening using Ansible or Puppet.

2 Likes

I used this for my shared Ubuntu family ThinkPad laptop. It’s a sensible start for hardening, and the auto-update configuration for installing security patches is great. I also use the Canonical Livepatch service.

Some of the hardening has been backed off a bit, such as the permissions on the temp folder that prevent some third-party things I need, such as the DisplayLink drivers, from installing correctly.