subiquity [REQ] hardened install option choice from start
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
subiquity (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Currently the Ubuntu Server 22.04 installer has it so that when it installs, all of the hardening has to be applied after the initial install.
This means that there's a period during which the server isn't hardened, so for a first server setup it will likely be vulnerable. However, a part of Red Hat RHEL that really is good for a strong security footprint out of the box is being able to apply a security profile from the first step or stage.
The profile affects the installer, to provide information, warnings and errors, depending on how the disk partitioning and account configuration are set up, as well as how the config files are set up and what packages are installed. So once the installer has completed the installation, it will already be hardened.
Drawing inspiration from this, is it possible for the Ubuntu Server installer (subiquity) to gain a feature where, if the user attaches an Ubuntu Pro subscription and selects to install hardened, it will install usg while allowing a selection from the usg profiles available?
The profiles will cause the installer to have the settings and installation from first reboot compliant with the selected profile rules.
So for instance it's required to have /var/log and /var/log/audit on separate partitions with rsyslog for one of the profiles with some profiles. This is something which you can't do after install, or at least not easily.
What I expect to have happen or see is the ability to have a choice of a hardened install for a first server during install out of the box (before the first restart for complete) rather than doing the hardening after the first reboot.
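The partition requirement named in the report (/var/log and /var/log/audit on separate partitions) can be verified on an installed system from its mount table. The following is an added example, not part of the original report and not subiquity or usg code; the sample mount tables are constructed, and reading "separate partition" as "its own mount point on a distinct device" is an assumption.

```python
import os

REQUIRED = ("/var/log", "/var/log/audit")  # paths named in the report

# Constructed samples in /proc/self/mounts format: device mountpoint fstype opts dump pass
SAMPLE_FLAT = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""
SAMPLE_SPLIT = """\
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-log /var/log ext4 rw,nodev,nosuid,noexec 0 0
/dev/mapper/vg0-audit /var/log/audit ext4 rw,nodev,nosuid,noexec 0 0
"""

def parse_mounts(text):
    """Return {mountpoint: device}; a later entry for the same mount point wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            # /proc/mounts escapes spaces in paths as \040
            table[fields[1].replace("\\040", " ")] = fields[0]
    return table

def backing_mount(path, table):
    """Longest mount point that is the path itself or one of its parents."""
    path = os.path.normpath(path)
    while path not in table:
        if path == "/":
            return None
        path = os.path.dirname(path)
    return path

def check_layout(text, required=REQUIRED):
    """Map each required path to None when compliant, else to a reason string."""
    table = parse_mounts(text)
    findings, used = {}, {}
    for path in required:
        mount = backing_mount(path, table)
        device = table.get(mount)
        if mount != path:
            findings[path] = f"not a mount point (stored on {mount})"
        elif device in used:
            findings[path] = f"same device as {used[device]}"
        else:
            findings[path] = None
            used[device] = path
    return findings
```

Calling `check_layout(open("/proc/self/mounts").read())` runs the same check against a live system.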
description: updated
summary: - subquity hardened install option choice from start
+ subquity [REQ] hardened install option choice from start