Enabling Ransomware Protection on Ubuntu 22.04 and Later

To configure Ransomware Protection on Ubuntu 22.04 and later, follow the steps outlined below. Ubuntu ships with AppArmor as its mandatory access control system, but the Linux MediaAgent's ransomware protection relies on SELinux, so the procedure disables AppArmor, installs and activates SELinux, collects and installs the policy module the MediaAgent needs while SELinux is still permissive, and then switches SELinux to enforcing mode. The result is a host on which SELinux policy, not just file permissions, blocks unauthorized modification of protected backup data.

Before You Begin

  • Ensure your system is running Ubuntu 22.04 or later.

  • Ensure you have sudo or root privileges.

Procedure

  1. Ubuntu 22.04 and later use AppArmor by default. To verify whether it is running, execute:

    systemctl status apparmor
    
  2. If AppArmor is active:

    1. Stop the AppArmor service:

      sudo systemctl stop apparmor
      
    2. Disable AppArmor to prevent it from starting at boot:

      sudo systemctl disable apparmor
      
  3. Install the required SELinux components:

    sudo apt install policycoreutils selinux-basics selinux-utils -y
    
  4. Activate SELinux. This writes the SELinux mode to /etc/selinux/config, adds the SELinux kernel parameters to the GRUB configuration, and schedules a filesystem relabel for the next boot:

    sudo selinux-activate
    
  5. Verify activation of SELinux:

    getenforce
    

    The output is Disabled at this point. This is expected: selinux-activate has written the configuration, but the running kernel was not booted with SELinux. The reported mode changes only after the reboot in step 7.

  6. Set SELinux to Permissive Mode

    1. Open the SELinux configuration file:

      sudo nano /etc/selinux/config
      
    2. Check the SELINUX= line. selinux-activate normally sets it to permissive already; if it still reads:

      SELINUX=disabled

      change it to:

      SELINUX=permissive

    3. Save the file and exit.

  7. Reboot the host:

    sudo reboot
    

    Note

    The first reboot after enabling SELinux relabels the whole filesystem, because selinux-activate creates the /.autorelabel flag file. Relabeling can take some time and is followed by a second automatic reboot on some systems. Do not interrupt it.

  8. After rebooting, confirm that SELinux is running in permissive mode:

    1. Execute the following command. The output should be Permissive, not Disabled:

      getenforce

    2. Confirm that the configuration file agrees:

      cat /etc/selinux/config
      
    3. Ensure the line reads the following:

      SELINUX=permissive
      
  9. Verify that auditd is running, because the next step reads SELinux denials from the audit log. If it is not installed, install it and start it now and at every boot:

    systemctl status auditd
    
    sudo apt install auditd -y
    
    sudo systemctl enable --now auditd
    
  10. Analyze the recorded denials and generate a policy module. Run the MediaAgent workload (backups, restores, and any maintenance jobs) in permissive mode long enough for every operation it needs to be exercised, so that the audit log contains each denial the policy must allow.

    1. Collect the AVC denials and turn them into a policy module (the audit log is readable only by root):

      sudo ausearch -m AVC | audit2allow -M mypolicy
      
    2. Review the generated source, mypolicy.te, before installing it. audit2allow writes an allow rule for every denial it saw, including denials caused by unrelated processes, so remove any rule that does not belong to the MediaAgent.

    3. Install the generated policy:

      sudo semodule -i mypolicy.pp
      
  11. Set SELinux to Enforcing mode

    1. Open the SELinux configuration file:

      sudo nano /etc/selinux/config
      
    2. Change:

      SELINUX=permissive to:

      SELINUX=enforcing

    3. Save and exit (Press CTRL+X, then Y, and then ENTER).

  12. Reboot to apply enforcing mode:

    sudo reboot
    

    A full filesystem relabel runs only if the /.autorelabel flag file is present. It was normally consumed by the first reboot, so this reboot is usually no slower than normal; if the file does exist, allow the relabel to finish.

  13. After rebooting, confirm the SELinux mode is enforcing:

    1. Execute the following command:

      getenforce
      
    2. Ensure the output is:

      Enforcing

    3. You can also verify via the configuration file:

      cat /etc/selinux/config

  14. Enable ransomware protection for the Linux MediaAgent. For instructions, see Configuring Ransomware Protection for a Linux MediaAgent.

  15. Once SELinux is enforcing, set the two booleans the MediaAgent requires. The -P flag makes them persistent across reboots:

    sudo setsebool -P ssh_sysadm_login 1
    
    sudo setsebool -P allow_execstack 1

    ssh_sysadm_login allows SSH logins to map to the sysadm_r role; allow_execstack permits executable stacks system-wide, which weakens SELinux's execmem restrictions, so do not set it on hosts that do not need it. Confirm that both booleans report on with getsebool before handing the host back.
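The script below is an added example for checking the state this procedure leaves behind; it is not Commvault's code and is not part of the product. It parses /etc/selinux/config the same way steps 8 and 13 do, reports whether the mode getenforce prints matches the file (the "Disabled before reboot" case from step 5 is reported as pending-reboot), summarises ausearch -m AVC output as unique source/target/class/permission tuples so the rules audit2allow will generate can be reviewed before semodule -i (step 10), and checks getsebool output for the two booleans from step 15. The config file, AVC lines and getsebool lines at the bottom are constructed sample input so that it runs offline; on a real host feed it the real files and command output instead.

```bash
#!/usr/bin/env bash
# Added example, not Commvault's code: offline checks for the SELinux switch-over.
set -eu

# Print the SELINUX= value from a config file (disabled|permissive|enforcing).
# Comment lines such as "# SELINUX=disabled" in the stock header are ignored.
selinux_config_mode() {
    local cfg="${1:-/etc/selinux/config}"
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Compare the running mode (the output of getenforce) with the config file.
# Prints ok | pending-reboot | mismatch.
check_mode() {
    local runtime="$1" cfg="$2" want
    want="$(selinux_config_mode "$cfg")"
    case "$(printf '%s' "$runtime" | tr 'A-Z' 'a-z')" in
        "$want") echo ok ;;
        disabled) echo pending-reboot ;;  # config written, kernel not yet booted with SELinux
        *)        echo mismatch ;;
    esac
}

# Summarise AVC denials (ausearch -m AVC output on stdin) as unique
# "scontext -> tcontext:tclass {perms}" tuples: one line per rule that
# audit2allow would emit, for review before the module is installed.
summarize_avc() {
    awk '
        /avc:[[:space:]]*denied/ {
            perms = ""; sc = ""; tc = ""; cls = ""
            if (match($0, /denied[[:space:]]*[{][^}]*[}]/)) {
                perms = substr($0, RSTART, RLENGTH)
                sub(/^denied[[:space:]]*[{][[:space:]]*/, "", perms)
                sub(/[[:space:]]*[}]$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      sc  = substr($i, 10)
                else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            key = sc " -> " tc ":" cls " {" perms "}"
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Read getsebool output ("name --> on") on stdin, print any boolean that is
# off, and exit 1 if there was one.
check_booleans() {
    awk -F' --> ' '$2 != "on" { print $1; bad = 1 } END { exit bad }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_CFG="$(mktemp)"
cat >"$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=disabled
SELINUX=permissive
SELINUXTYPE=default
EOF
# comm="example" is a placeholder process name, not a MediaAgent binary.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="example" name="lib" dev="sda1" ino=4711 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=1201 comm="example" name="data" dev="sda1" ino=4712 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read write } for  pid=1202 comm="example" name="data" dev="sda1" ino=4712 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1'
SAMPLE_BOOLS='ssh_sysadm_login --> on
allow_execstack --> off'

echo "config mode:            $(selinux_config_mode "$SAMPLE_CFG")"
echo "getenforce=Disabled  -> $(check_mode Disabled "$SAMPLE_CFG")"
echo "getenforce=Permissive-> $(check_mode Permissive "$SAMPLE_CFG")"
echo "unique AVC tuples to review:"
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "booleans still off:"
printf '%s\n' "$SAMPLE_BOOLS" | check_booleans || true
rm -f "$SAMPLE_CFG"
```

On a live host the same functions take real input: `check_mode "$(getenforce)" /etc/selinux/config`, `sudo ausearch -m AVC | summarize_avc`, and `getsebool ssh_sysadm_login allow_execstack | check_booleans`. The AVC summary deliberately collapses repeated denials of the same tuple, which is what makes a long audit log reviewable; a tuple whose source context is not the MediaAgent's is a rule to delete from mypolicy.te before semodule -i.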
    