[GH-ISSUE #612] [Improvement] Causes several issues #91

Open
opened 2026-03-03 14:29:27 +03:00 by kerem · 1 comment

Originally created by @CaptainMorgan12 on GitHub (May 5, 2025).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/612

Originally assigned to: @konstruktoid on GitHub.

Running the script on an Ubuntu desktop, not server:

  1. aa_enforce appears to cause certain apps to not launch, Ubuntu Firefox .deb, geary .deb install for example:
    26 processes are unconfined but have a profile defined. Maybe an option to ignore the unconfined profiles, if user confirms these are sort of ok.

/usr/lib/firefox/firefox-bin (10999) firefox
/usr/lib/firefox/firefox-bin (11109) firefox
/usr/lib/firefox/firefox-bin (11121) firefox
/usr/lib/firefox/firefox-bin (11126) firefox
/usr/lib/firefox/firefox-bin (11158) firefox
/usr/lib/firefox/firefox-bin (11253) firefox
/usr/lib/firefox/firefox-bin (11267) firefox
/usr/lib/firefox/firefox-bin (11512) firefox
/usr/lib/firefox/firefox-bin (11559) firefox
/usr/lib/firefox/firefox-bin (11598) firefox
/usr/lib/firefox/firefox-bin (20841) firefox
/usr/lib/firefox/firefox-bin (21035) firefox
/usr/lib/firefox/firefox-bin (21116) firefox
/usr/lib/firefox/firefox-bin (21170) firefox
/usr/bin/bwrap (15505) flatpak
/usr/bin/bwrap (15511) flatpak
/usr/bin/xdg-dbus-proxy (15512) flatpak
/usr/bin/bwrap (15515) flatpak
/app/bin/geary (15516) flatpak
/usr/libexec/webkit2gtk-4.1/WebKitNetworkProcess (15568) flatpak
/usr/bin/flatpak-spawn (15628) flatpak
/usr/bin/bwrap (15632) flatpak
/usr/bin/bwrap (15640) flatpak
/usr/bin/xdg-dbus-proxy (15641) flatpak
/usr/bin/bwrap (15646) flatpak
/usr/libexec/webkit2gtk-4.1/WebKitWebProcess (15647) flatpak

  1. why is it installing postfix if it isn't used on the system?
  2. ignore ssh if not used
  3. if user runs an older version non default kernel, message shows that newer kernel should be run, however that might not be the one the user wants to run - in my case I was on a custom macT2 kernel
  4. flatpak apps were removed after running this, disappeared (option selected keep snap "Y", there wasn't an option keep "flatpak") #123 maybe related where a dependency causes removal of flatpak apps, in my case I actually don't have any snaps completely purged from Ubuntu
  5. aide seems to fail to run properly - it was running for 12-14 hours 74% CPU during init aide but no results shown
  6. can SSH setup be ignored if it isn't really used on system?
  7. can coredump be ignored if not installed?
  8. can journalctl be ignored if not installed?
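An added example for triaging item 1, not code from the hardening project: it reads lines in the shape of the aa-status output quoted above and groups them by profile, so the admin can see which profiles the "unconfined but have a profile defined" processes belong to before deciding anything. It also shows the "ignore if not installed" check the later items ask for, via dpkg-query. The function names `summarize_unconfined` and `pkg_installed` and the sample lines are this example's own.

```shell
#!/bin/sh
# Added example, not code from the hardening project: triage the
# "unconfined but have a profile defined" list that aa-status prints,
# so the profiles involved are visible before anything is enforced.
# Input lines look like "/usr/lib/firefox/firefox-bin (10999) firefox".

# Constructed sample in the shape of the aa-status output quoted in the issue.
SAMPLE_AA_STATUS='/usr/lib/firefox/firefox-bin (10999) firefox
/usr/lib/firefox/firefox-bin (11109) firefox
/usr/bin/bwrap (15505) flatpak
/app/bin/geary (15516) flatpak
/usr/bin/xdg-dbus-proxy (15512) flatpak'

# summarize_unconfined: read aa-status style lines on stdin and print one
# line per profile: "<profile> <process count> <distinct executables>".
summarize_unconfined() {
    awk '
        # $1 = executable path, $2 = "(pid)", $3 = profile name
        NF >= 3 {
            count[$3]++
            if (!(($3 SUBSEP $1) in seen)) {
                seen[$3 SUBSEP $1] = 1
                exes[$3] = (exes[$3] == "") ? $1 : exes[$3] "," $1
            }
        }
        END {
            for (p in count) printf "%s %d %s\n", p, count[p], exes[p]
        }' | sort
}

# pkg_installed: answer the "ignore it if not installed" requests by asking
# dpkg (Debian/Ubuntu) whether a package is installed. Returns 0 if it is,
# 1 if not, 2 if dpkg-query itself is unavailable on this host.
pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
    case $status in
        *" installed") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: summarize the constructed sample; on a real host feed it the
# matching block of "aa-status" output instead.
printf '%s\n' "$SAMPLE_AA_STATUS" | summarize_unconfined
```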

@konstruktoid commented on GitHub (May 6, 2025):

> Running the script on an Ubuntu desktop, not server:

That hasn't been tested, isn't supported and will most surely cause a lot of issues.

> 1. aa_enforce appears to cause certain apps to not launch, Ubuntu Firefox .deb, geary .deb install for example: 26 processes are unconfined but have a profile defined. Maybe an option to ignore the unconfined profiles, if user confirms these are sort of ok.

You'll need to update the apparmor policies, and firefox isn't really in focus on a server.

> 1. why is it installing postfix if it isn't used on the system?

To handle generated internal messages.

> 2. ignore ssh if not used

Did you mean "not installed"? The script can't really check if something is in use.

> 3. if user runs an older version non default kernel, message shows that newer kernel should be run, however that might not be the one the user wants to run - in my case I was on a custom macT2 kernel

If someone runs an older version non default kernel, then the user is responsible for updates and management. The message can then safely be ignored.

> 4. flatpak apps were removed after running this, disappeared (option selected keep snap "Y", there wasn't an option keep "flatpak") Disabling Snap removal #123 maybe related where a dependency causes removal of flatpak apps, in my case I actually don't have any snaps completely purged from Ubuntu

I'll have a look regarding this.

> 5. aide seems to fail to run properly - it was running for 12-14 hours 74% CPU during init aide but no results shown

That's not right, please send logs.

> 6. can SSH setup be ignored if it isn't really used on system?

Did you mean "not installed"? The script can't really check if something is in use.

> 7. can coredump be ignored if not installed?
> 8. can journalctl be ignored if not installed?

These should be installed on a server.
