Blocking Software Package Installation with Landscape

Summary: Granular software restrictions are a trivial activity with Landscape.
Categories: landscape, security, server, desktop
Difficulty: 1
Author: Rajan Patel rajan.patel@canonical.com

Overview

Duration: 3:00

In this tutorial, you will learn how to restrict software packages from being installed on Ubuntu. If your use case requires you to forbid a package from being installed, it is possible to set apt preferences to remove the installation candidate entirely. This step can be skipped if installation is not problematic, because it is possible to use Landscape’s dashboard to define a package removal policy and enforce compliance.

Landscape is Canonical’s systems management and monitoring solution. It enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries that can also filter hardware and software metadata. Regardless of size, these cross-sections can be assigned different package removal policies.

Prerequisites

Duration: 5:00

To complete this tutorial, you will need a machine running Ubuntu with Landscape Client installed, and access to Landscape. More specifically, you will require:

  • Root access on your Ubuntu machine.
  • The Landscape Client must be installed and registered with either Landscape on-prem or Landscape SaaS.
  • The Landscape Client must be allowed to remotely execute scripts.

Configure Landscape

The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance and enrolling a machine to be managed by Landscape with Landscape Client. Signing up for Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.

The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [y/N]:

Answering yes to this Enable script execution question is required for this tutorial to work successfully.

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users: ALL

Answering ALL to the Script users prompt is necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root) on an as-needed basis.

Prevent software installation with apt preferences

Running the apt-cache policy command shows which candidate for an application is available for installation.

Using the Audacity software package as an example, run the following command in your terminal:

apt-cache policy audacity

The output will reveal which candidate is available for installation.

audacity:
  Installed: (none)
  Candidate: 2.3.3-1build1
  Version table:
     2.3.3-1build1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages

Once the Audacity package is blocked, the candidate version number is replaced with (none). Blocking Audacity requires updates to apt preferences.

Where to define apt preferences

The apt preferences file /etc/apt/preferences and the fragment files in the /etc/apt/preferences.d/ folder can be used to control which versions of packages will be selected for installation. Fragment files should be defined with the .pref suffix. By default, the apt preferences file at /etc/apt/preferences will be empty, and the /etc/apt/preferences.d/ folder will be empty as well.

The manpage states the apt preferences file is where you would specify pinning: the preference to get certain packages from a different source, or a different version of a distribution. Apt preferences fragment files are where version preferences for applications can be defined. Blocking packages can be achieved through modifications of either the apt preferences file or through fragment files. The same configuration can be applied in both locations, and achieves the identical end result of blocking an application’s installation.

How to define apt preferences fragment files

While there are many ways to organise your apt preferences fragment files in the /etc/apt/preferences.d directory, the most obvious choice is to name the fragment file after the package name. Using Audacity again as an example, create /etc/apt/preferences.d/audacity.pref with this command:

sudo bash -c 'cat <<EOF > /etc/apt/preferences.d/audacity.pref
Package: audacity
Pin: release *
Pin-Priority: -1
EOF'

Running this command will write the following three lines to the file:

Package: audacity
Pin: release *
Pin-Priority: -1

The Pin-Priority value of -1 prevents the version from being installed, and you can verify there is no installable candidate using the same command as earlier:

apt-cache policy audacity

The output now shows that no candidate is available for installation, even though the version is still listed in the version table:

audacity:
  Installed: (none)
  Candidate: (none)
  Version table:
     2.3.3-1build1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages

By using the application’s name as the filename of the apt preferences fragment file, we have a predictable and organised layout for apt preferences. This way, all the configurations for apt preferences are intuitive, human-readable, and uniform. These are desirable qualities for programmatically changing apt preferences at scale using tools like Landscape.
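The tutorial shows the fragment file and the apt-cache check for one package by hand. The script below is an added example, not part of the original tutorial, that generalises both steps: it writes one .pref fragment per package (named after the package, as recommended above) and parses apt-cache policy output to confirm the Candidate line reads (none). The function names and the PREF_DIR override are this example's own; it could serve as the body of a Landscape script run as root.

```shell
#!/bin/bash
# Added example: block a list of packages via apt preferences fragments and
# verify that apt no longer offers an installation candidate for them.
set -euo pipefail

# Directory for fragment files; override (e.g. PREF_DIR=/tmp/x) for dry runs.
PREF_DIR="${PREF_DIR:-/etc/apt/preferences.d}"

# Print the stanza that pins every version of package $1 to priority -1.
block_stanza() {
    printf 'Package: %s\nPin: release *\nPin-Priority: -1\n' "$1"
}

# Write one fragment file per package, named <package>.pref.
write_block_fragments() {
    local pkg
    for pkg in "$@"; do
        block_stanza "$pkg" > "$PREF_DIR/$pkg.pref"
    done
}

# Read `apt-cache policy <pkg>` output on stdin, print the Candidate value,
# and return 0 only when it is "(none)", i.e. the package is blocked.
candidate_is_blocked() {
    local cand
    cand=$(awk '/^ *Candidate:/ {print $2; exit}')
    printf '%s\n' "$cand"
    [ "$cand" = "(none)" ]
}

# Query the live apt cache for each package (needs apt-cache on the host).
verify_blocked() {
    local pkg
    for pkg in "$@"; do
        if apt-cache policy "$pkg" | candidate_is_blocked >/dev/null; then
            echo "blocked: $pkg"
        else
            echo "STILL INSTALLABLE: $pkg" >&2
            return 1
        fi
    done
}

# Usage: ./block-packages.sh --apply audacity vlc
if [ "${1:-}" = "--apply" ]; then
    shift
    write_block_fragments "$@"
    verify_blocked "$@"
fi
```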

Apply apt preferences through Landscape

Duration: 5:00

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organised. Once there, click Add Script.

Add a script to block

Title: Block Installation - Audacity

Code:

#!/bin/bash
# Runs as root, so the fragment can be written directly.
cat <<EOF > /etc/apt/preferences.d/audacity.pref
Package: audacity
Pin: release *
Pin-Priority: -1
EOF

Run as user: root

Time limit (seconds): 300

Access group: Global access

Run the Block Installation - Audacity script

Which physical and virtual machines need Audacity blocked? It is possible to run the script on-demand, across any cross-section of your Ubuntu estate.

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers on which Audacity needs to be blocked.
  3. Click Scripts in the secondary navigation menu.
  4. Click the Block Installation - Audacity radio button. Then click Next.
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run.

The script will be queued and will be executed at your chosen time when the Landscape Client on the selected machines checks in with Landscape Server.

You do not need to refresh the page; it will update automatically to reveal when the script is being run.

The dashboard provides a granular view of each computer’s status and notifies you when the script has been completed successfully.

Enforce policies with Package Profiles

Duration: 5:00

When blocking the installation of a package, it’s also important to establish and enforce a policy to remove the software if it is ever detected on the machine. These policies can be defined through Landscape’s Profile Management.

  1. From the Landscape Dashboard’s homepage, click Profiles to reach the Profile Management page.
  2. From the Profile Management page, click Package Profiles to manage package configurations on computers.
  3. Click Add a package profile.

Title: Remove Audacity

Description: Remove Audacity

Access Group: Global access

Package constraints: Manually add constraints

The first drop-down should be Conflicts with. The input field should be the package name, in our case, audacity. The following drop-down selection can remain as any, to match any version number.

  1. Click Save.
  2. On the next screen, you have to select All computers or the appropriate Tags, otherwise, your policy will not be associated with any machines.

In our example, we defined the Access Group to be Global access because we accept that any machine in the estate should have the removal policy available to it. Additional tags can be associated with the Remove Audacity Package Profile, to define a cross section of machines by group and tag.

From the Landscape Dashboard’s homepage, click Activities to see if your Package Profile needs to be approved. Once approved, the status will reflect In Progress.

It may take several minutes to remove packages, but once the policy has been successfully applied, the status will read Succeeded.

The Event Log will reveal when the group activity succeeded on every single machine.

Summary and next steps

Congratulations! You have applied hard and soft package restrictions on your Ubuntu machines. Hard restrictions prevent the software from being installed, through modifications to apt preferences. Soft restrictions, enforced through Landscape, periodically check for the presence of an application and remove it if it is found.

A combination of blocking installation and periodic scans with automated software removal should provide complete coverage for your organisation’s software compliance requirements.
