Essential Eight on Linux, Part 7 of 8: User Application Hardening on Ubuntu 26.04 LTS Source

---
title: "Essential Eight on Linux, Part 7 of 8: User Application Hardening on Ubuntu 26.04 LTS"
date: "2026-05-04"
published: true
tags: ["essential-eight", "asd", "ism", "ubuntu", "linux", "firefox", "apparmor", "browser-isolation", "security"]
author: "Gavin Jackson"
excerpt: "Part 7 of an 8-part series on implementing the Essential Eight on Ubuntu 26.04 LTS, covering browser and user application hardening with Firefox policies, snap confinement, AppArmor, and isolation controls."
---

# Essential Eight on Linux, Part 7 of 8: User Application Hardening on Ubuntu 26.04 LTS

Of all the Essential Eight mitigations, this one is probably the most naturally adaptable to Linux.

The reason is simple: the underlying security idea is not Windows-specific at all. Harden the software that attackers target first. That is just as relevant on Ubuntu 26.04 LTS as anywhere else.

Browsers, PDF readers, email clients, collaboration tools, and document handlers are all part of the frontline.

## What ASD is trying to achieve

The Essential Eight user application hardening mitigation is about reducing unnecessary functionality in common user-facing software so attackers have fewer ways to execute code, pivot, or deliver payloads.

On Linux, that mostly becomes:

- browser hardening
- document viewer hardening
- script and plugin reduction
- stronger defaults for content handling
- isolation for risky applications

## Ubuntu 26.04 LTS reference implementation

### Resolute Raccoon highlights

Ubuntu 26.04 LTS is actually a nice step forward for this mitigation:

- GNOME 50 on Wayland reduces some legacy X11 desktop attack patterns, especially around global input and screen access
- application permission prompting is improved, with early integration into the **Security Center**

None of that replaces hardening policy, but it gives you a cleaner base desktop than Ubuntu 24.04 LTS did.

### 1. Start with the browser

Ubuntu 26.04 ships Firefox as a snap, which is already a helpful default because you get:

- confinement
- central update channels
- a cleaner packaging model

But that is only the start. For managed environments, use enterprise browser policies to enforce settings such as:

- extension allowlists
- password manager decisions
- telemetry or privacy settings consistent with policy
- download restrictions
- homepage and safe browsing controls

For Chromium-based browsers on Linux, the same principle applies. The platform is not the hard bit. The discipline is.

### How to implement enterprise browser policies on Ubuntu

This is the part that often gets hand-waved away.

On Linux, the practical pattern is usually:

1. define your browser standards in JSON
2. deploy them with your configuration management tool
3. verify enforcement on endpoints
4. keep the package source for the browser under central control

For **Firefox**, Mozilla supports cross-platform policy management through `policies.json`.

On Linux, the usual system-wide location is:

```text
/etc/firefox/policies/policies.json
```

On Ubuntu, this path also works for the Firefox snap. Make the file root-owned and writable only by administrators; otherwise, you have a preference file rather than an enterprise control.

A minimal example might look like this:

```json
{
  "policies": {
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "DisableTelemetry": true,
    "BlockAboutConfig": true,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      },
      "uBlock0@raymondhill.net": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
      }
    }
  }
}
```

That gives you a simple Linux-native way to:

- block unapproved extensions
- force-install approved ones
- lock down settings standard users should not change
- push a consistent browser posture across an Ubuntu fleet

For **Google Chrome on Linux**, Google documents two policy tiers:

- **managed** policies that users cannot override
- **recommended** policies that set defaults users may change

Typical paths are:

```text
/etc/opt/chrome/policies/managed/
/etc/opt/chrome/policies/recommended/
```

For Chromium-based builds managed through distro packaging, the equivalent path may instead be under:

```text
/etc/chromium/policies/
```

A simple managed policy file could look like:

```json
{
  "BrowserSignin": 0,
  "PasswordManagerEnabled": false,
  "SafeBrowsingProtectionLevel": 2,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "ddkjiahejlhfcafbddmgiahcphecmpfh"
  ],
  "ExtensionInstallForcelist": [
    "ddkjiahejlhfcafbddmgiahcphecmpfh;https://clients2.google.com/service/update2/crx"
  ]
}
```

That example blocks user-installed extensions by default and force-installs **uBlock Origin Lite**, which is the Manifest V3-friendly version for Chrome. If your organisation uses Chrome Enterprise Core or a commercial secure web gateway, you may prefer to manage extension policy there instead of hard-coding extension IDs directly into local JSON.

At fleet scale, I would not hand-place these files. I would push them with:

- **Landscape** for script and package driven enforcement
- **Ansible**, **Puppet**, or **Salt** if that is already your Linux config baseline
- an immutable desktop image pipeline if the workstations are provisioned from a gold image

To validate the result:

- in Firefox, check `about:policies`
- in Chrome, check `chrome://policy`

That verification step matters. A policy file that exists on disk but is ignored by the packaged browser is not a control.
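
The Firefox and Chrome sections above both rest on two on-disk conditions that can be checked before opening `about:policies` or `chrome://policy`: the policy file and its directory are root-owned and not group- or world-writable, and the JSON parses and keeps the default-deny extension posture from the samples. The Python script below is an added example, not code from the original article, Mozilla, or Google; the function names and the script name `policy_audit.py` are assumptions for illustration.

```python
import json
import os
import re
import stat
import sys

CHROME_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 letters a-p

def audit_permissions(path, owner_uid=0):
    """Flag a policy file, or its immediate directory, that a non-admin could modify."""
    findings = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(target)
        if st.st_uid != owner_uid:
            findings.append(f"{target}: owner uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: writable by group or other")
    return findings

def audit_firefox(doc):
    """Check a parsed policies.json for a default-deny extension posture."""
    findings = []
    ext = doc.get("policies", {}).get("ExtensionSettings", {})
    if ext.get("*", {}).get("installation_mode") != "blocked":
        findings.append('ExtensionSettings["*"] is not "blocked"')
    for ext_id, cfg in ext.items():
        mode = cfg.get("installation_mode")
        if mode in ("force_installed", "normal_installed") and not cfg.get("install_url"):
            findings.append(f"{ext_id}: {mode} without install_url")
    return findings

def audit_chrome(doc):
    """Check a parsed Chrome managed policy for blocklist '*' and well-formed IDs."""
    findings = []
    if "*" not in doc.get("ExtensionInstallBlocklist", []):
        findings.append('ExtensionInstallBlocklist lacks "*"')
    ids = list(doc.get("ExtensionInstallAllowlist", []))
    ids += [e.split(";", 1)[0] for e in doc.get("ExtensionInstallForcelist", [])]
    findings += [f"malformed extension ID: {i}" for i in ids if not CHROME_ID.match(i)]
    return findings

def audit_policy_file(path, browser, owner_uid=0):
    """Return a list of findings for one policy file; an empty list means it passed."""
    findings = audit_permissions(path, owner_uid)
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
        if not isinstance(doc, dict):
            raise ValueError("top level is not a JSON object")
    except ValueError as exc:  # a file that does not parse is not an enforced policy
        return findings + [f"{path}: invalid JSON ({exc})"]
    check = audit_firefox if browser == "firefox" else audit_chrome
    return findings + [f"{path}: {msg}" for msg in check(doc)]

if __name__ == "__main__":
    # Usage: policy_audit.py firefox|chrome /path/to/policy.json
    problems = audit_policy_file(sys.argv[2], sys.argv[1])
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

A non-zero exit status makes the script usable as a compliance check from Landscape or a configuration management run; it complements, and does not replace, the in-browser check.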

### 2. Remove dead features and dangerous defaults

A lot of historical browser attack surface simply should not exist anymore:

- Java browser plugins or Java Web Start/JNLP helpers unless explicitly required
- unmanaged external protocol handlers
- unmanaged extension sprawl
- automatic file handling for risky content

On Ubuntu, this is partly a browser policy problem and partly a software standardisation problem. The practical control is to define what handlers, extensions, download behaviours, and helper applications are allowed, then test those settings through `about:policies` or `chrome://policy`.

### 3. Treat ad, script, and active-content control as part of hardening

The ASD guidance includes blocking web advertisements and unnecessary active content for good reason.

For Ubuntu desktops, that can mean:

- enterprise-managed content blocking in the browser
- DNS or secure web gateway filtering
- remote browser isolation for higher-risk use cases

You do not have to make the desktop miserable. But you should absolutely reduce the number of hostile scripts users are expected to process by default.

For many Ubuntu fleets, a sensible pattern is:

- one approved ad or content-blocking extension, centrally installed
- browser-side pop-up and download restrictions
- DNS or SWG filtering for known malicious domains
- a separate isolated path for genuinely risky browsing instead of trying to make every endpoint absorb that risk

### 4. Harden document and PDF handling

Browsers are not the only target. PDF readers, office suites, and mail clients should also be part of the design.

On Ubuntu:

- prefer simple viewers over feature-heavy document tooling where possible
- keep document handlers patched
- confine risky apps with AppArmor
- open especially risky content in isolated sessions rather than directly on the endpoint

### 5. Use isolation where hardening is not enough

Some use cases simply carry more risk:

- research on the open internet
- handling untrusted attachments
- accessing third-party portals

That is where isolation tools are more honest than trying to harden a general-purpose desktop into something it is not. Browser isolation, remote workspace patterns, or disposable sessions can all help here.

### Kasm as a commercial isolation pattern

One product worth calling out explicitly here is **Kasm Workspaces**.

Kasm is useful because it changes the location where the risky web code executes. Instead of the user's Ubuntu endpoint processing hostile websites directly, the browsing session runs in a **remote, containerised browser** and is streamed back to the user. The endpoint is interacting with the rendered session, not running the full browsing workload locally.

That makes Kasm a very practical commercial answer when your security objective is not just "harden the browser a bit more" but "move high-risk web activity off the endpoint altogether."

From an Essential Eight perspective, Kasm fits especially well as an uplift control for:

- `ISM-1485` around reducing exposure to web advertisements and active content
- `ISM-1412` around restricting risky browser processing paths
- `ISM-1585` where browser security settings need to be enforced rather than left to users

It is not a direct replacement for every Windows-specific Office or PDF hardening control, but it is a very practical way to move high-risk web activity out of the standard endpoint session.

Kasm is especially compelling for Linux-heavy shops because it is not Windows-dependent and does not require you to pretend every risky workflow should be solved on the endpoint itself.

### Good Kasm use cases on an Ubuntu fleet

Here are a few situations where Kasm makes a lot of sense:

- **Internet research from secure or sensitive environments**: analysts, engineers, or administrators can browse the open internet without giving the local workstation direct exposure to the full web threat surface.
- **Opening suspicious links from email or chat**: users can push high-risk links into an isolated browser instead of handling them in their standard desktop session.
- **Third-party or BYOD access**: contractors can use a browser-delivered isolated workspace without getting broad direct access from their local machine into your environment.
- **Cross-domain or regulated browsing**: teams working in government, defence, legal, or finance can enforce tighter clipboard, upload, download, and session controls around browser activity.
- **OSINT and investigative work**: Kasm is also useful when you want disposable browsing sessions, alternate egress points, and less attribution back to the analyst workstation.

### A practical Kasm pattern

The strongest pattern is usually not "everyone browses everything through Kasm all the time."

It is more often:

- standard browser hardening on all Ubuntu endpoints
- Kasm for high-risk browsing roles
- Kasm for suspicious links or unknown websites
- policy controls on uploads, downloads, clipboard, and printing in the isolated browser
- SSO and MFA in front of the Kasm environment

That gives you a good balance between productivity and containment.

> **Logs or it didn't happen**
>
> There does not appear to be an official Ubuntu 26.04 support listing for Elasticsearch yet, so I would not present it as a certified 26.04 reference build today. That said, Elastic remains one of the top-tier distributed logging and search options in the Linux ecosystem, and it is absolutely worth considering for centralising Ubuntu system and application logs.
>
> The classic Elastic Stack is made up of four main pieces: **Elasticsearch** for storage and search, **Logstash** for ingest and enrichment, **Kibana** for dashboards and investigation, and **Beats** such as Filebeat for shipping host and application logs.
>
> In an Essential Eight context, the important point is not "install Elastic and declare victory." It is having protected, searchable evidence that browser policy, AppArmor, audit, application, and endpoint events are being collected and reviewed. I will come back to this properly in a future deep-dive on Elasticsearch fundamentals.

## ISM control mapping

The October 2024 Essential Eight to ISM mapping is very Windows-heavy in this area, so the honest Linux answer is a mix of direct controls, compensating controls, and clearly documented non-applicability.

| ISM control | E8 requirement in plain English | Ubuntu 26.04 implementation |
|-------------|----------------------------------|-----------------------------|
| `ISM-1654` | Internet Explorer 11 is disabled or removed. | Not applicable on Ubuntu by default. Document it as N/A and avoid reintroducing IE through Wine or remote application publishing unless it is isolated and explicitly approved. |
| `ISM-1486` | Web browsers do not process Java from the internet. | Do not install Java browser plugins or Java Web Start handlers. If Java is needed for internal tools, restrict it to approved internal origins and verify browser/helper handling. |
| `ISM-1485` | Web browsers do not process web advertisements from the internet. | Use an enterprise-managed content blocker, secure web gateway, DNS filtering, or remote browser isolation for higher-risk roles. |
| `ISM-1412` | Browsers are hardened using ASD and vendor guidance. | Enforce Firefox `policies.json` or Chrome managed policies, then verify with `about:policies` or `chrome://policy`. |
| `ISM-1585` | Browser security settings cannot be changed by users. | Store browser policy files as root-owned configuration deployed by Landscape, Ansible, Puppet, Salt, or a managed image pipeline. |
| `ISM-1667` | Microsoft Office is blocked from creating child processes. | No neat native equivalent exists for LibreOffice. Use AppArmor or isolated sessions for high-risk document handling, and use managed remote Windows Office if exact Microsoft Office control coverage is required. |
| `ISM-1668` | Microsoft Office is blocked from creating executable content. | Disable office macros unless required, avoid trusted write-execute locations, and treat document-created scripts or binaries as blocked content in endpoint monitoring. |
| `ISM-1669` | Microsoft Office is blocked from injecting code into other processes. | Mostly Windows-specific. For Linux office suites, reduce exposure with AppArmor confinement and isolation for untrusted documents. |
| `ISM-1542` | Microsoft Office is configured to prevent activation of OLE packages. | Mostly Windows-specific. Avoid Wine-based Office for standard users, disable external object activation where supported, and open untrusted documents in isolated sessions. |
| `ISM-1859` | Office productivity suites are hardened using ASD and vendor guidance. | Baseline LibreOffice, OnlyOffice, or browser-based office tooling through managed configuration, and record any settings that cannot be centrally locked. |
| `ISM-1823` | Office productivity suite security settings cannot be changed by users. | Use root-owned configuration, a managed desktop image, or isolation. If the chosen office suite cannot enforce a setting centrally, treat that as a control gap. |
| `ISM-1670` | PDF software is blocked from creating child processes. | Prefer simple PDF viewers, keep PDF handling patched, and use AppArmor or browser isolation for untrusted PDF workflows. |
| `ISM-1860` | PDF software is hardened using ASD and vendor guidance. | Disable PDF JavaScript or active features where the reader supports it, and avoid feature-heavy readers unless there is a business need. |
| `ISM-1824` | PDF software security settings cannot be changed by users. | Choose PDF tooling that can be centrally configured, or enforce the workflow through managed images and isolated sessions. |
| `ISM-1655` | .NET Framework 3.5 is disabled or removed. | Windows-specific. On Ubuntu, avoid unsupported legacy .NET or Wine runtime stacks unless they are isolated and business-owned. |
| `ISM-1621` | Windows PowerShell 2.0 is disabled or removed. | Not installed on Ubuntu by default. If PowerShell is installed, standardise on a supported PowerShell 7 package and remove legacy or unmanaged copies. |
| `ISM-1622` | PowerShell uses Constrained Language Mode. | There is no strong WDAC/AppLocker-backed Ubuntu equivalent. Avoid broad PowerShell use on desktops, or restrict it to controlled admin workstations and jump hosts. |
| `ISM-1623`, `ISM-1889` | PowerShell and command-line process creation events are centrally logged. | If PowerShell is present, forward its logs. For Linux command execution, use `auditd`, Sysmon for Linux, osquery, Wazuh, Elastic Agent, Microsoft Defender for Endpoint, or another EDR path. |
| `ISM-1815`, `ISM-1906`, `ISM-1907`, `ISM-0109`, `ISM-1228`, `ISM-0123`, `ISM-0140`, `ISM-1819` | Logs are protected, analysed, reported, and used in incident response. | Forward browser, application, audit, and EDR telemetry to a central platform with retention, access control, and tamper protection. |

## Linux-friendly commercial additions

If you need more than native browser policy and AppArmor can offer, the cleanest commercial additions are usually:

- **Cloudflare Remote Browser Isolation**
- **Kasm Workspaces**
- **Menlo Security**
- **secure web gateways** that enforce content filtering and isolation policies

These work well with Linux because the control is delivered through the browser or network path, not through a Windows-only endpoint dependency.

## A practical Ubuntu hardening baseline

For Ubuntu 26.04 desktops, I would start with:

- one or two approved browsers only
- enterprise browser policies with controlled extensions
- no unmanaged extension installs
- controlled protocol handlers and automatic file handling
- ad and script reduction for high-risk groups
- AppArmor on user-facing apps
- patched PDF and document tooling
- Kasm for risky browsing, unknown links, or regulated web access roles
- isolated browsing for risky internet research roles

That is a sensible baseline without becoming unmanageable.

## The bottom line

User application hardening is one of the more achievable Essential Eight mitigations on Ubuntu 26.04 LTS.

The trick is not to overcomplicate it. Harden the browser with real managed policies, reduce active content, control extensions, keep document handlers patched, and use isolation for higher-risk workflows. Linux gives you enough native leverage here that the control can be both practical and strong, and products like Kasm give you a credible commercial step-up when endpoint hardening alone is not enough.

## References

- [ASD Essential Eight maturity model and ISM mapping (October 2024)](https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight/essential-eight-maturity-model-and-ism-mapping)
- [Canonical releases Ubuntu 26.04 LTS Resolute Raccoon](https://ubuntu.com/blog/canonical-releases-ubuntu-26-04-lts-resolute-raccoon)
- [Firefox enterprise policies](https://mozilla.github.io/policy-templates/)
- [Customize Firefox using policies.json](https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson)
- [Chrome Browser quick start for Linux](https://support.google.com/chrome/a/answer/9025903?hl=en)
- [Set Chrome policies](https://support.google.com/chrome/a/answer/9027408?hl=en)
- [uBlock Origin Lite - Chrome Web Store](https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh)
- [AppArmor on Ubuntu](https://ubuntu.com/server/docs/how-to/security/apparmor/)
- [Kasm browser isolation docs](https://docs.kasm.com/docs/latest/guide/browser_isolation/index.html)
- [Kasm web isolation use cases](https://kasm.com/solutions/web-isolation)
- [Cloudflare Remote Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)
- [Menlo Remote Browser Isolation](https://www.menlosecurity.com/product/remote-browser-isolation)
- [Elastic Support Matrix](https://www.elastic.co/support/matrix/)