Overview of security features

This page provides a high-level overview of the security features in Ubuntu, their default configurations and rationale for having them enabled or disabled.

area	feature	20.04 LTS	22.04 LTS	24.04 LTS	24.10	25.04
Privilege restriction	AppArmor	2.13.3	3.0.4	3.0.7	3.0.7	3.0.7
Privilege restriction	AppArmor unprivileged user namespace restrictions	–	–	kernel & userspace	kernel & userspace	kernel & userspace
Privilege restriction	SELinux	universe	universe	universe	universe	universe
Privilege restriction	SMACK	kernel	kernel	kernel	kernel	kernel
Privilege restriction	PR_SET_SECCOMP	kernel	kernel	kernel	kernel	kernel
Privilege restriction	Seccomp Filtering	kernel	kernel	kernel	kernel	kernel
Privilege restriction	Filesystem Capabilities	kernel & userspace (default on server)	kernel & userspace (default on server)	kernel & userspace (default on server)	kernel & userspace (default on server)	kernel & userspace (default on server)
Storage and filesystem	Full disk encryption (FDE)	LUKS + TPM	LUKS + TPM	LUKS + TPM	LUKS + TPM	LUKS + TPM
Storage and filesystem	Encrypted LVM	main installer	main installer	main installer	main installer	main installer
Storage and filesystem	File Encryption	ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe	ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe	ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe	ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe	ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe
Network and firewalls	No Open Ports	policy	policy	policy	policy	policy
Network and firewalls	SYN Cookies	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl
Network and firewalls	Firewall	ufw	ufw	ufw	ufw	ufw
Cryptography	Password Hashing	sha512	yescrypt	yescrypt	yescrypt	yescrypt
Cryptography	Cloud PRNG Seed	pollinate	pollinate	pollinate	pollinate	pollinate
Cryptography	Disable Legacy TLS	policy	policy	policy	policy	policy
Process and memory protections	Symlink restrictions	kernel	kernel	kernel	kernel	kernel
Process and memory protections	Hardlink restrictions	kernel	kernel	kernel	kernel	kernel
Process and memory protections	FIFO restrictions	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl
Process and memory protections	Regular file restrictions	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl	kernel & sysctl
Process and memory protections	Stack Protector	gcc patch	gcc patch	gcc patch	gcc patch	gcc patch
Process and memory protections	Heap Protector	glibc	glibc	glibc	glibc	glibc
Process and memory protections	Pointer Obfuscation	glibc	glibc	glibc	glibc	glibc
Process and memory protections	Stack ASLR	kernel	kernel	kernel	kernel	kernel
Process and memory protections	Libs/mmap ASLR	kernel	kernel	kernel	kernel	kernel
Process and memory protections	Exec ASLR	kernel	kernel	kernel	kernel	kernel
Process and memory protections	brk ASLR	kernel	kernel	kernel	kernel	kernel
Process and memory protections	vDSO ASLR	kernel	kernel	kernel	kernel	kernel
Process and memory protections	Built as PIE	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others
Process and memory protections	Built with Fortify Source	gcc patch	gcc patch	gcc patch	gcc patch	gcc patch
Process and memory protections	Built with RELRO	gcc patch	gcc patch	gcc patch	gcc patch	gcc patch
Process and memory protections	Built with BIND_NOW	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others	gcc patch (amd64, ppc64el, s390x), package list for others
Process and memory protections	Built with -fstack-clash-protection	gcc patch (i386, amd64, ppc64el, s390x)	gcc patch (i386, amd64, ppc64el, s390x)	gcc patch (i386, amd64, ppc64el, s390x)	gcc patch (i386, amd64, ppc64el, s390x)	gcc patch (i386, amd64, ppc64el, s390x)
Process and memory protections	Built with -fcf-protection	gcc patch (i386, amd64)	gcc patch (i386, amd64)	gcc patch (i386, amd64)	gcc patch (i386, amd64)	gcc patch (i386, amd64)
Process and memory protections	Non-Executable Memory	PAE, ia32 partial-NX-emulation	PAE, ia32 partial-NX-emulation	PAE, ia32 partial-NX-emulation	PAE, ia32 partial-NX-emulation	PAE, ia32 partial-NX-emulation
Process and memory protections	/proc/$pid/maps protection	kernel	kernel	kernel	kernel	kernel
Process and memory protections	ptrace scope	kernel	kernel	kernel	kernel	kernel
Process and memory protections	0-address protection	kernel	kernel	kernel	kernel	kernel
Process and memory protections	/dev/mem protection	kernel	kernel	kernel	kernel	kernel
Kernel protections	Kernel Lockdown	integrity only, no confidentiality	integrity only, no confidentiality	integrity only, no confidentiality	integrity only, no confidentiality	integrity only, no confidentiality
Kernel protections	/dev/kmem disabled	kernel	kernel	kernel	kernel	kernel
Kernel protections	Block module loading	sysctl	sysctl	sysctl	sysctl	sysctl
Kernel protections	Read-only data sections	kernel	kernel	kernel	kernel	kernel
Kernel protections	Kernel Stack protector	kernel	kernel	kernel	kernel	kernel
Kernel protections	Module RO/NX	kernel	kernel	kernel	kernel	kernel
Kernel protections	Kernel Address Display Restriction	kernel	kernel	kernel	kernel	kernel
Kernel protections	Kernel Address Space Layout Randomisation	kernel (i386, amd64, arm64, and s390 only)	kernel (i386, amd64, arm64, and s390 only)	kernel (i386, amd64, arm64, and s390 only)	kernel (i386, amd64, arm64, and s390 only)	kernel (i386, amd64, arm64, and s390 only)
Kernel protections	Denylist Rare Protocols	kernel	kernel	kernel	kernel	kernel
Kernel protections	dmesg restrictions	sysctl	kernel	kernel	kernel	kernel
Kernel protections	Block kexec	sysctl	sysctl	sysctl	sysctl	sysctl
Platform protections	UEFI Secure Boot	amd64, kernel signature enforcement	amd64, kernel signature enforcement	amd64, kernel signature enforcement	amd64, kernel signature enforcement	amd64, kernel signature enforcement
Platform protections	usbguard	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace
Platform protections	usbauth	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace
Platform protections	bolt	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace
Platform protections	thunderbolt-tools	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace	kernel & userspace
Security updates	Livepatch	20.04 LTS Kernel	22.04 LTS Kernel	24.04 LTS Kernel	–	–

Additional Documentation

• Coordination with Debian

• Gentoo’s Hardening project

• Ubuntu Security Features for all releases