CIS Benchmark Compliance
-
These are the out-of-the-box results on a fully patched/updated Cloudron per Wazuh (as of about 90 seconds ago).

I will be deploying a test instance of Cloudron on a VM with a set of CIS/NIST Ansible playbooks to get the node to 100% compliance and see if anything breaks.
-
I have uploaded it here: https://staticbits.reachableceo.com/CloudronWazuhReport-2025-30-12.csv
-
From a quick read it seems most (all?) are just general Linux things. Have you tried this on a fresh Ubuntu 24.04 system without Cloudron? Because I suspect most of these "issues" are in that as well. Most of them are not really issues, in my eyes at least.
-
As I mentioned, I'll be applying Ansible playbooks to bring the base system to 100% compliance.
I never said these were Cloudron issues. I said that I would be testing Cloudron on a 100% compliant base system and fixing anything that is broken. I don't expect any issues. Because, as you mentioned, these are all base system config tweaks.
Cloudron runs everything 100% in Docker images.
Where I suspect change may be needed is at the Cloudron container level, when I start scanning everything with Trivy.
Do you use hardened Docker base images?
-
As I have said, I'm deploying a FLO stack (with Cloudron at the core) into a startup that I'm building (as CIO/CTO). We have to be CMMC compliant. Making sure Cloudron works on a 100% compliant base system is the first milestone. While you may not consider them issues, they do need to be addressed to be compliant. That's "my problem". If a fully compliant base system causes an issue in Cloudron, that's "our problem".

While you, and many Cloudron users, may not care about CMMC/HIPAA/SOC/PCI compliance, I (and my board) do. I'm also building a small side business which will sell Cloudron as a service (pre setup/configured, all applications have admin password changed, admin passwords stored in Bitwarden) (the new Bitwarden SSO makes that possible without bootstrapping issues) and it will have CMMC/SOC/PCI/HIPAA compliance (at the higher tier).