CIS Benchmark Compliance

Reply to CIS Benchmark Compliance on Fri, 02 Jan 2026 22:24:21 GMT

necrevistonnezr — Fri, 02 Jan 2026 22:24:21 GMT

@charlesnw said in CIS Benchmark Compliance:

Do you use hardened Docker base images?

See the discussion here: https://forum.cloudron.io/topic/14762/docker-hardened-images In short: No, for good reasons (maintenance and standards)

Reply to CIS Benchmark Compliance on Wed, 31 Dec 2025 13:08:09 GMT

charlesnw — Wed, 31 Dec 2025 13:08:09 GMT

As I have said, I'm deploying a FLO stack (with Cloudron at the core) into a startup that I'm building (as CIO/CTO). We have to be CMMC compliant. Making sure Cloudron works on a 100% compliant base system is the first milestone. While you may not consider them issues, they do need to be addressed to be compliant. That's "my problem". If a fully compliant base system causes an issue in Cloudron , that's "our problem".

While you, and many Cloudron users may not care about CMMC/HIPPA/SOC/PCI compliance, I (and my board) do. I'm also building a small side business which will sell Cloudron as a service (pre setup/configured, all applications have admin password changed, admin passwords stored in Bitwarden) (the new Bitwarden SSO makes that possible without bootstrapping issues) and it will have CMMC/SOC/PCI/HIPPA compliance (at the higher tier).

Reply to CIS Benchmark Compliance on Wed, 31 Dec 2025 13:03:57 GMT

charlesnw — Wed, 31 Dec 2025 13:03:57 GMT

As I mentioned, I'll be applying Ansible playbooks to bring the base system to 100% compliance.

I never said these were Cloudron issues. I said that I would be testing Cloudron on a 100% compliant base system and fixing anything that is broken. I don't expect any issues. Because, as you mentioned, these are all base system config tweaks.

Cloudron runs everything 100% in Docker images.

Where I suspect change may be needed, is at the Cloudron container level when I start scanning everything with Trivy.

Do you use hardened Docker base images?

Reply to CIS Benchmark Compliance on Wed, 31 Dec 2025 09:53:00 GMT

joseph — Wed, 31 Dec 2025 09:53:00 GMT

From a quick read it seems most (all?) are just general linux things. Have you tried this on a fresh Ubuntu 24.04 system without Cloudron? Because I suspect most of these "issues" are in that as well. Most of them are not really issues in my eyes atleast.

Reply to CIS Benchmark Compliance on Wed, 31 Dec 2025 01:23:02 GMT

charlesnw — Wed, 31 Dec 2025 01:23:02 GMT

I have uploaded it here: https://staticbits.reachableceo.com/CloudronWazuhReport-2025-30-12.csv

Reply to CIS Benchmark Compliance on Wed, 31 Dec 2025 01:20:18 GMT

charlesnw — Wed, 31 Dec 2025 01:20:18 GMT

Is there a way to upload a text file to the forum? I have a csv of the wazuh report exported.

Reply to CIS Benchmark Compliance on Tue, 30 Dec 2025 15:56:10 GMT

charlesnw — Tue, 30 Dec 2025 15:56:10 GMT

I’ll see about getting the full list exported to a text file and posted.

Reply to CIS Benchmark Compliance on Tue, 30 Dec 2025 07:44:44 GMT

nebulon — Tue, 30 Dec 2025 07:44:44 GMT

The full list would indeed be interesting to see. Especially what comes after disabling all those kernel modules.

Reply to CIS Benchmark Compliance on Tue, 30 Dec 2025 04:51:53 GMT

robi — Tue, 30 Dec 2025 04:51:53 GMT

Can you post the list of failures?