CIS Benchmark Compliance
-
These are the out-of-the-box results on a fully patched/updated Cloudron per Wazuh (as of about 90 seconds ago).

I will be deploying a test instance of Cloudron on a VM with a set of CIS/NIST ansible playbooks to get the node to 100% compliance and see if anything breaks.
-
I have uploaded it here: https://staticbits.reachableceo.com/CloudronWazuhReport-2025-30-12.csv
-
From a quick read it seems most (all?) are just general Linux things. Have you tried this on a fresh Ubuntu 24.04 system without Cloudron? Because I suspect most of these "issues" are in that as well. Most of them are not really issues in my eyes, at least.
-
As I mentioned, I'll be applying Ansible playbooks to bring the base system to 100% compliance.
I never said these were Cloudron issues. I said that I would be testing Cloudron on a 100% compliant base system and fixing anything that is broken. I don't expect any issues because, as you mentioned, these are all base system config tweaks.
Cloudron runs everything 100% in Docker images.
Where I suspect change may be needed is at the Cloudron container level, when I start scanning everything with Trivy.
Do you use hardened Docker base images?
-
As I have said, I'm deploying a FLO stack (with Cloudron at the core) into a startup that I'm building (as CIO/CTO). We have to be CMMC compliant. Making sure Cloudron works on a 100% compliant base system is the first milestone. While you may not consider them issues, they do need to be addressed to be compliant. That's "my problem". If a fully compliant base system causes an issue in Cloudron, that's "our problem".

While you, and many Cloudron users, may not care about CMMC/HIPAA/SOC/PCI compliance, I (and my board) do. I'm also building a small side business which will sell Cloudron as a service (pre-setup/configured, all applications have the admin password changed, admin passwords stored in Bitwarden) (the new Bitwarden SSO makes that possible without bootstrapping issues), and it will have CMMC/SOC/PCI/HIPAA compliance (at the higher tier).
-
@charlesnw said in CIS Benchmark Compliance:
Do you use hardened Docker base images?
See the discussion here: https://forum.cloudron.io/topic/14762/docker-hardened-images In short: No, for good reasons (maintenance and standards)