Cloudron on Linode CIS Benchmarks for the Base Image
Does the Cloudron application base image on Linode harden against CIS benchmarks?
If not what was the thinking behind not doing so?
Is there a plan to implement this for added security?
@dark-shadow currently the Linode image is not checked or hardened against CIS benchmark. Do you have further information on the process to do so?
Thanks for the reply here is some further info:
You can download the full report from here:
Let me know your thoughts
I checked this out quickly following https://ubuntu.com/security/certifications/docs/cis-installation.
It seems that CIS is available only under Ubuntu Pro subscription (even though that's free for personal use). I was able to register as personal instance and then run the benchmarks. It installs many packages (like postfix etc) and also configures a whole bunch of stuff. On Cloudron, most things run inside docker so many of them simply won't be configured right since it's configuring the host system and not the containers. It also seems to apply some ufw rules which is incompatible with docker firewall. I learnt about this tool called AIDE (https://www.hackerxone.com/2021/09/23/step-by-step-to-install-aide-on-ubuntu-20-04-lts/) which tracks file changes but I this this also needs to upload reports to a trusted server to track changes (not sure).
Ignoring the subscription aspect, which makes it a no go already since we cannot rely on canonical subscriptions, the best we can do is pick best practices from CIS and apply it to Cloudron's base image.
/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_serverhas been running for the past 45 minutes and seems stuck in
@girish I would say pick and choose what is applicable obviously you would know best it's also worth noting there are CIS benchmarks specifically for Docker Containers which might be a better fit. You could combine the two for better hardening.
Let me know what you think