    Cloudron on Linode CIS Benchmarks for the Base Image

    Feature Requests
Dark Shadow (last edited by girish):

      Does the Cloudron application base image on Linode harden against CIS benchmarks?

      If not what was the thinking behind not doing so?

      Is there a plan to implement this for added security?

nebulon (Staff, replying to Dark Shadow):

@dark-shadow Currently the Linode image is not checked or hardened against the CIS benchmark. Do you have further information on the process to do so?

Dark Shadow:

@nebulon Thanks for the reply; here is some further info:

          https://ubuntu.com/security/certifications/docs/cis

          https://github.com/alivx/CIS-Ubuntu-20.04-Ansible

          You can download the full report from here:

          https://www.cisecurity.org/benchmark/ubuntu_linux/

          Let me know your thoughts

girish (Staff):

            I checked this out quickly following https://ubuntu.com/security/certifications/docs/cis-installation.

It seems that CIS is available only under an Ubuntu Pro subscription (even though that's free for personal use). I was able to register as a personal instance and then run the benchmarks. It installs many packages (like postfix etc.) and also configures a whole bunch of stuff. On Cloudron, most things run inside Docker, so many of them simply won't be configured right, since it's configuring the host system and not the containers. It also seems to apply some ufw rules, which are incompatible with the Docker firewall. I learnt about this tool called AIDE (https://www.hackerxone.com/2021/09/23/step-by-step-to-install-aide-on-ubuntu-20-04-lts/), which tracks file changes, but I think this also needs to upload reports to a trusted server to track changes (not sure).

Ignoring the subscription aspect, which makes it a no-go already since we cannot rely on Canonical subscriptions, the best we can do is pick best practices from CIS and apply them to Cloudron's base image.

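girish's conclusion above is to cherry-pick CIS controls instead of running Canonical's hardening script, which pulls in packages and ufw rules that clash with Docker. As an added example (not the forum's or Cloudron's code), here is a read-only audit of a handful of CIS-style sshd_config settings: it parses the file, honours sshd's first-occurrence rule for duplicated keywords, stops at the first Match block, and changes nothing on the host. The keyword/value pairs are my reading of the benchmark's SSH section and the sample config is constructed; verify the pairs against the CIS PDF linked above.

```shell
#!/bin/sh
# Read-only audit of a few CIS-style sshd_config settings (added example, not Cloudron's code).
# It only parses the file: no packages installed, no ufw rules, nothing written to the host.

write_sample_config() {   # $1 = path; writes a constructed sample, not a real host's file
  cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
# sshd honours the first occurrence of a keyword; this duplicate is ignored
PermitRootLogin no
PermitUserEnvironment no
X11Forwarding yes
MaxAuthTries = 4
Match User deploy
    X11Forwarding no
EOF
}

sshd_effective() {        # $1 = config path, $2 = keyword; prints the global value, or nothing
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/^[ \t]+/, "") }                           # drop leading indentation
    /^#/ || /^$/ { next }                            # skip comments and blank lines
    { split($0, f, /[ \t=]+/); k = tolower(f[1]) }   # "Key value" or "Key = value"
    k == "match" { exit }                            # global section ends at the first Match block
    k == key { print f[2]; exit }                    # first occurrence wins, as sshd does
  ' "$1"
}

audit_sshd() {            # $1 = config path; prints one line per check, returns the failure count
  failures=0
  # keyword:value pairs from the CIS SSH section as I read it (assumption: check the benchmark PDF)
  for pair in PermitRootLogin:no PermitUserEnvironment:no X11Forwarding:no MaxAuthTries:4 PermitEmptyPasswords:no; do
    key=${pair%%:*}; want=${pair##*:}
    got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
    if [ -z "$got" ]; then
      printf 'UNSET %-22s sshd default applies; confirm with sshd -T\n' "$key"
    elif [ "$got" = "$want" ]; then
      printf 'PASS  %-22s %s\n' "$key" "$got"
    else
      printf 'FAIL  %-22s got %s, want %s\n' "$key" "$got" "$want"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

if [ "${1:-}" = "--demo" ]; then   # run as: sh audit.sh --demo
  tmp=$(mktemp); write_sample_config "$tmp"; audit_sshd "$tmp"; echo "failures: $?"; rm -f "$tmp"
fi
```

Point `audit_sshd` at /etc/ssh/sshd_config on a real host; UNSET rows are the ones where the file is silent and only `sshd -T` shows the effective value.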
girish (Staff):

Also, /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server has been running for the past 45 minutes and seems stuck in aide --init.

Dark Shadow (replying to girish):

@girish I would say pick and choose what is applicable; obviously you would know best. It's also worth noting there are CIS benchmarks specifically for Docker containers, which might be a better fit. You could combine the two for better hardening.

                https://www.cisecurity.org/benchmark/docker/

                https://github.com/docker/docker-bench-security

                Let me know what you think
