Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum
Apps | Demo | Docs | Install

Cloudron on Linode CIS Benchmarks for the Base Image

Scheduled Pinned Locked Moved Feature Requests
cissecurity
6 Posts 3 Posters 313 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D Offline
    D Offline
    Dark Shadow
    wrote on last edited by girish
    #1

    Does the Cloudron application base image on Linode harden against CIS benchmarks?

    If not what was the thinking behind not doing so?

    Is there a plan to implement this for added security?

    nebulonN 1 Reply Last reply
    0
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    replied to Dark Shadow on last edited by
    #2

    @dark-shadow currently the Linode image is not checked or hardened against CIS benchmark. Do you have further information on the process to do so?

    1 Reply Last reply
    0
  • D Offline
    D Offline
    Dark Shadow
    wrote on last edited by
    #3

    @nebulon

    Thanks for the reply here is some further info:

    https://ubuntu.com/security/certifications/docs/cis

    https://github.com/alivx/CIS-Ubuntu-20.04-Ansible

    You can download the full report from here:

    https://www.cisecurity.org/benchmark/ubuntu_linux/

    Let me know your thoughts

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #4

    I checked this out quickly following https://ubuntu.com/security/certifications/docs/cis-installation.

    It seems that CIS is available only under Ubuntu Pro subscription (even though that's free for personal use). I was able to register as personal instance and then run the benchmarks. It installs many packages (like postfix etc) and also configures a whole bunch of stuff. On Cloudron, most things run inside docker so many of them simply won't be configured right since it's configuring the host system and not the containers. It also seems to apply some ufw rules which is incompatible with docker firewall. I learnt about this tool called AIDE (https://www.hackerxone.com/2021/09/23/step-by-step-to-install-aide-on-ubuntu-20-04-lts/) which tracks file changes but I this this also needs to upload reports to a trusted server to track changes (not sure).

    Ignoring the subscription aspect, which makes it a no go already since we cannot rely on canonical subscriptions, the best we can do is pick best practices from CIS and apply it to Cloudron's base image.

    D 1 Reply Last reply
    1
  • girishG girish moved this topic from Support on
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #5

    Also, /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server has been running for the past 45 minutes and seems stuck in aide --init .

    1 Reply Last reply
    0
  • D Offline
    D Offline
    Dark Shadow
    replied to girish on last edited by
    #6

    @girish I would say pick and choose what is applicable obviously you would know best it's also worth noting there are CIS benchmarks specifically for Docker Containers which might be a better fit. You could combine the two for better hardening.

    https://www.cisecurity.org/benchmark/docker/

    https://github.com/docker/docker-bench-security

    Let me know what you think

    1 Reply Last reply
    0

  • Login
  • Don't have an account? Register
  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks