Cloudron on Linode CIS Benchmarks for the Base Image

      Dark Shadow
      wrote on last edited by girish
      #1

      Does the Cloudron application base image on Linode harden against CIS benchmarks?

      If not, what was the thinking behind not doing so?

      Is there a plan to implement this for added security?

        nebulon
        Staff
        wrote on last edited by
        #2

        @dark-shadow Currently, the Linode image is not checked or hardened against the CIS benchmark. Do you have further information on the process to do so?

          Dark Shadow
          wrote on last edited by
          #3

          @nebulon

          Thanks for the reply. Here is some further info:

          https://ubuntu.com/security/certifications/docs/cis

          https://github.com/alivx/CIS-Ubuntu-20.04-Ansible

          You can download the full report from here:

          https://www.cisecurity.org/benchmark/ubuntu_linux/

          Let me know your thoughts

            girish
            Staff
            wrote on last edited by
            #4

            I checked this out quickly following https://ubuntu.com/security/certifications/docs/cis-installation.

            It seems that CIS is available only under an Ubuntu Pro subscription (even though that's free for personal use). I was able to register as a personal instance and then run the benchmarks. It installs many packages (like postfix etc.) and also configures a whole bunch of stuff. On Cloudron, most things run inside Docker, so many of them simply won't be configured right since it's configuring the host system and not the containers. It also seems to apply some ufw rules which are incompatible with the Docker firewall. I learnt about this tool called AIDE (https://www.hackerxone.com/2021/09/23/step-by-step-to-install-aide-on-ubuntu-20-04-lts/) which tracks file changes, but I think this also needs to upload reports to a trusted server to track changes (not sure).

            Ignoring the subscription aspect, which makes it a no-go already since we cannot rely on Canonical subscriptions, the best we can do is pick best practices from CIS and apply them to Cloudron's base image.

            • girishG girish moved this topic from Support on
              girish
              Staff
              wrote on last edited by
              #5

              Also, /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server has been running for the past 45 minutes and seems stuck in aide --init.

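For readers unfamiliar with the tool named in the two posts above: a file-integrity checker such as AIDE records a baseline of file hashes and metadata, then later compares the filesystem against it. The Python below is an added example, not part of the thread and not AIDE's code or database format; the function names, the constructed sample tree and the HMAC seal (with a key assumed to be held off the host) are assumptions made for illustration.

```python
import hashlib, hmac, json, os, stat, tempfile

def snapshot(root):
    """Walk root and record sha256, permission bits and size of each regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = [digest, stat.S_IMODE(st.st_mode), st.st_size]
    return db

def seal(db, key):
    """HMAC over the canonical JSON form of a baseline."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def compare(baseline, current):
    """Return added, removed and changed paths between two snapshots."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in common if baseline[p] != current[p])}

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample tree: baseline it, introduce drift, report it."""
    key = b"constructed-demo-key"  # assumption: kept on a separate machine
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        _write(cfg, "PermitRootLogin no\n")
        _write(os.path.join(root, "etc", "motd"), "hello\n")
        baseline = snapshot(root)
        tag = seal(baseline, key)
        # Simulated drift: an edited config, a deleted file, a new file.
        _write(cfg, "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "motd"))
        _write(os.path.join(root, "etc", "new.conf"), "x\n")
        report = compare(baseline, snapshot(root))
        # A baseline rewritten to hide the edit no longer matches the seal.
        forged = {**baseline, "etc/ssh/sshd_config": snapshot(root)["etc/ssh/sshd_config"]}
        return report, tag == seal(baseline, key), tag == seal(forged, key)
```

Every file under the root is read and hashed, so the initial baseline takes time proportional to the amount of data walked. The comparison is only as trustworthy as the stored baseline, which is why the seal key is assumed to live off the host.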
                Dark Shadow
                wrote on last edited by
                #6

                @girish I would say pick and choose what is applicable; obviously you would know best. It's also worth noting there are CIS benchmarks specifically for Docker containers, which might be a better fit. You could combine the two for better hardening.

                https://www.cisecurity.org/benchmark/docker/

                https://github.com/docker/docker-bench-security

                Let me know what you think
