Container env detection

Bug #2037435 reported by Bartosz Woronicz
Affects                Status   Importance  Assigned to  Milestone
Ubuntu Security Guide  Opinion  Undecided   Unassigned

Bug Description

Seems like the containerenv detection is not reliable on LXD containers.

Not sure how to find it for audit, but the remediation script for the fix looks for the two following files:
None of them is to be found on an LXD container by default.

Yet, I found a strange behaviour: if I create /run/.containerenv, it is removed while running usg fix.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
...
fi

Then I got the rule failing on the LXD container like this:

Rule ID xccdf_org.ssgproject.content_rule_grub2_enable_apparmor
Result fail
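As an added example (not code from the bug report or from ComplianceAsCode), here is a shell helper that extends the two-file applicability check so it also recognises LXD guests, using the /dev/lxd/sock guest API socket and the container=lxc variable in PID 1's environment. The function names and the root-prefix argument are my own so the logic can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the bug or of ComplianceAsCode.
# Prints which container runtime was detected, or "none".
# ROOT is an optional prefix (defaults to "/") so a constructed
# fixture tree can stand in for the real filesystem.
#
# Markers (from public runtime documentation, not from this bug page):
#   /.dockerenv          Docker
#   /run/.containerenv   Podman and other OCI runtimes that create it
#   /dev/lxd/sock        LXD guest API socket
#   container=lxc        in PID 1's environment for LXC/LXD guests
detect_container_env() {
    root="${1:-}"
    if [ -f "$root/.dockerenv" ]; then
        echo docker; return 0
    fi
    if [ -f "$root/run/.containerenv" ]; then
        echo podman; return 0
    fi
    # A real LXD guest exposes a unix socket here; -e (rather than -S)
    # also accepts the plain file a constructed fixture uses in its place.
    if [ -e "$root/dev/lxd/sock" ]; then
        echo lxd; return 0
    fi
    # PID 1's environment is NUL separated; reading it needs root on a
    # real system, so this path is a fallback rather than the first check.
    if [ -r "$root/proc/1/environ" ] &&
       tr '\0' '\n' < "$root/proc/1/environ" | grep -q '^container=lxc$'; then
        echo lxd; return 0
    fi
    echo none; return 0
}

# Applicability gate in the spirit of the remediation snippet above:
# succeed (exit 0) only when no container runtime was detected, so a
# GRUB-related fix is skipped inside Docker, Podman and LXD alike.
remediation_applicable() {
    [ "$(detect_container_env "${1:-}")" = none ]
}

# Stand-alone usage against the live system:
# detect_container_env; remediation_applicable && echo "host: remediate"
```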

Eduardo Barretto (ebarretto) wrote :

There is currently no support for LXD, nor any requests for it.

Eduardo Barretto (ebarretto) wrote :

Also, that's not part of USG but rather Compliance as Code, which we use to build the benchmarks, so it doesn't really fit USG.

Bartosz Woronicz (mastier1) wrote :

We use LXD in most of our cloud products actually: Charmed OpenStack, Charmed Kubernetes. It should be handled.

"Compliance as Code" - could you please link me to this? So far I understand this is an upstream project. Yet our benchmark for Ubuntu should take this into account, especially the technologies that are a crucial part of the product.

Eduardo Barretto (ebarretto) wrote :

https://github.com/ComplianceAsCode/content

If you want that kind of support, this will need to be included in a Roadmap; I suggest that you talk to Henry Coggill.

Changed in usg:
status: New → Opinion
Eduardo Barretto (ebarretto) wrote :

Also, do note that most of the benchmarks are for servers or desktops, not for virtual environments.
For those there are some specific benchmarks, which is not the case for Ubuntu's benchmark. The checks you see are mostly for testing purposes in CI/CD in Compliance As Code.

Miona Aleksic (mionaalex) wrote :

Chipping in from the LXD product side - we have actually requested previously (last year ahead of 22.10 if I remember correctly) hardening benchmarks to be developed for LXD as well as being able to add that to USG, but there was no bandwidth for this. Since then it has been on the maybe list, again due to team capacity. I'll reach out to Henry to revisit this.
