Support for Ubuntu 24.04 Noble

Open rossigee opened this issue 1 year ago • 1 comments

Description of problem:

Trying to understand why the 'ssg-debderived' package contains configurations up to 22.04, but not for 24.04 (a.k.a. Noble), even though it's been out for six months or so now.

Does nobody harden their Noble servers?!

SCAP Security Guide Version:

N/A

Operating System Version:

Ubuntu 24.04

Steps to Reproduce:

  1. Install ssg-debderived package on Ubuntu 24.04.
  2. Try to find appropriate SSG to scan the machine. Find only versions for 22.04.
  3. Try fruitlessly to run 22.04 versions on 24.04.
  4. Scratch head. Wonder why there are no 24.04 configurations to be found anywhere, even on Google.

Actual Results:

Unable to scan machine.

Expected Results:

Something like this should just work...

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --fetch-remote-resources --results before-hardening-results.xml --results-arf before-hardening-arf-results.xml --report before-hardening-report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-xccdf.xml

Additional Information/Debugging Steps:

N/A

rossigee Oct 12 '24 06:10

The first benchmark for 24.04 was CIS, which only came late in August, and so far no one contributed it. Also, if you are installing ssg-debderived through apt, it wouldn't include a profile for 24.04, as the development cycle of a release does not match the benchmarks' timeline anyway.

DISA STIG for 24.04 will probably only come late next year.

dodys Oct 18 '24 08:10

Given that 24.04 is more-or-less just an updated 22.04, I would expect 90% of the rules to 'just work'. I was hoping I could at least run the 22.04 rules against my 24.04 install to provide at least a certain level of coverage.

> so far no one contributed it

How would one contribute it? Are there hoops to jump through, or is it really just a case of taking the 22.04 rules, replacing '22' with '24' and starting with that?

rossigee Nov 09 '24 01:11

> How would one contribute it? Are there hoops to jump through, or is it really just a case of taking the 22.04 rules, replacing '22' with '24' and starting with that?

Just doing that creates more noise than it helps. The right way is to evaluate the benchmarks, make a comparison and from there start building the 2404 profile. @mpurg already started it; the profile should be ready in a few months, depending on testing results.

dodys Nov 11 '24 08:11

@dodys Can we close this now because we have the Ubuntu 24.04 product?

jan-cerny Feb 20 '25 13:02

I would wait until we move the profile from draft; there are a few things we are still handling/fixing.

dodys Feb 20 '25 16:02

We are now considering the noble profile ready. Note that it will only land in version 0.1.77. Let us know in case of issues.

dodys Feb 21 '25 16:02
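
A pre-flight check for the situation described in this thread (content for 22.04 installed, none for 24.04), added here as an example and not code from the thread or the project. The helper name `find_ssg_content` and the `-ds.xml` file name variant are assumptions; the `-xccdf.xml` name and the content directory follow the command in the issue.

```bash
#!/bin/sh
# Pick the SSG content file that matches the host's release, and refuse to
# fall back to content written for a different release.
# Hypothetical helper: find_ssg_content <os-release file> <content dir>
# Prints the matching file and returns 0; returns 1 if the release has no
# content installed, 2 if the release cannot be determined.
find_ssg_content() {
    local os_release="$1" content_dir="$2"
    local id version product candidate

    # Parse instead of sourcing, so the file is never executed as shell.
    # "^ID=" does not match ID_LIKE=; quotes and the dot are stripped (24.04 -> 2404).
    id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
    version=$(sed -n 's/^VERSION_ID=//p' "$os_release" | tr -d '".')
    if [ -z "$id" ] || [ -z "$version" ]; then
        echo "cannot determine release from $os_release" >&2
        return 2
    fi

    product="ssg-${id}${version}"
    # Assumed naming: prefer a data stream file, then a plain XCCDF file.
    for candidate in "$content_dir/$product-ds.xml" "$content_dir/$product-xccdf.xml"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no $product content in $content_dir" >&2
    return 1
}

# Constructed demo: a 24.04 host whose content directory stops at 22.04.
demo_dir=$(mktemp -d)
printf 'ID=ubuntu\nVERSION_ID="24.04"\n' > "$demo_dir/os-release"
touch "$demo_dir/ssg-ubuntu2204-ds.xml"
find_ssg_content "$demo_dir/os-release" "$demo_dir" || echo "scan skipped: no matching content"
rm -rf "$demo_dir"

# On a real host (paths as in the issue):
#   content=$(find_ssg_content /etc/os-release /usr/share/xml/scap/ssg/content) &&
#   oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
#       --results results.xml --report report.html "$content"
```

Failing closed here keeps a scan from reporting results against a benchmark written for a different release.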