cis level1 workstation hardening profile breaks firefox

Bug #2073795 reported by Jaimes Joschko
Affects: Ubuntu Security Guide | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Hi USG team,

When hardening a fresh install of Ubuntu 22.04 desktop (ubuntu-22.04.4-desktop-amd64.iso)
using cis_level1_workstation, firefox fails with the following error:

```
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Please make sure that the snapd.apparmor service is enabled and started.
```

# Steps to reproduce:

1. Attach to Pro
```
sudo pro attach <TOKEN>
```
2. Enable the USG service
```
sudo pro enable usg
```
3. Install the USG packages
```
sudo apt install usg
```
4. Harden the desktop
```
sudo usg fix cis_level1_workstation
```
5. Reboot
```
sudo reboot
```
6. Run firefox
```
firefox
```
Get the error:
```
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Please make sure that the snapd.apparmor service is enabled and started.
```

# Workaround

```
sudo aa-enforce /etc/apparmor.d/usr.lib.snapd.snap-confine.real
```

Please let me know if there's anything else I can facilitate.

Thanks for your time and consideration

Eduardo Barretto (ebarretto) wrote (last edit ):

Hi Jaimes,

CIS Level1 Server/Workstation requires users to run all apparmor profiles in "complain" or "enforced" mode, while CIS Level2 Server/Workstation requires users to run all apparmor profiles in "enforced" mode.

By default on USG we set all apparmor profiles to "complain" in CIS Level1 Server/Workstation.
Can this cause problems? Yes, but unfortunately there's no way of knowing which mode (complain or enforce) will cause less or more issues as we wouldn't know what profiles people are using, and also because CIS Benchmark doesn't really cover snaps.

The good thing is that you are able to change that through tailoring files and adjusting the value of var_apparmor_mode to "enforce" and that should solve your case.

Therefore I'm closing this bug as "Won't Fix". Scratch that, I cannot set the bug to "Won't Fix", so I set it to "Invalid".

Changed in usg:
status: New → Incomplete
status: Incomplete → New
status: New → Invalid
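As an added example (not part of this report, nor USG's own code), a small POSIX shell audit that parses the kernel's AppArmor profile listing to show which profiles a Level 1 run left in "complain" mode and whether snap-confine is enforced, which is the condition snapd checks before launching any snap. The entries in SAMPLE_PROFILES are constructed, and the profile name /usr/lib/snapd/snap-confine for snap-confine is an assumption.

```shell
#!/bin/sh
# Constructed sample of /sys/kernel/security/apparmor/profiles, as it
# might look after var_apparmor_mode was left at "complain" (not real output).
SAMPLE_PROFILES='/usr/lib/snapd/snap-confine (complain)
/usr/bin/man (complain)
snap.firefox.firefox (enforce)
snap-update-ns.firefox (enforce)'

# profile_mode NAME: read a profile listing on stdin and print the mode
# ("enforce", "complain", ...) of profile NAME, or "missing" if not loaded.
profile_mode() {
    awk -v name="$1" '
        $1 == name { m = $NF; gsub(/[()]/, "", m); print m; found = 1; exit }
        END { if (!found) print "missing" }'
}

# complain_profiles: read a listing on stdin, print the names of all
# profiles still in complain mode, one per line, sorted.
complain_profiles() {
    awk '$NF == "(complain)" { print $1 }' | sort
}

# snap_confine_enforced: return 0 if snap-confine is in enforce mode, else 1.
# The profile name /usr/lib/snapd/snap-confine is assumed here.
snap_confine_enforced() {
    [ "$(profile_mode /usr/lib/snapd/snap-confine)" = enforce ]
}

# Stand-alone run: audit the live listing when readable (needs root),
# otherwise fall back to the constructed sample above.
main() {
    listing=/sys/kernel/security/apparmor/profiles
    if [ -r "$listing" ]; then data=$(cat "$listing"); else data=$SAMPLE_PROFILES; fi
    echo "profiles left in complain mode:"
    printf '%s\n' "$data" | complain_profiles
    if printf '%s\n' "$data" | snap_confine_enforced; then
        echo "snap-confine: enforce (snaps can start)"
    else
        echo "snap-confine: not enforced; snaps will refuse to start."
        echo "workaround from this report: sudo aa-enforce /etc/apparmor.d/usr.lib.snapd.snap-confine.real"
    fi
}

main
```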