Public bug reported:
Package usg (Ubuntu Security Guide)
Ubuntu Security Guide (USG) fails CIS Benchmark rule 6.1.11 (“Ensure no
files have no group”) on a default Ubuntu (Server) 24.04 LTS
installation because it does not exclude read-only SquashFS-mounted Snap
packages from the check.
By default, Snap packages are mounted as read-only SquashFS images under
/snap/<name>/<rev>, and their contents cannot be modified on the host.
Because the SquashFS images are read-only, administrators cannot change
file ownership inside them, leading USG to report an unfixable “nogroup”
finding.
Steps to reproduce:
Install Ubuntu (Server) 24.04 LTS (with snapd and core22 present by
default)
Attach Ubuntu Pro (if it was not attached during system installation) and enable USG:
sudo apt update
sudo apt install ubuntu-advantage-tools
sudo pro attach <your-token>
sudo apt update && sudo apt upgrade
sudo pro enable usg
sudo apt install usg
Run the CIS fix and audit:
sudo usg fix cis_level1_server
sudo usg audit cis_level1_server
Observe a failure for rule 6.1.11 and check -nogroup:
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
find /snap/core22/* -xdev -nogroup 2>/dev/null
Expected behavior
USG should exclude read-only SquashFS mounts (e.g., /snap/*) from the
“nogroup” check, or ship with a default tailoring file that disables
rule 6.1.11 for Snap-mounted paths.
Actual behavior
USG flags files inside SquashFS-mounted snaps and reports CIS 6.1.11 as FAIL,
despite these files being root-owned, read-only, and confined by Snap.
** Affects: ubuntu
Importance: Undecided
Status: New
** Tags: cis snap usg
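As an added illustration of the expected behaviour described above (this is not code from the bug report or from the usg package), the following POSIX shell script applies the exclusion the report asks for: it reads the mount table in the format printed by findmnt -rn -o TARGET,FSTYPE,OPTIONS, drops pseudo filesystems (the nodev types listed in /proc/filesystems, as the benchmark's own command does) and read-only squashfs mounts, and runs find -xdev -nogroup on what remains. The function names scan_targets and audit_nogroup are my own, and the sample mount lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the usg package.
# A CIS 6.1.11-style "no group-less files" audit that skips read-only
# SquashFS mounts (Snap images under /snap/<name>/<rev>), whose ownership
# an administrator cannot change.

# scan_targets: read "TARGET FSTYPE OPTIONS" lines (the format of
#   findmnt -rn -o TARGET,FSTYPE,OPTIONS
# ) on stdin and print the mount points worth scanning.
# $1 is a comma-separated list of pseudo filesystem types to skip, e.g. the
# nodev entries of /proc/filesystems. Read-only squashfs mounts are skipped too.
# Constructed input line that is dropped:   /snap/core22/1380 squashfs ro,nodev,relatime
# Constructed input line that is kept:      /boot/efi vfat rw,relatime
scan_targets() {
    awk -v nodev="$1" '
        BEGIN { n = split(nodev, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # read-only squashfs: chgrp inside the image is impossible, so a
        # finding here cannot be remediated and is noise for this rule
        $2 == "squashfs" && ("," $3 ",") ~ /,ro,/ { next }
        $2 in skip { next }
        { print $1 }'
}

# audit_nogroup: run the check on the live system. Prints every group-less
# file found; returns 0 when none is found (PASS) and 1 otherwise (FAIL).
# findmnt -r escapes blanks in paths as \x20; Snap mount points contain none.
audit_nogroup() {
    nodev=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
    if findmnt -rn -o TARGET,FSTYPE,OPTIONS | scan_targets "$nodev" |
        while read -r target; do
            find "$target" -xdev -nogroup -print 2>/dev/null
        done | grep .
    then
        return 1
    fi
    return 0
}

# Only touch the live mount table when explicitly asked to:  sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_nogroup
fi
```

The filter keys on the mount's own fstype and the ro option rather than on the /snap path prefix, so a squashfs image an administrator mounts read-write elsewhere is still scanned, while Snap revisions mounted under any other base directory are still excluded.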
https://bugs.launchpad.net/bugs/2109334
Title:
USG CIS 6.1.11 false positive due to read-only Snap SquashFS mounts on
Ubuntu 24.04