Security
Cloud OS includes a comprehensive security system with a scoring engine, CVE scanning, a web application firewall (WAF), and compliance checks. The Security page evaluates your server's security posture on a 0-100 scale and provides actionable recommendations.
Security Score
The security score is calculated from nine weighted categories:
| Category | What It Checks |
|---|---|
| Authentication | Strong passwords, account lockout policies |
| Networking | Firewall rules, exposed ports, VPN configuration |
| Backup | Active backup schedules, off-site targets |
| Updates | Container images and Cloud OS binary up to date |
| Docker | Container isolation, privilege settings, image provenance |
| SSL | TLS certificates valid, HTTPS enforced on all routes |
| Logs | Audit logging enabled, log retention configured |
| Monitoring | Alert rules active, notification channels configured |
| Access Control | RBAC roles assigned, 2FA enabled for all users |
The score gauge on the Security page uses color-coded indicators:
- 80-100 (Green) — good security posture
- 50-79 (Amber) — improvements recommended
- 0-49 (Red) — critical issues need attention
CVE Scanning
Cloud OS uses Trivy to scan Docker container images for known Common Vulnerabilities and Exposures (CVEs).
How Scanning Works
- Trivy runs as a CLI tool invoked by the Cloud OS backend
- Each installed app container image is scanned
- Results are categorized by severity: Critical, High, Medium, Low
- Findings are stored in the database and displayed per app
Scan Results
The vulnerability list on the Security page shows:
| Column | Description |
|---|---|
| CVE ID | The vulnerability identifier (e.g., CVE-2024-1234) |
| App | Which installed app is affected |
| Severity | Critical, High, Medium, or Low |
| Package | The affected package within the container image |
| Fixed Version | The version that resolves the vulnerability (if available) |
Click any CVE to see its full description and remediation steps.
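As an added illustration (not Cloud OS code), the following shows how a Trivy JSON report is flattened into the columns above and summarised per severity. The sample report is constructed, with placeholder CVE IDs and package names; the field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `FixedVersion`, `Severity`) are those Trivy emits with `trivy image -f json`.

```python
import json
from collections import Counter

# Constructed sample in the JSON format Trivy emits with `trivy image -f json`,
# trimmed to the fields read below; IDs, packages and versions are placeholders.
SAMPLE_TRIVY_JSON = """{
  "ArtifactName": "exampleapp:1.0",
  "Results": [
    {"Target": "exampleapp:1.0 (debian 12.1)",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-1234", "PkgName": "libfoo",
        "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.1-1", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
        "InstalledVersion": "2.3.4-5", "Severity": "CRITICAL"}]},
    {"Target": "usr/share/app/package-lock.json",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
        "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "MEDIUM"}]}
  ]
}"""

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

def parse_trivy_report(raw, app):
    """Flatten a Trivy JSON report into rows with the Security page's columns:
    CVE ID, App, Severity, Package, Fixed Version (None when no fix is published)."""
    rows = []
    for result in json.loads(raw).get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets
        for v in result.get("Vulnerabilities") or []:
            rows.append({
                "cve_id": v["VulnerabilityID"],
                "app": app,
                "severity": v.get("Severity", "UNKNOWN").capitalize(),
                "package": v["PkgName"],
                "fixed_version": v.get("FixedVersion") or None,
            })
    # most severe first, as the Security page lists them
    rows.sort(key=lambda r: SEVERITY_ORDER.get(r["severity"].upper(), 4))
    return rows

def severity_counts(rows):
    """Counts per severity, for the per-app summary."""
    return Counter(r["severity"] for r in rows)

def fixable(rows):
    """Findings that can be cleared by updating the container image."""
    return [r for r in rows if r["fixed_version"]]
```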
Automatic and Manual Scans
By default, Cloud OS runs a security scan once per week. You can adjust the schedule in Security > Settings or trigger a manual scan at any time by clicking Scan Now.
Web Application Firewall (WAF)
Cloud OS includes a built-in WAF powered by the Coraza engine with OWASP ModSecurity Core Rule Set (CRS).
What the WAF Protects Against
- SQL injection
- Cross-site scripting (XSS)
- Remote code execution
- Path traversal
- Request smuggling
- Other OWASP Top 10 attack vectors
WAF Configuration
Navigate to Security > WAF to manage the firewall:
- Enable/disable the WAF globally or per app
- Rule mode — detection only (log but do not block) or prevention (block malicious requests)
- Custom rules — add exceptions for known false positives
- View logs — inspect blocked requests and triggered rules
When first enabling the WAF, consider running in detection mode for a few days to identify any false positives before switching to prevention mode.
Compliance Checks
Cloud OS runs automated compliance checks against established security benchmarks.
CIS Docker Benchmark
The CIS Docker Benchmark check evaluates your Docker configuration against the Center for Internet Security guidelines. Results include:
- Host configuration recommendations
- Docker daemon configuration checks
- Container runtime settings
- Image and build file best practices
Compliance Readiness
The Security page includes readiness indicators for:
- HIPAA — health data protection controls
- GDPR — data privacy and protection requirements
- SOC 2 — security, availability, and confidentiality controls
Each indicator shows which requirements are met and which need attention, with links to the relevant settings pages.
Security Recommendations
Below the score gauge, the Security page displays a prioritized list of recommendations. Each recommendation includes:
- A description of the issue
- Why it matters
- A Fix button that either navigates to the relevant settings page or applies the fix automatically with one click
Example recommendations:
- “Enable 2FA for all users” — links to user management
- “Update Nextcloud to latest version” — links to app update page
- “Configure automated backups” — links to backup settings
- “Enable WAF for public-facing apps” — links to WAF configuration
Score History
Cloud OS tracks your security score over time. The score history chart on the Security page shows how your score has changed, making it easy to see the impact of improvements or regressions.
Be careful when configuring firewall rules remotely. Locking yourself out of SSH (port 22) requires physical or console access to recover.
Compliance Reports
Generate comprehensive compliance reports in PDF or HTML format covering all security checks, audit log statistics, and WAF events.
Compliance reports require the compliance_reports license feature (Business+ plan).
Report Contents
Each report includes:
- Executive Summary — overall compliance score and key findings
- Security Scan Results — CVE scan scores and vulnerability details
- Compliance Check Results — pass/fail status for each compliance check
- Audit Log Statistics — event counts, user activity patterns
- WAF Events — blocked requests, rule triggers
- Detailed Findings — per-category breakdown with remediation guidance
Generating a Report
- Navigate to Security > Compliance
- Click Generate Report
- Select the format (PDF or HTML)
- Choose the date range and which checks to include
- Click Generate
The report is generated asynchronously. Once ready, it appears in the reports list for download.
Report API
| Endpoint | Method | Description |
|---|---|---|
| /api/compliance/reports/generate | POST | Generate a report. Body: {format, date_range, checks[]} |
| /api/compliance/reports | GET | List generated reports |
| /api/compliance/reports/{id}/download | GET | Download a report file |
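An added example client (not part of Cloud OS) that walks the three endpoints in order: it validates and builds the generate body, polls the report list because generation is asynchronous, and downloads the file once it is ready. The response shapes (an `id` in the POST reply, a `status` field on list entries with values `pending`, `ready` or `failed`) and the `FakeCloudOS` stand-in used to run it offline are assumptions for illustration, not documented behaviour.

```python
import time

VALID_FORMATS = {"pdf", "html"}

def build_generate_body(fmt, date_range, checks):
    if fmt not in VALID_FORMATS:
        raise ValueError(f"format must be one of {sorted(VALID_FORMATS)}")
    start, end = date_range                     # ISO date strings, e.g. "2024-01-01"
    if start > end:
        raise ValueError("date_range start must not be after end")
    if not checks:
        raise ValueError("select at least one check")
    # body documented for POST /api/compliance/reports/generate
    return {"format": fmt, "date_range": {"start": start, "end": end},
            "checks": sorted(set(checks))}

def generate_report(http, fmt, date_range, checks, max_polls=60, interval=5, sleep=time.sleep):
    """POST a generate request, poll the list until the report is ready, then download it.
    http(method, path, body=None) -> (status_code, payload) is injected so this runs offline.
    Assumed: POST returns {"id": ...}; list entries carry "id" and "status"."""
    _, created = http("POST", "/api/compliance/reports/generate",
                      build_generate_body(fmt, date_range, checks))
    report_id = created["id"]
    for _ in range(max_polls):                  # generation is asynchronous
        entry = next((r for r in http("GET", "/api/compliance/reports")[1]
                      if r["id"] == report_id), None)
        if entry and entry["status"] == "ready":
            return http("GET", f"/api/compliance/reports/{report_id}/download")[1]
        if entry and entry["status"] == "failed":
            raise RuntimeError(f"report {report_id} failed")
        sleep(interval)
    raise TimeoutError(f"report {report_id} not ready after {max_polls} polls")

class FakeCloudOS:
    """Constructed stand-in for the API (not the real server): reports become ready on the 2nd poll."""
    def __init__(self):
        self.reports, self.polls = {}, 0
    def __call__(self, method, path, body=None):
        if method == "POST" and path == "/api/compliance/reports/generate":
            rid = f"rpt-{len(self.reports) + 1}"
            self.reports[rid] = {"id": rid, "status": "pending", "format": body["format"]}
            return 202, {"id": rid}
        if method == "GET" and path == "/api/compliance/reports":
            self.polls += 1
            if self.polls >= 2:                 # simulate asynchronous completion
                self.reports = {k: dict(v, status="ready") for k, v in self.reports.items()}
            return 200, list(self.reports.values())
        if method == "GET" and path.endswith("/download"):
            rid = path.split("/")[-2]
            return 200, f"report {rid} ({self.reports[rid]['format']})".encode()
        raise ValueError(f"unexpected call {method} {path}")
```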
Troubleshooting
Security score is lower than expected
Click the score gauge to see the breakdown by category. Each category shows its current status and how many points it contributes. Fix the categories with the lowest scores first for the biggest improvement.
Trivy scan fails
Check that Docker is running and that the Cloud OS process has permissions to inspect container images. Trivy requires network access for its first run to download the vulnerability database:
```shell
docker run --rm aquasec/trivy image --download-db-only
```
WAF is blocking legitimate requests
Check the WAF logs under Security > WAF > Logs to identify the triggered rule. You can add a custom exception for that rule or switch the WAF to detection mode while you investigate.
Recommendations do not clear after fixing
After applying a fix, the recommendation may take up to 5 minutes to update. You can trigger a manual re-evaluation by clicking Rescan on the Security page.