ROS Security Benchmark open for public comment

sidfaber

on 17 July 2020

This article is more than 4 years old.


We’re pleased to announce that the Center for Internet Security (CIS) has publicly released the ROS Security Benchmark for community discussion. When published, this benchmark will document community best-practice configuration settings to properly secure ROS Melodic running on Ubuntu Bionic. Hopefully this is just the beginning of an ongoing effort to define different security profiles for all ROS LTS distributions. Please join the community and help define the right security settings that both protect and enable ROS!

About CIS

The Center for Internet Security, Inc (CIS ®) is a community-driven nonprofit organization for defining best-practice security guidance. CIS is perhaps most well-known for the CIS Top 20 Controls, a prioritized list of actions to protect against well-known cyber attack vectors. CIS also publishes over 100 benchmarks. These community driven configuration recommendations define baseline safeguards to protect against cyber threats. A community of technology professionals maintain each benchmark and balance security goals against operational needs. The CIS benchmarks have become a de facto response to the question “are you following a best practice security configuration?”

Benchmarks leave plenty of room for local customization. An organization will tailor the benchmark to match their organizational policy. In addition, highly specific settings such as firewall policies are not defined within the benchmark. Instead, the benchmark recommends enabling the feature but defers the actual configuration details to local policy.

The Top 20 Controls and all the benchmarks are freely accessible from the CIS web site.

The ROS benchmark

The first ROS benchmark under consideration covers Melodic running on Ubuntu Server 18.04. As the most active LTS ROS distribution at the moment, Melodic also presents the greatest opportunity to secure existing robots. The current benchmark is built upon the existing Ubuntu benchmark, which in turn is based on the Debian benchmark.

The draft outline of the benchmark is as follows:

  • Installation options
    • Set file system permissions and partitions
    • Enable file system integrity checking
    • Configure service logon warning banners
  • Disable common but unnecessary services
  • Harden the network stack and enable a host-based firewall
  • Enable logging and auditing
    • Define system audit events which should be logged
    • Configure log forwarding and rotation
  • Configure access, authentication and authorization
    • Set policies for user accounts and authentication
    • Configure sshd
    • Restrict the root account
  • Define periodic security maintenance checks
    • System file permissions
    • User and group settings

While the draft benchmark contains well over 200 specific configuration items inherited from the Ubuntu benchmark, few items yet have been customized for ROS. That’s where we need your help!

How to participate

Anyone can join the CIS community and contribute to the ROS (or any other) benchmark. To do this:

  • Register for a CIS workbench account. It may take up to 24 hours to approve your account after you’ve validated your email address.
  • After your account is approved, log in to the workbench. Select “Begin Exploring Communities” and search for “ROS”. Click “Join” next to “CIS Robot Operating System (ROS) Benchmarks.”

Beginning in late July or early August, CIS will invite anyone who has joined the community to a kickoff teleconference.

Call for assistance

Once you’ve joined the ROS workbench community let your voice be heard! Participate in discussions on issues to be considered. Tweak scripts that apply settings. Create tickets when you find a problem with a benchmark setting. Join periodic conference calls to set the direction for the benchmarks and review open issues.

The CIS ROS community is not just for security professionals, it’s intended for all manner of ROS engineers. We need your help to define the industry best security practices!

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Are you building a robot on top of Ubuntu and looking for a partner? Talk to us!

Contact Us

Related posts

Deploying scalable AI and real-time robots at ROSCon 24

Another year, another ROSCon! This year we’re setting off to Odense, Denmark. At Canonical, we are excited to once again sponsor this event for a community...

TurtleBot3 OpenCR firmware update from a snap

The TurtleBot3 robot is a standard platform robot in the ROS community, and it’s a reference that Canonical knows well, since we’ve used it in our tutorials....

Discover the future of Autonomous Mobile Robots (AMR) with Canonical and Husarion at ROSCon 2023

At a time when Autonomous Mobile Robots (AMR) keep rapidly reshaping industries like logistics and manufacturing, we’re thrilled to introduce you to our...