We’re pleased to announce that the Center for Internet Security (CIS) has publicly released the ROS Security Benchmark for community discussion. When published, this benchmark will document community best-practice configuration settings to properly secure ROS Melodic running on Ubuntu Bionic. Hopefully this is just the beginning of an ongoing effort to define different security profiles for all ROS LTS distributions. Please join the community and help define the right security settings that both protect and enable ROS!
The Center for Internet Security, Inc (CIS ®) is a community-driven nonprofit organization for defining best-practice security guidance. CIS is perhaps most well-known for the CIS Top 20 Controls, a prioritized list of actions to protect against well-known cyber attack vectors. CIS also publishes over 100 benchmarks. These community driven configuration recommendations define baseline safeguards to protect against cyber threats. A community of technology professionals maintain each benchmark and balance security goals against operational needs. The CIS benchmarks have become a de facto response to the question “are you following a best practice security configuration?”
Benchmarks leave plenty of room for local customization. An organization will tailor the benchmark to match their organizational policy. In addition, highly specific settings such as firewall policies are not defined within the benchmark. Instead, the benchmark recommends enabling the feature but defers the actual configuration details to local policy.
The Top 20 Controls and all the benchmarks are freely accessible from the CIS web site.
The ROS benchmark
The first ROS benchmark under consideration covers Melodic running on Ubuntu Server 18.04. As the most active LTS ROS distribution at the moment, Melodic also presents the greatest opportunity to secure existing robots. The current benchmark is built upon the existing Ubuntu benchmark, which in turn is based on the Debian benchmark.
The draft outline of the benchmark is as follows:
- Installation options
- Set file system permissions and partitions
- Enable file system integrity checking
- Configure service logon warning banners
- Disable common but unnecessary services
- Harden the network stack and enable a host-based firewall
- Enable logging and auditing
- Define system audit events which should be logged
- Configure log forwarding and rotation
- Configure access, authentication and authorization
- Set policies for user accounts and authentication
- Configure sshd
- Restrict the root account
- Define periodic security maintenance checks
- System file permissions
- User and group settings
While the draft benchmark contains well over 200 specific configuration items inherited from the Ubuntu benchmark, few items yet have been customized for ROS. That’s where we need your help!
How to participate
Anyone can join the CIS community and contribute to the ROS (or any other) benchmark. To do this:
- Register for a CIS workbench account. It may take up to 24 hours to approve your account after you’ve validated your email address.
- After your account is approved, log in to the workbench. Select “Begin Exploring Communities” and search for “ROS”. Click “Join” next to “CIS Robot Operating System (ROS) Benchmarks.”
Beginning in late July or early August, CIS will invite anyone who has joined the community to a kickoff teleconference.
Call for assistance
Once you’ve joined the ROS workbench community let your voice be heard! Participate in discussions on issues to be considered. Tweak scripts that apply settings. Create tickets when you find a problem with a benchmark setting. Join periodic conference calls to set the direction for the benchmarks and review open issues.
The CIS ROS community is not just for security professionals, it’s intended for all manner of ROS engineers. We need your help to define the industry best security practices!