Your submission was sent successfully! Close

You have successfully unsubscribed! Close

ROS Security Benchmark open for public comment


on 17 July 2020

This article is more than 2 years old.

We’re pleased to announce that the Center for Internet Security (CIS) has publicly released the ROS Security Benchmark for community discussion. When published, this benchmark will document community best-practice configuration settings to properly secure ROS Melodic running on Ubuntu Bionic. Hopefully this is just the beginning of an ongoing effort to define different security profiles for all ROS LTS distributions. Please join the community and help define the right security settings that both protect and enable ROS!

About CIS

The Center for Internet Security, Inc (CIS ®) is a community-driven nonprofit organization for defining best-practice security guidance. CIS is perhaps most well-known for the CIS Top 20 Controls, a prioritized list of actions to protect against well-known cyber attack vectors. CIS also publishes over 100 benchmarks. These community driven configuration recommendations define baseline safeguards to protect against cyber threats. A community of technology professionals maintain each benchmark and balance security goals against operational needs. The CIS benchmarks have become a de facto response to the question “are you following a best practice security configuration?”

Benchmarks leave plenty of room for local customization. An organization will tailor the benchmark to match their organizational policy. In addition, highly specific settings such as firewall policies are not defined within the benchmark. Instead, the benchmark recommends enabling the feature but defers the actual configuration details to local policy.

The Top 20 Controls and all the benchmarks are freely accessible from the CIS web site.

The ROS benchmark

The first ROS benchmark under consideration covers Melodic running on Ubuntu Server 18.04. As the most active LTS ROS distribution at the moment, Melodic also presents the greatest opportunity to secure existing robots. The current benchmark is built upon the existing Ubuntu benchmark, which in turn is based on the Debian benchmark.

The draft outline of the benchmark is as follows:

  • Installation options
    • Set file system permissions and partitions
    • Enable file system integrity checking
    • Configure service logon warning banners
  • Disable common but unnecessary services
  • Harden the network stack and enable a host-based firewall
  • Enable logging and auditing
    • Define system audit events which should be logged
    • Configure log forwarding and rotation
  • Configure access, authentication and authorization
    • Set policies for user accounts and authentication
    • Configure sshd
    • Restrict the root account
  • Define periodic security maintenance checks
    • System file permissions
    • User and group settings

While the draft benchmark contains well over 200 specific configuration items inherited from the Ubuntu benchmark, few items yet have been customized for ROS. That’s where we need your help!

How to participate

Anyone can join the CIS community and contribute to the ROS (or any other) benchmark. To do this:

  • Register for a CIS workbench account. It may take up to 24 hours to approve your account after you’ve validated your email address.
  • After your account is approved, log in to the workbench. Select “Begin Exploring Communities” and search for “ROS”. Click “Join” next to “CIS Robot Operating System (ROS) Benchmarks.”

Beginning in late July or early August, CIS will invite anyone who has joined the community to a kickoff teleconference.

Call for assistance

Once you’ve joined the ROS workbench community let your voice be heard! Participate in discussions on issues to be considered. Tweak scripts that apply settings. Create tickets when you find a problem with a benchmark setting. Join periodic conference calls to set the direction for the benchmarks and review open issues.

The CIS ROS community is not just for security professionals, it’s intended for all manner of ROS engineers. We need your help to define the industry best security practices!

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Are you building a robot on top of Ubuntu and looking for a partner? Talk to us!

Contact Us

Related posts

Optimise your ROS snap – Part 2

Welcome to Part 2 of the “optimise your ROS snap” blog series. Make sure to check Part 1 before reading this blog post. This second part is going to present...

Optimise your ROS snap – Part 1

Do you want to optimise the performance of your ROS snap? We reduced the size of the installed Gazebo snap by 95%! This is how you can do it for your snap....

Getting started with ROS security scanning

It’s a new year, and an especially great time to reflect on the security of your robots. After all, those interested in breaching it are probably doing the...