Comments (6)

maximbaele commented on July 2, 2024

My suggestion is to add an explicit recommendation, perhaps L2/L3 only.

3.2.x Verify that an appropriate SCAP benchmark has been used for the operating system and that any exceptions to the benchmark rules are documented.

If you agree, the "control objective" could be expanded too, to make more explicit mention of benchmarks.
A suggestion:

The bootloader is the first piece of code to run during the device's boot process. The firmware vendor is responsible for configuring it correctly; otherwise its vulnerabilities can undermine the security of the entire device, leading to compromise and device hijacking. Controls in this chapter ensure boot trustworthiness by verifying cryptographic signatures on the loaded code, not allowing images to be loaded from external locations, and disallowing memory, shell, and other debug access during boot.
The operating system, and its kernel in particular, are central for device security, as they run in privileged mode and implement critical device functionality, including many security primitives. This necessitates best security practices for operating system and kernel configuration and hardening.
The Linux operating system is one of the most popular in IoT. It has many features from first-line security to defense-in-depth, including the isolation mechanisms supported by namespaces and cgroups, and additional kernel security modules for access controls.
To ensure an operating system is configured according to industry best practices and makes use of all available security configurations, "SCAP" benchmarks can be used during development and deployment. These benchmarks provide an automated way of verifying secure configuration of operating systems and applications.

from iot-security-verification-standard-isvs.
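The comment above describes SCAP benchmarks as an automated way to verify OS configuration and asks that exceptions to benchmark rules be documented. As an added illustration (not ISVS project code, and not a real benchmark run), the script below reads a constructed XCCDF 1.2 TestResult, lists the failing rules, and separates the ones covered by a documented exception register from the ones nobody has justified. The rule ids, the exception register and the XML are all constructed sample data.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample TestResult (not output of a real benchmark run).
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_sshd_no_root_login">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_serial_console_disabled">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_usb_storage_disabled">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_selinux_enforcing">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

# Constructed exception register: rule id -> documented justification.
EXCEPTIONS = {
    "xccdf_example_rule_serial_console_disabled":
        "Serial console needed for factory provisioning; disabled afterwards.",
}

def parse_rule_results(xml_text):
    """Map each rule id in the first TestResult to its XCCDF result string."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    return {
        rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=ns)
        for rr in root.findall(".//x:TestResult/x:rule-result", ns)
    }

def audit(results, exceptions):
    """Split non-passing rules into documented exceptions and undocumented gaps.
    A failure is only acceptable if the register carries a justification for it."""
    failed = [rid for rid, res in results.items() if res in ("fail", "error", "unknown")]
    documented = {rid: exceptions[rid] for rid in failed if rid in exceptions}
    undocumented = [rid for rid in failed if rid not in exceptions]
    return documented, undocumented

if __name__ == "__main__":
    doc, undoc = audit(parse_rule_results(SAMPLE_RESULTS), EXCEPTIONS)
    print(f"documented exceptions: {sorted(doc)}\nundocumented failures: {undoc}")
```

Rules reported as notapplicable or pass are not flagged; only fail, error and unknown outcomes need a documented justification.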

scriptingxss commented on July 2, 2024

SCAP is certainly used for server-side OSes but not for embedded (Linux, RTOS, or Windows) AFAIK. I agree that the mention of OS benchmarks to industry standards is not explicit, although we do not want to limit users who use unconventional platforms where vendors supply their own security best practices. This is usually the case for RTOS and Windows, but Linux-based OSes typically use Yocto to build a custom distro or leverage build systems like OpenWrt, which have their own config options. Unfortunately there is not an industry standard or benchmark for embedded OSes (please correct me) outside of following CIS' (DISA, etc.) general recommendations. The key is for manufacturers to be aware of such benchmarks, apply the security best practices, and ensure they are secure defaults according to their OS platform.


maximbaele commented on July 2, 2024

Point taken. There is indeed decent off-the-shelf availability of benchmarks for common full-size operating systems, much less so for embedded operating systems, where one needs to fall back to e.g. CIS's "Distribution Independent Linux Benchmark" and build from there.
In my (limited) experience the tooling for benchmarking is often available in the build system repositories, but some DIY is needed to end up with meaningful benchmarks.

I admit, I might have written this comment with our own company in mind and not enough with the rest of the world, apologies.

Please disregard the control I suggested, but perhaps we can find a better wording in the introduction or in #3.2.1 to highlight the fact that this is an option in some cases, and add the suggested link at the bottom?

FYI - regarding benchmarks for RTOS, Wind River Linux does have SCAP benchmarks available and is widely used in gov/def applications. I am not familiar with others.


scriptingxss commented on July 2, 2024

Agreed, toolchain and build systems are the areas that require hardening with DIY type benchmarks falling back to general Linux.

We should consider updating our control objectives to detail the use of benchmarks (e.g. CIS & SCAP) for server-side components in an IoT ecosystem as part of chapter 1, although I'm not sure we want to include infrastructure controls as part of the standard. We will definitely add the SCAP reference link.

How about something like the following:

Verify that the embedded operating system is configured according to the latest industry best practices, CIS or SCAP benchmarks (if applicable), and uses secure defaults.

Thanks for the info on Wind River Linux SCAP. Looks pretty cool.


maximbaele commented on July 2, 2024

That looks good to me, thank you.

How do we proceed from here: do I close the ticket, do I make a pull request, or do you?


scriptingxss commented on July 2, 2024

I've added it. Thank you! 🙏
