# Device Hardening

Hardening is the process of reducing the attack surface of your Edge device operating system: identifying potential points of vulnerability and locking them down to protect the device against attacks. To connect to the internet and use the ABB Ability™ Platform, the Edge has several user accounts, and BL users must ensure that privacy and protection settings are comprehensive enough to withstand attacks. Various parameters and configurations can be adjusted to keep the device protected, including password policies, opening and closing of ports, and user group policies. The ABB Ability™ platform also provides robust security features that are managed by the ABB Ability™ team; those are not covered here. Understanding the adjustable configurations and parameters that keep your ABB Ability™ device protected helps you make full use of ABB Ability™ security services.

# User Accounts in the Edge Gateway

The BL is responsible for the Administrator account in the Edge. All the user accounts in the Edge should be documented per MCSR requirements.

| User Account Name | Login | Description | Responsible |
|---|---|---|---|
| Administrator | Yes | Login account with root privileges for Edge management, e.g. configuring the Edge with ABB Ability™ parameters such as the ACR and the Ability PKI enrollment code for certificate enrollment. The name of this account can be customized if "Administrator" does not meet the use case needs. | BL |
| ability-system | Disabled login and non-root | User account under which the Edge proxy container and device provision service run without root privileges | ABB Ability™ |
| ability-module | Disabled login and non-root | User account under which the BL module containers should run | ABB Ability™ |
| tss | Disabled login | User account under which the trousers daemon for TPM 1.2 runs | ABB Ability™ |

ROOT USER

The root account should not also be the administrator account. Please maintain these as separate users.

Apart from the user accounts listed above, ABB Ability™ does not require additional user accounts. All other user accounts that the BL needs for specific use cases are the responsibility of the BL and should be documented in the BL's end user document, along with the ABB Ability™ user accounts listed above.

# Guidelines for User Management (Ubuntu 18.04)

# Root Account

The administrative root account is disabled by default in Ubuntu. The root account should be kept disabled.

# Sudo

Sudo is a tool which allows an authorized user to temporarily elevate their privileges using their own password. It enforces accountability for all user actions and gives the administrator granular control over which operations a user can perform with elevated privileges. It is recommended that the root account not be enabled and that user actions requiring elevated privilege be done using sudo.

# Initial User Created During OS Installation

By default, the initial user created during OS installation is a member of the group sudo. This user can elevate their privilege to obtain full root access to the system. This user can be found in the /etc/sudoers file. The BL can choose this account as the Administrator account in the Edge. They may also remove and add users in the sudo group for full access. However, it is recommended that the number of accounts in the Edge with full root access be strictly controlled.

# Groups

Groups available in the Edge can be found in the /etc/group file. Every user when created gets assigned to a default group which has the same name as the user. When a user logs in, by default, the primary group membership will be enabled. When the user launches a program or creates a file, both the file and the running program will be associated with the user’s current group membership. A user may be able to access other files in other groups, as long as they are also a member of that group and the access permissions are set.
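The following audit script is an added example (not ABB's code or part of the Edge image) that checks the account rules from the sections above: only root may hold UID 0 (so root and the Administrator stay separate accounts), the sudo group stays short and documented, and the ABB Ability™ service accounts keep their login disabled. The /etc/passwd and /etc/group content is constructed sample data, with hypothetical names `edgeadmin` and `toor` and made-up UIDs, so the script runs offline; on a real Edge pass the output of `cat /etc/passwd` and `cat /etc/group` instead.

```shell
# Added example, not ABB code: audit local accounts against the guidance above.
# SAMPLE_PASSWD / SAMPLE_GROUP are CONSTRUCTED; "toor" is a deliberately planted
# second UID 0 account so the audit has something to flag.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
edgeadmin:x:1000:1000:Edge Administrator:/home/edgeadmin:/bin/bash
ability-system:x:1001:1001::/var/lib/ability-system:/usr/sbin/nologin
ability-module:x:1002:1002::/var/lib/ability-module:/usr/sbin/nologin
tss:x:106:112:TPM software stack:/var/lib/tpm:/bin/false
toor:x:0:0:second root:/root:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:edgeadmin,toor
ability-system:x:1001:
ability-module:x:1002:'

# Names of every account with UID 0, space separated. Anything besides "root"
# is a second root-equivalent login, which the root/Administrator rule forbids.
uid0_accounts() {  # $1 = passwd-format text
    printf '%s\n' "$1" | awk -F: '$3 == 0 { printf "%s ", $1 }'
}

# Members of the sudo group, space separated: the full-root users the BL has
# to document and keep to a minimum.
sudo_members() {  # $1 = group-format text
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" { gsub(",", " ", $4); printf "%s ", $4 }'
}

# Of the accounts named in $2.., print those whose login shell is NOT
# nologin/false, i.e. service accounts that should be login-disabled but are not.
login_enabled() {  # $1 = passwd-format text, remaining args = account names
    passwd_text=$1; shift
    for acct in "$@"; do
        printf '%s\n' "$passwd_text" |
            awk -F: -v a="$acct" '$1 == a && $7 !~ /(nologin|false)$/ { printf "%s ", $1 }'
    done
}

# Overall verdict: returns 0 when every expectation holds, 1 otherwise.
audit_accounts() {  # $1 = passwd-format text, $2 = group-format text
    rc=0
    extra=$(printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { printf "%s ", $1 }')
    if [ -n "$extra" ]; then echo "FAIL: additional UID 0 accounts: $extra"; rc=1; fi
    open=$(login_enabled "$1" ability-system ability-module tss)
    if [ -n "$open" ]; then echo "FAIL: login not disabled for: $open"; rc=1; fi
    echo "sudo members to document: $(sudo_members "$2")"
    return $rc
}

if audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
    echo "PASS"
else
    echo "review required"
fi
```

Run against the constructed data the audit reports `toor` as an extra UID 0 account and lists `edgeadmin toor` as sudo members; removing the `toor` line makes it pass. The checks are plain awk over the passwd/group formats, so they need no root and can run from a read-only maintenance shell.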

# Password Policies

Strong password policies should be implemented, as passwords are among the most important factors affecting overall security of the Edge device.

# Minimum Password Length

By default, Ubuntu requires a minimum password length of six characters, as well as basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, whose relevant line looks like this:

```
password [success=1 default=ignore] pam_unix.so obscure sha512
```

If you would like to raise the minimum length to eight characters, add the option minlen=8 to the pam_unix.so line, as shown below:

```
password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8
```

Basic password entropy checks and minimum length rules do not apply to the administrator using sudo level commands to set up a new user.

# Password Expiration

It is recommended that you set a policy with a minimum and maximum password age, so that users must change their passwords when they expire. The command sudo chage -l username shows the current status of a user. In the example below, the user has no policies applied.

```
Last password change : Jan 20, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```

# Setting Password Policies

The following example shows how to manually set an explicit account expiration date (-E) of 01/31/2015, a minimum password age (-m) of five days, a maximum password age (-M) of 90 days, an inactivity period (-I) of 30 days after password expiration, and a warning period (-W) of 14 days before password expiration:

```
sudo chage -E 01/31/2015 -m 5 -M 90 -I 30 -W 14 username
```

To verify the changes, use this command:

```
sudo chage -l username
```

The following output shows the new policies that have been established for the account.

```
Last password change : Jan 20, 2015
Password expires : Apr 19, 2015
Password inactive : May 19, 2015
Account expires : Jan 31, 2015
Minimum number of days between password change : 5
Maximum number of days between password change : 90
Number of days of warning before password expires : 14
```
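The script below is an added example (not ABB's code) that verifies both password controls from the Password Policies sections: whether the pam_unix line in /etc/pam.d/common-password carries minlen=8, and whether a `chage -l` report shows a maximum password age within a limit. The limit of 90 days is an assumption taken from the chage command above; the PAM lines and chage reports are constructed copies of this page's examples so the script runs offline. On a real Edge, feed it `cat /etc/pam.d/common-password` and `sudo chage -l "$user"` instead.

```shell
# Added example, not ABB code: check the PAM minimum length and the chage
# maximum password age. All inputs below are CONSTRUCTED from the page's examples.
PAM_DEFAULT='password [success=1 default=ignore] pam_unix.so obscure sha512'
PAM_HARDENED='password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8'

CHAGE_NO_POLICY='Last password change : Jan 20, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7'

CHAGE_WITH_POLICY='Last password change : Jan 20, 2015
Password expires : Apr 19, 2015
Password inactive : May 19, 2015
Account expires : Jan 31, 2015
Minimum number of days between password change : 5
Maximum number of days between password change : 90
Number of days of warning before password expires : 14'

# Print the minlen value on the pam_unix.so password line, or 0 when the option
# is absent (0 meaning "not configured", so the distribution default applies).
pam_minlen() {  # $1 = contents of /etc/pam.d/common-password
    printf '%s\n' "$1" | awk '/^password/ && /pam_unix\.so/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^minlen=/) { sub(/^minlen=/, "", $i); print $i; found = 1 }
    } END { if (!found) print 0 }'
}

# Print the maximum password age in days from a "chage -l" report.
# 99999 is the default and effectively means the password never expires.
chage_max_days() {  # $1 = output of chage -l
    printf '%s\n' "$1" | awk -F': *' '/^Maximum number of days/ { print $2 }'
}

# Returns 0 when both controls meet policy, 1 otherwise (reasons on stdout).
password_policy_ok() {  # $1 = common-password text, $2 = chage -l output, $3 = max age limit (days)
    rc=0
    ml=$(pam_minlen "$1")
    if [ "$ml" -lt 8 ]; then echo "FAIL: pam_unix minlen is $ml, want at least 8"; rc=1; fi
    mx=$(chage_max_days "$2")
    if [ -z "$mx" ] || [ "$mx" -gt "$3" ]; then
        echo "FAIL: maximum password age is ${mx:-unknown} days, want at most $3"; rc=1
    fi
    return $rc
}

# Default Ubuntu settings and an account with no aging policy: both checks fail.
if password_policy_ok "$PAM_DEFAULT" "$CHAGE_NO_POLICY" 90; then echo "PASS"; else echo "review required"; fi
# After minlen=8 and the chage command from this page: both checks pass.
if password_policy_ok "$PAM_HARDENED" "$CHAGE_WITH_POLICY" 90; then echo "PASS"; else echo "review required"; fi
```

Looping `password_policy_ok` over every login-capable account in /etc/passwd gives a quick way to confirm that the aging policy was applied to all of them and not only to the account used in the example.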

# Credentials in the Edge

| Credential | Location | Components Affected | Description |
|---|---|---|---|
| Azure container registry access passwords | setup.sh | Edge setup and container download | The Azure container registry credentials are required to pull the container images. To update the ACR credentials, modify the "IMAGEREGISTRIES" entry in "edge.env". On a running Edge, restart the DPCM service for the changed credentials to take effect. |
Last updated: 7/7/2021, 8:54:52 AM