Edge Agent for Ubuntu
Differences From Other Edge Devices
- The Predix Edge Technician Console (PETC) is not supported on Ubuntu, and as such, advice related to PETC is not applicable to this system. This also means the internal API that drives PETC is not present.
- SNMP is not installed as a dependency of Edge Agent for Ubuntu. It is recommended that another performance monitoring solution be added.
- Edge Agent for Ubuntu does not benefit from any of the log management improvements added to Edge OS through journald and syslog. It is recommended to add a log streaming/management capability to the system, either through Edge Manager Custom Commands (with System Builder Commands), or some other third-party tool.
- There is no hard distinction between Production and Development images as there is for the VM. Code signing is enabled by default, but can be disabled for development purposes by editing /etc/edge-agent/agent-data.json and changing "enforce_signing":true to "enforce_signing":false. It is highly recommended that code signing be left on in any production setting. Refer to the Application Signing instructions for more information on getting an Edge Application signed by GE Digital.
Restricting Access to Docker and the Edge Agent User
Access to eauser, the user that the Edge Agent runs as, should be highly restricted, because eauser is highly privileged (effectively root). Similarly, any user who can run docker should be understood to be highly privileged, as this allows the user to affect not just the availability and integrity of Edge applications, but of the system as a whole.
It is recommended that as much of your device administration as possible be performed through Edge Manager, using CLI-level access to Edge Agent only as a last resort, to minimize this risk. This goes hand in hand with good user management practices in general, to avoid unintended access to support and admin accounts.
Building a Minimal System
Edge Agent for Ubuntu installs a minimal set of dependencies and is able to remotely deploy additional software via apt. However, it is good practice to reduce the amount of software installed on the system in general. Each additional software package brings not just its own set of risks to the system, but also those inherited from its full dependency tree. In particular, caution should be exercised when adding new network-listening code, or anything that elevates privileges.
There is often a wide variety of tools on Linux for any given job. Selecting the right one can be hard, but when in doubt, favor software that is well vetted, minimal to the required task, and still actively supported by the vendor.
It is also recommended that any software that does not need access to the root system be packaged as an Edge Application instead. This allows the application to benefit from all of the security boundaries built into the Edge Application framework, such as chroot, AppArmor, seccomp, and code signing.
Monitoring for Updates
Unlike other Edge platforms, the onus is on the user to maintain an up-to-date system. It is important to stay informed not just of security updates from GE Digital, but also of those from Ubuntu and from any other third-party software you add to the system.
It is recommended to subscribe to receive the latest security updates directly from Ubuntu.
Additional Resources For Ubuntu Security
- Ubuntu provides a cross version matrix of security features. Each feature comes with an explanation and information for digging deeper into that topic, which is useful for designing an approach to various aspects of the system, such as filesystem encryption or configuring a firewall.
- The United Kingdom's National Cyber Security Centre (NCSC) has released a hardening guide for Ubuntu that covers topics in greater depth.