Dopra Linux OS Security(SingleRAN_12)

May 6, 2018 | Author: PhuongLanBui | Category: Secure Shell, Ip Address, Transmission Control Protocol, Operating System, Computer File



SingleRAN
Dopra Linux OS Security
Feature Parameter Description

Issue 12
Date 2015-04-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 12 (2015-04-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Contents

1 Introduction
1.1 Scope
1.2 Intended Audience
1.3 Change History
2 Dopra Linux Security Description
2.1 Introduction to the Dopra Linux
2.1.1 Overview
2.1.2 Differences Between the Dopra Linux and Other Operating Systems
2.2 Dopra Linux Security Overview
2.3 Security Architecture
3 Dopra Linux Security Features
3.1 User Management
3.1.1 Dopra Linux Users
3.1.2 Security Policies for User Management
3.1.3 Operations Related to User Management
3.1.4 Operations Related to Password Complexity Management
3.1.5 Operations Related to Password Setting
3.2 File System and Permission Management
3.2.1 Directory Protection
3.2.2 File Protection
3.3 Network Management
3.3.1 Protocols Enabled by Default
3.3.2 Services Enabled by Default
3.3.3 Ports Opened by Default
3.3.4 System Firewall iptables
3.3.5 Security Policies Related to TCP/IP Stacks
3.3.6 Security Policies Related to SSH
3.3.7 Operations Related to SSH
3.4 Enhanced Antivirus Policy
3.4.1 Virus Entry Control
3.4.2 Post-entry Virus Control
3.5 Operating System Integrity Protection
3.5.1 Product Development Security
3.5.2 Product Release Security
3.6 System and Security Log Management
3.6.1 Log Files
3.6.2 Real-Time Access Information Recording
3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux
3.6.3.1 Configuration Commands
3.6.3.2 Configuration Guide
3.7 System Upgrade and Patch Policy
3.7.1 Patch Installation
3.7.2 Upgrade
4 Base Station Applications
5 Differences Between History Dopra Linux Versions
5.1 History Dopra Linux Versions
5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb
5.2.1 V100R001C03SPC010 to V100R001C03SPC020
5.2.2 V100R001C03SPC020 to V100R001C03SPC030
5.3 Versions Running on the OMUc/SAUc
5.3.1 V200R003C02SPC030 to V200R003C02SPC060
5.3.2 V200R003C02SPC060 to V200R003C02SPC070
5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
5.4.1 V200R003C02SPC070 to V200R003C02SPC080
5.4.2 V200R003C02SPC080 to V200R003C02SPC090
5.4.3 V200R003C02SPC090 to V200R003C08
5.4.4 V200R003C08 to V200R003C08SPC080
5.4.5 V200R003C08SPC080 to V200R003C08SPC100
5.4.6 V200R003C08SPC100 to V200R003C08SPC120
5.4.7 V200R003C08SPC120 to V200R003C08SPC130
5.4.8 V200R003C08SPC130 to V200R003C08SPC150
5.4.9 V200R003C08SPC150 to V200R003C08SPC170
5.4.10 V200R003C08SPC170 to V200R003C08SPC190
5.5 Versions Running on the EOMUa/ESAUa
5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030
5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050
5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060
5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070
5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080
5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090
5.5.7 RTOS-V100R001C00SPC090 to RTOS-V200R003C08SPC080
5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100
5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120
5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150
5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170
5.5.12 RTOS-V200R003C08SPC170 to RTOS-V200R003C08SPC190
6 Parameters
7 Counters
8 Glossary
9 Reference Documents

1 Introduction

1.1 Scope
This document describes the security features and capabilities of the Dopra Linux operating system.

NOTE
- This document is based on V200R003C02SPC090 and RTOS-V100R001C00SPC080. For details about differences in history versions, see "5 Differences Between History Dopra Linux Versions."
- The operating system for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed RTOS. Real-time operating system (RTOS) inherits basic functions on Dopra Linux. Therefore, this document can be applied to both Dopra Linux and RTOS. Unless otherwise stated, this document refers to an RTOS version with the prefix RTOS- in front of the version number, for example, RTOS-V100R001C00SPC070.
- For a base station, only software of the UMPT and UMDU boards uses and encapsulates the Dopra Linux OS. You cannot log in to the OS of a base station that is configured with one of these boards after the base station is delivered. For details, see chapter 4 Base Station Applications.

1.2 Intended Audience
This document is intended for personnel who:
- Need to understand the features described herein
- Work with Huawei products

1.3 Change History
This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:
- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

12 (2015-04-30)
This issue includes the following changes.
- Feature change: Added 5.4.10 V200R003C08SPC170 to V200R003C08SPC190. Parameter change: None.
- Feature change: Added 5.5.12 RTOS-V200R003C08SPC170 to RTOS-V200R003C08SPC190. Parameter change: None.
- Editorial change: 3.3.6 Security Policies Related to SSH, deleted the arcfour256 and arcfour128 algorithms.
- Editorial change: 3.3.7 Operations Related to SSH, deleted the arcfour256 and arcfour128 algorithms.

11 (2015-02-15)
This issue includes the following changes.
- Feature change: Added 5.4.9 V200R003C08SPC150 to V200R003C08SPC170. Parameter change: None.
- Feature change: Added 5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170. Parameter change: None.
- Editorial change: None.

10 (2015-01-15)
This issue includes the following changes.
- Feature change: Added 5.4.8 V200R003C08SPC130 to V200R003C08SPC150. Parameter change: None.
- Feature change: Added 5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150. Parameter change: None.
- Editorial change: None.

09 (2014-12-15)
This issue includes the following changes.
- Feature change: Added 5.4.7 V200R003C08SPC120 to V200R003C08SPC130. Parameter change: None.
- Editorial change: None.

08 (2014-10-10)
This issue includes the following changes.
- Feature change: Added 5.4.6 V200R003C08SPC100 to V200R003C08SPC120. Parameter change: None.
- Feature change: Added 5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120. Parameter change: None.
- Editorial change: None.

07 (2014-09-25)
This issue includes the following changes.
- Feature change: Added 5.4.5 V200R003C08SPC080 to V200R003C08SPC100. Parameter change: None.
- Feature change: Added 5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100. Parameter change: None.
- Editorial change: None.

Changes to the SSH sections recorded in the history whose issue number is not identifiable in this copy of the table:
- 3.3.7 Operations Related to SSH, added SFTP timeout. Parameter change: None.
- Security Policies Related to SSH, added the hmac-sha2-256 algorithm.

06 (2014-08-15)
This issue includes the following changes.
- Feature change: None.
- Editorial change: Added descriptions of base stations using the Dopra Linux OS in section 1.1 Scope. For details, see "4 Base Station Applications". Parameter change: None.
- Editorial change: Added descriptions on operating system applications of base stations. For details, see chapter 4 Base Station Applications. Parameter change: None.

05 (2014-06-10)
This issue includes the following changes.
- Feature change: Added V200R003C02SPC090 and its feature difference. Parameter change: None.
- Feature change: Added RTOS versions RTOS-V100R001C00SPC030, RTOS-V100R001C00SPC050, RTOS-V100R001C00SPC060, and RTOS-V100R001C00SPC070 and their feature difference. Parameter change: None.
- Editorial change: None.

04 (2012-12-30)
This issue includes the following changes.
- Feature change: Added 3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux. Parameter change: None.
- Editorial change: None.

03 (2012-11-30)
This issue includes the following changes.
- Feature change: None.
- Editorial change: Changed "RTOS" to "Dopra Linux" in this document. Parameter change: None.
- Editorial change: Changed the document name from Controller Dopra Linux OS Security to Dopra Linux OS Security. Parameter change: None.

02 (2012-09-30)
This issue includes the following changes.
- Feature change: None.
- Editorial change: Added the description on how to create users, change passwords, and delete users. For details, see section 3.1 "User Management." Added section 3.5 "Operating System Integrity Protection." Added chapter 5 "Differences Between History Dopra Linux Versions". Parameter change: None.
- Editorial change: Modified Secure Shell (SSH) policies. For details, see section 3.3 "Network Management." Parameter change: None.

01 (2012-08-16)
This issue includes the following changes.
- Editorial change: Modified the organization and descriptions in section 3 "Dopra Linux Security Features." Parameter change: None.
- Editorial change: Modified the TCP/IP protocol stack security policy table and added default values for these security policies. Parameter change: None.
- Editorial change: Added the description on how to create users, change passwords, and delete users. The document title is also changed from "RTOS Security" to "Controller Dopra Linux OS Security" for consistency with the name of the current operating system. Parameter change: None.

Draft A (2012-06-20)
This is a draft.

2 Dopra Linux Security Description

2.1 Introduction to the Dopra Linux

2.1.1 Overview
The Dopra Linux is a Linux-based operating system tailored to provide full security protection for telecommunications products. A customized Dopra Linux consists of the kernel and root file system:
- Kernel: The Dopra Linux kernel is customized and has the latest patch installed. This helps minimize security risks.
- Root file system: The Dopra Linux is a compact operating system where only useful database and service components are installed in the file system, which helps improve system security.

2.1.2 Differences Between the Dopra Linux and Other Operating Systems
The Dopra Linux is a real-time embedded operating system. Compared with server and desktop operating systems, the Dopra Linux is enhanced in hardware support, system tailoring, software commissioning, and performance to minimize security risks.

As part of an end-to-end security solution, the Dopra Linux meets the following security requirements:
- System-level security requirements, such as minimum installation and security patch management
- Anti-attack requirements for protocols and interfaces, such as use of secure protocols and anti-attack features
- Requirements on product development, release, and installation, such as software commissioning and integrity checking
- Sensitive data protection requirements, such as data confidentiality and integrity, use of encryption algorithms, and use of secure transmission channels
- Requirements for secure system management and maintenance, such as password, authentication, authorization, log, and alarm management

2.2 Dopra Linux Security Overview
The main security threats for the Dopra Linux are security vulnerabilities, password cracking, illegal operations, and information disclosure. Table 2-1 describes these threats.

Table 2-1 Main security threats for the Dopra Linux
Threat | Description | Severity | Security Requirement
Security vulnerability | The kernel, SSH, and Secure File Transfer Protocol (SFTP) have known security vulnerabilities. | Minor | The Dopra Linux provides a new service protocol version and is able to fix security vulnerabilities by version upgrade or patch installation. The Dopra Linux is upgraded every 12 months by default.
Password cracking | Password complexity check is not performed on the initial password. | Major | The Dopra Linux requires users to use complex passwords.
Illegal operation | The maximum number of unsuccessful login attempts is not specified. | Minor | The Dopra Linux locks the login account or IP address when the maximum number of unsuccessful login attempts is exceeded.
Information disclosure | Insecure protocols, such as Trivial File Transfer Protocol (TFTP) and Telnet, are used. | Major | By default, the Dopra Linux does not support insecure protocols. Instead, it uses secure protocols such as SFTP and SSH.

NOTE
The Dopra Linux does not require antivirus software because few viruses target Linux and only few Dopra Linux ports are open. For details about Dopra Linux antivirus, see "3.4 Enhanced Antivirus Policy."

The Dopra Linux features the security policies listed in Table 2-2.

Table 2-2 Dopra Linux security policies
Identity Authentication
- Access control
- User password control
File System and Permission Management
- Directory protection
- File protection
Network Management
- Protocols enabled by default
- Services enabled by default
- Ports opened by default
- System firewall iptables
- Security policies related to TCP/IP stacks
- Security policies related to SSH
Enhanced Antivirus Policy
- Virus entry control
- Post-entry virus control
Operating System Integrity Protection
- Product development security
- Product release security
- Product installation security
System and Security Log Management
- Log file management, such as auditing and monitoring
System Upgrade and Patch Policy
- Patch installation
- System upgrade

2.3 Security Architecture
The Dopra Linux interfaces hardware (multi-core CPUs and other devices) and user-mode processes. As a multi-thread operating system, the Dopra Linux runs on medium- or high-end CPUs.

3 Dopra Linux Security Features

3.1 User Management

3.1.1 Dopra Linux Users
Dopra Linux users are categorized into root user, common user, service user, and lgnusr user. The permission of these users is as follows:
- The root user has the highest operation permission. The root user can be granted read, write, and execute permission to all files and directories. The read permission allows the root user to view the names and contents of files under a directory. The write permission allows the root user to create or delete files as well as modify file contents. The execute permission allows the root user to run shell scripts or binary executable files. In addition, V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to perform remote login. This prevents unauthorized users from attacking the operating system and reduces security risks.
- Common users are created by the root user. They can log in to the Dopra Linux and create, modify, or delete files under their specific home directories. For example, user jack can perform relevant operations under the home directory /home/jack. Common users can run scripts or binary executable files under the /usr/bin and /bin directories.
- Service users are used by system service processes. They are not created by the root user. Service users have the lowest operation permission and cannot log in to the operating system. This measure helps enhance system security. Service user accounts in the Dopra Linux include sshd, nobody, messagebus, haldaemon, and mysql.
  NOTE
  - sshd: sshd server user; cannot log in to the operating system.
  - nobody: portmap standard account of other system services; cannot log in to the operating system.
  - messagebus: standard account used by D-BUS servers; cannot log in to the operating system.
  - haldaemon: standard account used by haldaemon servers; cannot log in to the operating system.
  - mysql: used by mysql servers.
- The lgnusr user is an internal common user. By default, the lgnusr user is used for Secure Shell (SSH) login. You can run the su command to switch from the lgnusr user to the root user to gain administrative rights. You are advised to reserve the lgnusr user for SSH security.

3.1.2 Security Policies for User Management
Table 3-1 describes the security policies for user management in the Dopra Linux.

Table 3-1 Security policies for user management in the Dopra Linux
User Management | Policy
Password complexity | A user password must contain at least eight characters, including at least one uppercase letter, one lowercase letter, one digit, and one special character. Simple passwords (passwords defined in the weak password dictionary) are not allowed. The new password must be different from the history passwords and from the reverse of the history passwords. The Dopra Linux records the history passwords of only common users. The Dopra Linux records a maximum of three history passwords, and the RTOS records a maximum of five history passwords. Added in V200R003C02SPC090 and RTOS-V100R001C00SPC070.
  NOTE
  - You can run the zcat /usr/share/cracklib/cracklib-words.gz command to view the weak password dictionary.
  - You can run the create-cracklib-dict command to update the weak password dictionary. For example, run the create-cracklib-dict dict1.dat command to add the words in dict1.dat to the weak password dictionary.
  - By default, the weak password dictionary cannot be viewed or modified, to prevent it from being disclosed.
Password change | The root user can change all users' passwords. Common users can change only their own passwords. To enhance password security, the old password is required when a password is changed; otherwise, the password may bypass the password security policy inspection. From V200R003C08SPC080 and later versions (for the RTOS, RTOS-V100R001C00SPC050 and later versions), users are asked for the old password when changing their own passwords; versions before V200R003C08SPC080 do not ask for it. This rule does not take effect when the root user changes the password for itself or other accounts: for all versions, the old password is not required when the root user modifies non-root users' passwords. In V200R003C02SPC090, the password policy does not take effect for the root user.
Password validity and advance warning before password expiration | The default password validity period is 30 days (for the Dopra Linux, 90 days in some versions), and the Dopra Linux prompts users to change their passwords seven days before the passwords expire. In versions earlier than V200R003C02SPC090, the password lock and validity period cannot be changed because the /etc/pam.conf file and the chage command are not supported in these versions.
Minimum password validity | You are advised to set the minimum password validity period to 48 hours or longer.
Login permission | By default, a user account is locked for 300 seconds at three consecutive unsuccessful login attempts. The administrator can unlock the account.
Login message | For the Dopra Linux, the Dopra Linux prints the information about the previous login after a login, including the login date, time, and IP address. The information helps users determine whether unauthorized users have used the account. For the RTOS (RTOS-V100R001C00SPC050 and later versions), the information print function is disabled by default after a successful login. You can enable the information print function as follows: run the vi /etc/ssh/sshd_config command to open the sshd_config file, set PrintLastLog to yes, and run the killall sshd command to restart the SSHD service.
Password encryption | The Dopra Linux uses the SHA-512 algorithm to hash passwords in V200R003C02SPC080 and later. Versions before V200R003C02SPC080 use MD5.
Root user | The root user is the only superuser in the system and is authorized to execute all scripts and executable files. The password for the root user is customized before Dopra Linux deployment.
Service user | Service users cannot log in to the Dopra Linux and are only for service purposes.

3.1.3 Operations Related to User Management
Operations related to user management include creating, deleting, and switching users as well as changing user passwords. This section uses user1 as an example to describe these operations.
- To create user1, run the following command:
  useradd –m user1 //After user1 is created, its home directory /home/user1 is also created.
- To change the password for user1, run the following command:
  passwd user1 //Only user1 and the root user can change the password for user1. The password must comply with the password complexity policy in Table 3-1.
- To delete user1: after user1 is deleted, its home directory /home/user1 is also deleted.
- To switch users: the hyphen (-) in the su command indicates that the environment variables are also switched.

3.1.4 Operations Related to Password Complexity Management
You can set the following parameters in the PAM configuration file (/etc/pam.…):
- minlen = N: A password contains at least N characters.
- ucredit = –N: A password contains at least N upper-case letters.
- ocredit = –N: A password contains at least N special characters (~!@#$%^&*()_+`-={}|[] \:".'<>?./).
- uname_check: A password cannot be the same as any user name or be any user name in reverse order. This function is enabled by default.
For the numeric parameters, N is an integer; the ranges given are 0 to 127, 0 to 400, and 1 to 256 depending on the parameter, and the default values given are 6, and 1 for the Dopra Linux OS and 0 for the RTOS.
3. run the following command: userdel –r user1 //After user1 is deleted. For example. 3. su . The default value is 1 for the Dopra Linux OS and 0 for the RTOS. l To switch to user1. N is an integer from 0 to 127. The default value is 3 for the Dopra Linux OS and 5 for the RTOS. l enforce_root: A password policy takes effect to the root user. Ltd.4 Operations Related to Password Complexity Management NOTE It is recommended that you not modify password complexity settings to enhance password security. The default value is 8.1. l lcredit = –N: A password contains at least N lower-case letters. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.user1 //The current user is switched to user1.d/common-password file to modify password complexity settings: l retry = N: You have N attempts to change the password each time you run the passwd command. l To change the password for user1.5 Operations Related to Password Setting NOTE In versions earlier than V100R001C03SPC030. 13 . l remember = N: N previous passwords are recorded for common users.. N is an integer from 6 to 127. run the following command: su user1 //The current user is switched to user1. The default value is 1 for the Dopra Linux OS and 0 for the RTOS. l dcredit = –N: A password contains at least N digits. which indicates that the login account is locked when the number of unsuccessful login attempts exceeds N.. write.2 File System and Permission Management File system permission is categorized into read. l unlock_time=N. write. The root user can operate all files. Ltd.d/common-auth file to modify password locking settings: l deny=N. N is an integer between 1 to 99999.2. N is an integer between 1 to 3600. The default value is 300. 14 . N is an integer between 0 to 99999. Common users can operate only their own files. N is an integer between 1 to 99999. you can change the password anytime. The default value is 3. and execute permission on files and sub-directories in different directories. 3. 
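A password-policy checker corresponding to Table 3-1 and the common-password parameters in 3.1.4, as an added example (not Huawei's PAM configuration or code). It assumes the Dopra Linux defaults stated above (minlen 8, one character of each class, three remembered passwords) and the RTOS defaults (credits 0, remember 5); the user names and passwords in it are constructed, and the history entries use a salted SHA-512 digest as a stand-in for the SHA-512 password hashing mentioned in the table.

```python
"""Password-policy checker modelled on Table 3-1 and the /etc/pam.d/common-password
parameters (minlen, ucredit, lcredit, dcredit, ocredit, uname_check, remember).
Added example for this page; it is not Huawei code and does not read the real PAM
configuration. The sample user names and passwords below are constructed."""
import hashlib
import os

# Special characters accepted by the ocredit rule, as listed in 3.1.4.
SPECIALS = set("~!@#$%^&*()_+`-={}|[]\\:\";'<>?,./")

# Default values stated in 3.1.2 and 3.1.4 for the two operating systems.
DOPRA_POLICY = {"minlen": 8, "ucredit": 1, "lcredit": 1, "dcredit": 1,
                "ocredit": 1, "remember": 3, "uname_check": True}
RTOS_POLICY = {"minlen": 8, "ucredit": 0, "lcredit": 0, "dcredit": 0,
               "ocredit": 0, "remember": 5, "uname_check": True}


def hash_password(password, salt=None):
    """Salted SHA-512 digest, standing in for the SHA-512 crypt the page mentions.
    Returns (salt, hexdigest) so a history entry can be re-checked later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def check_password(password, usernames, history=(), policy=DOPRA_POLICY):
    """Return the names of the violated rules, in policy order; [] means accepted.

    usernames: all account names on the system (uname_check compares against
               every user name and its reverse, case-insensitively).
    history:   (salt, digest) pairs of earlier passwords, oldest first; only the
               last `remember` entries are consulted, like pam_unix's remember=.
    """
    problems = []
    if len(password) < policy["minlen"]:
        problems.append("minlen")

    counts = {
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "dcredit": sum(c.isdigit() for c in password),
        "ocredit": sum(c in SPECIALS for c in password),
    }
    for rule, seen in counts.items():
        if seen < policy[rule]:
            problems.append(rule)

    if policy["uname_check"]:
        lowered = password.lower()
        for name in usernames:
            if lowered in (name.lower(), name.lower()[::-1]):
                problems.append("uname_check")
                break

    recent = list(history)[-policy["remember"]:] if policy["remember"] else []
    if any(hash_password(password, salt)[1] == digest for salt, digest in recent):
        problems.append("remember")
    return problems


if __name__ == "__main__":
    users = ["root", "lgnusr", "user1"]                 # constructed account list
    previous = [hash_password("Tom@520123")]           # constructed password history
    for candidate in ("Tom@520123", "tom520123", "1resu", "Tom@520124"):
        print(candidate, "->", check_password(candidate, users, previous) or "OK")
```

The RTOS policy accepts "tom520123" because its class credits default to 0; the same password fails ucredit and ocredit under the Dopra Linux defaults, which is the difference an operator should expect when the same user base spans both systems.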
You can run the following commands to view or modify password time settings:

- chage -l user1
  //You can view parameters such as the minimum interval at which a password must be changed (Minimum), the maximum interval at which a password must be changed (Maximum), and the advance warning before the password expires (Warning).
- chage -M N root/common user
  //N indicates the maximum interval at which a common user's password must be changed. N is an integer between 1 and 99999.
- chage -m N common user
  //N indicates the minimum interval at which a common user's password must be changed, which means you can change the password N days later. If N is set to 0, you can change the password anytime. N is an integer between 0 and 99999. This option does not apply to the root user.
- chage -W N root/common user
  //N indicates the advance warning days before a common user's password expires. N is an integer between 1 and 32.

3.2.1 Directory Protection

Permission management ensures file security. The Dopra Linux restricts directory access permission. You can run the ll or ls -l command to query the read, write, and execute permission. The following is an example:

Jasper / # ll
total 112
drwxr-xr-x   2 root root  4096 Jul  6 22:10 bin
drw-r-----   6 root root  4096 Jul  7 23:08 boot
drwxr-xr-x   9 root root  5560 Jul  7 19:11 dev
drwxr-xr-x  25 root root  4096 Jul  7 23:15 etc
drwxr-x--x   4 root root  4096 Jul  7 21:19 home
-rwxr-xr-x   1 root root    29 Jul  5 22:24 init
drwxr-xr-x   7 root root  4096 Jul  6 22:10 lib
drwx------   2 root root 16384 Jul  5 22:23 lost+found
d-wx---r-x   5 root root  4096 Jul  5 22:24 mbsc
drwxr-xr-x   2 root root  4096 Jul  5 22:24 media
drwxr-xr-x   4 root root  4096 Jul  5 22:25 mnt
drwxr-x---   2 root root  4096 Jul  5 22:24 none
drwxr-x---   3 root root  4096 Jul  5 22:24 opt
dr-xr-xr-x 114 root root     0 Jul  7 19:10 proc
drwx------   3 root root  4096 Jul  7 22:06 root
drwxr-x---   2 root root  4096 Jul  7 21:25 sbin
-rwxr-xr-x   1 root root 23713 Jul  5 22:24 sc_init
drwxr-xr-x   2 root root  4096 Jul  5 22:24 srv
drwxr-xr-x  11 root root     0 Jul  7 19:10 sys
drwxrwxrwt   2 root root  4096 Jul 11 03:30 tmp
drwxr-xr-x   2 root root  4096 Jul  5 22:25 usb
drwxr-xr-x   7 root root  4096 Jul  5 22:24 usr
drwxr-xr-x  10 root root  4096 Jul  6 22:10 var

The following uses the last line as an example to explain the command output:

- In drwxr-xr-x:
  - d means directory. Files do not start with d.
  - rwx indicates that the file or directory creator has read, write, and execute permission.
  - r-x indicates that users who belong to the same user group as the file or directory creator have read and execute permission.
  - The second r-x indicates that users who do not belong to the same user group as the file or directory creator have read and execute permission.
- 10 indicates the number of hard links to the directory.
- root indicates that the file or directory is created by the root user.
- The second root indicates that the file or directory creator is in the root user group.
- 4096 indicates the directory or file size (excluding files or sub-directories under the directory).
- Jul 6 22:10 is the time when the file or directory was last modified.
- var is the file or directory name.

NOTE: The read permission to a directory indicates that a user can view the files and sub-directories under the directory. The write permission indicates that a user can create files and sub-directories under the directory. The execute permission does not apply to directories. The read permission to a file indicates that a user can view the contents of the file. The write permission to a file indicates that a user can edit the contents of the file. The execute permission to a file indicates that a user can execute the commands in the file.

3.2.2 File Protection

The Dopra Linux restricts common users' access to system files.

- Only the root user is authorized to access the system command management directories (/sbin and /usr/sbin) and the log files in /var/log.
- Common users cannot visit the home directory.
- Common users cannot modify or delete commands or library files.
- Users can run the setfacl command to set access permission to a file. For example, after the setfacl -m u:user1:rw a.dat command, user1 has read and write permission to a.dat.

NOTE: The root user has the highest permission and can operate all files created by other users.
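A parser for ll / ls -l output like the listing above, with checks for the permission settings that 3.2.2 relies on (world-writable directories without the sticky bit, world-writable files, setuid files). This is an added example, not Huawei code; SAMPLE_LISTING is constructed from lines of the page's listing plus three deliberately weak entries (scratch, init and sc_init with modes that do not appear on the page).

```python
"""Parse `ls -l` (ll) output and flag entries whose permission bits undermine the
file protection described in 3.2.2. Added example for this page, not Huawei code.
SAMPLE_LISTING is constructed: page lines plus three deliberately weak entries."""
import re

LS_LINE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<perm>[rwxsStT-]{9})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3}\s+\d{1,2}\s+[\d:]{5})\s+(?P<name>.+)$")

SAMPLE_LISTING = """\
total 112
drwxr-xr-x   2 root root  4096 Jul  6 22:10 bin
drwxr-xr-x  25 root root  4096 Jul  7 23:15 etc
drwxr-x---   2 root root  4096 Jul  7 21:25 sbin
drwxrwxrwt   2 root root  4096 Jul 11 03:30 tmp
drwxrwxrwx   2 root root  4096 Jul  5 22:24 scratch
-rwxrwxrwx   1 root root    29 Jul  5 22:24 init
-rwsr-xr-x   1 root root 23713 Jul  5 22:24 sc_init
"""


def perm_to_mode(perm):
    """Turn the nine rwx characters into a numeric mode ('rwxrwxrwt' -> 0o1777).
    s/S in the owner or group execute slot sets setuid/setgid, t/T in the other
    slot sets the sticky bit; upper case means the bit is set without execute."""
    mode = 0
    for i, ch in enumerate(perm):
        bit = 1 << (8 - i)                 # 0o400 for the first char down to 0o001
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                mode |= bit
        elif ch in "tT":
            mode |= 0o1000
            if ch == "t":
                mode |= bit
    return mode


def parse_listing(listing):
    """Yield one dict per entry; the 'total' line and unparseable lines are skipped."""
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["mode"] = perm_to_mode(entry["perm"])
            yield entry


def risky_entries(listing):
    """Return (name, reason) pairs for entries a reviewer should look at."""
    findings = []
    for e in parse_listing(listing):
        world_writable = bool(e["mode"] & 0o002)
        if e["type"] == "d" and world_writable and not e["mode"] & 0o1000:
            findings.append((e["name"], "world-writable directory without sticky bit"))
        elif e["type"] == "-" and world_writable:
            findings.append((e["name"], "world-writable file"))
        if e["type"] == "-" and e["mode"] & 0o4000:
            findings.append((e["name"], "setuid file"))
    return findings


if __name__ == "__main__":
    for name, reason in risky_entries(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

The /tmp entry from the page (drwxrwxrwt) is deliberately not reported: it is world-writable, but the sticky bit means users can only remove their own files there, which is the intended configuration for a shared temporary directory.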
- Common users cannot modify or delete directories storing device files (/dev) or configuration files (/etc).

3.3 Network Management

3.3.1 Protocols Enabled by Default

By default, the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Control Message Protocol (ICMP) are enabled in the Dopra Linux.

3.3.2 Services Enabled by Default

Table 3-2 describes the default services provided in the Dopra Linux.

Table 3-2 Default services provided in the Dopra Linux (Service Name, ON/OFF, Protocol, Port Number: Description)

- sshd, ON, TCP, 22: A service started from inittab for SSH login.
- syslog-ng, ON, N/A, N/A: A service started from inittab for log recording.
- dbus-daemon, ON, N/A, N/A: An application that uses the D-Bus library to implement a message bus daemon. NOTE: D-Bus is a library that provides one-to-one communication between any two applications. Multiple programs connect to the message bus daemon and can exchange messages with each other.
- cron, ON, N/A, N/A: Daemon to execute scheduled commands.
- klogd, ON, N/A, N/A: A service started from inittab for log buffering.
- auditd, ON, N/A, N/A: A service for saving audit records to the disk.
- boot.udev, ON, N/A, N/A: A service that listens to kernel events and passes the incoming events to udev.
- haldaemon, ON, N/A, N/A: A service that collects and stores hardware information.
- syslogbuf, ON, N/A, N/A: A service started from inittab for log buffering.
- acpid, ON, N/A, N/A: A service that functions as the daemon of the advanced configuration and power interface (ACPI) and manages the power supply.

3.3.3 Ports Opened by Default

For details about the default ports opened in the Dopra Linux, see the Communication Matrix delivered with the product. You can run the netstat -nlp command to view all listening ports.

3.3.4 System Firewall iptables

iptables is a kernel-level component in Linux for filtering IP packets. When Linux is connected to the Internet, local area networks (LANs), servers, or Internet proxies, iptables acts as a firewall to filter IP packets. Being integrated into the Dopra Linux, iptables does not need to be configured by default. However, users can define rules in iptables if required. When defining rules for a live network, note the following points:

- Do not modify existing rules.
- Write scripts to ensure that defined rules automatically take effect upon system startup, as defined rules are deleted after the system is upgraded or updated.
- Define rules again after the Dopra Linux is upgraded or updated.

3.3.5 Security Policies Related to TCP/IP Stacks

The Dopra Linux does not support IPv6 by default. Table 3-3 describes security policies related to the IPv4 TCP/IP stack. These items are configured in the /etc/sysctl.conf file. The default settings in Table 3-3 are recommended by Huawei to ensure optimum security and performance, and generally should not be changed.

NOTE: The configuration items of TCP/IP stacks are named in the format "net + protocol + conf + all/default/device + attribute", where device means a logical interface, such as eth1, bond2, and vlan3; default is used to initialize an interface as it is initialized and loaded; and all means to apply to all interfaces.

Table 3-3 Configuration items (Item, Default Value: Description)

net.ipv4.conf.all.arp_filter, net.ipv4.conf.default.arp_filter, 1 (the description also states that the default is 0 for the Dopra Linux and 1 for the RTOS):
- 0: The kernel can respond to ARP requests with addresses from other interfaces. IP addresses are owned by the complete host on Linux, not by specific interfaces. This may seem wrong but it actually makes sense because it increases the number of successful communication attempts.
- 1: Allows you to have multiple network interfaces on the same subnet and have the ARPs for each interface be answered based on whether the kernel can route packets from the ARP's IP address out of that interface.

net.ipv4.conf.all.promote_secondaries, net.ipv4.conf.default.promote_secondaries, 1: If this item is enabled and the primary address of an interface is deleted, an alias of the interface will be upgraded to the primary one.
- 0: The alias of the interface will not be upgraded to the primary one.
- 1: The alias of the interface will be upgraded to the primary one.

net.ipv4.conf.all.arp_ignore, net.ipv4.conf.default.arp_ignore, 1 for the Dopra Linux and 0 for the RTOS: This parameter defines the modes for sending replies in response to received ARP requests that resolve local target IP addresses.
- 0: Reply to any local target IP address, irrespective of its interface.
- 1: Reply only if the target IP address is the local address configured on the incoming interface.
- 2: Reply only if the target IP address is the local address configured on the incoming interface, and both the sender's and receiver's IP addresses are in the same subnet.
- 3: Reply only to resolutions for global and link addresses, and do not reply to local addresses configured with scope host.
- 4-7: Reserved.
- 8: Do not reply to any local addresses.

net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, 0: This parameter specifies whether to accept routing extension headers. If the value is less than 0, the routing header is not accepted. If the value is greater than or equal to 0, only the routing header type 2 is accepted.

net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, 0: It is assumed that the network segment where the host is located has two routers, and one of them is set as the default gateway. When another router sends IP packets to the gateway, instructing the gateway to forward those packets to other routers, the router also sends an ICMP redirect message. It is recommended that this parameter be set to 0 to eliminate potential security risks.
- 0 means to ignore the redirect forwarding.
- 1 means to accept the redirect forwarding.

net.ipv4.conf.all.secure_redirects, net.ipv4.conf.default.secure_redirects, 0: This parameter specifies the secure redirect forwarding function. When this function is enabled, only ICMP redirect messages from the gateway are accepted.
- 0 means to disable the function.
- 1 means to enable the function.

net.ipv4.conf.all.send_redirects, net.ipv4.conf.default.send_redirects, 0: This parameter specifies whether to send redirect messages.
- 0 means not to send.
- 1 means to send.

net.ipv4.tcp_syncookies, 1: This parameter specifies whether to send syncookies when the syn backlog queue overflows. This parameter is valid only when CONFIG_SYNCOOKIES is set during kernel compilation.
- 0 means not to send.
- 1 means to send.

net.ipv4.tcp_synack_retries, 1: This parameter specifies the number of times SYNACK messages for a passive TCP connection attempt will be retransmitted.

net.ipv4.tcp_syn_retries, 1: This parameter specifies the number of times initial SYN messages for an active TCP connection attempt will be retransmitted.

net.ipv4.tcp_fin_timeout, 60: This parameter specifies the duration for keeping packets in the FIN-WAIT-2 state.

net.ipv4.tcp_max_syn_backlog, 4096: This parameter specifies the maximum number of unacknowledged connection requests. If the value of this parameter is too large, memory overflow may occur.

net.ipv4.icmp_echo_ignore_broadcasts, 1: This parameter specifies whether to ignore broadcast and multicast messages.
- 0 means not to ignore.
- 1 means to ignore.

net.ipv4.icmp_ignore_bogus_error_responses, 1: This parameter specifies whether to ignore "bogus error message responses".
- 0 means not to ignore.
- 1 means to ignore.

net.ipv4.conf.all.rp_filter, net.ipv4.conf.default.rp_filter, 1: This parameter specifies whether to enable IP spoofing protection and turns on source route verification. It is recommended that you set this parameter to 1 for a single host or routers in a stub network.
- 0 means no.
- 1 means yes.

net.ipv4.tcp_timestamps, 0: This parameter specifies whether to add a 12-byte timestamp to TCP headers.
- 0 means not to add the timestamp.
- 1 means to add the timestamp.

kernel.sysrq, 0: This parameter specifies the magic-sysrq key. If the parameter is set to non-zero, the system request key is activated.

kernel.panic_on_oops, 1: This parameter specifies the kernel's behavior when it encounters an exception or bug.
- 0: Attempt to continue operations.
- 1: Stop (panic) immediately; the server will be rebooted.

kernel.printk, 6417: This parameter specifies where to send log messages according to their priorities. This parameter has four values, which denote console_loglevel, default_message_loglevel, minimum_console_loglevel, and default_console_loglevel, respectively.
- console_loglevel: Messages with a priority higher than this level will be printed to the console.
- default_message_loglevel: Messages without an explicit priority will be printed with this level.
- minimum_console_loglevel: This level is the minimum (highest) value to which console_loglevel can be set.
- default_console_loglevel: This is the default value for console_loglevel.

3.3.6 Security Policies Related to SSH

The Dopra Linux does not support the non-encrypted File Transfer Protocol (FTP) and TELNET. Instead, it uses secure protocols such as SSH and SFTP. Table 3-4 lists the configurations for SSH.

Table 3-4 Configurations for SSH (Item, Default Value: Description)

- Ciphers, aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128: Uses the 3des-cbc and aes128-cbc encryption algorithm.
- MACs, hmac-sha2-256,hmac-sha1: Sets the message authentication code (MAC) algorithm to the secure algorithm (SHA2) for ensuring data integrity, and the compatible HMAC-SHA1.
- Protocol, 2: Forcibly enables SSH V2.
- PubkeyAuthentication, Yes: Allows public key authentication. You can disable this function for security.
- PermitRootLogin, No: Allows the root user to remotely log in to the Dopra Linux.
- PermitEmptyPasswords, No: Forbids login with an empty password.
- StrictModes, Yes: Forcibly checks file permission and the login user's permission to the home directory and files.
- UsePAM, Yes: Uses the pluggable authentication modules (PAM), a more scalable scheme, for authentication.
- LogLevel, VERBOSE: Sets the message level to Verbose to log user login information for auditing.
- Banner, /etc/issue.net: Displays banners after a user logs in to the Dopra Linux using SSH.
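A baseline check that reads an /etc/sysctl.conf and an /etc/ssh/sshd_config and reports deviations from Table 3-3 and Table 3-4, including the CBC-cipher and MAC hardening described in 3.3.7. This is an added example, not Huawei code. It encodes only the Dopra Linux column of Table 3-3 and a subset of its items; SAMPLE_SYSCTL_CONF and SAMPLE_SSHD_CONFIG are constructed and each carries deliberate deviations (send_redirects enabled, kernel.sysrq missing, PermitRootLogin yes, a CBC cipher, hmac-md5).

```python
"""Baseline check for the TCP/IP-stack settings in Table 3-3 and the SSH settings
in Table 3-4. Added example for this page, not Huawei code; both sample files are
constructed and contain deliberate deviations. Only the Dopra Linux column of
Table 3-3 is encoded, and only items whose expected value is a single number."""

# Expected values from Table 3-3 (sysctl key -> value).
SYSCTL_BASELINE = {
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_timestamps": "0",
    "kernel.sysrq": "0",
    "kernel.panic_on_oops": "1",
}

# Expected values from Table 3-4 (keyword -> value, compared case-insensitively).
SSHD_BASELINE = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "strictmodes": "yes",
    "usepam": "yes",
    "loglevel": "verbose",
}
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha1"}   # the MACs value in Table 3-4

SAMPLE_SYSCTL_CONF = """\
# constructed /etc/sysctl.conf sample
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_timestamps = 0
kernel.panic_on_oops = 1
"""

SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config sample
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
StrictModes yes
UsePAM yes
LogLevel VERBOSE
Ciphers aes128-cbc,aes128-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-md5
Subsystem sftp internal-sftp -l INFO
"""


def parse_sysctl_conf(text):
    """key = value lines; a later line overrides an earlier one, as sysctl -p does."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def parse_sshd_config(text):
    """Keyword value lines; sshd honours the FIRST occurrence, so keep that one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        settings.setdefault(keyword.lower(), value.strip())
    return settings


def check_sysctl(settings, baseline=SYSCTL_BASELINE):
    """(key, expected, actual) per deviation; actual is None when the key is unset."""
    return [(k, v, settings.get(k)) for k, v in baseline.items()
            if settings.get(k) != v]


def check_sshd(settings, baseline=SSHD_BASELINE):
    """Deviations from Table 3-4, plus the CBC-cipher and MAC checks of 3.3.7."""
    findings = [(k, v, settings.get(k)) for k, v in baseline.items()
                if (settings.get(k) or "").lower() != v]
    ciphers = settings.get("ciphers", "")
    if any(c.endswith("-cbc") for c in ciphers.split(",")):
        findings.append(("ciphers", "no CBC ciphers", ciphers))
    macs = settings.get("macs", "")
    if macs and not set(macs.split(",")) <= ALLOWED_MACS:
        findings.append(("macs", "hmac-sha2-256,hmac-sha1", macs))
    return findings


if __name__ == "__main__":
    for item in check_sysctl(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)):
        print("sysctl:", item)
    for item in check_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("sshd:", item)
```

A missing sysctl key is reported as a deviation rather than ignored, because /etc/sysctl.conf silently inherits the kernel default for anything it does not mention; the sshd parser keeps the first occurrence of a keyword because that is the one sshd actually applies, so a hardened line appended after a permissive one would be a false sense of security.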
The default banner is: "You are trying to access a restricted zone. Only Authorized Users allowed."

NOTE: You can run the vi /etc/issue.net command to modify banners.

3.3.7 Operations Related to SSH

The following part describes operations associated with SSH.

Secure Logins
To log in to a target computer (for example, with an IP address of 192.168.0.241) that provides SSH services: Run the ssh root@192.168.0.241 command to log in as the root user, or run the ssh user1@192.168.0.241 command to log in as user user1. V200R003C02SPC090, RTOSV100R001C00SPC070, and later versions no longer allow the root user to perform remote login.

Secure Copy
To copy data (for example, /home/filename) from a Linux server that provides SSH services to /home of a target computer (for example, with an IP address of 192.168.0.241): Run the scp -r /home/filename root@192.168.0.241:/home command.

SFTP Operations
A computer running the Dopra Linux can function as a server to provide SFTP services. The SFTP service is a sub-function of the SSHD service. To connect to a target computer (for example, with an IP address of 192.168.0.241): Run the sftp 192.168.0.241 command.

- Disabling the SFTP Service
  1. Run the vi /etc/ssh/sshd_config command, comment out the line starting with Subsystem sftp, save the modifications, and close the file.
  2. Run the killall sshd command to restart the SSHD service. Check whether the SSHD process starts: if the pidof sshd command prints integers, the process starts properly. If the SSHD process restarts, the SFTP service is disabled successfully.
- Enabling SFTP Logging
  1. Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the file.
  2. Run the killall sshd command to restart the SSHD service. Check whether the SSHD process starts: if the pidof sshd command prints integers, the process starts properly. If the SSHD process restarts, SFTP logging is enabled successfully.

Forbidding Remote Login of the Root User
You are advised to disable the remote login of the root user. To disable remote login, perform the following steps:

Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
- Run the useradd -m user1 command to add user user1 and create directory /home/user1.
- Run the passwd user1 command to set or change the password (for example, Tom@520123) for user user1. For details about the password policy, see "3.1.2 Security Policies for User Management".

Step 2 Modify the configuration file. Log in as the root user, set PermitRootLogin to no in the /etc/ssh/sshd_config file, and restart the SSH service.

----End

To permit remote login of user root, set PermitRootLogin to yes in the /etc/ssh/sshd_config file.

Ciphers Algorithm (Disable SSH Server CBC Mode)
Perform the following steps to disable the CBC cipher algorithm for the SSH service:

Step 1 Open the /etc/ssh/sshd_config file with vi, find the line starting with Ciphers, and change the content to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
NOTE: Find the line starting with Ciphers but not with #Ciphers. The number sign (#) indicates that the line is commented out.

Step 2 Run the killall sshd command to restart the SSH service.
NOTE: After the sshd process is killed, the SSH service becomes unavailable. Several seconds later, the SSH service restarts automatically. The modification takes effect after the SSH service restarts.

----End

NOTE: The preceding two steps are not required if the /etc/ssh/sshd_config file already contains the following setting:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

Hardening the MAC Algorithm of the SSH Service
Perform the following steps to harden the MAC algorithm of the SSH service:

Step 1 Open the /etc/ssh/sshd_config file with vi, find the line starting with MACs, and change the content to:
- Before V200R003C08SPC190: MACs hmac-sha1
- V200R003C08SPC190 and later: MACs hmac-sha2-256
- If the MACs configuration contains only hmac-sha2-256, PuTTY must be upgraded to 0.64 or a later version.
NOTE: Find the line starting with MACs but not with #MACs. The number sign (#) indicates that the line is commented out.

Step 2 Run the killall sshd command to restart the sshd service.

----End

NOTE: The preceding two steps are not required if the /etc/ssh/sshd_config file already contains the following setting:
MACs hmac-sha1

The preceding operations must be performed by professional personnel who understand basic Linux commands (vi) and common system management commands. Otherwise, the SSH connection may fail due to incorrect modifications.

3.4 Enhanced Antivirus Policy

3.4.1 Virus Entry Control

The Dopra Linux disables idle ports and uses secure protocols (such as SSH and SFTP) only, making itself much less vulnerable to virus attacks. In addition, the Dopra Linux uses enhanced password policies, such as forced lockout after three failed password attempts. Though the Dopra Linux does not run any antivirus software, it is insusceptible to virus attacks unless the root user password is cracked. Therefore, the root user password is well protected by the following measures:
- Uses enhanced password policies.
- Forces the user to log out after defined failed password attempts.
These policies greatly improve the anti-hacking capability.

3.4.2 Post-entry Virus Control

The Dopra Linux defines strict permission control, which means that only the root user has the write permissions to system files and log files. Therefore, even if virus files are falsely executed, only files to which the login user has the write permissions will be corrupted. System running and log files are not affected. This method enhances Dopra Linux security.

3.5 Operating System Integrity Protection

3.5.1 Product Development Security

The Dopra Linux image contains vmlinuz (kernel) and initrd (root file system), where the kernel mode and user mode are separated. V200R003C02SPC080, RTOS-V100R001C00, and later versions support security loophole scan using Retina. V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions support security loophole scan using Nessus and port and protocol scan using NMap.

3.5.2 Product Release Security

Before the Dopra Linux is released, it is scanned by the antivirus software Symantec, Avira, McAfee, Kav, and Trend to ensure that it is virus free.

3.6 System and Security Log Management

Logs record system running information and are of vital importance to system security. With logs, you can diagnose problems, monitor real-time system status, and track traces left by attackers. Major log functions include auditing and monitoring.

3.6.1 Log Files

Only the root user can view the log files and descriptions under the log directory /var/log. The following describes the log files in the Dopra Linux:

- dlinstall.log/dlupgrade.log/dlrecover.log: Log files recording information about system installation, rollback, and upgrade.
- warn: A log file recording all warnings and error information. You can run vi/cat to view this file.
- audit: A log file for the audit daemon,
which writes kernel information generated by applications and system activities into the hard disk.
- wtmp: A log file recording all remote and local logins. This file is encrypted. You can run last to view this file.
- messages: A log file recording kernel and system information. You can run vi/cat to view this file.
- faillog: A log file recording the number of failed logins due to an incorrect user name or password. This file is encrypted; running the vi/cat command cannot open it. You can run faillog to view this file.

3.6.2 Real-Time Access Information Recording

The Dopra Linux records real-time Dopra Linux login and logout information in logs. For details about how to manage these logs, see section "Configuring the Function of Recording OMU OS Accessing Information in Real Time" in the OMU Administration Guide.

3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux

Querying Audit Service Status (Dopra Linux)
The audit service status value of the Dopra Linux system can be 0, 1, or 2. By default, enabled=1 is used after a normal startup. You can run the auditctl -e 1 command to change the value of enabled to 1. The following shows the behavior when enabled is set to 2:

Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0
Jasper ~ # auditctl -e 2
AUDIT_STATUS: enabled=2 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0
Jasper ~ # auditctl -a entry,always -S umask
Error sending add rule request (Operation not permitted)
--> When enabled is 2, rules cannot be edited. If you want to edit them, you should restart the system first.

3.6.3.1 Configuration Commands

The Linux audit subsystem (audit) is a system service. This service is used for auditing system invoking records and writing the records to files. The user space program of the audit service is auditd,
which is used for writing audit information to disks.

Audit Configuration Differences Between Dopra Linux and Common Linux
The Dopra Linux (versions before V200R003C08SPC100) and common Linux differ in the audit service as follows:
- The configuration file path is different. The paths for common Linux are /etc/auditd/auditd.conf and /etc/auditd/audit.rules. The paths for the Dopra Linux are /etc/auditd.conf and /etc/audit.rules.
- When the /etc/rc.d/init.d/auditd script is used to enable the audit service, audit rules are not automatically loaded by default. If you want to retain the rules after a restart, manually modify the /etc/rc.d/init.d/auditd file. For details about the procedure, see Configuration Guide.

Querying Audit Service Status (RTOS)
The audit service status value of the RTOS system can be 0, 1, or 2.

Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0

- enabled=0: Log auditing is disabled.
- enabled=1: Log auditing is enabled for the audit service.
- enabled=2: The audit rules cannot be edited.

Querying Existing Rules
auditctl -l

Deleting All Audit Rules at a Time
auditctl -D

Adding an Audit Rule
auditctl -a entry,always -S umask -k umask
--> Adds an audit rule for invoking the umask system call.

Deleting an Audit Rule
auditctl -d entry,always -S umask -k umask
--> Deletes the audit rule for invoking the umask system call.

Adding Audit Rules in Batches
auditctl -R /etc/audit.rules
--> /etc/audit.rules is a text file containing rules; it can be in any path.

Stopping the auditd Service Process
killall auditd or /etc/rc.d/init.d/auditd stop

Starting the auditd Service Process
startproc /sbin/auditd or /etc/rc.d/init.d/auditd start

Querying the auditd Service Process Status
/etc/rc.d/init.d/auditd status

Checking Whether Recording Is Enabled for the auditd Service
auditctl -s
If "enabled=1" is displayed, recording is enabled.

3.6.3.2 Configuration Guide

This section describes how to configure the audit service.

Procedure

Step 1 Create a default configuration file of the audit service.
Jasper ~ # mkdir /etc/audit/
Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules

Step 2 Edit the rule file /etc/audit/audit.rules. You can select interesting audit rules from the following samples:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
# Feel free to add below this line. See auditctl man page
## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records, all modifications to the audit trail
-w /var/log/audit/ -k auditlog
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
## changes to the time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## umask
-a entry,always -S umask -k umask
## cron configuration & scheduled jobs
-w /etc/crontab -p rwax -k cron
## user, group, password databases
-w /etc/group -p rwax -k etcgroup
-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
## login configuration and information
-w /etc/login.defs -p rwax -k login
-w /etc/securetty -p rwax -k login
## network configuration
-w /etc/hosts -p rwax -k hosts
-w /etc/sysconfig/network -p rwax -k network
## system startup scripts
-w /etc/inittab -p rwax -k init
## kernel parameters
-w /etc/sysctl.conf -p rwax -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p rwax -k modprobe
## pam configuration
-w /etc/pam.d/ -p rwax -k pam
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p rwax -k etcissue
-w /etc/issue.net -p rwax -k etcissue

Step 3 Edit the startup script of the audit service to configure automatic loading of the rules after a restart. In the start) branch of /etc/rc.d/init.d/auditd, add the line beginning with "test -f /etc/audit/audit.rules" shown below (it is printed in bold in the original document; skip this step if the line already exists):

case "$1" in
    start)
        echo -n "Starting RPC auditd daemon"
        auditd_pid=`pidof auditd`
        if [[ -z ${auditd_pid} ]]
        then
            $AUDITD_BIN
            if [[ $? -ne 0 ]]
            then
                rc_failed 1
            else
                rc_failed 0
            fi
        else
            rc_failed 0
        fi
        test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
        # Remember status and be verbose
        rc_status -v

Step 4 Restart the audit service.
/etc/rc.d/init.d/auditd restart

Step 5 Check whether audit log recording is enabled. Run the auditctl -s command to check the value of enabled. If the value is 1, log recording is enabled. If the value is not 1, run the auditctl -e 1 command to enable log recording.

----End

Important Notes
Because audit rules are added, the system kernel performs additional audit operations besides normal processing, which compromises system performance. Delete unnecessary audit rules and minimize the number of audit rules based on site requirements to minimize performance deterioration.

3.7 System Upgrade and Patch Policy

Due to defects in product design or development, the Dopra Linux may have certain vulnerabilities. These vulnerabilities may pose security threats such as hacking or viruses, for example, service errors or authentication failures. You can install patches to eliminate these system vulnerabilities.

3.7.1 Patch Installation

By default, security patches are applied on the Dopra Linux every 12 months. For details, see Guide to Dopra Linux Operating System Remote Patch Upgrade delivered with Dopra Linux patches.

3.7.2 Upgrade

Currently, the Dopra Linux version and the product version are independent. The Dopra Linux upgrade does not affect applications that have been installed on the source Dopra Linux, for example, when the hard disk partition settings on the source and destination Dopra Linux versions are the same. You can upgrade the Dopra Linux using either of the following methods. If you upgrade the Dopra Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.
NOTE You must restart the system after an upgrade is complete.SingleRAN Dopra Linux OS Security Feature Parameter Description l USB upgrade l Web upgrade 3 Dopra Linux Security Features For details about upgrade methods. If you upgrade the Dopra Linux using the web mode. the USB upgrade is recommended. If you upgrade the RTOS or certain Dopra Linux versions using the web mode. Issue 12 (2015-04-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Ltd. In this case. the version cannot be rolled back. you can roll back the Dopra Linux to the source version if the upgrade fails. 30 . Issue 12 (2015-04-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. only the anti-virus policy is provided by the operating system. you can run the operating system patches by way of the product version upgrade because these patches are packed in the latest product version. l Of all operating system security policies of the base station.4 Enhanced Antivirus Policy. However if any security risks are exposed in RTOS versions.SingleRAN Dopra Linux OS Security Feature Parameter Description 4 4 Base Station Applications Base Station Applications The base station operating system patches are packed in the base station product version. see "3." l Other than the antivirus policy. For details. NOTE If the product version includes RTOS patches.. and therefore an separated operating system upgrade is not supported on the base station. the patch information will be addressed in the Release Notes of base stations. The base station operating system is not visible for users because the patches are packed in the base station software. Ltd. 31 . operating system security policies are packed in the base station software. see the Base Station Equipment and OM Security Feature Parameter Description. For details. 32 ..1 History Dopra Linux Versions Table 5-1 lists history Dopra Linux versions and corresponding boards. 
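The following shell script is an added example, not part of the Huawei document, that automates the checks behind Step 5 and the Important Notes of section 3.6.2: it reads the enabled value from auditctl -s output, maps it to the action the guide prescribes (including the enabled=2 restart case), and lists rules that are in the rule file but not loaded. It assumes that auditctl -s prints "enabled=N" as in the sample output in 3.6.1 and that auditctl -l prints loaded rules in the same -w/-a syntax as audit.rules; all sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the Huawei document): offline checks for the
# audit configuration described in 3.6.1 and 3.6.2.
# Assumptions: "auditctl -s" prints "enabled=N" as in the sample output,
# and "auditctl -l" prints loaded rules in the same "-w ..."/"-a ..."
# syntax used in /etc/audit/audit.rules (auditd 2.x; older releases print
# a LIST_RULES: form that is not handled). The comparison is textual, so
# rules in the rule file must be written exactly as auditctl -l prints them.

# Print the value of "enabled" from auditctl -s output passed as $1.
audit_enabled_value() {
    printf '%s\n' "$1" | sed -n 's/.*enabled=\([0-9]\).*/\1/p' | head -n 1
}

# Map the enabled value to the action Step 5 prescribes:
# 1 = recording on; 0 = run "auditctl -e 1"; 2 = rules are locked until
# the system is restarted (see "Querying Audit Service Status").
audit_action_for() {
    case "$1" in
        1) echo "ok" ;;
        0) echo "run: auditctl -e 1" ;;
        2) echo "locked: restart the system before editing rules" ;;
        *) echo "unknown enabled value: $1"; return 1 ;;
    esac
}

# Keep only rule lines (-w/-a) from text on stdin: drop comments, blank
# lines and control options such as -D and -b, and squeeze whitespace.
audit_rule_lines() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' | grep -E '^-(w|a) ' || true
}

# Print rules that are in the rule file text ($1) but not in the
# auditctl -l text ($2). Returns 1 when at least one rule is missing.
audit_missing_rules() {
    wanted=$(printf '%s\n' "$1" | audit_rule_lines)
    loaded=$(printf '%s\n' "$2" | audit_rule_lines)
    out=$(printf '%s\n' "$wanted" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$loaded" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample input (modelled on the document's examples, not
# captured from a real board): status output, a rule file, loaded rules.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0'
SAMPLE_RULES='# First rule - delete all
-D
# Make this bigger for busy systems
-b 256
-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd
-w /etc/ssh/sshd_config -k sshd
-a exit,always -F arch=b64 -S sethostname -k hostname'
SAMPLE_LOADED='-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd'

# Run on the sample data; "--live" queries the running auditd instead
# (needs root and auditctl on the PATH).
if [ "${1:-}" = "--live" ]; then
    status=$(auditctl -s); loaded=$(auditctl -l)
    rules=$(cat /etc/audit/audit.rules)
else
    status=$SAMPLE_STATUS; loaded=$SAMPLE_LOADED; rules=$SAMPLE_RULES
fi
enabled=$(audit_enabled_value "$status")
echo "enabled=$enabled -> $(audit_action_for "$enabled")"
if missing=$(audit_missing_rules "$rules" "$loaded"); then
    echo "all rules in the rule file are loaded"
else
    echo "rules in the rule file but not loaded:"
    printf '%s\n' "$missing"
fi
```

On the sample data the script reports enabled=1 and two rules (sshd_config and sethostname) that are in the rule file but not loaded, which is the situation Step 3 prevents by loading the rules at service start.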
5 Differences Between History Dopra Linux Versions

5.1 History Dopra Linux Versions

Table 5-1 lists history Dopra Linux versions and corresponding boards.

Table 5-1 History Dopra Linux versions and corresponding boards

Dopra Linux Version          Board
V100R001C03SPC010            OMUa/SAUa/OMUb/SAUb
V100R001C03SPC020            OMUa/SAUa/OMUb/SAUb
V100R001C03SPC030            OMUa/SAUa/OMUb/SAUb
V200R003C02SPC030            OMUc/SAUc
V200R003C02SPC060            OMUc/SAUc
V200R003C02SPC070            OMUc/SAUc
V200R003C02SPC080            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C02SPC090            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08                  OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC080            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC100            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC120            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC130            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC150            OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
RTOS-V100R001C00SPC030       EOMUa/ESAUa
RTOS-V100R001C00SPC050       EOMUa/ESAUa
RTOS-V100R001C00SPC060       EOMUa/ESAUa
RTOS-V100R001C00SPC070       EOMUa/ESAUa
RTOS-V100R001C00SPC080       EOMUa/ESAUa
RTOS-V100R001C00SPC090       EOMUa/ESAUa
RTOS-V200R003C08SPC080       EOMUa/ESAUa
RTOS-V200R003C08SPC100       EOMUa/ESAUa
RTOS-V200R003C08SPC120       EOMUa/ESAUa
RTOS-V200R003C08SPC150       EOMUa/ESAUa

NOTE
- The Dopra Linux can be upgraded to a destination version that supports the same type of boards as the source version, although supported boards vary with versions. For example, any version can be upgraded to V200R003C02SPC080, but V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.
- Unless otherwise stated, basic functions of previous versions are inherited in the latest version.

5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb

5.2.1 V100R001C03SPC010 to V100R001C03SPC020

The following functions are supported:
- Enable or disable remote login for the root user.
- Add the SSH login and logout logs to enhance the log auditing function. The logs include user name, login time, and source IP address.
- Lock user accounts after multiple unsuccessful login attempts.
- Allow the root user to uniformly set the password expiration date.
- Provide the su command so that login users can be switched.
- Enhance the password complexity policy, which enables the root user to set password complexity policies.

5.2.2 V100R001C03SPC020 to V100R001C03SPC030

- Provide the create-cracklib-dict command to allow users to update the weak password dictionary.
- Add the setfacl package to allow users to set access permissions on files.

5.3 Versions Running on the OMUc/SAUc

5.3.1 V200R003C02SPC030 to V200R003C02SPC060

- Delete the modules for commissioning to minimize security risks. The deleted modules are ltp, lmbench, livegdb, and livepatch.
- Disable unnecessary IPv6 modules to minimize the security risks posed by these modules.
- Upgrade the kernel version to Linux-2.6.16.60-0.68.1.
- Upgrade to OpenSSH 5 to eliminate system loopholes scanned out by NMap, Nessus, and Retina, and harden the operating system security.

5.3.2 V200R003C02SPC060 to V200R003C02SPC070

- Upgrade the kernel version from Linux-2.6.16.60-0.87.1 to Linux-2.6.16.60-0.99.1.
- Enhance operating system security by providing default security settings, such as password complexity policies.
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.

5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc

5.4.1 V200R003C02SPC070 to V200R003C02SPC080

The following functions are supported:
- Support the OMUa, SAUa, OMUb, SAUb, OMUc, and SAUc.
- Add the lgnusr user for remote login. You cannot remotely log in to the system as the root user by default, but you can remotely log in as the lgnusr user and then switch to the root user.
- The portmap service is disabled by default. Therefore, port 111 used by the portmap service is also disabled by default.
- Support PAM configuration for the su command, which enhances operating system security. In this way, the old passwords of the root user are verified before they are changed. Therefore, the user management security of the operating system is enhanced.
- Add a prompt message when the account is locked.

5.4.2 V200R003C02SPC080 to V200R003C02SPC090

The following functions are supported:
- Update the kernel version (Linux-2.6.16.60 series).

5.4.3 V200R003C02SPC090 to V200R003C08

- Rectify the defect that common users cannot modify the OS time zones.
- Rectify the OpenSSL security issue (CVE-2013-0166).
- Rectify the OpenSSH security issue CVE-2012-0814.
- Rectify the libsasl2 security issue CVE-2013-4122.
- Rectify the defect that the Ext3 file system is occasionally read-only.
- Rectify the defect that the MySQL service fails to start after a USB flash disk is used to restore the OS after an upgrade.
- Rectify the color change issue when a common user switches from the su user to the root user.
- Forbid the upgrade from a later version to an earlier version.
- Rectify the failure in connecting to the network during an OS upgrade because the board was not reset after the OS upgrade from Doprax86V100R001C03.

5.4.4 V200R003C08 to V200R003C08SPC080

- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128, to fix the Plaintext Recovery Attack against CBC ciphers (ID: CVE-2008-5161).
- Change the account encryption algorithm to the secure algorithm SHA512.
- Add the one-click recovery function by upgrading the GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- New smartctl command.
- Enhance /etc/ssh/sshd_config with the configuration AllowTcpForwarding no, to fix CVE-2004-1653.
- Upgrade OpenSSL to 0.9.8y, which rectifies the OpenSSL security issues CVE-2013-0169 and CVE-2013-0166.
- Add SFTP logging.
- Forbid the CMDline parameter (init=/bin/bash) parsing in the kernel.

5.4.5 V200R003C08SPC080 to V200R003C08SPC100

- Upgrade the kernel from 2.6.16.60-0.105.1 to 2.6.16.60-0.109.1, fixing security issues and bugs.
- Upgrade glibc from 2.4-31.91 to a later 2.4-31 release, fixing security issues and bugs.
- Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0198, CVE-2014-0076, CVE-2014-0221, CVE-2014-3470, CVE-2010-5298, and CVE-2014-0195.
- Rectify bash vulnerabilities, six in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0951): CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
- Rectify OpenSSL vulnerabilities, nine in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0816): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, and CVE-2014-5139.
- Rectify the top command not supporting the -b -n 1 parameters.
- Rectify the incorrect failed log statistics issue.
- Rectify the defect that a message indicating an expired password is displayed after a USB flash disk is used to restore the OS.

5.4.6 V200R003C08SPC100 to V200R003C08SPC120

- Enhance ssh_host_rsa_key.pub and ssh_host_rsa_key to a key length of 2048 bits.
- Fix the defect so that the operating system does not display the message that the number of password retries exceeds the upper limit after the boards are restarted.

5.4.7 V200R003C08SPC120 to V200R003C08SPC130

- Rectify the defect that the working link mode of the network adapter is restored to the original configuration after the OMUc operating system is upgraded.

5.4.8 V200R003C08SPC130 to V200R003C08SPC150

- Upgrade wget to rectify vulnerability CVE-2014-4877.
- Add the iostat command.
- Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, and CVE-2014-3566 (HUAWEI Vulnerability ID: HWPSIRT-2014-1041).
- Because the -p option of the useradd, usermod, groupadd, and groupmod commands may bypass the password complexity check, support for the -p option is removed.
- Rectify OpenSSH vulnerability CVE-2014-2653.

5.4.9 V200R003C08SPC150 to V200R003C08SPC170

- Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, and CVE-2015-0204.
- Rectify glibc vulnerability CVE-2015-0235 (HUAWEI Vulnerability ID: HWPSIRT-2015-01045).
- Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and CVE-2014-9402.

5.4.10 V200R003C08SPC170 to V200R003C08SPC190

- Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the HMAC-SHA1 and HMAC-SHA2 algorithms are supported. In this case, the PuTTY client does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, PuTTY must be upgraded to version 0.64 or later. Otherwise, board logins will fail. The SSH service does not support the arcfour128/256 algorithms.
- Upgrade OpenSSL to 0.9.8zf to rectify the latest vulnerabilities (CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0293).

5.5 Versions Running on the EOMUa/ESAUa

5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030

- Support the NIS to centrally manage accounts and harden password security.

5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050

- Fix security loopholes of libxml2, libsnmp, and bash (ID: CVE-2012-2807, CVE-2012-2141, CVE-2012-3410).

5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060

- Enhance the self-healing mechanism of the file system.
- Rectify the OpenSSH security issue (CVE-2010-5107): the OpenSSH LoginGraceTime setting leads to SSH service denial.

5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070

- Rectify three high-risk vulnerabilities (CVE-2011-0997, CVE-2010-0405, and CVE-2006-5276) and three medium-risk vulnerabilities (CVE-2008-7270, CVE-2008-5077, and CVE-2009-0021) in the Retina scan result.

5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080

- Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating system security.
- Add the support of the U_creator tool for a 16 GB large-capacity USB flash drive.
- Reinforce security hardening: disable the remote login of user root by default, and add user lgnusr for remote login. After a successful login of user lgnusr, it can be switched to user root. If no operation is performed in 30 minutes, the SFTP service times out and exits.
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.
- Forbid the upgrade from a later version to an earlier version.

5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090

- Rectify the priority inversion issue and incorporate the open-source kernel patch http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=da7a735e51f9622eb3e1672594d4a41da01d7e4f.
- Incorporate three precaution issues:
  – Precaution Notice [2013-001] – Memory Corruption May Occur When the Bus Master Is Not Disabled When the PCI Device Is Stopped
  – Precaution Notice [2013-002] – Deadlock May Occur Due to the Migration of CPUs that Run Real-time Tasks
  – Precaution Notice [2013-004] – System Breakdown May Occur Due to the Core Dump on the Multi-thread Process Using the FPU

5.5.7 RTOS-V100R001C00SPC090 to RTOS-V200R003C08SPC080

- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128, to fix the Plaintext Recovery Attack against CBC ciphers (ID: CVE-2008-5161).
- Add the one-click recovery function by upgrading the GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- New smartctl command.
- Add the function of password verification for the root user.
- Enhance /etc/ssh/sshd_config with the configuration AllowTcpForwarding no, to fix CVE-2004-1653.
- Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0198, CVE-2014-0076, CVE-2014-0221, CVE-2014-3470, CVE-2010-5298, and CVE-2014-0195.
- Rectify the libxml2 security issue CVE-2013-2877.
- Add SFTP logging support.
- Rectify bash vulnerabilities, six in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0951): CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
- Rectify OpenSSL vulnerabilities, nine in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0816): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, and CVE-2014-5139.
- Rectify the top command not supporting the -b -n 1 parameters.
- Rectify the incorrect failed log statistics issue.
- Remove NIS service support.

5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100

- Upgrade the kernel from 2.6.32.59-0.7 to a later 2.6.32.59 release, fixing security issues and bugs.
- Upgrade glibc from 2.11.1-0.34 to 2.11.1-0.50, fixing security issues and bugs.

5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120

- Enhance ssh_host_rsa_key.pub and ssh_host_rsa_key to a key length of 2048 bits.
- Add support for copying files whose names contain Chinese characters from a USB disk to the system.

5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150

- Upgrade wget to rectify vulnerability CVE-2014-4877.
- Add the iostat command.
- Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, and CVE-2014-3566 (HUAWEI Vulnerability ID: HWPSIRT-2014-1041).
- Because the -p option of the useradd and groupadd commands may bypass the password complexity check, support for the -p option is removed.
- Rectify OpenSSH vulnerability CVE-2014-2653.
- Upgrade the kernel patch to 2.6.32.59-0.19 to rectify the latest vulnerabilities (CVE-2012-6657, CVE-2013-7263, CVE-2014-0181, CVE-2014-9420, CVE-2014-9584, and CVE-2014-9585).
- Avoid the OS upgrade failure caused when the source file for the /etc/rc.d/mysql link is missing.

5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170

- Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, and CVE-2015-0204.
- Rectify glibc vulnerability CVE-2015-0235 (HUAWEI Vulnerability ID: HWPSIRT-2015-01045).
- Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and CVE-2014-9402.
- Rectify the kernel vulnerability CVE-2015-1593.

5.5.12 RTOS-V200R003C08SPC170 to RTOS-V200R003C08SPC190

- Enhance hungtask maintenance and testing.
- Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the HMAC-SHA1 and HMAC-SHA2 algorithms are supported. In this case, the PuTTY client does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, PuTTY must be upgraded to version 0.64 or later. Otherwise, board logins will fail. The SSH service does not support the arcfour128/256 algorithms.
- Upgrade OpenSSL to 0.9.8zf to rectify the latest vulnerabilities (CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0293).
- Reinforce security hardening. If no operation is performed in 30 minutes, the SFTP service times out and exits.
6 Parameters

There are no specific parameters associated with this feature.

7 Counters

There are no specific counters associated with this feature.

8 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.

9 Reference Documents

1. Equipment Security Feature Parameter Description
2. OMU Administration Guide
3. Guide to Dopra Linux Operating System Remote Patch Upgrade

Issue 12 (2015-04-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.