Dopra Linux OS Security(SingleRAN_12)


SingleRAN

Dopra Linux OS Security Feature Parameter Description

Issue 12
Date 2015-04-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 12 (2015-04-30) Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.


Contents

1 Introduction
  1.1 Scope
  1.2 Intended Audience
  1.3 Change History
2 Dopra Linux Security Description
  2.1 Introduction to the Dopra Linux
    2.1.1 Overview
    2.1.2 Differences Between the Dopra Linux and Other Operating Systems
  2.2 Dopra Linux Security Overview
  2.3 Security Architecture
3 Dopra Linux Security Features
  3.1 User Management
    3.1.1 Dopra Linux Users
    3.1.2 Security Policies for User Management
    3.1.3 Operations Related to User Management
    3.1.4 Operations Related to Password Complexity Management
    3.1.5 Operations Related to Password Setting
  3.2 File System and Permission Management
    3.2.1 Directory Protection
    3.2.2 File Protection
  3.3 Network Management
    3.3.1 Protocols Enabled by Default
    3.3.2 Services Enabled by Default
    3.3.3 Ports Opened by Default
    3.3.4 System Firewall iptables
    3.3.5 Security Policies Related to TCP/IP Stacks
    3.3.6 Security Policies Related to SSH
    3.3.7 Operations Related to SSH
  3.4 Enhanced Antivirus Policy
    3.4.1 Virus Entry Control
    3.4.2 Post-entry Virus Control
  3.5 Operating System Integrity Protection
    3.5.1 Product Development Security
    3.5.2 Product Release Security
  3.6 System and Security Log Management
    3.6.1 Log Files
    3.6.2 Real-Time Access Information Recording
    3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux
      3.6.3.1 Configuration Commands
      3.6.3.2 Configuration Guide
  3.7 System Upgrade and Patch Policy
    3.7.1 Patch Installation
    3.7.2 Upgrade
4 Base Station Applications
5 Differences Between History Dopra Linux Versions
  5.1 History Dopra Linux Versions
  5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb
    5.2.1 V100R001C03SPC010 to V100R001C03SPC020
    5.2.2 V100R001C03SPC020 to V100R001C03SPC030
  5.3 Versions Running on the OMUc/SAUc
    5.3.1 V200R003C02SPC030 to V200R003C02SPC060
    5.3.2 V200R003C02SPC060 to V200R003C02SPC070
  5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    5.4.1 V200R003C02SPC070 to V200R003C02SPC080
    5.4.2 V200R003C02SPC080 to V200R003C02SPC090
    5.4.3 V200R003C02SPC090 to V200R003C08
    5.4.4 V200R003C08 to V200R003C08SPC080
    5.4.5 V200R003C08SPC080 to V200R003C08SPC100
    5.4.6 V200R003C08SPC100 to V200R003C08SPC120
    5.4.7 V200R003C08SPC120 to V200R003C08SPC130
    5.4.8 V200R003C08SPC130 to V200R003C08SPC150
    5.4.9 V200R003C08SPC150 to V200R003C08SPC170
    5.4.10 V200R003C08SPC170 to V200R003C08SPC190
  5.5 Versions Running on the EOMUa/ESAUa
    5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030
    5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050
    5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060
    5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070
    5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080
    5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090
    5.5.7 RTOS-V100R001C00SPC090 to RTOS-V200R003C08SPC080
    5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100
    5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120
    5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150
    5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170
    5.5.12 RTOS-V200R003C08SPC170 to RTOS-V200R003C08SPC190
6 Parameters
7 Counters
8 Glossary
9 Reference Documents


1 Introduction

1.1 Scope

This document describes the security features and capabilities of the Dopra Linux operating system.

NOTE

- This document is based on V200R003C02SPC090 and RTOS-V100R001C00SPC080. For details about differences between history versions, see "5 Differences Between History Dopra Linux Versions."
- The operating system for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed RTOS. The real-time operating system (RTOS) inherits the basic functions of Dopra Linux. This document refers to an RTOS version with the prefix RTOS- in front of the version number, for example, RTOS-V100R001C00SPC070. Unless otherwise stated, this document applies to both Dopra Linux and RTOS.
- For a base station, only the software of the UMPT and UMDU boards uses and encapsulates the Dopra Linux OS. Therefore, you cannot log in to the OS of a base station configured with one of these boards after the base station is delivered. For details, see chapter 4 Base Station Applications.

1.2 Intended Audience

This document is intended for personnel who:
- Need to understand the features described herein
- Work with Huawei products

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:
- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

12 (2015-04-30)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.10 V200R003C08SPC170 to V200R003C08SPC190. Added 5.5.12 RTOS-V200R003C08SPC170 to RTOS-V200R003C08SPC190. | None |
| Editorial change | 3.3.7 Operations Related to SSH: added the SFTP timeout. 3.3.6 Security Policies Related to SSH: deleted the arcfour256 and arcfour128 algorithms and added the hmac-sha2-256 algorithm. 3.3.7 Operations Related to SSH: deleted the arcfour256 and arcfour128 algorithms. | None |

11 (2015-02-15)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.9 V200R003C08SPC150 to V200R003C08SPC170. Added 5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170. | None |
| Editorial change | None | None |

10 (2015-01-15)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.8 V200R003C08SPC130 to V200R003C08SPC150. Added 5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150. | None |
| Editorial change | None | None |

09 (2014-12-15)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.7 V200R003C08SPC120 to V200R003C08SPC130. | None |
| Editorial change | None | None |

08 (2014-10-10)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.6 V200R003C08SPC100 to V200R003C08SPC120. Added 5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120. | None |
| Editorial change | None | None |

07 (2014-09-25)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 5.4.5 V200R003C08SPC080 to V200R003C08SPC100. Added 5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100. | None |
| Editorial change | None | None |

06 (2014-08-15)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | None | None |
| Editorial change | Added descriptions of base stations using the Dopra Linux OS in section 1.1 Scope. | None |

05 (2014-06-10)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added 3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux. | None |
| Editorial change | None | None |

04 (2012-12-30)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | Added V200R003C02SPC090 and its feature difference. | None |
| Feature change | Added RTOS versions RTOS-V100R001C00SPC030, RTOS-V100R001C00SPC050, RTOS-V100R001C00SPC060, and RTOS-V100R001C00SPC070 and their feature difference. | None |
| Feature change | Added descriptions on operating system applications of base stations. For details, see "4 Base Station Applications". | None |
| Editorial change | Changed the document name from Controller Dopra Linux OS Security to Dopra Linux OS Security. | None |

03 (2012-11-30)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | None | None |
| Editorial change | Changed "RTOS" to "Dopra Linux" in this document. The document title is also changed from "RTOS Security" to "Controller Dopra Linux OS Security" for consistency with the name of the current operating system. | None |

02 (2012-09-30)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Feature change | None | None |
| Editorial change | Added the description on how to create users, change passwords, and delete users. For details, see section 3.1 "User Management." | None |
| Editorial change | Added section 3.5 "Operating System Integrity Protection." | None |
| Editorial change | Modified Secure Shell (SSH) policies. For details, see section 3.3 "Network Management." | None |
| Editorial change | Added chapter 5 "Differences Between History Dopra Linux Versions". | None |

01 (2012-08-16)

This issue includes the following changes.

| Change Type | Change Description | Parameter Change |
|---|---|---|
| Editorial change | Modified the organization and descriptions in section 3 "Dopra Linux Security Features." | None |
| Editorial change | Modified the TCP/IP protocol stack security policy table and added default values for these security policies. | None |
| Editorial change | Added the description on how to create users, change passwords, and delete users. | None |

Draft A (2012-06-20)

This is a draft.


2 Dopra Linux Security Description

2.1 Introduction to the Dopra Linux

2.1.1 Overview

The Dopra Linux is a Linux-based operating system tailored to provide full security protection for telecommunications products. As part of an end-to-end security solution, the Dopra Linux is enhanced in hardware support, software commissioning, and performance to minimize security risks.

A customized Dopra Linux consists of the kernel and root file system:
- Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which helps improve system security.
- Root file system: The Dopra Linux is a compact operating system where only useful database and service components are installed in the file system. This helps minimize security risks.

2.1.2 Differences Between the Dopra Linux and Other Operating Systems

The Dopra Linux is a real-time embedded operating system. Compared with server and desktop operating systems, the Dopra Linux meets the following security requirements:
- System-level security requirements, such as minimum installation, system tailoring, and security patch management
- Anti-attack requirements for protocols and interfaces, such as use of secure protocols and anti-attack features
- Requirements on product development, release, and installation, such as software commissioning and integrity checking
- Sensitive data protection requirements, such as data confidentiality and integrity, use of encryption algorithms, and use of secure transmission channels
- Requirements for secure system management and maintenance, such as password, authentication, authorization, log, and alarm management

2.2 Dopra Linux Security Overview

The main security threats for the Dopra Linux are security vulnerabilities, password cracking, illegal operations, and information disclosure. Table 2-1 describes these threats.

Table 2-1 Main security threats for the Dopra Linux

| Threat | Description | Severity | Security Requirement |
|---|---|---|---|
| Security vulnerability | The kernel, SSH, and Secure File Transfer Protocol (SFTP) have known security vulnerabilities. | Minor | The Dopra Linux provides a new service protocol version and is able to fix security vulnerabilities by version upgrade or patch installation. The Dopra Linux is upgraded every 12 months by default. |
| Password cracking | Password complexity check is not performed on the initial password. | Major | The Dopra Linux requires users to use complex passwords. |
| Illegal operation | The maximum number of unsuccessful login attempts is not specified. | Minor | The Dopra Linux locks the login account or IP address when the maximum number of unsuccessful login attempts is exceeded. |
| Information disclosure | Insecure protocols, such as Trivial File Transfer Protocol (TFTP) and Telnet, are used. | Major | By default, the Dopra Linux does not support insecure protocols. Instead, it uses secure protocols such as SFTP. |

NOTE

The Dopra Linux does not require antivirus software because few viruses target Linux and only a few Dopra Linux ports are open. For details about Dopra Linux antivirus measures, see "3.4 Enhanced Antivirus Policy."

2.3 Security Architecture

The Dopra Linux sits between the hardware (multi-core CPUs and other devices) and user-mode processes. The Dopra Linux runs on medium- or high-end CPUs. As a multi-thread operating system, the Dopra Linux features the security policies listed in Table 2-2.


Table 2-2 Dopra Linux security policies

| Policy Area | Security Policies |
|---|---|
| Identity Authentication | Access control; user password control |
| File System and Permission Management | Directory protection; file protection |
| Network Management | Protocols enabled by default; services enabled by default; ports opened by default; system firewall iptables; security policies related to TCP/IP stacks; security policies related to SSH |
| Enhanced Antivirus Policy | Virus entry control; post-entry virus control |
| Operating System Integrity Protection | Product development security; product release security; product installation security |
| System and Security Log Management | Log file management, such as auditing and monitoring |
| System Upgrade and Patch Policy | Patch installation; system upgrade |


3 Dopra Linux Security Features

3.1 User Management

3.1.1 Dopra Linux Users

Dopra Linux users are categorized into root user, common user, service user, and lgnusr user. The permissions of these users are as follows:

- The root user has the highest operation permission, including read, write, and execute permission. The read permission allows the root user to view the names and contents of files under a directory. The write permission allows the root user to create or delete files as well as modify file contents. The execute permission allows the root user to run shell scripts or binary executable files. The root user can be granted read, write, and execute permission to all files and directories. V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to perform remote login. This measure helps enhance system security.

- Common users are created by the root user. They can log in to the Dopra Linux and create, modify, or delete files under their own home directories. For example, user jack can perform these operations under the home directory /home/jack. In addition, common users can run scripts or binary executable files under the /usr/bin and /bin directories.

- Service users are used by system service processes. Service users have the lowest operation permission and cannot log in to the operating system. They are not created by the root user. This prevents unauthorized users from attacking the operating system and reduces security risks. Service user accounts in the Dopra Linux include sshd, nobody, haldaemon, messagebus, and mysql.

  NOTE
  - sshd: used by the sshd server; cannot log in to the operating system.
  - nobody: standard account used by portmap and other system services; cannot log in to the operating system.
  - haldaemon: standard account used by the haldaemon server; cannot log in to the operating system.
  - messagebus: standard account used by the D-BUS server; cannot log in to the operating system.
  - mysql: used by the mysql server.

- The lgnusr user is an internal common user. Added in V200R003C02SPC090 and RTOS-V100R001C00SPC070, the lgnusr user is used for Secure Shell (SSH) login. You can run the su command to switch from the lgnusr user to the root user to gain administrative rights. You are advised to reserve the lgnusr user for SSH security.

3.1.2 Security Policies for User Management

Table 3-1 describes the security policies for user management in the Dopra Linux.

Table 3-1 Security policies for user management in the Dopra Linux

Password complexity
  A user password must contain at least eight characters, including at least one uppercase letter, one lowercase letter, one special character, and one digit. Simple passwords (passwords defined in the weak password dictionary) are not allowed.

  NOTE
  - You can run the zcat /usr/share/cracklib/cracklib-words.gz command to view the weak password dictionary.
  - For the Dopra Linux, you can run the create-cracklib-dict command to update the weak password dictionary. For example, run the create-cracklib-dict dict1.dat command to add the words in dict1.dat to the weak password dictionary.
  - For the RTOS, the weak password dictionary cannot be viewed or modified, to prevent it from being disclosed.

  The Dopra Linux records the history passwords of common users only. By default, the Dopra Linux records a maximum of three history passwords and the RTOS records a maximum of five history passwords. The new password must differ from the history passwords and from the reverse of the history passwords. Common users can change only their own passwords. The root user can change all users' passwords.

Login message
  - For the Dopra Linux, the Dopra Linux prints the information about the previous login after a login, including the login date, time, and IP address. The information helps users determine whether unauthorized users have used the account.
  - For the RTOS, the information print function is disabled by default after a successful login. You can enable the information print function as follows: run the vi /etc/ssh/sshd_config command to open the sshd_config file, set PrintLastLog to yes, and run the killall sshd command to restart the SSHD service.

Login permission
  By default, a user account is locked for 300 seconds after three consecutive unsuccessful login attempts. The administrator can unlock the account. In versions earlier than V200R003C08SPC080, users are asked for their old password when changing their own passwords. In V200R003C08SPC080 and later versions, the old password is required. For all versions, the old password is not required when the root user modifies a non-root user's password.

Root user
  The root user is the only superuser in the system and is authorized to execute all scripts and executable files. The password for the root user is customized before Dopra Linux deployment.

Service user
  Service users cannot log in to the Dopra Linux and are used only for service purposes.

Advance warning before password expiration
  The default password validity period is 30 days. To enhance password security, the Dopra Linux prompts users to change their passwords seven days before the passwords expire. In versions earlier than V200R003C02SPC090, the default password validity period is 30 days. In V200R003C02SPC090, RTOS-V100R001C00SPC050, and later versions, the default password validity period is 90 days.

Minimum password validity
  You are advised to set the minimum password validity period to 48 hours or longer. Otherwise, a password change may bypass the password security policy inspection.

Password encryption
  The Dopra Linux uses the SHA-512 hash algorithm to protect stored passwords in V200R003C02SPC080 and later. Versions earlier than V200R003C02SPC080 use MD5.

3.1.3 Operations Related to User Management

Operations related to user management include creating, deleting, and switching users as well as changing user passwords. This section uses user1 as an example to describe these operations.


- To create user1, run the following command:
  useradd -m user1 //After user1 is created, its home directory /home/user1 is also created.

- To delete user1, run the following command:
  userdel -r user1 //After user1 is deleted, its home directory /home/user1 is also deleted.

- To change the password for user1, run the following command:
  passwd user1 //Only user1 and the root user can change the password for user1.
  The password must comply with the password complexity policy in Table 3-1, for example, Huawei@751.

- To switch to user1, run one of the following commands:
  su user1 //The current user is switched to user1.
  su - user1 //The current user is switched to user1. The hyphen (-) starts a login shell, so user1's environment variables are loaded as well.

3.1.4 Operations Related to Password Complexity Management

NOTE
It is recommended that you do not modify the password complexity settings; the defaults are chosen to enhance password security.

You can set the following parameters in the /etc/pam.d/common-password file to modify the password complexity settings:
- retry = N: You have N attempts to enter an acceptable password each time you run the passwd command. N is an integer from 1 to 256. The default value is 6.
- lcredit = N: A password contains at least N lower-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- ucredit = N: A password contains at least N upper-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- dcredit = N: A password contains at least N digits. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- ocredit = N: A password contains at least N special characters (~!@#$%^&*()_+`-={}|[]\:";'?,./). N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- minlen = N: A password contains at least N characters. N is an integer from 6 to 127. The default value is 8.
- enforce_root: The password policy also applies to the root user. If this parameter is deleted, the password policy does not apply to the root user.
- remember = N: The last N passwords are recorded for common users and may not be reused. N is an integer from 0 to 400. The default value is 3 for the Dopra Linux OS and 5 for the RTOS. This rule does not apply when the root user changes its own password or another account's password.
- uname_check: A password cannot be the same as any user name or any user name in reverse order. This check is enabled by default.

Note that the credit parameters here mean a minimum count of each character class. This differs from the upstream pam_cracklib module, where a positive N grants a length credit and only a negative N sets a minimum count; do not copy values between the two without checking.
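The rules above, together with the password-history rule in 3.1.2, can be checked offline before a password is submitted. The following Python script is an added example, not code from the Dopra Linux or from Huawei: on the system the checks are enforced by the PAM modules in /etc/pam.d/common-password, while this script only reproduces the documented rules (minlen, the four credit counts, uname_check, remember including reversed passwords, and a weak-word list). The policy dictionaries encode the documented defaults; WEAK_WORDS is a constructed stand-in for the cracklib dictionary built with create-cracklib-dict, and the dictionary test is deliberately simpler than cracklib's.

```python
"""Offline checker for the Dopra Linux password rules described in 3.1.2 and 3.1.4.

Added example, not code from the Dopra Linux or Huawei: on the system the checks are
enforced by the PAM modules configured in /etc/pam.d/common-password. The policy
dictionaries encode the documented defaults; WEAK_WORDS is a constructed stand-in for
the cracklib dictionary built with create-cracklib-dict.
"""

# Special characters accepted for ocredit (list from 3.1.4).
SPECIALS = set("~!@#$%^&*()_+`-={}|[]\\:\";'?,./")

# Documented defaults: the Dopra Linux OS requires one character of each class;
# the RTOS sets the four credit values to 0 and remembers five passwords.
DOPRA_POLICY = {"minlen": 8, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1,
                "remember": 3, "uname_check": True}
RTOS_POLICY = dict(DOPRA_POLICY, lcredit=0, ucredit=0, dcredit=0, ocredit=0, remember=5)

# Constructed weak-word list (the real dictionary on the RTOS cannot be viewed).
WEAK_WORDS = {"password", "welcome", "qwerty", "letmein", "abc123"}


def check_password(candidate, username, history, policy=DOPRA_POLICY, weak_words=WEAK_WORDS):
    """Return the names of the violated rules; an empty list means the password is acceptable.

    history lists the user's previous passwords, newest first; only the most recent
    policy["remember"] entries are compared, as pam does. On the real system the
    uname_check covers every account name; here a single username is passed in.
    """
    problems = []
    if len(candidate) < policy["minlen"]:
        problems.append("minlen")
    counts = {
        "lcredit": sum(c.islower() for c in candidate),
        "ucredit": sum(c.isupper() for c in candidate),
        "dcredit": sum(c.isdigit() for c in candidate),
        "ocredit": sum(c in SPECIALS for c in candidate),
    }
    for rule in ("lcredit", "ucredit", "dcredit", "ocredit"):
        if counts[rule] < policy[rule]:
            problems.append(rule)
    if policy["uname_check"] and candidate in (username, username[::-1]):
        problems.append("uname_check")
    # 3.1.2: the new password must differ from the recorded passwords and from their reversals.
    for old in history[:policy["remember"]]:
        if candidate in (old, old[::-1]):
            problems.append("remember")
            break
    # Simplified dictionary check: strip digits and symbols, then look the word up.
    core = "".join(c for c in candidate.lower() if c.isalpha())
    if core in weak_words:
        problems.append("dictionary")
    return problems


if __name__ == "__main__":
    for pw in ("Huawei@751", "huawei751", "1resu", "Password@1"):
        print("%-12s -> %s" % (pw, check_password(pw, "user1", ["Tom@520123"]) or "OK"))
```

Huawei@751, the example password from 3.1.3, passes every rule; huawei751 fails ucredit and ocredit; 1resu is user1 reversed and is rejected by uname_check. Pass policy=RTOS_POLICY to see the RTOS behaviour, where the credit rules are off but five previous passwords are remembered instead of three.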

3.1.5 Operations Related to Password Setting

NOTE
In versions earlier than V100R001C03SPC030, the account lock and password validity period cannot be changed, because the /etc/pam.conf file and the chage command are not supported in these versions.


You can set the following options in the /etc/pam.d/common-auth file to modify the account locking settings:
- deny=N: The login account is locked when the number of consecutive unsuccessful login attempts exceeds N. N is an integer from 1 to 32. The default value is 3.
- unlock_time=N: The account stays locked for N seconds after the maximum number of unsuccessful login attempts is exceeded. N is an integer from 1 to 3600. The default value is 300.

You can run the following commands to view or modify the password ageing settings (user1 stands for any common user):
- chage -l user1 //Displays the minimum interval between password changes (Minimum), the maximum password validity period (Maximum), and the advance warning before the password expires (Warning).
- chage -m N user1 //N is the minimum number of days between password changes: the password can be changed again only N days later. N is an integer from 0 to 99999. If N is 0, the password can be changed at any time. This option does not apply to the root user.
- chage -M N user1 (or root) //N is the maximum number of days a password stays valid before it must be changed. N is an integer from 1 to 99999.
- chage -W N user1 (or root) //N is the number of days before expiration on which the user starts to be warned. N is an integer from 1 to 99999.

3.2 File System and Permission Management

File system permissions are categorized into read, write, and execute permissions. The root user can operate on all files. Common users can operate only on their own files. Permission management ensures file security.

3.2.1 Directory Protection

The Dopra Linux restricts directory access permissions. You can run the ll or ls -l command to query the read, write, and execute permissions on the files and sub-directories in a directory. The following is an example:

Jasper / # ll
total 112
drwxr-xr-x   2 root root  4096 Jul  6 22:10 bin
drw-r-----   6 root root  4096 Jul  7 23:08 boot
drwxr-xr-x   9 root root  5560 Jul  7 19:11 dev
drwxr-xr-x  25 root root  4096 Jul  7 23:15 etc
drwxr-x--x   4 root root  4096 Jul  7 21:19 home
-rwxr-xr-x   1 root root    29 Jul  5 22:24 init
drwxr-xr-x   7 root root  4096 Jul  6 22:10 lib
drwx------   2 root root 16384 Jul  5 22:23 lost+found
d-wx---r-x   5 root root  4096 Jul  5 22:24 mbsc
drwxr-xr-x   2 root root  4096 Jul  5 22:24 media
drwxr-xr-x   4 root root  4096 Jul  5 22:25 mnt
drwxr-x---   2 root root  4096 Jul  5 22:24 none
drwxr-x---   3 root root  4096 Jul  5 22:24 opt
dr-xr-xr-x 114 root root     0 Jul  7 19:10 proc
drwx------   3 root root  4096 Jul  7 22:06 root
drwxr-x---   2 root root  4096 Jul  7 21:25 sbin
-rwxr-xr-x   1 root root 23713 Jul  5 22:24 sc_init
drwxr-xr-x   2 root root  4096 Jul  5 22:24 srv
drwxr-xr-x  11 root root     0 Jul  7 19:10 sys
drwxrwxrwt   2 root root  4096 Jul 11 03:30 tmp
drwxr-xr-x   2 root root  4096 Jul  5 22:25 usb
drwxr-xr-x   7 root root  4096 Jul  5 22:24 usr
drwxr-xr-x  10 root root  4096 Jul  6 22:10 var

The following uses the last line, drwxr-xr-x 10 root root 4096 Jul 6 22:10 var, to explain the command output:
- In drwxr-xr-x:
  d means directory. Regular files start with - instead of d.
  The first rwx indicates that the owner of the file or directory has read, write, and execute permissions.
  The first r-x indicates that users who belong to the group of the file or directory have read and execute permissions.
  The second r-x indicates that all other users have read and execute permissions.
  NOTE
  The root user has the highest permissions and can operate on all files created by other users.
- 10 indicates the number of hard links to the directory.
- The first root indicates that the file or directory is owned by the root user.
- The second root indicates that the file or directory belongs to the root group.
- 4096 indicates the size in bytes. For a directory this is the size of the directory entry itself, not of the files or sub-directories under it.
- Jul 6 22:10 is the time when the file or directory was last modified.
- var is the file or directory name.

3.2.2 File Protection

The Dopra Linux restricts common users' access to system files:
- Common users cannot list the contents of the /home directory. In the listing above it is drwxr-x--x, so other users can only traverse it to reach a path they already know.
- Common users cannot modify or delete commands, library files, or the directories storing device files (/dev) and configuration files (/etc).
- Only the root user is authorized to access the system command management directories (/sbin and /usr/sbin) and the log files in /var/log.

NOTE
The read permission on a directory allows a user to list the files and sub-directories under it. The write permission allows a user to create, rename, or delete entries under it. The execute permission on a directory allows a user to traverse it, that is, to access an entry by name even when the directory cannot be listed; without it, the files inside are unreachable regardless of their own permissions.
The read permission on a file allows a user to view its contents. The write permission allows a user to edit its contents. The execute permission allows a user to run the file as a program or script.

Users can run the setfacl command to grant a specific user access to a file. For example, setfacl -m u:user1:rw a.dat gives user1 read and write permission on a.dat; verify the result with getfacl a.dat.
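As an added example (not Dopra Linux code), the following Python script parses ls -l output such as the listing in 3.2.1 and reports entries whose mode bits weaken the protections described in 3.2.1 and 3.2.2: world-writable entries that lack the sticky bit, setuid/setgid programs, and directories that other users can traverse but not list. SAMPLE_LISTING mixes lines copied from the 3.2.1 listing with two constructed entries, scratch and helper, so that the checker has something to report.

```python
"""Flag risky permission bits in ls -l output.

Added example, not code from the Dopra Linux: it applies the permission rules
explained in 3.2.1 and 3.2.2 to a captured listing. SAMPLE_LISTING copies lines
from the `ll` output in 3.2.1 and adds two constructed entries, scratch (a
world-writable directory without the sticky bit) and helper (a setuid program),
so that the checker has something to report.
"""
import stat

SAMPLE_LISTING = """\
total 112
drwxr-xr-x 2 root root 4096 Jul 6 22:10 bin
drwxr-x--x 4 root root 4096 Jul 7 21:19 home
drwx------ 3 root root 4096 Jul 7 22:06 root
drwxr-x--- 2 root root 4096 Jul 7 21:25 sbin
drwxrwxrwt 2 root root 4096 Jul 11 03:30 tmp
drwxrwxrwx 2 root root 4096 Jul 5 22:24 scratch
-rwsr-xr-x 1 root root 23713 Jul 5 22:24 helper
"""

# (read, write, execute, special) bits for the owner, group and other triads.
_TRIADS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX),
)


def parse_mode(mode_str):
    """Turn a 10-character mode string such as 'drwxr-xr-x' into (type_char, mode_bits)."""
    if len(mode_str) != 10:
        raise ValueError("unexpected mode string: %r" % mode_str)
    bits = 0
    for index, (r, w, x, special) in enumerate(_TRIADS):
        triad = mode_str[1 + 3 * index:4 + 3 * index]
        if triad[0] == "r":
            bits |= r
        if triad[1] == "w":
            bits |= w
        # 's'/'t' mean execute plus setuid/setgid/sticky; 'S'/'T' mean the special bit without execute.
        if triad[2] in "xst":
            bits |= x
        if triad[2] in "sStT":
            bits |= special
    return mode_str[0], bits


def parse_listing(text):
    """Yield one dict per entry of an ls -l listing, skipping the 'total' line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "total":
            continue
        ftype, mode = parse_mode(parts[0])
        yield {"name": parts[-1], "type": ftype, "mode": mode,
               "owner": parts[2], "group": parts[3]}


def find_risky(text):
    """Return {name: [findings]} for entries whose bits weaken the 3.2 protections."""
    findings = {}
    for entry in parse_listing(text):
        mode, notes = entry["mode"], []
        is_dir = entry["type"] == "d"
        # Anyone may create or delete entries, unless it is a sticky directory like /tmp.
        if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
            notes.append("world-writable")
        # setuid/setgid programs run with the owner's privileges: audit each one.
        if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
            notes.append("setuid/setgid")
        # Execute without read on a directory: others can reach known paths but cannot list it.
        if is_dir and mode & stat.S_IXOTH and not mode & stat.S_IROTH:
            notes.append("traversable but not listable by others")
        if notes:
            findings[entry["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in sorted(find_risky(SAMPLE_LISTING).items()):
        print("%-10s %s" % (name, ", ".join(notes)))
```

On the sample, /tmp is not reported because its sticky bit (the t in drwxrwxrwt) restricts deletion to the owner, while the constructed scratch directory is. To run it on a host, feed it the output of ls -l of the directory you are reviewing; the same mode parsing applies to ls -lR output.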

    3.3 Network Management


3.3.1 Protocols Enabled by Default

By default, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) are enabled in the Dopra Linux.

    3.3.2 Services Enabled by DefaultTable 3-2 describes the default services provided in the Dopra Linux.

Table 3-2 Default services provided in the Dopra Linux

Service name | ON/OFF | Protocol | Port number | Description
sshd | ON | TCP | 22 | A service started from inittab for SSH login
syslog-ng | ON | N/A | N/A | A service started from inittab for log recording
dbus-daemon | ON | N/A | N/A | An application that uses the D-Bus library to implement a message bus daemon. NOTE: D-Bus is a library that provides one-to-one communication between any two applications. Multiple programs connect to the message bus daemon and can exchange messages with each other.
cron | ON | N/A | N/A | Daemon that executes scheduled commands
klogd | ON | N/A | N/A | A service started from inittab for kernel log buffering
auditd | ON | N/A | N/A | A service that saves audit records to disk
boot.udev | ON | N/A | N/A | A service that listens for kernel events and passes them to udev
haldaemon | ON | N/A | N/A | A service that collects and stores hardware information
syslogbuf | ON | N/A | N/A | A service started from inittab for log buffering
acpid | ON | N/A | N/A | The daemon of the Advanced Configuration and Power Interface (ACPI), which manages the power supply


3.3.3 Ports Opened by Default

For details about the ports opened by default in the Dopra Linux, see the Communication Matrix delivered with the product. You can run the netstat -nlp command to view all listening ports; run it as the root user, otherwise the PID/Program name column stays empty for processes owned by other users.

3.3.4 System Firewall iptables

iptables is the kernel-level packet filter in Linux. When a Linux host is connected to the Internet, a local area network (LAN), servers, or Internet proxies, iptables acts as a firewall that filters IP packets.
iptables is integrated into the Dopra Linux and does not need to be configured by default. Users can define additional rules if required. When defining rules on a live network, note the following points:
- Do not modify the existing rules.
- Write a script so that the rules you define take effect automatically at system startup.
- Define the rules again after the Dopra Linux is upgraded or updated, because user-defined rules are deleted when the system is upgraded or updated.

3.3.5 Security Policies Related to TCP/IP Stacks

The Dopra Linux does not support IPv6 by default. Table 3-3 describes the security policies related to the IPv4 TCP/IP stack. These items are configured in the /etc/sysctl.conf file. The default settings in Table 3-3 are recommended by Huawei to ensure optimum security and performance and generally should not be changed.

NOTE
The configuration items of the TCP/IP stack are named in the format "net + protocol + conf + all/default/device + attribute". Here, device is a logical interface such as eth1, bond2, or vlan3; default holds the values used to initialize an interface when it is created and brought up; and all applies to all interfaces. For the per-interface items the effective value is a per-item combination (logical AND, logical OR, or maximum) of the all value and the interface value, so set both the all and default entries, as Table 3-3 does.


Table 3-3 Configuration items

Item: net.ipv4.conf.all.arp_ignore, net.ipv4.conf.default.arp_ignore
Default value: 0 for the RTOS, 1 for the Dopra Linux
Description: Defines which ARP requests for local target IP addresses are answered.
- 0: Reply for any local target IP address, regardless of the interface it is configured on.
- 1: Reply only if the target IP address is a local address configured on the incoming interface.
- 2: Reply only if the target IP address is a local address configured on the incoming interface and the sender's IP address is in the same subnet.
- 3: Do not reply for local addresses configured with scope host; reply only for global and link addresses.
- 4-7: Reserved.
- 8: Do not reply for any local address.

Item: net.ipv4.conf.all.promote_secondaries, net.ipv4.conf.default.promote_secondaries
Default value: 0 for the Dopra Linux, 1 for the RTOS
Description: Controls what happens to the secondary (alias) addresses of an interface when its primary address is deleted.
- 0: The secondary addresses are deleted together with the primary address.
- 1: One of the secondary addresses is promoted to become the new primary address.

Item: net.ipv4.conf.all.arp_filter, net.ipv4.conf.default.arp_filter
Default value: 1
Description:
- 0: The kernel can respond to ARP requests with addresses from other interfaces. This may seem wrong, but it increases the number of successful communication attempts, because on Linux IP addresses are owned by the whole host rather than by specific interfaces.
- 1: Allows multiple network interfaces on the same subnet; an ARP request is answered on an interface only if the kernel would route packets for the requested IP address out of that interface.

Item: net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route
Default value: 0
Description: Specifies whether packets carrying IP source-route options (LSRR/SSRR) are accepted. Source routing lets the sender dictate the path a packet takes and can be used to bypass routing-based filtering.
- 0: Do not accept source-routed packets (recommended).
- 1: Accept source-routed packets.


Table 3-3 Configuration items (continued)

Item: net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects
Default value: 0
Description: Specifies whether ICMP redirect messages are accepted. Suppose the network segment where the host is located has two routers and one of them is the host's default gateway. When the gateway forwards a packet to the other router, it also sends the host an ICMP redirect telling it to send such packets to the other router directly. An attacker on the same segment can forge redirects to divert the host's traffic.
- 1: Accept redirects and update the routing cache accordingly.
- 0: Ignore redirects.
It is recommended that this parameter be set to 0 to eliminate the security risk.

Item: net.ipv4.conf.all.secure_redirects, net.ipv4.conf.default.secure_redirects
Default value: 0
Description: Specifies the secure redirect function. When enabled, only ICMP redirects sent by a router that is listed as a default gateway are accepted. It has no effect when accept_redirects is 0.
- 1: Enable the function.
- 0: Disable the function.

Item: net.ipv4.conf.all.send_redirects, net.ipv4.conf.default.send_redirects
Default value: 0
Description: Specifies whether the host sends ICMP redirect messages. Only a router needs to.
- 1: Send redirects.
- 0: Do not send redirects.

Item: net.ipv4.tcp_fin_timeout
Default value: 60
Description: Number of seconds an orphaned connection is kept in the FIN-WAIT-2 state. If the value is too large, half-closed sockets accumulate and consume memory.

Item: net.ipv4.tcp_syncookies
Default value: 1
Description: Specifies whether SYN cookies are sent when the SYN backlog queue overflows, which protects against SYN flood attacks. This parameter takes effect only when the kernel was compiled with CONFIG_SYN_COOKIES.
- 1: Send SYN cookies.
- 0: Do not send SYN cookies.

Item: net.ipv4.tcp_syn_retries
Default value: 1
Description: Number of times the initial SYN of an active (outgoing) TCP connection attempt is retransmitted.

Item: net.ipv4.tcp_synack_retries
Default value: 1
Description: Number of times the SYN-ACK of a passive (incoming) TCP connection attempt is retransmitted.

Item: net.ipv4.tcp_max_syn_backlog
Default value: 4096
Description: Maximum number of remembered connection requests that have not yet received an ACK from the client.

Item: net.ipv4.icmp_echo_ignore_broadcasts
Default value: 1
Description: Specifies whether ICMP echo requests sent to broadcast or multicast addresses are ignored (protection against smurf-style amplification).
- 1: Ignore them.
- 0: Answer them.


Table 3-3 Configuration items (continued)

Item: kernel.panic_on_oops
Default value: 1
Description: Specifies the kernel's behavior when it encounters an oops or bug.
- 0: Attempt to continue operating.
- 1: Panic immediately. If kernel.panic is also non-zero, the system reboots after that many seconds.

Item: kernel.printk
Default value: 6 4 1 7
Description: Controls which kernel log messages go to the console, according to their priority. The four values are console_loglevel, default_message_loglevel, minimum_console_loglevel, and default_console_loglevel, respectively.
- console_loglevel: Messages with a log level numerically lower than this value (that is, of higher priority) are printed to the console.
- default_message_loglevel: Messages without an explicit priority are printed with this level.
- minimum_console_loglevel: The lowest value (highest priority) to which console_loglevel can be set.
- default_console_loglevel: The default value for console_loglevel.

Item: net.ipv4.tcp_timestamps
Default value: 0
Description: Specifies whether the TCP timestamp option (12 bytes including padding) is added to TCP headers. Timestamps allow the system uptime to be estimated remotely.
- 0: Do not add the timestamp option.
- 1: Add the timestamp option.

Item: net.ipv4.icmp_ignore_bogus_error_responses
Default value: 1
Description: Specifies whether malformed ICMP error responses (for example, responses to broadcast frames) are silently ignored instead of being logged.
- 1: Ignore them.
- 0: Log them.

Item: net.ipv4.conf.all.rp_filter, net.ipv4.conf.default.rp_filter
Default value: 1
Description: Enables reverse path filtering, which protects against IP spoofing by dropping packets whose source address would not be routed back out through the interface they arrived on.
- 1: Enable.
- 0: Disable.
It is recommended that this parameter be set to 1 on a single host or on routers in a stub network.

Item: kernel.sysrq
Default value: 0
Description: Controls the magic SysRq key. A non-zero value activates the system request key (or the corresponding subset of its functions), which can be used from a console to reboot the system, dump memory, or kill processes without authentication.
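The following Python script audits a sysctl.conf-style file against Table 3-3. It is an added example, not code from the Dopra Linux: SYSCTL_EXPECTED encodes the Dopra Linux defaults from the table (the two RTOS differences are noted in comments), and SAMPLE_CONF is a constructed file containing a few deviations. The split into security keys and tuning keys is the editor's, not the document's. Run it against a copy of /etc/sysctl.conf; on a live host also compare with the output of sysctl -a, because a value can be changed at run time without touching the file.

```python
"""Audit a sysctl.conf-style file against the Table 3-3 values.

Added example, not code from the Dopra Linux: SYSCTL_EXPECTED encodes the Dopra
Linux defaults from Table 3-3 (the two RTOS differences are noted in comments) and
SAMPLE_CONF is a constructed file containing a few deviations.
"""

SYSCTL_EXPECTED = {
    "net.ipv4.conf.all.arp_ignore": "1",               # RTOS: 0
    "net.ipv4.conf.default.arp_ignore": "1",           # RTOS: 0
    "net.ipv4.conf.all.promote_secondaries": "0",      # RTOS: 1
    "net.ipv4.conf.default.promote_secondaries": "0",  # RTOS: 1
    "net.ipv4.conf.all.arp_filter": "1",
    "net.ipv4.conf.default.arp_filter": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.tcp_fin_timeout": "60",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_syn_retries": "1",
    "net.ipv4.tcp_synack_retries": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "kernel.panic_on_oops": "1",
    "kernel.printk": "6 4 1 7",
    "net.ipv4.tcp_timestamps": "0",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "kernel.sysrq": "0",
}

# Items that are security controls rather than tuning: a deviation is a finding, not a note.
# The leading dot keeps ".rp_filter" from matching "arp_filter".
SECURITY_SUFFIXES = (".accept_source_route", ".accept_redirects", ".secure_redirects",
                     ".send_redirects", ".rp_filter", ".tcp_syncookies",
                     ".icmp_echo_ignore_broadcasts", ".icmp_ignore_bogus_error_responses",
                     ".sysrq")
SECURITY_KEYS = {k for k in SYSCTL_EXPECTED if k.endswith(SECURITY_SUFFIXES)}

# Constructed sample, not a real Dopra Linux file: two security items are weakened,
# one key uses the slash spelling sysctl also accepts, and most tuning keys are absent.
SAMPLE_CONF = """\
# constructed sample
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net/ipv4/conf/all/secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
; magic SysRq left enabled
kernel.sysrq = 1
kernel.printk = 6  4 1 7
net.ipv4.tcp_fin_timeout = 30
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines. '#' and ';' start comments, later lines override earlier
    ones, '/' may replace '.' in keys, and runs of whitespace inside a value are collapsed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = " ".join(value.split())
    return settings


def audit(text, expected=SYSCTL_EXPECTED):
    """Return (findings, notes). Each entry is (key, expected, actual); actual is None when
    the key is not pinned in the file at all, so the kernel default applies."""
    actual = parse_sysctl_conf(text)
    findings, notes = [], []
    for key, want in expected.items():
        got = actual.get(key)
        if got != want:
            (findings if key in SECURITY_KEYS else notes).append((key, want, got))
    return findings, notes


if __name__ == "__main__":
    found, noted = audit(SAMPLE_CONF)
    for key, want, got in found:
        print("FINDING %s: expected %r, file has %r" % (key, want, got))
    print("%d tuning keys differ or are not pinned" % len(noted))
```

On the constructed sample the script reports two findings, accept_redirects on all interfaces set to 1 and kernel.sysrq set to 1, and lists the tuning keys that are missing or differ (such as tcp_fin_timeout at 30) as notes. Treat a missing security key as a finding too: the file is the only place the setting survives a reboot.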


3.3.6 Security Policies Related to SSH

The Dopra Linux does not support the unencrypted File Transfer Protocol (FTP) or TELNET. Instead, it uses secure protocols such as SSH and SFTP. Table 3-4 lists the configurations for SSH.

Table 3-4 Configurations for SSH

Item: Ciphers
Default value: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
Description: Restricts the symmetric ciphers offered to CTR-mode AES plus arcfour; the CBC-mode ciphers (such as 3des-cbc and aes128-cbc) are excluded. The arcfour (RC4) ciphers are weak and can be removed as described in 3.3.7.

Item: MACs
Default value: hmac-sha2-256,hmac-sha1
Description: Sets the message authentication code (MAC) algorithms used to ensure data integrity to the secure SHA2-based algorithm, with HMAC-SHA1 kept for compatibility with older clients.

Item: Protocol
Default value: 2
Description: Forcibly enables SSH V2.0 only.

Item: LogLevel
Default value: VERBOSE
Description: Sets the message level to VERBOSE so that user login information is logged for auditing.

Item: StrictModes
Default value: yes
Description: Checks the ownership and permissions of the login user's home directory and files (for example, authorized_keys) before accepting the login.

Item: PubkeyAuthentication
Default value: yes
Description: Allows public key authentication.

Item: PermitEmptyPasswords
Default value: no
Description: Forbids login with an empty password.

Item: PermitRootLogin
Default value: no
Description: Controls whether the root user may log in remotely over SSH. Versions earlier than those listed in 3.3.7 allow root to log in remotely; set this item to no to disable it.

Item: UsePAM
Default value: yes
Description: Uses the pluggable authentication modules (PAM), a more scalable scheme, for authentication, so the account locking and password policies in 3.1 also apply to SSH logins.

Item: Banner
Default value: /etc/issue.net
Description: Displays the banner to a user connecting over SSH before authentication. The default banner is: "You are trying to access a restricted zone. Only Authorized Users allowed."

NOTE
You can run the vi /etc/issue.net command to modify the banner.


3.3.7 Operations Related to SSH

The following describes operations associated with SSH.

Secure Logins
To log in to a target computer (for example, with the IP address 192.168.0.241) that provides SSH services:
Run the ssh root@192.168.0.241 command to log in as the root user, or run the ssh user1@192.168.0.241 command to log in as user user1.

Secure Copy
To copy data (for example, /home/filename) from a Linux server that provides SSH services to /home on a target computer (for example, with the IP address 192.168.0.241):
Run the scp -r /home/filename root@192.168.0.241:/home command.

SFTP Operations
A computer running the Dopra Linux can function as a server that provides SFTP services. To connect to a target computer (for example, with the IP address 192.168.0.241):
Run the sftp 192.168.0.241 command.

- Disabling the SFTP service
  1. Run the vi /etc/ssh/sshd_config command, comment out the line starting with Subsystem sftp, save the modifications, and close the file.
  2. Run the killall sshd command to restart the SSHD service.
  3. Check whether the SSHD process has started. If the pidof sshd command prints one or more integers, the process is running. The SFTP service is a sub-function of the SSHD service, so once the SSHD process has restarted with the new configuration, the SFTP service is disabled.

- Enabling SFTP logging
  1. Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the file.
  2. Run the killall sshd command to restart the SSHD service.
  3. Check whether the SSHD process has started. If the pidof sshd command prints one or more integers, the process is running and SFTP logging is enabled.

Forbidding Remote Login of the root User
You are advised to disable remote login of the root user. V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to log in remotely. To disable remote login in other versions, perform the following steps:


Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
- Run the useradd -m user1 command to add user user1 and create the directory /home/user1.
- Run the passwd user1 command to set or change the password (for example, Tom@520123) for user user1. For details about the password policy, see "3.1.2 Security Policies for User Management".
Create and test this user before changing the configuration: once PermitRootLogin is no, it is the only way in over SSH.

Step 2 Modify the configuration file. Log in as the root user, and set PermitRootLogin to no in the /etc/ssh/sshd_config file.

Step 3 Run the killall sshd command to restart the SSH service. The modification takes effect after the SSH service restarts.
----End

NOTE
After the sshd process is killed, the SSH service becomes unavailable. Several seconds later, the SSH service is restarted automatically (it is started from inittab, see Table 3-2). Keep your current session open until you have verified a new login with user1.

To permit remote login of user root again, set PermitRootLogin to yes in the /etc/ssh/sshd_config file and restart the SSH service.

Disabling the CBC Mode, arcfour256, and arcfour128 Ciphers on the SSH Server
Perform the following steps to disable the CBC-mode and arcfour cipher algorithms for the SSH service:

Step 1 Run vi /etc/ssh/sshd_config, find the line starting with Ciphers, and change it to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

NOTE
Find the line starting with Ciphers, not the one starting with #Ciphers. The number sign (#) indicates that the line is commented out and has no effect.

Step 2 Run the killall sshd command to restart the sshd service.
----End

NOTE
The preceding two steps are not required if /etc/ssh/sshd_config already contains the setting Ciphers aes128-ctr,aes192-ctr,aes256-ctr.

Hardening the MAC Algorithm of the SSH Service
Perform the following steps to harden the MAC algorithm of the SSH service:

Step 1 Run vi /etc/ssh/sshd_config, find the line starting with MACs, and change it as follows:
- In versions earlier than V200R003C08SPC190, change the line to MACs hmac-sha1.
- In V200R003C08SPC190 and later versions, change the line to MACs hmac-sha2-256.
- If the MACs line contains only hmac-sha2-256, PuTTY clients must be upgraded to 0.64 or later.


NOTE
Find the line starting with MACs, not the one starting with #MACs. The number sign (#) indicates that the line is commented out and has no effect.

Step 2 Run the killall sshd command to restart the sshd service.
----End

NOTE
The preceding two steps are not required if /etc/ssh/sshd_config already contains the MACs setting required for your version (for example, MACs hmac-sha1).
The preceding operations must be performed by professional personnel who understand the basic Linux editor (vi) and common system management commands. Otherwise, an incorrect modification may leave the SSH service unable to accept connections. Keep the current session open and verify a fresh login before closing it.
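The sshd_config checks in Table 3-4 and the edits in 3.3.7 (Ciphers, MACs, PermitRootLogin, the commented-out #Ciphers line that must not be mistaken for the active one) can be verified before the file is touched by hand. The following Python script is an added example, not code from the Dopra Linux or Huawei: it parses sshd_config the way sshd does (comments ignored, first occurrence of a keyword wins), reports deviations from the hardened values, and rewrites the three keywords while leaving commented lines alone. SAMPLE_CONFIG is constructed from the Table 3-4 defaults with PermitRootLogin yes; MACs is reduced to hmac-sha2-256, the V200R003C08SPC190 setting, which the lead-in for older versions would change to hmac-sha1.

```python
"""Check and rewrite the sshd_config items from Table 3-4 and 3.3.7.

Added example, not code from the Dopra Linux: it edits text only. Run it on a copy of
/etc/ssh/sshd_config, install the result, then restart sshd (killall sshd) and confirm
with pidof sshd as the procedure describes. SAMPLE_CONFIG is constructed from the
Table 3-4 defaults.
"""
import re

WEAK_CIPHER = re.compile(r"-cbc$|^arcfour")          # CBC-mode ciphers and RC4 (arcfour)
STRONG_CIPHERS = "aes128-ctr,aes192-ctr,aes256-ctr"  # the Ciphers line 3.3.7 prescribes
STRONG_MACS = "hmac-sha2-256"                        # V200R003C08SPC190 and later; PuTTY >= 0.64

# Values to enforce (Table 3-4 plus PermitRootLogin no from 3.3.7), keyed by lower-cased keyword.
SSHD_EXPECTED = {
    "protocol": "2", "strictmodes": "yes", "permitemptypasswords": "no",
    "permitrootlogin": "no", "usepam": "yes", "loglevel": "VERBOSE",
}
# Keywords harden() rewrites, with their canonical spelling.
WANTED = {"Ciphers": STRONG_CIPHERS, "MACs": STRONG_MACS, "PermitRootLogin": "no"}
_CANON = {k.lower(): k for k in WANTED}

SAMPLE_CONFIG = """\
# constructed sample based on the Table 3-4 defaults
Protocol 2
#Ciphers aes128-cbc,3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha2-256,hmac-sha1
LogLevel VERBOSE
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
UsePAM yes
Banner /etc/issue.net
Subsystem sftp internal-sftp
"""


def parse_sshd_config(text):
    """Return {lower-cased keyword: value} for active lines. sshd uses the first value it
    sees for a keyword, so duplicates later in the file are ignored here as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # '#Ciphers ...' is a comment, not a setting
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def check(text):
    """Return a list of findings; an empty list means the config matches the hardened settings."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = conf.get(key)
        if got is None or got.lower() != want.lower():
            findings.append("%s is %r, expected %r" % (key, got, want))
    ciphers = conf.get("ciphers", "")
    weak = [c for c in ciphers.split(",") if c and WEAK_CIPHER.search(c)]
    if not ciphers:
        findings.append("Ciphers not set (the sshd built-in list includes CBC ciphers)")
    elif weak:
        findings.append("weak ciphers enabled: " + ",".join(weak))
    if "hmac-sha2-256" not in conf.get("macs", "").split(","):
        findings.append("MACs does not include hmac-sha2-256")
    subsystem = conf.get("subsystem", "")
    if subsystem.startswith("sftp") and "-l" not in subsystem:
        findings.append("sftp subsystem has no logging (-l INFO)")
    return findings


def harden(text):
    """Rewrite the active Ciphers, MACs and PermitRootLogin lines, drop duplicate active
    lines for them, leave '#Ciphers'-style comments untouched, and append missing keywords."""
    seen, out = set(), []
    for raw in text.splitlines():
        stripped = raw.strip()
        parts = stripped.split(None, 1)
        key = parts[0].lower() if parts and not stripped.startswith("#") else None
        canon = _CANON.get(key)
        if canon is None:
            out.append(raw)
        elif canon not in seen:
            out.append("%s %s" % (canon, WANTED[canon]))
            seen.add(canon)
    for canon, value in WANTED.items():
        if canon not in seen:
            out.append("%s %s" % (canon, value))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check(SAMPLE_CONFIG))
    print("after: ", check(harden(SAMPLE_CONFIG)))
```

On the sample, check() reports PermitRootLogin yes, the two arcfour ciphers, and the SFTP subsystem running without logging; after harden() only the SFTP logging item remains, because that change (Subsystem sftp internal-sftp -l INFO) is left to the operator. As with the manual procedure, keep your current SSH session open until a fresh login with the new configuration has succeeded.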

3.4 Enhanced Antivirus Policy

3.4.1 Virus Entry Control
The Dopra Linux disables unused ports and uses secure protocols (such as SSH and SFTP) only, which reduces its exposure to malware. It also uses enhanced password policies, such as a forced lockout after three failed password attempts, which greatly improve its resistance to password guessing.

3.4.2 Post-entry Virus Control
The Dopra Linux defines strict permission control: only the root user has write permission on system files and log files. Therefore, even if a malicious file is executed by mistake, only the files to which the logged-in user has write permission can be corrupted; system files and log files are not affected.
Although the Dopra Linux does not run antivirus software, this design limits the impact of malware unless the root password is cracked, and the root password is protected by the following measures:
- Enhanced password policies.
- Account lockout after the defined number of failed password attempts.

3.5 Operating System Integrity Protection

3.5.1 Product Development Security
The Dopra Linux image consists of vmlinuz (the kernel) and initrd (the root file system), and kernel mode and user mode are separated. This enhances Dopra Linux security.
V200R003C02SPC080, RTOS-V100R001C00, and later versions support vulnerability scanning with Nessus and port and protocol scanning with Nmap. V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions also support vulnerability scanning with Retina.


3.5.2 Product Release Security
Before the Dopra Linux is released, it is scanned with the Symantec, McAfee, Avira, KAV, and Trend Micro antivirus products to ensure that it is virus free.

3.6 System and Security Log Management

Logs record system running information and are of vital importance to system security. The major log functions are auditing and monitoring. With logs, you can diagnose problems, monitor the real-time system status, and track the traces left by attackers.

3.6.1 Log Files
Only the root user can view the log files under the log directory /var/log. The following describes the log files in the Dopra Linux:
- audit
  The log file of the audit daemon, which writes the audit records generated by system calls and application activity to the hard disk.
- dlinstall.log/dlrecover.log/dlupgrade.log
  Log files recording information about system installation, rollback, and upgrade.
- faillog
  A log file recording the number of failed logins due to an incorrect user name or password. This file is in a binary format (not encrypted), so it cannot be read with vi or cat. Run the faillog command to view it.
- messages
  A log file recording kernel and system information. You can run vi or cat to view this file.
- warn
  A log file recording all warnings and error information.
- wtmp
  A log file recording all remote and local logins, changes in the system run level, and the time of the changes. This file is in a binary format (not encrypted). Run the last command to view it.

3.6.2 Real-Time Access Information Recording
The Dopra Linux records Dopra Linux login and logout information in logs in real time. For details about how to manage these logs, see the section "Configuring the Function of Recording OMU OS Accessing Information in Real Time" in the OMU Administration Guide.

3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux


  • 3.6.3.1 Configuration CommandsLinux audit Subsystem (audit), is a system service. This service is used for auditing systeminvoking records and writing the records to files. The user space program of the audit service isauditd, which is used for writing audit information to disks.

    Audit Configuration Differences Between Dopra Linux and Common LinuxThe Dopra Linux(Before V200R003C08SPC100 versions) and common Linux differ in the auditservice as follows:l The configuration file path is different. The paths for Dopra Linux are /etc/auditd.conf

    and /etc/audit.rules. The paths for common Linux are /etc/auditd/auditd.conf and /etc/auditd/audit.rules.

    l When the /etc/rc.d/init.d/auditd script is used to enable the audit service, audit rules arenot automatically loaded by default.If you want to retain the rules after a restart, manuallymodify the /etc/rc.d/init.d/auditd file. For details about the procedure, see ConfigurationGuide.

Querying Audit Service Status

The enabled value in the audit service status can be 0, 1, or 2 on the RTOS system and 0 or 1 on the Dopra Linux system.

    Jasper ~ # auditctl -s
    AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0
    Jasper ~ #

enabled=1: Log auditing is enabled for the audit service.
enabled=0: Log auditing is disabled.
enabled=2: The audit rules cannot be edited. If you want to edit them, you must restart the system first.

By default, enabled=1 is used after a normal startup. You can run the auditctl -e 1 command to change the value of enabled to 1.

    Jasper ~ # auditctl -s
    AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0
    Jasper ~ # auditctl -e 2
    AUDIT_STATUS: enabled=2 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0 backlog=0
    Jasper ~ # auditctl -a entry,always -S umask
    Error sending add rule request (Operation not permitted)

Error sending add rule request (Operation not permitted) --> When enabled is 2, rules cannot be edited.

Query Existing Rules

auditctl -l


Deleting All Audit Rules at a Time

auditctl -D

Adding an Audit Rule

auditctl -a entry,always -S umask -k umask --> Add an audit rule for invocation of the umask system call.

Deleting an Audit Rule

auditctl -d entry,always -S umask -k umask --> Delete the audit rule for invocation of the umask system call.

Adding Audit Rules in Batches

auditctl -R /etc/audit.rules --> /etc/audit.rules is a text file containing rules; it can be located in any path.

Stopping the auditd Service Process

killall auditd
or
/etc/rc.d/init.d/auditd stop

Starting the auditd Service Process

startproc /sbin/auditd
or
/etc/rc.d/init.d/auditd start

Querying the auditd Service Process Status

/etc/rc.d/init.d/auditd status

Checking Whether Recording Is Enabled for the auditd Service

auditctl -s

If "enabled=1" is displayed, recording is enabled.

3.6.3.2 Configuration Guide

This section describes how to configure the audit service.

Procedure

Step 1 Create a default configuration file of the audit service.

    Jasper ~ # mkdir /etc/audit/
    Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
    Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules


Step 2 Edit the rule file /etc/audit/audit.rules. You can select the audit rules you need from the following samples:

    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.

    # First rule - delete all
    -D

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 256

    # Feel free to add below this line. See auditctl man page

    ## Audit the audit logs.
    ## successful and unsuccessful attempts to read information from the
    ## audit records; all modifications to the audit trail
    -w /var/log/audit/ -k auditlog

    ## Monitor for use of audit management tools
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools

    ## changes to the time
    -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
    -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

    ## umask
    -a entry,always -S umask -k umask

    ## cron configuration & scheduled jobs
    -w /etc/crontab -p rwax -k cron

    ## user, group, password databases
    -w /etc/group -p rwax -k etcgroup
    -w /etc/passwd -p rwax -k etcpasswd
    -w /etc/shadow -k etcpasswd

    ## monitor usage of passwd
    -w /usr/bin/passwd -p x -k passwd_modification

    ## login configuration and information
    -w /etc/login.defs -p rwax -k login
    -w /etc/securetty -p rwax -k login

    ## network configuration
    -w /etc/hosts -p rwax -k hosts
    -w /etc/sysconfig/network -p rwax -k network

    ## system startup scripts
    -w /etc/inittab -p rwax -k init

    ## kernel parameters
    -w /etc/sysctl.conf -p rwax -k sysctl

    ## modprobe configuration
    -w /etc/modprobe.conf -p rwax -k modprobe

    ## pam configuration
    -w /etc/pam.d/ -p rwax -k pam

    ## ssh configuration
    -w /etc/ssh/sshd_config -k sshd

    ## changes to hostname
    -a exit,always -F arch=b32 -S sethostname -k hostname
    -a exit,always -F arch=b64 -S sethostname -k hostname

    ## changes to issue
    -w /etc/issue -p rwax -k etcissue
    -w /etc/issue.net -p rwax -k etcissue

Step 3 Edit the startup script of the audit service so that the rules are loaded automatically after a restart. Using vi, add the line that begins with test -f /etc/audit/audit.rules (marked "# add this line" below) to the start) branch of /etc/rc.d/init.d/auditd. Skip this step if the line already exists:

    case "$1" in
        start)
            echo -n "Starting RPC auditd daemon"
            auditd_pid=`pidof auditd`
            if [[ -z ${auditd_pid} ]]
            then
                $AUDITD_BIN
                if [[ $? -ne 0 ]]
                then
                    rc_failed 1
                else
                    rc_failed 0
                fi
            else
                rc_failed 0
            fi
            test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null    # add this line
            # Remember status and be verbose
            rc_status -v

Step 4 Restart the audit service.

    /etc/rc.d/init.d/auditd restart

Step 5 Check whether audit log recording is enabled.

Run the auditctl -s command to check the value of enabled. If the value is 1, log recording is enabled. If the value is not 1, run the auditctl -e 1 command to enable log recording.

----End
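The procedure above (Steps 1 to 5), together with the enabled=0/1/2 semantics and the "Checking Whether Recording Is Enabled" command under Configuration Commands, as an added example script; it is not part of this document or of the Dopra Linux. Each function covers one step: install_default_config does Step 1, enable_rule_loading inserts the Step 3 line into the init script only when it is missing, and parse_audit_enabled and describe_audit_enabled interpret the auditctl -s output of Step 5. The ROOT prefix variable and the function names are assumptions made for this example, so the file-editing steps can be tried in a scratch directory before touching a live board.

```shell
#!/bin/sh
# Added example (not Dopra Linux's own script). Assumes the paths used in
# section 3.6.3: /etc/auditd.conf, /etc/audit.rules, /etc/rc.d/init.d/auditd.
# ROOT is an assumed prefix so the file-editing steps can be tried in a
# scratch directory; leave it empty on a real board.

ROOT="${ROOT:-}"
RULE_LOAD_LINE='test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null'

# Step 1: create /etc/audit/ and seed it from the Dopra Linux default files.
install_default_config() {
    mkdir -p "$ROOT/etc/audit" || return 1
    cp "$ROOT/etc/auditd.conf" "$ROOT/etc/audit/auditd.conf" || return 1
    cp "$ROOT/etc/audit.rules" "$ROOT/etc/audit/audit.rules" || return 1
}

# Step 3: insert the rule-loading line just before the first
# "# Remember status and be verbose" comment, which is in the start) branch
# of the init script. Idempotent: a second call leaves the file unchanged.
enable_rule_loading() {
    script="$1"
    if grep -qF "$RULE_LOAD_LINE" "$script"; then
        return 0                      # line already present: nothing to do
    fi
    grep -q '# Remember status and be verbose' "$script" || return 1
    tmp="$script.tmp.$$"
    awk -v line="$RULE_LOAD_LINE" '
        !done && /# Remember status and be verbose/ { print "        " line; done = 1 }
        { print }
    ' "$script" > "$tmp" && mv "$tmp" "$script"
}

# How many times the rule-loading line appears (used to prove idempotence).
count_rule_load_lines() {
    grep -cF "$RULE_LOAD_LINE" "$1"
}

# Step 5: extract the enabled value from the first line of auditctl -s output.
# Prints 0, 1 or 2; prints nothing and fails on unexpected input.
parse_audit_enabled() {
    value=$(printf '%s\n' "$1" | sed -n 's/^AUDIT_STATUS: *enabled=\([0-9]\).*/\1/p')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Map the enabled value to the meaning given under Configuration Commands.
describe_audit_enabled() {
    case "$(parse_audit_enabled "$1")" in
        1) echo "enabled: log auditing is on" ;;
        0) echo "disabled: run auditctl -e 1 to enable log auditing" ;;
        2) echo "locked: rules cannot be edited until the system is restarted" ;;
        *) echo "unknown status line"; return 1 ;;
    esac
}

# Live check on a real board (only meaningful when auditctl is installed).
check_live_audit_status() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not installed"; return 1; }
    describe_audit_enabled "$(auditctl -s 2>/dev/null | head -n 1)"
}
```

On a board, source the script as root with ROOT empty and call the functions in step order; restarting the service (Step 4) is left to /etc/rc.d/init.d/auditd restart as in the procedure, since the example only prepares the files and reads back the status.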

Important Notes

Because each added audit rule makes the kernel perform additional audit operations on top of normal processing, audit rules degrade system performance. Delete unnecessary audit rules and keep the number of audit rules to the minimum required by site requirements to limit the performance impact.
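A rule-set review helper for the Important Notes above and for the audit.rules file of Step 2, added here as an example (not part of this document or of the Dopra Linux): it reads a file in the auditctl syntax used in Step 2, counts the rules that cost kernel work, groups them by -k key, counts the entry-filter syscall rules, and lists -w watch targets that do not exist on the board, which are the first lines to drop when trimming the rule set. The function names and the optional ROOT argument (used to check watch targets against a scratch tree instead of the live root filesystem) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Dopra Linux's own tooling). Summarises an audit.rules file
# in the auditctl syntax used in Step 2 so the rule set can be trimmed per
# site requirements. The optional root prefix is an assumption of this example.

# Strip comments and blank lines; print only rule and control lines.
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Count rule lines that add work to the kernel: -w (watch) and -a (syscall).
# Control lines such as -D (delete all) and -b (buffer size) are not counted.
count_audit_rules() {
    active_rules "$1" | grep -c '^[[:space:]]*-[wa][[:space:]]'
}

# Count rules per key (-k) to show which areas contribute the most rules.
# Output: "<key> <count>" per line, sorted by key.
rules_per_key() {
    active_rules "$1" | awk '
        {
            for (i = 1; i < NF; i++) if ($i == "-k") { n[$(i+1)]++; break }
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Count syscall rules (-a) that use the entry filter; they fire on every entry
# to the listed syscall(s), so they are the usual first candidates to trim.
count_entry_syscall_rules() {
    active_rules "$1" | grep -c '^[[:space:]]*-a[[:space:]]*entry,'
}

# Print -w targets that do not exist under the root prefix. A watch on a path
# that is not present on this board monitors nothing and can be removed.
missing_watch_targets() {
    rules="$1"; root="${2:-}"
    active_rules "$rules" | awk '$1 == "-w" { print $2 }' | while read -r path; do
        # Directory watches are written with a trailing slash; strip it for the test.
        target="$root/${path#/}"
        target="${target%/}"
        [ -e "$target" ] || printf '%s\n' "$path"
    done
}
```

Run the functions against /etc/audit/audit.rules (with an empty root prefix) before loading it with auditctl -R, and compare the per-key counts with what the site actually needs to monitor.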

3.7 System Upgrade and Patch Policy

Due to defects in product design or development, the Dopra Linux may have certain vulnerabilities, for example, service errors or authentication failures. These vulnerabilities may pose security threats such as hacking or viruses. You can install patches to eliminate these system vulnerabilities.

3.7.1 Patch Installation

By default, security patches are applied on the Dopra Linux every 12 months.

3.7.2 Upgrade

Currently, the Dopra Linux version and product version are independent. The Dopra Linux upgrade does not affect applications that have been installed on the source Dopra Linux when the hard disk partition settings on the source and destination Dopra Linux versions are the same. You can upgrade the Dopra Linux using either of the following methods:

- USB upgrade
- Web upgrade

For details about upgrade methods, see Guide to Dopra Linux Operating System Remote Patch Upgrade delivered with Dopra Linux patches.

    NOTE

You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the Dopra Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails. If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled back. In this case, the USB upgrade is recommended.


4 Base Station Applications

The base station operating system patches are packed in the base station product version, and therefore a separate operating system upgrade is not supported on the base station. However, if any security risks are exposed in RTOS versions, you can apply the operating system patches by way of the product version upgrade because these patches are packed in the latest product version.

    NOTE

If the product version includes RTOS patches, the patch information will be addressed in the Release Notes of base stations.

The base station operating system is not visible to users because the patches are packed in the base station software.

- Of all operating system security policies of the base station, only the anti-virus policy is provided by the operating system. For details, see "3.4 Enhanced Antivirus Policy."
- Other than the antivirus policy, operating system security policies are packed in the base station software. For details, see the Base Station Equipment and OM Security Feature Parameter Description.


5 Differences Between History Dopra Linux Versions

5.1 History Dopra Linux Versions

Table 5-1 lists history Dopra Linux versions and corresponding boards.

Table 5-1 History Dopra Linux versions and corresponding boards

    Dopra Linux Version        Board
    V100R001C03SPC010          OMUa/SAUa/OMUb/SAUb
    V100R001C03SPC020          OMUa/SAUa/OMUb/SAUb
    V100R001C03SPC030          OMUa/SAUa/OMUb/SAUb
    V200R003C02SPC030          OMUc/SAUc
    V200R003C02SPC060          OMUc/SAUc
    V200R003C02SPC070          OMUc/SAUc
    V200R003C02SPC080          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C02SPC090          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08                OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08SPC080          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08SPC100          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08SPC120          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08SPC130          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    V200R003C08SPC150          OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
    RTOS-V100R001C00SPC030     EOMUa/ESAUa
    RTOS-V100R001C00SPC050     EOMUa/ESAUa
    RTOS-V100R001C00SPC060     EOMUa/ESAUa
    RTOS-V100R001C00SPC070     EOMUa/ESAUa
    RTOS-V100R001C00SPC080     EOMUa/ESAUa
    RTOS-V100R001C00SPC090     EOMUa/ESAUa
    RTOS-V200R003C08SPC080     EOMUa/ESAUa
    RTOS-V200R003C08SPC100     EOMUa/ESAUa
    RTOS-V200R003C08SPC120     EOMUa/ESAUa
    RTOS-V200R003C08SPC150     EOMUa/ESAUa

    NOTE

- The Dopra Linux can be upgraded to a destination version that supports the same type of boards as the source version. For example, any version can be upgraded to V200R003C02SPC080, but V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.

- Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although supported boards vary with versions.

    5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb

5.2.1 V100R001C03SPC010 to V100R001C03SPC020

The following functions are supported:

- Enable or disable remote login for the root user.
- Enhance the password complexity policy, which enables the root user to set password complexity policies.
- Allow the root user to uniformly set the password expiration date.
- Lock user accounts after multiple unsuccessful login attempts.
- Add the setfacl package to allow users to set access permissions on files.
- Provide the su command so that login users can be switched.
- Add SSH login and logout logs to enhance the log auditing function. The logs include the user name, login time, and source IP address.

5.2.2 V100R001C03SPC020 to V100R001C03SPC030

- Provide the create-cracklib-dict command to allow users to update the weak password dictionary.


5.3 Versions Running on the OMUc/SAUc

5.3.1 V200R003C02SPC030 to V200R003C02SPC060

- Delete the modules for commissioning to minimize security risks. The deleted modules are ltp, livegdb, lmbench, and livepatch.

5.3.2 V200R003C02SPC060 to V200R003C02SPC070

- Upgrade the kernel version from Linux-2.6.16.60-0.68.1 to Linux-2.6.16.60-0.87.1.

5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc

5.4.1 V200R003C02SPC070 to V200R003C02SPC080

The following functions are supported:

- Support the OMUa, SAUa, OMUb, SAUb, OMUc, and SAUc.
- Upgrade the kernel version to Linux-2.6.16.60-0.87.1, which enhances operating system security.
- Enhance operating system security by providing default security settings, such as password complexity policies.
- Upgrade to OpenSSH 5.2.
- Disable unnecessary IPv6 modules to minimize security risks posed by these modules.
- The portmap service is disabled by default. Therefore, port 111 used by the portmap service is also disabled by default.

5.4.2 V200R003C02SPC080 to V200R003C02SPC090

The following functions are supported:

- Update the kernel version to Linux-2.6.16.60-0.99.1 to eliminate the system vulnerabilities found by Nmap, Nessus, and Retina scans and harden operating system security.
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.
- Add a prompt message when the account is locked.
- Add the lgnusr user for remote login. You cannot remotely log in to the system as the root user by default, but you can remotely log in as the lgnusr user and then switch to the root user. In this way, the user management security of the operating system is enhanced.


5.4.3 V200R003C02SPC090 to V200R003C08

- Rectify the defect that common users cannot modify the OS time zone.
- Rectify the defect that the Ext3 file system is occasionally read-only.
- Rectify the defect that a message indicating an expired password is displayed after a USB flash disk is used to restore the OS.
- Rectify the defect that the MySQL service fails to start after a USB flash disk is used to restore the OS after an upgrade.
- Forbid the upgrade from a later version to an earlier version.
- Rectify the OpenSSL security issue (CVE-2013-0166).
- Forbid parsing of the CMDline parameter (init=/bin/bash) in the kernel.

5.4.4 V200R003C08 to V200R003C08SPC080

- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
- Change the account encryption algorithm to the secure algorithm SHA512. In addition, the old password of the root user is verified before it is changed.
- Add the one-click recovery function by upgrading GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- Upgrade OpenSSL to 0.9.8y, which rectifies the OpenSSL security issues CVE-2013-0169 and CVE-2013-0166.
- Rectify the OpenSSH security issue CVE-2012-0814 and the Plaintext Recovery Attack against CBC ciphers (ID: CVE-2008-5161).
- Rectify the libsasl2 security issue CVE-2013-4122.
- Rectify the color change issue when a common user switches to the root user using su.
- Rectify the incorrect failed log statistics issue.
- Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, and CVE-2014-0076.
- Add SFTP logging.

5.4.5 V200R003C08SPC080 to V200R003C08SPC100

- Upgrade the kernel from 2.6.16.60-0.99.1 to 2.6.16.60-0.105.1-bigsmp to fix security issues and bugs.
- Upgrade glibc from 2.4-31.91.1 to 2.4-31.109.1 to fix security issues and bugs.
- Support PAM configuration for the su command.
- Add the smartctl command.
- Set AllowTcpForwarding no in /etc/ssh/sshd_config to fix CVE-2004-1653.


5.4.6 V200R003C08SPC100 to V200R003C08SPC120

- Increase the length of the SSH host RSA key (ssh_host_rsa_key and ssh_host_rsa_key.pub) to 2048 bits.
- Rectify the defect that the top command does not support the -b -n 1 parameters.
- Rectify bash vulnerabilities, six in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0951): CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187.
- Rectify OpenSSL vulnerabilities, nine in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0816): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, and CVE-2014-5139.

5.4.7 V200R003C08SPC120 to V200R003C08SPC130

- Rectify the defect that the working link mode of the network adapter is restored to the original configuration after the OMUc operating system is upgraded.

5.4.8 V200R003C08SPC130 to V200R003C08SPC150

- Upgrade wget to rectify vulnerability CVE-2014-4877.
- Add the iostat command.
- Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3566 (HUAWEI Vulnerability ID: HWPSIRT-2014-1041), CVE-2014-3567, and CVE-2014-3568.
- Rectify the OpenSSH vulnerability CVE-2014-2653.
- Because the -p option of the useradd, usermod, groupadd, and groupmod commands may bypass the password complexity check, support for the -p option has been removed.

5.4.9 V200R003C08SPC150 to V200R003C08SPC170

- Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, and CVE-2015-0204.
- Rectify the glibc vulnerability CVE-2015-0235 (HUAWEI Vulnerability ID: HWPSIRT-2015-01045).
- Rectify the failure to connect to the network during an OS upgrade because the board was not reset after the OS upgrade from Doprax86V100R001C03.

5.4.10 V200R003C08SPC170 to V200R003C08SPC190

- Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, both the HMAC-SHA1 and HMAC-SHA2 algorithms are supported, so the PuTTY client does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, PuTTY must be upgraded to version 0.64 or later. Otherwise, board logins will fail.
- Upgrade OpenSSL to 0.98zf to rectify the latest vulnerabilities (CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0293).
- Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and CVE-2014-9402.
- Reinforce security hardening. If no operation is performed for 30 minutes, the SFTP service times out and exits. The SSH service no longer supports the arcfour128/256 algorithms.

5.5 Versions Running on the EOMUa/ESAUa

5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030

- Support the NIS to centrally manage accounts and harden password security.

5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050

- Fix security loopholes of libxml2, libsnmp, and bash (ID: CVE-2012-2807, CVE-2012-2141, CVE-2012-3410).
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.

5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060

- Enhance the self-healing mechanism of the file system. There are no specific parameters associated with this feature.

5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070

- Rectify three high-risk vulnerabilities (CVE-2011-0997, CVE-2010-0405, and CVE-2006-5276) and three medium-risk vulnerabilities (CVE-2008-7270, CVE-2008-5077, and CVE-2009-0021) in the Retina scan result.
- Add support in the U_creator tool for a 16 GB large-capacity USB flash drive.
- Disable the remote login of user root by default. Add user lgnusr for remote login. After a successful login of user lgnusr, it can be switched to user root, thereby enhancing the security of user management.

5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080

- Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating system security.
- Fix the defect so that the operating system does not display the message that the number of password retries exceeds the upper limit after the boards are restarted.

5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090

- Rectify the priority inversion issue and incorporate the open-source kernel patch http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=da7a735e51f9622eb3e1672594d4a41da01d7e4f.
- Rectify the OpenSSH security issue (CVE-2010-5107): the OpenSSH LoginGraceTime setting leads to SSH service denial.
- Forbid the upgrade from a later version to an earlier version.
- Incorporate three precaution issues:
  Precaution Notice [2013-001] Memory Corruption May Occur When the Bus Master Is not Disabled When the PCI Device Is Stopped
  Precaution Notice [2013-002] Deadlock May Occur Due to the Migration of CPUs that Run Real-time Tasks
  Precaution Notice [2013-004] System Breakdown May Occur Due to the Core Dump on the Multi-thread Process Using the FPU

5.5.7 RTOS-V100R001C00SPC090 to RTOS-V200R003C08SPC080

- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
- Add the function of password verification for the root user.
- Add the one-click recovery function by upgrading GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- Rectify the libxml2 security issue CVE-2013-2877.
- Rectify the incorrect failed log statistics issue.
- Add SFTP logging support.
- Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, and CVE-2014-0076.
- Remove NIS service support.
- Rectify the Plaintext Recovery Attack against CBC ciphers (ID: CVE-2008-5161).

5.5.8 RTOS-V200R003C08SPC080 to RTOS-V200R003C08SPC100

- Upgrade the kernel from 2.6.32.59-0.7 to 2.6.32.59-0.9 to fix security issues and bugs.
- Upgrade glibc from 2.11.1-0.34.1 to 2.11.1-0.50.1 to fix security issues and bugs.
- Add the smartctl command.
- Set AllowTcpForwarding no in /etc/ssh/sshd_config to fix CVE-2004-1653.

5.5.9 RTOS-V200R003C08SPC100 to RTOS-V200R003C08SPC120

- Increase the length of the SSH host RSA key (ssh_host_rsa_key and ssh_host_rsa_key.pub) to 2048 bits.
- Rectify the defect that the top command does not support the -b -n 1 parameters.
- Rectify bash vulnerabilities, six in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0951): CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187.
- Rectify OpenSSL vulnerabilities, nine in total (HUAWEI Vulnerability ID: HWPSIRT-2014-0816): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, and CVE-2014-5139.
- Add support for copying files whose names contain Chinese characters from a USB flash drive to the system.


5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150

- Upgrade wget to rectify vulnerability CVE-2014-4877.
- Add the iostat command.
- Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3566 (HUAWEI Vulnerability ID: HWPSIRT-2014-1041), CVE-2014-3567, and CVE-2014-3568.
- Rectify the OpenSSH vulnerability CVE-2014-2653.
- Because the -p option of the useradd and groupadd commands may bypass the password complexity check, support for the -p option has been removed.

5.5.11 RTOS-V200R003C08SPC150 to RTOS-V200R003C08SPC170

- Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204.
- Rectify glibc Vulne