• No results found

Dopra Linux OS Security(SingleRAN_04).pdf

N/A
N/A
Protected

Academic year: 2021

Share "Dopra Linux OS Security(SingleRAN_04).pdf"

Copied!
35
0
0

Loading.... (view fulltext now)

Full text

(1)

SingleRAN

Dopra Linux OS Security Feature

Parameter Description

Issue 04

Date 2012-12-30

(2)

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang Shenzhen 518129

People's Republic of China Website: http://www.huawei.com

(3)

Contents

1 Introduction...1

1.1 Scope...1

1.2 Intended Audience...1

1.3 Change History...1

2 Dopra Linux Security Description...4

2.1 Introduction to the Dopra Linux...4

2.1.1 Overview...4

2.1.2 Differences Between the Dopra Linux and Other Operating Systems...4

2.2 Dopra Linux Security Overview...5

2.3 Security Architecture...5

3 Dopra Linux Security Features...7

3.1 User Management...7

3.1.1 Dopra Linux Users...7

3.1.2 Security Policies for User Management...8

3.1.3 Operations Related to User Management...9

3.1.4 Operations Related to Password Complexity Management...10

3.1.5 Operations Related to Password Setting...10

3.2 File System and Permission Management...11

3.2.1 Directory Protection...11

3.2.2 File Protection...12

3.3 Network Management...12

3.3.1 Protocols Enabled by Default...13

3.3.2 Services Enabled by Default...13

3.3.3 Ports Opened by Default...14

3.3.4 System Firewall iptables...14

3.3.5 Security Policies Related to TCP/IP Stacks...14

3.3.6 Security Policies Related to SSH...18

3.3.7 Operations Related to SSH...19

3.4 Enhanced Antivirus Policy...20

3.4.1 Virus Entry Control...20

3.4.2 Post-entry Virus Control...20

3.5 Operating System Integrity Protection...20

(4)

3.5.1 Product Development Security...20

3.5.2 Product Release Security...20

3.5.3 Product Installation Security...20

3.6 System and Security Log Management...21

3.6.1 Log Files...21

3.6.2 Real-Time Access Information Recording...21

3.7 System Upgrade and Patch Policy...21

3.7.1 Patch Installation...22

3.7.2 Upgrade...22

4 Base Station Applications...23

5 Differences Between History Dopra Linux Versions...24

5.1 History Dopra Linux Versions...24

5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb...25

5.2.1 V100R001C03SPC010 to V100R001C03SPC020...25

5.2.2 V100R001C03SPC020 to V100R001C03SPC030...25

5.3 Versions Running on the OMUc/SAUc...25

5.3.1 V200R003C02SPC030 to V200R003C02SPC060...25

5.3.2 V200R003C02SPC060 to V200R003C02SPC070...25

5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc...25

5.4.1 V200R003C02SPC070 to V200R003C02SPC080...25

5.4.2 V200R003C02SPC080 to V200R003C02SPC090...26

5.4.3 V200R003C02SPC090 to V200R003C08...26

5.5 Versions Running on the EOMUa/ESAUa...26

5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030...26 5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050...27 5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060...27 5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070...27 5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080...27 5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090...27

6 Parameters...28

7 Counters...29

8 Glossary...30

9 Reference Documents...31

(5)

1

Introduction

1.1 Scope

This document describes the security features and capabilities of the Dopra Linux operating system.

NOTE

l This document is based on V200R003C02SPC100 and RTOS-V100R001C00 SPC080. For details about differences in history versions, see " 5 Differences Between History Dopra Linux Versions." l The operating system for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed RTOS. Real-time operating system (RTOS) inherits basic functions on Dopra Linux. This document refers to an RTOS version with a prefix in front of the version number, for example,

RTOS-V100R001C00SPC070. Unless otherwise stated, this document can be applied to both Dopra Linux and RTOS.

1.2 Intended Audience

This document is intended for personnel who: l Need to understand the features described herein l Work with Huawei products

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:

l Feature change

Changes in features of a specific product version l Editorial change

Changes in wording or addition of information that was not described in the earlier version

(6)

04 (2012-12-30)

This issue includes the following changes.

Change Type Change Description Parameter Change

Feature change Added V200R003C02SPC090 and its feature difference.

None

Added RTOS versions V100R001C00SPC030, V100R001C00SPC050, V100R001C00 SPC060, and RTOS-V100R001C00 SPC070 and their feature difference.

None

Added descriptions on operating system applications of base stations. For details, see "4 Base Station Applications".

None

Editorial change Changed the document name from Controller Dopra Linux OS Security to Dopra Linux OS Security.

None

03 (2012-11-30)

This issue includes the following changes.

Change Type Change Description Parameter Change

Feature change None None

Editorial change Changed "RTOS" to "Dopra Linux" in this document. The document title is also changed from "RTOS Security" to "Controller Dopra Linux OS Security" for consistency with the name of the current operating system.

None

02 (2012-09-30)

This issue includes the following changes.

Change Type Change Description Parameter Change

Feature change None None

(7)

Change Type Change Description Parameter Change Editorial change Added the description on how to create

users, change passwords, and delete users. For details, see section 3.1 "User

Management."

None

Added section 3.5 "Operating System Integrity Protection."

None

Modified Secure Shell (SSH) policies. For details, see section 3.3 "Network Management."

None

Added chapter 5 "Differences Between History Dopra Linux Versions".

None

01 (2012-08-16)

This issue includes the following changes.

Change Type Change Description Parameter Change

Editorial change Modified the organization and descriptions in section 3 "Dopra Linux Security Features."

None

Modified the TCP/IP protocol stack security policy table and added default values for these security policies.

None

Added the description on how to create users, change passwords, and delete users.

None

Draft A (2012-06-20)

This is a draft.

(8)

2

Dopra Linux Security Description

2.1 Introduction to the Dopra Linux

2.1.1 Overview

The Dopra Linux is a Linux-based operating system tailored to provide full security protection for telecommunications products. As part of an end-to-end security solution, the Dopra Linux is enhanced in hardware support, software commissioning, and performance to minimize security risks.

A customized Dopra Linux consists of the kernel and root file system:

l Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which helps improve system security.

l Root file system: The Dopra Linux is a compact operating system where only useful database and service components are installed in the file system. This helps minimize security risks.

2.1.2 Differences Between the Dopra Linux and Other Operating

Systems

The Dopra Linux is a real-time embedded operating system. Compared with server and desktop operating systems, the Dopra Linux meets the following security requirements:

l System-level security requirements, such as minimum installation, system tailoring, and security patch management

l Anti-attack requirements for protocols and interfaces, such as use of secure protocols and anti-attack features

l Requirements on product development, release, and installation, such as software commissioning and integrity checking

l Sensitive data protection requirements, such as data confidentiality and integrity, use of encryption algorithms, and use of secure transmission channels

(9)

l Requirements for secure system management and maintenance, such as password, authentication, authorization, log, and alarm management

2.2 Dopra Linux Security Overview

The main security threats for the Dopra Linux are security vulnerabilities, password cracking, illegal operations, and information disclosure.

Table 2-1describes these threats.

Table 2-1 Main security threats for the Dopra Linux

Threat Description Severity Security Requirement

Security vulnerability

The kernel, SSH, and Secure File Transfer Protocol (SFTP) have known security vulnerabilities.

Minor The Dopra Linux provides a new service protocol version and is able to fix security

vulnerabilities by version upgrade or patch installation. The Dopra Linux is upgraded every 12 months by default. Password cracking Password

complexity check is not performed on the initial password.

Major The Dopra Linux requires users to use complex passwords.

Illegal operation The maximum number of

unsuccessful login attempts is not specified.

Minor The Dopra Linux locks the login account or IP address when the maximum number of

unsuccessful login attempts is exceeded.

Information disclosure

Insecure protocols, such as Trivial File Transfer Protocol (TFTP) and Telnet are used.

Major By default, the Dopra Linux does not support insecure protocols. Instead, it uses secure protocols such as SFTP.

NOTE

The Dopra Linux does not require antivirus software because few viruses target at Linux and only few Dopra Linux ports are open. For details about Dopra Linux antivirus, see "3.4 Enhanced Antivirus Policy."

2.3 Security Architecture

The Dopra Linux interfaces hardware (multi-core CPUs and other devices) and user-mode processes. The Dopra Linux runs on medium- or high-end CPUs. As a multi-thread operating system, the Dopra Linux features the security policies listed in Table 2-2.

(10)

Table 2-2 Dopra Linux security policies

Identity Authentication l Access control

l User password control File System and Permission

Management

l Directory protection l File protection

Network Management l Protocols enabled by default

l Services enabled by default l Ports opened by default l System firewall iptables

l Security policies related to TCP/IP stacks l Security policies related to SSH

Enhanced Antivirus Policy l Virus entry control l Post-entry virus control Operating System Integrity

Protection

l Product development security l Product release security l Product installation security System and Security Log

Management

Log file management, such as auditing and monitoring

System Upgrade and Patch Policy l Patch installation l System upgrade

(11)

3

Dopra Linux Security Features

3.1 User Management

3.1.1 Dopra Linux Users

Dopra Linux users are categorized into root user, common user, service user, and lgnusr user. The permission of these users is as follows:

l The root user has the highest operation permission, including read, write, and execute permission. The read permission allows the root user to view the names and contents of files under a directory. The write permission allows the root user to create or delete files as well as modify file contents. The execute permission allows the root user to run shell scripts or binary executable files. The root user can be granted read, write, and execute permission to all files and directories.

V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to perform remote login. This measure helps enhance system security. l Common users are created by the root user. They can log in to the Dopra Linux and create,

modify, or delete files under their specific home directories. For example, user jack can perform relevant operations under the home directory /home/jack. In addition, common users can run scripts or binary executable files under the /usr/bin and /bin directories. l Service users are used by system service processes. Service users have the lowest operation

permission and cannot log in to the operating system. They are not created by the root user. This prevents unauthorized users from attacking the operating system and reduces security risks. Service user accounts in the Dopra Linux include sshd, nobody, haldaemon, messagebox, and mysql.

(12)

NOTE

l Sshd: sshd server users cannot login to the operating systerm.

l Nobody: portmap standard account of other system services cannot login to the operating systerm. l Haldaemon: standard account used by haldaemon servers account cannot login to the operating

systerm.

l Messagebus:standard account used by D-BUS servers account cannot login to the operating systerm.

l Mysql: used by mysql servers.

l The lgnusr user is an internal common user. Added in V200R003C02SPC090 and RTOS-V100R001C00SPC070, the lgnusr user is used for Secure Shell (SSH) login. You can run the su command to switch the lgnusr user to the root user to gain administrative rights. You are advised to reserve the lgnusr user for SSH security.

3.1.2 Security Policies for User Management

Table 3-1 describes the security policies for user management in the Dopra Linux.

Table 3-1 Security policies for user management in the Dopra Linux User

Management

Policy Password

complexity

A user password must contain at least eight characters, including at least one uppercase letter, one lowercase letter, one special character, and one digit.

Simple passwords (passwords defined in the weak password dictionary) are not allowed.

NOTE

l You can run the zcat /usr/share/cracklib/cracklib-words.gz command to view the weak password dictionary.

l For the Dopra Linux,you can run the create-cracklib-dict command to update the weak password dictionary. For example, run the

create-cracklib-dict create-cracklib-dict1.dat command to add words in create-cracklib-dict1.dat to the weak password

dictionary.

l For the RTOS, the weak password dictionary cannot be viewed or modified to prevent it from being disclosed.

The Dopra Linux records the history passwords of only common users. By default, the Dopra Linux records a maximum of three history passwords. The new password must be different with the history passwords or the reverse of history passwords.

Common users can change only their own passwords. The root user can change all users' passwords.

(13)

User

Management Policy

Login message l For the Dopra Linux, the Dopra Linux prints the information about the previous login after a login, including the login date, time, and IP address. The information helps users determine whether unauthorized users have used the account.

l For the RTOS, the information print function is disabled by default after a successful login. You can enable the information print function as follows: Run the vi /etc/ssh/sshd_config command to open the sshd_config file, set PrintLastLog to yes, and run the killall sshd command to restart the SSHD service.

Login permission By default, a user account is locked for 300 seconds at three consecutive unsuccessful login attempts. The administrator can unlock the account. Non-root users will be asked for old passwords when changing their own passwords (old password is not required for the root user). This policy strengthens the authentication procedure.

Root user The root user is the only superuser in the system and is authorized to execute all scripts and executable files.

The password for the root user is customized before Dopra Linux deployment.

Default user Default users are service users. They cannot log in to the Dopra Linux and are only for service purposes.

Advance warning before password expiration

The default password validity period is 30 days. To enhance password security, the Dopra Linux prompts users to change their passwords seven days before the passwords expire.

In versions earlier than V200R003C02SPC090, the default password validity period is 30 days. In V200R003C02SPC090 and later versions, the default password validity period is 90 days.

Passwords encryption

The Dopra Linux uses MD5 encryption algorithm to encrypt passwords in V200R003C02SPC080 and later.

NIS The Network Integration Service (NIS) is supported from RTOS-V100R001C00SPC030 so that accounts are centrally managed to enhance the password security.

3.1.3 Operations Related to User Management

Operations related to user management include creating, deleting, and switching users as well as changing user passwords. This section uses user1 as an example to describe these operations. l To create user1, run the following command:

useradd –m user1 //After user1 is created, its home directory /home/user1 is also created. l To delete user1, run the following command:

(14)

userdel –r user1 //After user1 is deleted, its home directory /home/user1 is also deleted. l To change the password for user1, run the following command:

passwd user1 //Only user1 and the root user can change the password for user1.

The password must comply with the password complexity policy in Table 3-1. For example, Huawei@751.

l To switch to user1, run the following command: su user1 //The current user is switched to user1.

su - user1 //The current user is switched to user1. The hyphen (-) indicates that the environment variables are also switched.

3.1.4 Operations Related to Password Complexity Management

NOTE

It is recommended that you not modify password complexity settings to enhance password security. You can set the following parameters in the /etc/pam.d/common-password file to modify password complexity settings:

l retry = N: You have N attempts to change the password each time you run the passwd command. N is an integer from 1 to 256. The default value is 6.

l lcredit = –N: A password contains at least N lower-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.

l ucredit = –N: A password contains at least N upper-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.

l dcredit = –N: A password contains at least N digits. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.

l ocredit = –N: A password contains at least N special characters(~!@#$%^&*()_+`-={}|[] \:";'<>?,./). N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.

l minlen = N: A password contains at least N characters. N is an integer from 6 to 127. The default value is 8.

l enforce_root: A password policy takes effect to the root user. After this parameter is deleted, the password policy does not take effect to the root user.

l remember = N: N previous passwords are recorded for common users. N is an integer from 0 to 400. The default value is 3 for the Dopra Linux OS and 5 for the RTOS. This rule does not take effect for the root user to change the passwords for itself and other accounts. l uname_check: A password cannot be the same as any user name or be any user name in

reverse order. This function is enabled by default.

3.1.5 Operations Related to Password Setting

NOTE

In versions earlier than V100R001C03SPC030, the password lock and validity period cannot be changed because the etc/pam.conf file and chage command are not supported in these versions.

You can set the following options in the /etc/pam.d/common-auth file to modify password locking settings:

(15)

l deny=N, which indicates that the login account is locked when the number of unsuccessful login attempts exceeds N. N is an integer between 1 to 32. The default value is 3.

l unlock_time=N, which indicates that the user account is locked for N seconds when the maximum number of unsuccessful login attempts is exceeded. N is an integer between 1 to 3600. The default value is 300.

You can run the following commands to view or modify password time settings:

l chage -l user1 //You can view the parameters such as the minimum interval at which a password must be changed (Minimum), the maximum interval at which a password must be changed (Maximum), and advance warning before password expires (Warning). l chage -m N common user //N indicates the minimum interval at which a common user's

password must be changed, which means you can change the password N days later. N is an integer between 0 to 99999. If N is set to 0, you can change the password anytime. This option does not apply to the root user.

l chage -M N root/common user //N indicates the maximum interval at which common user's password must be changed. N is an integer between 1 to 99999.

l chage -W N root/common user //N indicates the advance warning days before a common user's password expires. N is an integer between 1 to 99999.

3.2 File System and Permission Management

File system permission is categorized into read, write, and execute permission. The root user can operate all files. Common users can operate only their own files. Permission management ensures file security.

3.2.1 Directory Protection

The Dopra Linux restricts directory access permission. You can run the ll or ls –l command to query the read, write, and execute permission on files and sub-directories in different directories. The following is an example:

Jasper / # ll total 112 drwxr-xr-x 2 root root 4096 Jul 6 22:10 bin drw-r--- 6 root root 4096 Jul 7 23:08 boot drwxr-xr-x 9 root root 5560 Jul 7 19:11 dev drwxr-xr-x 25 root root 4096 Jul 7 23:15 etc drwxr-x--x 4 root root 4096 Jul 7 21:19 home -rwxr-xr-x 1 root root 29 Jul 5 22:24 init drwxr-xr-x 7 root root 4096 Jul 6 22:10 lib

drwx--- 2 root root 16384 Jul 5 22:23 lost+found d-wx---r-x 5 root root 4096 Jul 5 22:24 mbsc drwxr-xr-x 2 root root 4096 Jul 5 22:24 media drwxr-xr-x 4 root root 4096 Jul 5 22:25 mnt drwxr-x--- 2 root root 4096 Jul 5 22:24 none drwxr-x--- 3 root root 4096 Jul 5 22:24 opt dr-xr-xr-x 114 root root 0 Jul 7 19:10 proc drwx--- 3 root root 4096 Jul 7 22:06 root drwxr-x--- 2 root root 4096 Jul 7 21:25 sbin -rwxr-xr-x 1 root root 23713 Jul 5 22:24 sc_init drwxr-xr-x 2 root root 4096 Jul 5 22:24 srv drwxr-xr-x 11 root root 0 Jul 7 19:10 sys drwxrwxrwt 2 root root 4096 Jul 11 03:30 tmp drwxr-xr-x 2 root root 4096 Jul 5 22:25 usb

(16)

drwxr-xr-x 7 root root 4096 Jul 5 22:24 usr drwxr-xr-x 10 root root 4096 Jul 6 22:10 var

The following uses the last line as an example to explain the command output: l In drwxr-xr-x:

d means directory. Files are not started with d.

rwx indicates that the file or directory creator has read, write, and execute permission.r-x indicates that users who belong to the same user group as the file or directory creator

have read and execute permission.

The second r-x indicates that users who do not belong to the same user group as the file or directory creator have read and execute permission.

NOTE

The root user has the highest permission and can operate all files created by other users. l 10 indicates the number of hard connections to the directory.

l root indicates that the file or directory is created by the root user.

l The second root indicates that the file or directory creator is in the root user group. l 4096 indicates the directory or file size (excluding files or sub-directories under the

directory).

l Jul 6 22:10 is the time when the file or directory was last modified. l var is the file or directory name.

3.2.2 File Protection

The Dopra Linux restricts common users' access to system files.

l Common users can access the home directory (for example, /home/jack) of other users. However, they are not authorized to run the ls –l command to query other users' information. l Common users cannot modify or delete commands, library files, and directories storing

device files (/dev) or configuration files (/etc).

l Only the root user is authorized to access system command management directories (/ sbin and /usr/sbin) and log files in /var/log.

NOTE

The read permission to a directory indicates that a user can view the files and sub-directories under the directory. The write permission indicates that a user can create files and sub-directories under the directory. The execute permission does not apply to directories.

The read permission to a file indicates that a user can view the contents in the file. The write permission to a file indicates that a user can edit the contents in the file. The execute permission to a file indicates that a user can execute the commands in the file.

Users can run the setfacl command to set access permission to a file. For example, in the setfacl -m u:user1:rw a.dat command, user1 has read and write permission to a.dat.

3.3 Network Management

(17)

3.3.1 Protocols Enabled by Default

By default, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) are enabled in the Dopra Linux.

3.3.2 Services Enabled by Default

The SSH version in the latest Dopra Linux is OpenSSH 5.2p1. This version enhances the security of SSH services. The SSH service uses port 22. The ports for other system services are closed by default.

Table 3-2 describes the default services provided in the Dopra Linux.

Table 3-2 Default services provided in the Dopra Linux Service

Name

ON/OFF Protocol Port

Number

Description

sshd ON TCP 22 A service started from inittab for

SSH login

syslog-ng ON N/A N/A A service started from inittab for log recording

dbus-daemon ON N/A N/A An application that uses the D-Bus library to implement a message bus daemon

NOTE

D-Bus is a library that provides one-to-one communication between any two applications. Multiple programs connect to the message bus daemon and can exchange messages with each other.

cron ON N/A N/A Daemon to execute scheduled

commands

klogd ON N/A N/A A service started from inittab for log

buffering

auditd ON N/A N/A A service for saving audit records to

the disk

boot.udev ON N/A N/A A service that listens to kernel events and passes the incoming events to udev

haldaemon ON N/A N/A A service that collects and stores hardware information

syslogbuf ON N/A N/A A service started from inittab for log buffering

(18)

Service

Name ON/OFF Protocol PortNumber Description

acpid ON N/A N/A A service that functions as the

daemon of advanced configuration and power interface (ACPI) and manages the power supply

3.3.3 Ports Opened by Default

For details about the default ports opened in the Dopra Linux, see Communication Matrix delivered with the product.

You can run the netstat -nlp command to view all listening ports.

3.3.4 System Firewall iptables

iptables is a kernel-level component in the Linux for filtering IP packets. When Linux is connected to the Internet, local area networks (LANs), servers, or Internet proxies, iptables act as a firewall to filter IP packets.

Being integrated into the Dopra Linux, iptables does not need to be configured by default. However, users can define rules in the iptables if required. When defining rules for a live network, note the following points:

l Do not modify existing rules.

l Write scripts to ensure that defined rules automatically take effect upon system startup. l Define rules again after the Dopra Linux is upgraded or updated, as defined rules are deleted

after the system is upgraded or updated.

3.3.5 Security Policies Related to TCP/IP Stacks

Dopra Linux does not support IPv6 by default. Table 3-3 describes security policies related to the IPv4 TCP/IP stack. These items are configured in the /etc/sysctl.conf file. Default settings in Table 3-3 are recommended by Huawei to ensure optimum security and performance, and generally should not be changed.

(19)

NOTE

The configuration items of TCP/IP stacks are named in the format of "net + protocol + conf + all/default/ device + attribute". Where, device means a logical interface, such as eth1, bond2, and vlan3, default is used to initialize an interface as it is initialized and loaded, and all means to apply to all interfaces.

Table 3-3 Configuration items

Item Defaul t Value Description net.ipv4.conf.all.arp_ig-nore 0 for the RTOS 1 for the Dopra Linux

This parameter defines the modes for sending replies in response to received ARP requests that resolve local target IP addresses.

l 0: Reply to any local target IP address, irrespective of its interface.

l 1: Reply only if the target IP address is the local address configured on the incoming interface. l 2: Reply only if the target IP address is the local

address configured on the incoming interface, and both the sender's and receiver's IP addresses are in the same subnet.

l 3: Reply only resolutions for global and link addresses, and do not reply to local addresses configured with scope host.

l 4-7: Reserved.

l 8: Do not reply to local addresses. net.ipv4.conf.default.arp_i

gnore

net.ipv4.conf.all.promote_ secondaries

1 If this item is enabled and primary address of an interface is deleted, an alias of the interface will be upgraded to the primary one.

net.ipv4.conf.default.prom ote_secondaries

net.ipv4.conf.all.arp_filter 1 l 0: The kernel can respond to ARP requests with addresses from other interfaces. This may seem wrong but it actually makes sense because it increases the number of successful

communication attempts. IP addresses are owned by the complete host on the Linux, not by specific interfaces.

l 1: This value allows you to have multiple network interfaces on the same subnet and have the ARPs for each interface be answered based on whether the kernel can route packets from the ARP's IP address out of that interface.

net.ipv4.conf.default.arp_f ilter

net.ipv4.conf.all.accept_so urce_route

0 This parameter specifies whether to accept routing extension headers.

If the value for this parameter is greater than or equal to 0, only the routing header type 2 is accepted. Dopra Linux OS Security Feature Parameter Description 3 Dopra Linux Security Features

(20)

Item Defaul

t Value Description net.ipv4.conf.default.acce

pt_source_route

If this value is less than 0, routing header is not accepted.

net.ipv4.conf.all.accept_re directs

0 It is assumed that the network segment where the host is located has two routers, and one of them is set as the default gateway. When another router sends IP packets to the gateway, the router also sends an ICMP redirect message, instructing the gateway to forward those packets to other routers.

l 1 means to accept the redirect forwarding. l 0 means to ignore the redirect forwarding.

It is recommended that this parameter be set to 0 to eliminate potential security risks.

net.ipv4.conf.default.acce pt_redirects

net.ipv4.conf.all.secure_re directs

0 This parameter specifies the secure redirect

forwarding function. When this function is enabled, only ICMP redirect messages from the gateway are accepted.

l 1 means to enable the function. l 0 means to disable the function. net.ipv4.conf.default.secur

e_redirects

net.ipv4.conf.all.send_re-directs

0 This parameter specifies whether to send redirect messages.

l 1 means to send. l 0 means not to send. net.ipv4.conf.default.send

_redirects

net.ipv4.tcp_fin_timeout 60 This parameter specifies the duration for keeping packets in the FIN-WAIT-2 state. If the value of this parameter is too large, memory overflow may occur. net.ipv4.tcp_syncookies 1 This parameter specifies whether to send syncookies

when the syn backlog queue overflows. This parameter is valid only when CONFIG_SYNCOO-KIES is set during kernel compilation.1 means to send.0 means not to send.

net.ipv4.tcp_syn_retries 1 This parameter specifies the number of times initial SYN messages for an active TCP connection attempt will be retransmitted.

net.ipv4.tcp_synack_re-tries

1 This parameter specifies the number of times SYN-ACK messages for a passive TCP connection attempt will be retransmitted.

net.ipv4.tcp_max_syn_bac klog

4096 This parameter specifies the maximum number of unacknowledged connection requests.

(21)

Item Defaul

t Value Description net.ipv4.icmp_echo_ignor

e_broadcasts

1 This parameter specifies whether to ignore broadcast and multicast messages.

l 1 means to ignore. l 0 means not to ignore.

kernel.panic_on_oops 1 This parameter specifies the kernel's behavior when it encounters an exception or bug.

l 0: Attempt to continue operations.

l 1: Stop (panic) immediately. If sysctl is also non-zero, the server will be rebooted.

kernel.printk 6 4 1 7 This parameter specifies where to send log messages according to their priorities. This parameter has four default values, which denote console_loglevel, default_message_loglevel, minimum_console_lo-glevel, and default_console_lominimum_console_lo-glevel, respectively. l console_loglevel: Messages with a priority

higher than this level will be printed to the console.

l default_message_loglevel: Messages without an explicit priority will be printed with this level. l minimum_console_loglevel: This level is the

minimum (highest) value to which console_loglevel can be set.

l default_console_loglevel: This is the default value for console_loglevel.

net.ipv4.tcp_timestamps 0 This parameter specifies whether to add a 12-byte timestamp to TCP headers.

l 0 means not to add the timestamp. l 1 means to add the timestamp. net.ipv4.icmp_ignore_bog

us_error_responses

1 This parameter specifies whether to ignore "bogus error message responses".

l 1 means to ignore. l 0 means not to ignore.

net.ipv4.conf.all.rp_filter 1 This parameter specifies whether to enable IP spoofing protection and turns on source route verification.

l 1 means yes. l 0 means no.

It is recommended that you set this parameter to 1 for a single host or routers in a stub network. net.ipv4.conf.default.rp_fil

ter

(22)

Item Defaul

t Value Description

kernel.sysrq 0 This parameter specifies the magic-sysrq key. If the parameter is set to non-zero, the system request key is activated.

3.3.6 Security Policies Related to SSH

The Dopra Linux does not support insecure or non-encrypted protocols, such as File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). Instead, it uses secure protocols such as SSH and SFTP.

Table 3-4 lists the configurations for SSH.

Table 3-4 Configurations for SSH

Item Default Value Description

Ciphers 3des-cbc and

aes128-cbc

Uses the 3des-cbc and aes128-cbc encryption algorithm.

MACs hmac-md5 Sets the message authentication code (MAC) algorithm to the secure message digest algorithm 5 (MD5) for ensuring data integrity.

Protocol 2 Forcibly enables SSH V2.0.

LogLevel VERBOSE Sets a message level to Verbose to log user login information for auditing.

StrictModes Yes Forcibly checks file permission and the login user's permission to the home directory and files.

PubkeyAuthentica-tion

Yes Allows public key authentication.

PermitEmptyPass-words

No Forbids login with an empty password.

PermitRootLogin No Allows the root user to remotely log in to the Dopra Linux. You can disable this function for security. UsePAM Yes Uses the pluggable authentication modules

(PAM), a more scalable scheme, for authentication.

Banner /etc/issue.net Displays banners after a user logs in to the Dopra Linux using SSH. The default banner is: "You are trying to access a restricted zone. Only Authorized Users allowed."

(23)

NOTE

You can run the vi /etc/issue.net command to modify banners.

3.3.7 Operations Related to SSH

The following part describes operations associated with SSH.

Secure Logins

To log in to a target computer (for example, with an IP address of 192.168.0.241) that provides SSH services:

Run the ssh root@192.168.0.241 command to log in as the root user, or run the ssh user1@192.168.0.241 command to log in as user user1.

Secure Copy

To copy data (for example, /home/filename) from a Linux server that provides SSH services to /home of a target computer (for example, with an IP address of 192.168.0.241):

Run the scp -r /home/filename root@192.168.0.241:/home command.

SFTP Operations

A computer running Dopra Linux can function as a server to provide SFTP services. To connect to a target computer (for example, with an IP address of 192.168.0.241):

Run the sftp 192.168.0.241 command.

Forbidding remote login of the root user

You are advised to disable the remote login of the root user. V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to perform remote login. To disable remote login, perform the following steps:

Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:

l Run the useradd –m user1 command to add user user1 and create directory /home/user1. l Run the passwd user1 command to set or change the password (for example,

Tom@520123) for user user1. For details about the password policy, see "3.1.2 Security Policies for User Management".

Step 2 Modify the configuration file. Log in as the root user, and set PermitRootLogin to no in the / etc/ssh/sshd_config file.

Step 3 Run the killall sshd command to restart the SSH service. The modification takes effect after the SSH service restarts.

----End NOTE

After the sshd process is killed, the SSH service becomes unavailable. Several seconds later, the SSH service restarts automatically.

(24)

To permit remote login of user root, set PermitRootLogin to yes in the /etc/ssh/sshd_config file, and restart the SSH service.

3.4 Enhanced Antivirus Policy

3.4.1 Virus Entry Control

The Dopra Linux disables idle ports and uses secure protocols (such as SSH and SFTP) only, making itself much less vulnerable to virus attacks.

The Dopra Linux uses enhanced password polices, such as forced lockout after three failed password attempts. These policies greatly improve the anti-hacking capability.

3.4.2 Post-entry Virus Control

The Dopra Linux defines strict permission control, which means that only the root user has the write permissions to system files and log files. Therefore, even virus files are falsely executed, only files to which the login user has the write permissions will be corrupted. System running and log files are not affected.

Though the Dopra Linux does not run any antivirus software, it is insusceptible to virus attacks unless the root user password is cracked. In addition, the root user password is well protected by the following measures:

l Uses enhanced password policies.

l Forces the user to log out after defined failed password attempts.

3.5 Operating System Integrity Protection

3.5.1 Product Development Security

The Dopra Linux image contains vmlinuz (kernel) and initrd (root file system), where the kernel mode and user mode are separated. This method enhances Dopra Linux security.

V200R003C02SPC080, RTOS-V100R001C00, and later versions support security loophole scan using the Nessus and port and protocol scan using the NMap.

V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions support security loophole scan using the Retina.

3.5.2 Product Release Security

Before the Dopra Linux is released, it is scanned by antivirus software Symantec, McAfee, Avira, and Trend to ensure that it is virus free.

3.5.3 Product Installation Security

Before being released, the Dopra Linux upgrade packages are digitally signed using the MD5 algorithm. The Dopra Linux automatically authenticates digital signatures before the upgrade. The upgrade can be performed only after the authentication succeeds.

(25)

3.6 System and Security Log Management

Logs record system running information and are of vital importance to system security. Major log functions include auditing and monitoring. With logs, you can diagnose problems, monitor real-time system status, and track traces left by attackers.

3.6.1 Log Files

Only the root user can view log files and description under the log directory /var/log. The following describes log files in the Dopra Linux:

l acpid

A log file for the daemon of the Advanced Configuration and Power Interface (ACPI), which notifies the user-space program of advanced configuration and power management events.

l audit

A log file for the audit daemon, which writes kernel information generated by applications and system activities into hard disk.

l dlinstall.log/dlrecover.log/dlupgrade.log

Log files recording information about system installation, rollback, and upgrade. l faillog

A log file recording the number of failed logins due to incorrect user name or password. This file is encrypted. Running the vi/cat command cannot open this file. You can run faillog to view this file.

l messages

A log file recording kernel and system information. You can run vi/cat to view this file.

l warn

A log file recording all warnings and error information. l wtmp

A log file recording all remote and local logins, changes in system running level, and time of the changes.

This file is encrypted. You can run last to view this file.

3.6.2 Real-Time Access Information Recording

The Dopra Linux records real-time Dopra Linux login and logout information in logs. For details about how to manage these logs, see section "Configuring the Function of Recording OMU OS Accessing Information in Real Time" in OMU Administration Guide.

3.7 System Upgrade and Patch Policy

Due to defects in product design or development, the Dopra Linux may have certain

vulnerabilities, for example, service errors or authentication failures. These vulnerabilities may Dopra Linux OS Security Feature Parameter Description 3 Dopra Linux Security Features

(26)

pose security threats such as hacking or viruses. You can install patches to eliminate these system vulnerabilities.

3.7.1 Patch Installation

By default, security patches are applied on the Dopra Linux every 12 months.

3.7.2 Upgrade

Currently, the Dopra Linux version and product version are independent. The Dopra Linux upgrade does not affect applications that have been installed on the source Dopra Linux, when the hard disk partition settings on the source and destination Dopra Linux versions are the same. You can upgrade the Dopra Linux using either of the following methods:

l USB upgrade l Web upgrade

For details about upgrade methods, see Guide to Dopra Linux Operating System Remote Patch Upgrade delivered with Dopra Linux patches.

NOTE

You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the Dopra Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.

If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled back. In this case, the USB upgrade is recommended. The following versions can be rolled back when they are upgraded to V200R003C02SPC090 using the web mode.

l V100R001C03 initial versions l V200R003C02SPC030 l V200R003C02SPC070 l V200R003C02SPC080

(27)

4

Base Station Applications

The base station operating system patches are packed in the base station product version, and therefore an separated operating system upgrade is not supported on the base station. However if any security risks are exposed in RTOS versions, you can run the operating system patches by way of the product version upgrade because these patches are packed in the latest product version.

NOTE

If the product version includes RTOS patches, the patch information will be addressed in the Release

Notes of base stations.

The base station operating system is not visible for users because the patches are packed in the base station software.

l Of all operating system security policies of the base station, only the anti-virus policy is provided by the operating system. For details, see "3.4 Enhanced Antivirus Policy." l Other than the antivirus policy, operating system security policies are packed in the base

station software. For details, see the Equipment Security Feature Parameter Description. Dopra Linux OS Security Feature Parameter Description 4 Base Station Applications

(28)

5

Differences Between History Dopra Linux

Versions

5.1 History Dopra Linux Versions

Table 5-1 lists history Dopra Linux versions and corresponding boards.

Table 5-1 History Dopra Linux versions and corresponding boards

Dopra Linux Version Board

V100R001C03SPC010 OMUa/SAUa/OMUb/SAUb V100R001C03SPC020 OMUa/SAUa/OMUb/SAUb V100R001C03SPC030 OMUa/SAUa/OMUb/SAUb V200R003C02SPC030 OMUc/SAUc V200R003C02SPC060 OMUc/SAUc V200R003C02SPC070 OMUc/SAUc V200R003C02SPC080 OMUa/SAUa/OMUb/SAUb /OMUc/SAUc V200R003C02SPC090 OMUa/SAUa/OMUb/SAUb /OMUc/SAUc RTOS-V100R001C00SPC030 EOMUa/ESAUa RTOS-V100R001C00SPC05 EOMUa/ESAUa RTOS-V100R001C00 SPC060 EOMUa/ESAUa RTOS-V100R001C00 SPC070 EOMUa/ESAUa

(29)

NOTE

l The Dopra Linux can be upgraded to a destination version that supports the same type of boards as the source version. For example, any version can be upgraded to V200R003C02SPC080, but

V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.

l Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although supported boards vary with versions.

5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb

5.2.1 V100R001C03SPC010 to V100R001C03SPC020

The following functions are supported:

l Enable or disable remote login for the root user.

l Enhance the password complexity policy, which enables the root user to set password complexity policies.

l Allow the root user to uniformly set password expiration date. l Lock user accounts at multiple unsuccessful login attempts.

l Add the setfacl package to allow users to set access permission to files. l Provide the su command so that login users can be switched.

l Add the SSH login and logout logs to enhance the log auditing function. The logs include user name, login time, and source IP address.

5.2.2 V100R001C03SPC020 to V100R001C03SPC030

l Provide the create-cracklib-dict command to allow users to update the weak password dictionary.

5.3 Versions Running on the OMUc/SAUc

5.3.1 V200R003C02SPC030 to V200R003C02SPC060

l Delete the modules for commissioning to minimize security risks. The deleted modules are ltp, livegdb, lmbench, and livepatch.

5.3.2 V200R003C02SPC060 to V200R003C02SPC070

l Upgrade the kernel version from Linux-2.6.16.60-0.68.1 to Linux-2.6.16.60-0.87.1.

5.4 V200R003C02SPC080 Running on the OMUa/SAUa/

OMUb/SAUb/OMUc/SAUc

5.4.1 V200R003C02SPC070 to V200R003C02SPC080

The following functions are supported:

(30)

l Support the OMUa, SAUa, OMUb, SAUb, OMUc, and SAUc.

l Upgrade the kernel version to Linux-2.6.16.60-0.87.1, which enhances operating system security.

l Enhance operating system security by providing default security settings, such as password complexity policies.

l Upgrade to OpenSSH 5.2 to fix "Plaintext Recovery Attack against CBC ciphers" (ID: CVE-2008-5161).

l Disable unnecessary IPv6 modules to minimize security risks posed by these modules. l The portmap service is disabled by default. Therefore, port 111 used by the portmap service

is also disabled by default.

5.4.2 V200R003C02SPC080 to V200R003C02SPC090

The following functions are supported:

l Update the kernel version to Linux-2.6.16.60-0.99.1 to eliminate system loopholes scanned out by the NMap, Nessus, and Retina and harden the operating system security.

l Count the start time of password validity period from the system installation time. If the password is changed, the period is counted since the change time. The default password validity period is changed from 30 days to 90 days.

l Add a prompt message when the account is locked.

l Add the lgnusr user for remote login. You cannot remotely log in to the system as a root user by default, but you can remotely log in to the system as an lgnusr user and then switch to the root user. In this way, the user management security of the operating system is enhanced.

5.4.3 V200R003C02SPC090 to V200R003C08

l Rectify the defect that common users cannot modify the OS time zones. l Rectify the defect that Ext3 file system is occasionally read-only.

l Rectify the defect that a message indicating expired password is displayed after a USB flash disk is used to restore the OS.

l Rectify the defect that the MySQL service fails to start after a USB flash disk is used to restore the OS after an upgrade.

l Forbid the upgrade from a later version to an earlier version. l Rectify the OpenSSL security issue (CVE-2013-0166).

l Forbid the CMDline parameter (init=/bin/bash) parsing in the kernel.

5.5 Versions Running on the EOMUa/ESAUa

5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030

l Support the NIS to centrally manage accounts and harden password security.

(31)

5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050

l Fix security loopholes of libxml2, libsnmp, and bash (ID: CVE-2012-2807,

CVE-2012-2141, CVE-2012-3410).

l Count the start time of password validity period from the system installation time. If the password is changed, the period is counted since the change time. The default password validity period is changed from 30 days to 90 days.

5.5.3 RTOS-V100R001C00SPC050 to RTOS-V100R001C00SPC060

There are no specific parameters associated with this feature.

5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070

There are no specific counters associated with this feature.

5.5.5 RTOS-V100R001C00SPC070 to RTOS-V100R001C00SPC080

l Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating system

security.

l Fix the defect so that the operating system does not display the message that the number of password retries exceeds the upper limit after the boards are restarted.

5.5.6 RTOS-V100R001C00SPC080 to RTOS-V100R001C00SPC090

l Rectify the priority inversion issue and incorporate the open-source kernel patch

da7a735e51f9622eb3e1672594d4a41da01d7e4f.

l Rectify the OpnSSH security issue (CVE-2010-5107): The Opensh LoginGracetime setting leads to SSH service denial.

l Forbid the upgrade from a later version to an earlier version. l Incorporate three precaution issues:

– RTOS LMT Precaution Notice [2013-001] – Memory Corruption May Occur When the Bus Master Is not Disabled When the PCI Device Is Stopped

– RTOS LMT Precaution Notice [2013-002] – Deadlock May Occur Due to the Migration of CPUs that Run Real-time Tasks

– RTOS LMT Precaution Notice [2013-004] – System Breakdown May Occur Due to the Core Dump on the Multi-thread Process Using the FPU

(32)

6

Parameters

There are no specific parameters associated with this feature.

(33)

7

Counters

There are no specific counters associated with this feature.

(34)

8

Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.

(35)

9

Reference Documents

1. Equipment Security Feature Parameter Description

2. OMU Administration Guide

3. Guide to Dopra Linux Operating System Remote Patch Upgrade

References

Related documents

Because the wool yarn was felted, the carpet is a little thicker, and extra comfortable...

Father’s analysis: Norway only: Abruption in first pregnancy &amp; risk of paternal mortality 821,156 men; 48,840 deaths Sub-analysis Norway only: restricting to women

Loss figures for each province and cereal crop are adjusted considering the relevant agro- ecological factors like climate and scale of farming (commercial or subsistence) and

Accordingly, in subtitling, viewers also suspend their disbelief, they “pretend that subtitles are the actual dialogue, which in fact they are not” (p. 215), whereas “the

The following is a transcribed sequence from a “2016 US Festival of “Hot Hash” Calling. SLIDE MOST SQUARE DANCING IS JUST TWO COUPLE DANCING The Following sequence is a

• Is the indication of the experimental standard deviation strong enough for characterizing “quality “ of the investigated measuring

ĞǀĞůŽƉŵĞŶƚŽĨĂŽŶĞ ͻ ĐŽŶĞ ĐĂŶ ďĞ ƌŝŐŚƚ ĐŽŶĞ ;ƚŚĂƚ ŵĂŬĞƐ ĂŶ ĂŶŐůĞ ϵϬŽ ǁŝƚŚ ƚŚĞ ŚŽƌŝnjŽŶƚĂůͿ Žƌ ŽďůŝƋƵĞ ;ƚŚĂƚ ŵĂŬĞƐ ĂŶ ĂŶŐůĞ ĚŝĨĨĞƌĞŶƚ ĨƌŽŵ ϵϬŽ ǁŝƚŚ