Dopra Linux OS Security (SingleRAN - 20)
Issue 20
Date 2017-02-22
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
1 Introduction
1.1 Scope
1.2 Intended Audience
1.3 Change History
6 Parameters
7 Counters
8 Glossary
9 Reference Documents
1 Introduction
1.1 Scope
This document describes the security features and capabilities of the Dopra Linux operating
system (OS).
NOTE
- This document is based on V200R003C02SPC090 and RTOS-V100R001C00SPC080. For details about differences among history versions, see section 5 Differences Among History Dopra Linux Versions.
- The OS for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed as Real-time operating system (RTOS). RTOS inherits the basic functions of Dopra Linux. This document refers to an RTOS version with the prefix RTOS- in front of the version number, for example, RTOS-V100R001C00SPC070. Unless otherwise stated, this document applies to both Dopra Linux and RTOS.
- For a base station, only the software of the UMPT and UMDU boards uses and encapsulates the Dopra Linux OS. Therefore, you cannot log in to the OS of a base station that is configured with one of these boards after the base station is delivered. For details, see section 4 Base Station Applications.
20 (2017-02-22)
This issue includes the following changes:
19 (2016-12-15)
This issue includes the following changes:
18 (2016-08-26)
This issue includes the following changes:
17 (2016-05-27)
This issue includes the following changes:
16 (2016-04-06)
This issue includes the following changes:
15 (2016-02-22)
This issue includes the following changes:
14 (2016-02-04)
This issue includes the following changes:
13 (2015-11-13)
This issue includes the following changes:
12 (2015-04-30)
This issue includes the following changes:
11 (2015-02-15)
This issue includes the following changes:
10 (2015-01-15)
This issue includes the following changes:
09 (2014-12-15)
This issue includes the following changes:
08 (2014-10-10)
This issue includes the following changes:
07 (2014-09-25)
This issue includes the following changes:
06 (2014-08-15)
This issue includes the following changes:
05 (2014-06-10)
This issue includes the following changes:
04 (2012-12-30)
This issue includes the following changes:
03 (2012-11-30)
This issue includes the following changes:
02 (2012-09-30)
This issue includes the following changes:
01 (2012-08-16)
This issue includes the following changes:
Draft A (2012-06-20)
This issue is a draft.
2.1.1 Overview
The Dopra Linux is a Linux-based operating system tailored to provide full security
protection for telecommunications products. As part of an end-to-end security solution, the
Dopra Linux is enhanced in hardware support, software commissioning, and performance to
minimize security risks.
A customized Dopra Linux consists of the kernel and root file system:
- Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which helps improve system security.
- Root file system: The Dopra Linux is a compact operating system where only useful database and service components are installed in the file system. This helps minimize security risks.
Illegal operation | The maximum number of unsuccessful login attempts is not specified. | Minor | The Dopra Linux locks the account when the maximum number of unsuccessful login attempts is exceeded.
NOTE
The Dopra Linux does not require antivirus software because few viruses target Linux and only a few Dopra Linux ports are open. For details about Dopra Linux antivirus measures, see section 3.4 Enhanced Antivirus Policy.
- The root user has the highest operation permission, including read, write, and execute permission. The read permission allows the root user to view the names and content of files under a directory. The write permission allows the root user to create or delete files as well as modify file content. The execute permission allows the root user to run shell scripts or binary executable files. The root user can be granted read, write, and execute permission on all files and directories.
  V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow the root user to perform remote logins. This measure helps enhance system security.
- Common users are created by the root user. They can log in to the Dopra Linux and create, modify, or delete files under their own home directories. For example, user jack can perform such operations under the home directory /home/jack. In addition, common users can run scripts or binary executable files under the /usr/bin and /bin directories.
- Service users are used by system service processes. Service users have the lowest operation permission and cannot log in to the operating system. They are not created by the root user. This prevents unauthorized users from attacking the operating system and reduces security risks. Service user accounts in the Dopra Linux include sshd, nobody, haldaemon, messagebox, and mysql.
Table 3-1 Security policies for user management in the Dopra Linux
User management item | Policy
Login message | After a login, the information about the previous login is printed, including the login date, time, and IP address. Such information helps users determine whether unauthorized users have accessed the account.
Login permission | By default, a user account is locked for 300 seconds after three consecutive unsuccessful login attempts. The administrator can unlock the account. In versions earlier than V200R003C08SPC080, users are not asked for their old password when changing their own password. In V200R003C08SPC080 and later versions, the user's old password is required. For all versions, the old password is not required when the root user changes the password of a common user.
Root user | The root user is the only superuser in the system and is authorized to execute all scripts and executable files. The password for the root user is customized before Dopra Linux deployment.
Service user | Service users cannot log in to the Dopra Linux and are only for service purposes.
Minimum password validity | You are advised to set the minimum password validity period to 48 hours or longer. Otherwise, the password may bypass the password security policy inspection.
su - user1 //The current user is switched to user1. The hyphen (-) indicates that the
environment variables are also switched.
It is recommended that you not modify the password complexity settings, so that password security is not weakened.
You can set the following parameters in the /etc/pam.d/common-password file to modify password complexity settings:
- retry = N: You have N attempts to change the password each time you run the passwd command. N is an integer from 1 to 256. The default value is 6.
- lcredit = -N: A password contains at least N lower-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- ucredit = -N: A password contains at least N upper-case letters. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- dcredit = -N: A password contains at least N digits. N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- ocredit = -N: A password contains at least N special characters (~!@#$%^&*()_+`-={}|[]\:";'<>?,./). N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
- minlen = N: A password contains at least N characters. N is an integer from 6 to 127. The default value is 8.
- enforce_root: The password policy applies to the root user. After this parameter is deleted, the password policy no longer applies to the root user.
- remember = N: N previous passwords are recorded for each user. N is an integer from 0 to 400. The default value is 3 for the Dopra Linux OS and 5 for the RTOS.
NOTE
- In versions earlier than V200R003C08SPC080, the root user can change its own password or the passwords of common users regardless of the remember parameter setting.
- In versions from V200R003C08SPC080 to V200R003C08SPC230, the number of times the root user can change its own password depends on the remember parameter setting, but the root user can change the passwords of common users regardless of the remember parameter setting.
- In V200R003C08SPC260 and later versions, both the number of times the root user can change its own password and the number of times the root user can change the passwords of common users depend on the remember parameter setting.
- uname_check: A password cannot be the same as any user name or any user name in reverse order. This function is enabled by default.
- enforce_for_root: This option is added in V200R003C08SPC260 and later versions. It indicates that the historical password storage mechanism applies to the root user. When the root user changes its own password or the passwords of common users, the encrypted text is recorded in /etc/security/opasswd.
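The following checker, added here as an example and not taken from Dopra Linux or the PAM modules, reproduces the documented semantics of the common-password options above (negative credits, minlen, uname_check, remember) so that a policy can be tested offline; the Dopra Linux defaults are built in and the RTOS defaults are passed explicitly.

```python
"""Password-policy checker modelling the /etc/pam.d/common-password options
explained above (minlen, the negative lcredit/ucredit/dcredit/ocredit credits,
uname_check and remember). Added example, not Dopra Linux or PAM code: it
reproduces the documented semantics so a policy can be tested offline."""
from dataclasses import dataclass, field

# Special-character class quoted for ocredit in the text above.
SPECIALS = set("~!@#$%^&*()_+`-={}|[]\\:\";'<>?,./")


@dataclass
class PasswordPolicy:
    # Defaults are the Dopra Linux OS values from the text; the RTOS uses
    # 0 for the four credits and 5 for remember.
    minlen: int = 8
    lcredit: int = -1      # -N means "at least N lower-case letters"
    ucredit: int = -1
    dcredit: int = -1
    ocredit: int = -1
    uname_check: bool = True
    remember: int = 3
    known_users: set = field(default_factory=set)   # user names for uname_check
    # PAM keeps hashes in /etc/security/opasswd; plaintext here is only for illustration.
    history: dict = field(default_factory=dict)     # user -> accepted passwords

    def violations(self, user, candidate):
        """Return the reasons the candidate is rejected; an empty list means accepted."""
        problems = []
        if len(candidate) < self.minlen:
            problems.append(f"shorter than minlen={self.minlen}")
        classes = [
            ("lower-case letters", self.lcredit, sum(c.islower() for c in candidate)),
            ("upper-case letters", self.ucredit, sum(c.isupper() for c in candidate)),
            ("digits", self.dcredit, sum(c.isdigit() for c in candidate)),
            ("special characters", self.ocredit, sum(c in SPECIALS for c in candidate)),
        ]
        for name, credit, count in classes:
            need = -credit if credit < 0 else 0   # a credit of 0 adds no requirement
            if count < need:
                problems.append(f"needs at least {need} {name}")
        if self.uname_check:
            low = candidate.lower()
            for name in self.known_users | {user}:
                if low in (name.lower(), name.lower()[::-1]):
                    problems.append("equals a user name or a user name in reverse")
                    break
        if self.remember and candidate in self.history.get(user, [])[-self.remember:]:
            problems.append(f"reuses one of the last {self.remember} passwords")
        return problems

    def change_password(self, user, candidate):
        """Apply the policy and record the password in the history when accepted."""
        problems = self.violations(user, candidate)
        if not problems:
            self.history.setdefault(user, []).append(candidate)
        return problems
```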
In versions earlier than V100R001C03SPC030, the password lock and validity period cannot be changed because the /etc/pam.conf file and the chage command are not supported in these versions.
You can set the following options in the /etc/pam.d/common-auth file to modify password locking settings:
- deny = N: The login account is locked when the number of unsuccessful login attempts exceeds N. N is an integer from 1 to 32. The default value is 3.
- unlock_time = N: The user account is locked for N seconds when the maximum number of unsuccessful login attempts is exceeded. N is an integer from 1 to 3600. The default value is 300.
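The tracker below, an added example rather than Dopra Linux or PAM code, models the deny and unlock_time behaviour above together with the administrator unlock from Table 3-1; following that table it locks on the third consecutive failure with the default deny = 3, and the time argument is simulated so the automatic release can be checked offline.

```python
"""Account-lockout tracker modelling the deny and unlock_time options of
/etc/pam.d/common-auth described above. Added example, not Dopra Linux or PAM
code: it reproduces the documented behaviour (lock after deny consecutive
failures, automatic release after unlock_time seconds, manual unlock by the
administrator) so the policy can be reasoned about offline."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    deny: int = 3            # consecutive failures that lock the account (page default)
    unlock_time: int = 300   # seconds the lock lasts (page default)
    failures: dict = field(default_factory=dict)    # user -> consecutive failures
    locked_at: dict = field(default_factory=dict)   # user -> time the lock began

    def is_locked(self, user, now):
        """True while the lock is active; expires the lock once unlock_time has passed."""
        started = self.locked_at.get(user)
        if started is None:
            return False
        if now - started >= self.unlock_time:
            self.admin_unlock(user)      # automatic release, same effect as a manual unlock
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Evaluate one login attempt at time `now`; returns 'locked', 'denied' or 'ok'."""
        if self.is_locked(user, now):
            return "locked"              # even a correct password is refused while locked
        if password_ok:
            self.failures[user] = 0      # a success resets the consecutive-failure count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.deny:   # Table 3-1: the third failure locks (deny=3)
            self.locked_at[user] = now
            return "locked"
        return "denied"

    def admin_unlock(self, user):
        """The administrator unlocks the account and clears its failure count."""
        self.locked_at.pop(user, None)
        self.failures[user] = 0
```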
You can run the following commands to view or modify password time settings:
- chage -l user1 //Views parameters such as the minimum interval at which a password may be changed (Minimum), the maximum interval at which a password must be changed (Maximum), and the advance password expiration warning (Warning).
- chage -m N common user //N indicates the minimum number of days that must pass between a common user's password changes. N is an integer from 0 to 99999. If N is set to 0, the password can be changed at any time. This option does not apply to the root user.
- chage -M N root/common user //N indicates the validity period, in days, of the root password or a common user's password. N is an integer from 1 to 99999.
- chage -W N root/common user //N indicates the number of days before password expiration that the root user or common users are prompted to change their passwords. N is an integer from 1 to 99999.
The following uses the last line as an example to explain the command output:
- In drwxr-xr-x:
  - d means directory. Regular files do not start with d.
  - rwx indicates that the file or directory creator has read, write, and execute permission.
  - r-x indicates that users who belong to the same user group as the file or directory creator have read and execute permission.
  - The second r-x indicates that users who do not belong to the same user group as the file or directory creator have read and execute permission.
NOTE
The root user has the highest permission and can operate on all files created by other users.
- 10 indicates the number of hard links to the file or directory.
- root indicates that the file or directory is created by the root user.
- The second root indicates that the file or directory creator is in the root user group.
- 4096 indicates the directory or file size (excluding files or sub-directories under the directory).
- Jul 6 22:10 is the time when the file or directory was last modified.
- var is the file or directory name.
The read permission on a directory indicates that a user can view the files and sub-directories under the directory. The write permission indicates that a user can create files and sub-directories under the directory. The execute permission indicates that a user can enter the directory.
The read permission on a file indicates that a user can view the content of the file. The write permission indicates that a user can edit the content of the file. The execute permission indicates that a user can execute the commands in the file.
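To make the field-by-field explanation above checkable, the following parser (added here; not from the Dopra Linux documentation) splits ls -l lines into those fields, decodes each rwx triplet into the rights the text gives for directories and files, and flags entries writable by users outside the creator's group; the listing it parses is constructed around the var line.

```python
"""Parser for ls -l output that decodes the permission string exactly as the
bullets above describe it, then flags entries other users can write to.
Added example, not from the Dopra Linux documentation; the listing below is
constructed around the 'var' line the text explains."""
import re

LS_LINE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<perms>[rwxstST-]{9})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$")

# Constructed sample listing (the first data line mirrors the one explained above).
SAMPLE_LISTING = """\
total 12
drwxr-xr-x 10 root root 4096 Jul  6 22:10 var
-rw-rw-rw-  1 jack jack  120 Jul  6 22:11 a.dat
-rwxr-x---  1 root root  980 Jul  6 22:12 run.sh
"""


def decode_triplet(bits, is_dir):
    """Translate an rwx triplet into the rights the text gives for a directory or file."""
    rights = []
    if "r" in bits:
        rights.append("view files" if is_dir else "view content")
    if "w" in bits:
        rights.append("create files" if is_dir else "edit content")
    if "x" in bits:
        rights.append("enter directory" if is_dir else "execute")
    return rights


def parse_ls_line(line):
    """Split one ls -l line into the fields the bullets above name."""
    m = LS_LINE.match(line.rstrip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    f = m.groupdict()
    is_dir = f["type"] == "d"
    p = f["perms"]
    return {
        "name": f["name"],
        "is_directory": is_dir,
        "hard_links": int(f["links"]),
        "owner": f["owner"],            # the creator, in the text's wording
        "group": f["group"],            # the creator's user group
        "size": int(f["size"]),
        "mtime": f["mtime"],
        "creator": decode_triplet(p[0:3], is_dir),
        "same_group": decode_triplet(p[3:6], is_dir),
        "others": decode_triplet(p[6:9], is_dir),
    }


def world_writable(listing):
    """Names of entries that users outside the creator's group may write to."""
    names = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        entry = parse_ls_line(line)
        if any(r.startswith(("create", "edit")) for r in entry["others"]):
            names.append(entry["name"])
    return names
```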
Users can run the setfacl command to set the access permission on a file. For example, in the
setfacl -m u:user1:rw a.dat command, user1 has read and write permission on a.dat.
You can run the netstat -nlp command to view all listening ports.
Being integrated into the Dopra Linux, iptables does not need to be configured by default.
However, users can define rules in the iptables if required. When defining rules for a live
network, note the following points:
NOTE
The configuration items of TCP/IP stacks are named in the format net.<protocol>.conf.<all|default|device>.<attribute>. device is a logical interface, such as eth1, bond2, or vlan3. default supplies the values used to initialize an interface when it is created and loaded. all applies the setting to all interfaces.
net.ipv4.conf.all.arp_ignore (default: 0 for the RTOS, 1 for the Dopra Linux): This parameter defines the modes for sending replies in response to received ARP requests that resolve local target IP addresses.
- 0: Reply to any local target IP address, irrespective of its interface.
Secure Logins
To log in to a target computer (for example, with an IP address of 192.168.0.241) that
provides SSH services:
Run the ssh user1@192.168.0.241 command and enter the password of user1 as prompted to
log in as user1.
Secure Copy
To copy a file (for example, /home/filename) from a Linux server, which provides SSH
services, to /home of a target computer (for example, with an IP address of 192.168.0.241):
SFTP Operations
A computer running Dopra Linux can function as a server to provide SFTP services. To
connect to a target computer (for example, with an IP address of 192.168.0.241):
If the pidof sshd command prints process IDs, the process has started properly. The SFTP service is a sub-function of the SSHD service. If the SSHD process restarts, the SFTP service is disabled successfully.
- Enabling SFTP Logging
  a. Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the file.
  b. Run the killall sshd command to restart the SSHD service.
  c. Check whether the SSHD process has started.
  If the pidof sshd command prints process IDs, the process has started properly. The SFTP service is a sub-function of the SSHD service. If the SSHD process restarts, SFTP logging is enabled successfully.
- SFTP Timeout
  In V200R003C08SPC190 and later versions, the default timeout interval of SFTP service logins is 30 minutes. To set the timeout interval in an earlier version, perform the following steps:
  1. Run the vi /etc/ssh/sshd_config command and perform the following configurations:
     ClientAliveInterval 1800
     ClientAliveCountMax 0
Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
- Run the useradd -m user1 command to add user user1 and create the directory /home/user1.
- Run the passwd user1 command to set or change the password (for example, Tom@520123) for user user1. Set or change the password according to the security policies listed in Table 3-1 in section 3.1.2 Security Policies for User Management.
Step 2 Modify the configuration file. Log in as the root user and run the vi /etc/ssh/sshd_config
command. Set PermitRootLogin to no in the /etc/ssh/sshd_config file.
Step 3 Run the killall sshd command to restart the SSHD service. The modification takes effect after
the SSHD service restarts.
----End
NOTE
After the sshd process is killed, the SSHD service becomes unavailable. Several seconds later, the SSHD
service restarts automatically.
To permit remote root logins, set PermitRootLogin to yes in the /etc/ssh/sshd_config file,
and restart the SSHD service.
Step 1 Run the vi /etc/ssh/sshd_config command to open the /etc/ssh/sshd_config file with the vi
editor. Find the line starting with Ciphers, and change the content to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
NOTE
Find the line starting with Ciphers but not with #Ciphers. The number sign (#) indicates that the line is
commented out.
Step 2 Run the killall sshd command to restart the SSHD service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config file contains the following line:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr.
Step 1 Run the vi /etc/ssh/sshd_config command to open the /etc/ssh/sshd_config file with the vi
editor. Find the line starting with MACs and change the content to:
- For versions earlier than V200R003C08SPC190, the line is changed to "MACs hmac-sha1".
- For V200R003C08SPC190 and later versions, the line is changed to "MACs hmac-sha2-256".
- If hmac-sha2-256 is the only configured MAC algorithm, upgrade PuTTY to 0.65 or a later version.
NOTE
Find the line starting with MACs but not with #MACs. The number sign (#) indicates that the line is
commented out.
Step 2 Run the killall sshd command to restart the SSHD service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config contains the following settings:
MACs hmac-sha1
The preceding operations must be performed by professional personnel who understand basic Linux commands (such as vi) and common system management commands. Otherwise, the SSH connection may fail due to incorrect modifications.
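As an added example (not Dopra Linux tooling), the function below applies the sshd_config changes from the preceding procedures to the text of a configuration file: PermitRootLogin no, the CTR-only Ciphers line, the MACs value for V200R003C08SPC190 and later, and the SFTP idle timeout. It leaves commented lines such as #Ciphers untouched, as the NOTE warns, and appends a directive when only the comment exists; it edits text only, so the SSHD service still has to be restarted afterwards. The input is a constructed sshd_config fragment.

```python
"""Rewrite of an sshd_config text applying the hardening steps above:
PermitRootLogin no, CTR-only Ciphers, SHA-2 MACs and the SFTP idle timeout.
Added example, not Dopra Linux tooling; it only edits text, so the SSHD
service must still be restarted for the result to take effect. Lines such as
'#Ciphers ...' are comments and are left alone, as the NOTE warns."""
import re

# Target values from the procedures above; the MACs value is the one for
# V200R003C08SPC190 and later (earlier versions use hmac-sha1).
HARDENED = {
    "PermitRootLogin": "no",
    "Ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "MACs": "hmac-sha2-256",
    "ClientAliveInterval": "1800",
    "ClientAliveCountMax": "0",
}

# An active directive: keyword, whitespace, value. A leading '#' never matches.
DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")

# Constructed sample with a commented-out Ciphers line and weak active values.
SAMPLE_CONFIG = """\
Port 22
#Ciphers aes128-cbc,3des-cbc
MACs hmac-sha1
PermitRootLogin yes
Subsystem sftp internal-sftp -l INFO
"""


def active_directives(text):
    """Map lower-cased keyword -> first active value; sshd honours the first occurrence."""
    active = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() not in active:
            active[m.group(1).lower()] = m.group(2)
    return active


def audit_sshd_config(text, settings=HARDENED):
    """Return the hardened keywords whose active value is missing or different."""
    active = active_directives(text)
    return sorted(k for k, v in settings.items() if active.get(k.lower()) != v)


def harden_sshd_config(text, settings=HARDENED):
    """Return (rewritten text, keywords that changed). Comments pass through."""
    lookup = {k.lower(): k for k in settings}   # sshd keywords are case-insensitive
    seen, changed, out = set(), [], []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        canon = lookup.get(m.group(1).lower()) if m else None
        if canon is None:
            out.append(line)             # comments, blanks, unrelated directives
            continue
        if canon in seen:
            continue                     # drop stale duplicates of a directive we set
        seen.add(canon)
        if m.group(2) != settings[canon]:
            changed.append(canon)
        out.append(f"{canon} {settings[canon]}")
    for canon, value in settings.items():
        if canon not in seen:            # only a '#Ciphers' comment existed, or nothing
            out.append(f"{canon} {value}")
            changed.append(canon)
    return "\n".join(out) + "\n", changed
```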
The Dopra Linux uses enhanced password policies, such as forced lockout after three failed password attempts. These policies greatly improve the system's resistance to hacking.
Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0
backlog=0
Jasper ~ #
enabled=2: The audit rules cannot be edited. To edit them, restart the system first.
By default, enabled=1 is used after a normal startup. You can run the auditctl -e 1 command to change the value of enabled to 1.
Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0
backlog=0
Jasper ~ # auditctl -e 2
AUDIT_STATUS: enabled=2 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0
backlog=0
Jasper ~ # auditctl -a entry,always -S umask
Error sending add rule request (Operation not permitted)
The "Operation not permitted" error shows that rules cannot be edited when enabled is 2.
or
/etc/rc.d/init.d/auditd stop
Procedure
Step 1 Create a default configuration file of the audit service.
Jasper ~ # mkdir /etc/audit/
Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules
Step 3 Edit the startup script of the audit service to configure an automatic loading rule after a restart.
/etc/rc.d/init.d/auditd restart
----End
If the value is not 1, run the auditctl -e 1 command to enable log recording.
----End
Important Notes
Because audit rules are added, the kernel performs additional audit operations besides normal processing, which degrades system performance. Delete unnecessary audit rules and minimize the number of audit rules based on site requirements to minimize performance deterioration.
3.7.2 Upgrade
Currently, the Dopra Linux version and product version are independent. The Dopra Linux
upgrade does not affect applications that have been installed on the source Dopra Linux, when
the hard disk partition settings on the source and destination Dopra Linux versions are the
same.
You can upgrade the Dopra Linux using either of the following methods:
l USB upgrade
l Web upgrade
For details about upgrade methods, see Guide to Dopra Linux Operating System Remote
Patch Upgrade delivered with Dopra Linux patches.
NOTE
You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web
mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the Dopra
Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.
If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled
back. In this case, the USB upgrade is recommended.
The base station operating system patches are packed in the base station product version, and therefore a separate operating system upgrade is not supported on the base station. However, if any security risks are exposed in RTOS versions, you can apply the operating system patches by upgrading the product version, because these patches are packed in the latest product version.
NOTE
If the product version includes RTOS patches, the patch information will be addressed in the Release Notes of
base stations.
The base station operating system is not visible for users because the patches are packed in
the base station software.
- Of all operating system security policies of the base station, only the anti-virus policy is provided by the operating system. For details, see section 3.4 Enhanced Antivirus Policy.
- Other than the antivirus policy, operating system security policies are packed in the base station software. For details, see the Equipment Security Feature Parameter Description.
Version | Supported boards
V100R001C03SPC010 | OMUa/SAUa/OMUb/SAUb
V100R001C03SPC020 | OMUa/SAUa/OMUb/SAUb
V100R001C03SPC030 | OMUa/SAUa/OMUb/SAUb
V200R003C02SPC030 | OMUc/SAUc
V200R003C02SPC060 | OMUc/SAUc
V200R003C02SPC070 | OMUc/SAUc
V200R003C02SPC080 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C02SPC090 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC080 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC100 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC120 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC130 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC150 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC170 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC190 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC230 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC260 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC290 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC310 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC330 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC360 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC390 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
RTOS-V100R001C00SPC030 | EOMUa/ESAUa
RTOS-V100R001C00SPC050 | EOMUa/ESAUa
RTOS-V100R001C00SPC060 | EOMUa/ESAUa
RTOS-V100R001C00SPC070 | EOMUa/ESAUa
RTOS-V100R001C00SPC080 | EOMUa/ESAUa
RTOS-V100R001C00SPC090 | EOMUa/ESAUa
RTOS-V200R003C08SPC080 | EOMUa/ESAUa
RTOS-V200R003C08SPC100 | EOMUa/ESAUa
RTOS-V200R003C08SPC120 | EOMUa/ESAUa
RTOS-V200R003C08SPC150 | EOMUa/ESAUa
RTOS-V200R003C08SPC170 | EOMUa/ESAUa
RTOS-V200R003C08SPC190 | EOMUa/ESAUa
RTOS-V200R003C08SPC230 | EOMUa/ESAUa
RTOS-V200R003C08SPC260 | EOMUa/ESAUa
RTOS-V200R003C08SPC290 | EOMUa/ESAUa
RTOS-V200R003C08SPC310 | EOMUa/ESAUa
RTOS-V200R003C08SPC330 | EOMUa/ESAUa
RTOS-V200R003C08SPC360 | EOMUa/ESAUa
RTOS-V200R003C08SPC390 | EOMUa/ESAUa
NOTE
- The Dopra Linux can be upgraded to a target version that supports the same type of boards as the source version. For example, any version can be upgraded to V200R003C02SPC080, but V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.
- Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although supported boards vary with versions.
- Rectify the OpenSSH security issue CVE-2012-0814 and fix the plaintext vulnerability in the CBC mode (vulnerability ID: CVE-2008-5161).
- Rectify the libsasl2 security issue CVE-2013-4122.
- Rectify the terminal color change issue when a common user switches to the root user with su.
- Rectify the incorrect failed-login log statistics issue.
- Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, and CVE-2014-0076.
- Add SFTP logging.
- Support logging of CLI operations.
- If attackers use the -p option in the useradd, usermod, groupadd, and groupmod commands, they are able to find ways to bypass the password complexity check. Therefore, to prevent such attacks, the -p option is no longer supported.
- Rectify the fault that N+1 historical passwords are recorded when remember is set to N in /etc/pam.d/common-password.
- Vulnerability CVE-2016-1907 is falsely reported by a Nessus vulnerability scan.
- Disable the remote login of user root by default. Add user lgnusr for remote login. After a successful login as user lgnusr, the session can be switched to user root, thereby enhancing the security of user management.
- Add support for the lastlog function (displaying information about the previous login upon login).
- Rectify the glibc vulnerability (CVE-2015-7547).
- Add the nice command, rectifying the log dump failure that is caused by the lack of the nice command.
- Rectify the defect that alarms cannot be correctly reported when the internal network adapter encounters packet errors.
6 Parameters
7 Counters
8 Glossary
9 Reference Documents