Dopra Linux OS Security (SingleRAN - 12)

SingleRAN
Dopra Linux OS Security Feature

Parameter Description
Issue
12
Date
2015-04-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 12 (2015-04-30)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.
SingleRAN
Dopra Linux OS Security Feature Parameter Description
Contents
Contents
1 Introduction....................................................................................................................................1
1.1 Scope..............................................................................................................................................................................1
1.2 Intended Audience..........................................................................................................................................................1
1.3 Change History...............................................................................................................................................................1
2 Dopra Linux Security Description.............................................................................................7

2.1 Introduction to the Dopra Linux.....................................................................................................................................7
2.1.1 Overview.....................................................................................................................................................................7
2.1.2 Differences Between the Dopra Linux and Other Operating Systems........................................................................7
2.2 Dopra Linux Security Overview.....................................................................................................................................8
2.3 Security Architecture......................................................................................................................................................8
3 Dopra Linux Security Features.................................................................................................10

3.1 User Management.........................................................................................................................................................10
3.1.1 Dopra Linux Users.....................................................................................................................................................10
3.1.2 Security Policies for User Management....................................................................................................................11
3.1.3 Operations Related to User Management..................................................................................................................12
3.1.4 Operations Related to Password Complexity Management......................................................................................13
3.1.5 Operations Related to Password Setting....................................................................................................................13
3.2 File System and Permission Management....................................................................................................................14
3.2.1 Directory Protection..................................................................................................................................................14
3.2.2 File Protection............................................................................................................................................................15
3.3 Network Management..................................................................................................................................................15
3.3.1 Protocols Enabled by Default....................................................................................................................................16
3.3.2 Services Enabled by Default......................................................................................................................................16
3.3.3 Ports Opened by Default............................................................................................................................................17
3.3.4 System Firewall iptables............................................................................................................................................17
3.3.5 Security Policies Related to TCP/IP Stacks..............................................................................................................17
3.3.6 Security Policies Related to SSH...............................................................................................................................21
3.3.7 Operations Related to SSH........................................................................................................................................22
3.4 Enhanced Antivirus Policy...........................................................................................................................................24
3.4.1 Virus Entry Control...................................................................................................................................................24
3.4.2 Post-entry Virus Control............................................................................................................................................24
3.5 Operating System Integrity Protection.........................................................................................................................24
Issue 12 (2015-04-30)

ii
SingleRAN
Contents
3.5.1 Product Development Security..................................................................................................................................24

3.5.2 Product Release Security...........................................................................................................................................25
3.6 System and Security Log Management........................................................................................................................25
3.6.1 Log Files....................................................................................................................................................................25
3.6.2 Real-Time Access Information Recording................................................................................................................25
3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux..............................................................................25
3.6.3.1 Configuration Commands.......................................................................................................................................26
3.6.3.2 Configuration Guide...............................................................................................................................................27
3.7 System Upgrade and Patch Policy................................................................................................................................29
3.7.1 Patch Installation.......................................................................................................................................................29
3.7.2 Upgrade.....................................................................................................................................................................29
4 Base Station Applications..........................................................................................................31

5 Differences Between History Dopra Linux Versions...........................................................32
5.1 History Dopra Linux Versions.....................................................................................................................................32
5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb................................................................................................33
5.2.1 V100R001C03SPC010 to V100R001C03SPC020...................................................................................................33
5.2.2 V100R001C03SPC020 to V100R001C03SPC030...................................................................................................33
5.3 Versions Running on the OMUc/SAUc.......................................................................................................................34
5.3.1 V200R003C02SPC030 to V200R003C02SPC060...................................................................................................34
5.3.2 V200R003C02SPC060 to V200R003C02SPC070...................................................................................................34
5.4 V200R003C02SPC080 Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc..................................................34
5.4.1 V200R003C02SPC070 to V200R003C02SPC080...................................................................................................34
5.4.2 V200R003C02SPC080 to V200R003C02SPC090...................................................................................................34
5.4.3 V200R003C02SPC090 to V200R003C08.................................................................................................................35
5.4.4 V200R003C08 to V200R003C08SPC080.................................................................................................................35
5.4.5 V200R003C08SPC080 to V200R003C08SPC100...................................................................................................35
5.4.6 V200R003C08SPC100 to V200R003C08SPC120...................................................................................................36
5.4.7 V200R003C08SPC120 to V200R003C08SPC130...................................................................................................36
5.4.8 V200R003C08SPC130 to V200R003C08SPC150...................................................................................................36
5.4.9 V200R003C08SPC150 to V200R003C08SPC170...................................................................................................36
5.4.10 V200R003C08SPC170 to V200R003C08SPC190.................................................................................................36
5.5 Versions Running on the EOMUa/ESAUa..................................................................................................................37
5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030.........................................................................................37
5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050............................................................................37
Issue 12 (2015-04-30)

iii
SingleRAN
Contents
5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150..........................................................................39

6 Parameters.....................................................................................................................................40
7 Counters........................................................................................................................................41
8 Glossary.........................................................................................................................................42
9 Reference Documents.................................................................................................................43
Issue 12 (2015-04-30)

iv
SingleRAN
1 Introduction
Introduction
1.1 Scope
This document describes the security features and capabilities of the Dopra Linux operating
system.
NOTE
l This document is based on V200R003C02SPC090 and RTOS-V100R001C00 SPC080. For details

about differences in history versions, see " 5 Differences Between History Dopra Linux Versions."
l The operating system for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed RTOS.
Real-time operating system (RTOS) inherits basic functions on Dopra Linux. This document refers to
an RTOS version with a prefix RTOS- in front of the version number, for example, RTOSV100R001C00SPC070. Unless otherwise stated, this document can be applied to both Dopra Linux
and RTOS.
l For a base station, only software of the UMPT and UMDU boards uses and encapsulates the Dopra
Linux OS. Therefore, you cannot log in to the OS of a base station that is configured with one of these
boards after the base station is delivered. For details, see chapter 4 Base Station Applications.
1.2 Intended Audience

This document is intended for personnel who:
l
Need to understand the features described herein
Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:
l
Feature change
Changes in features of a specific product version
l
Issue 12 (2015-04-30)
Editorial change
SingleRAN
1 Introduction
Changes in wording or addition of information that was not described in the earlier version
12 (2015-04-30)
This issue includes the following changes.
Change Type
Change Description
Parameter Change
Feature change
Added 5.4.10 V200R003C08SPC170 to

V200R003C08SPC190
None
Added 5.5.12 RTOSV200R003C08SPC170 to RTOSV200R003C08SPC190

Editorial change
3.3.7 Operations Related to SSH added

SFTP timeout
None
3.3.6 Security Policies Related to SSH

delete
arcfour256,arcfour128algorithm,added
hmac-sha2-256 algorithm
3.3.7 Operations Related to SSH delete
arcfour256,arcfour128 algorithm
11 (2015-02-15)
Change Type
Change Description
Parameter Change
Feature change
Added 5.4.9 V200R003C08SPC150 to

V200R003C08SPC170
None

Editorial change
None
None
10 (2015-01-15)
Issue 12 (2015-04-30)

SingleRAN
1 Introduction
Change Type
Change Description
Parameter Change
Feature change

V200R003C08SPC150
None

Editorial change
None
None
09 (2014-12-15)
Change Type
Change Description
Parameter Change
Feature change

V200R003C08SPC130
None
Editorial change
None
None
08 (2014-10-10)
Change Type
Change Description
Parameter Change
Feature change

V200R003C08SPC120
None

Editorial change
None
None
07 (2014-09-25)
Change Type
Change Description
Parameter Change
Feature change

V200R003C08SPC100
None

Issue 12 (2015-04-30)

SingleRAN
1 Introduction
Change Type
Change Description
Parameter Change
Editorial change
None
None
06 (2014-08-15)
Change Type
Change Description
Parameter Change
Feature change
None
None
Editorial change
Added descriptions of base stations using

the Dopra Linux OS in section 1.1 Scope.
None
05 (2014-06-10)
Change Type
Change Description
Parameter Change
Feature change
Added 3.6.3 Configuration Guide for the

Log Audit Service of Dopra Linux.
None
Editorial change
None.
None
04 (2012-12-30)
Issue 12 (2015-04-30)
Change Type
Change Description
Parameter Change
Feature change
Added V200R003C02SPC090 and its

feature difference.
None
Added RTOS versions RTOSV100R001C00SPC030, RTOSV100R001C00SPC050, RTOSV100R001C00 SPC060, and RTOSV100R001C00 SPC070 and their feature
difference.
None
Added descriptions on operating system

applications of base stations. For details,
see "4 Base Station Applications".
None

SingleRAN
1 Introduction
Change Type
Change Description
Parameter Change
Editorial change
Changed the document name from

Controller Dopra Linux OS Security to
Dopra Linux OS Security.
None
03 (2012-11-30)
Change Type
Change Description
Parameter Change
Feature change
None
None
Editorial change
Changed "RTOS" to "Dopra Linux" in this

document. The document title is also
changed from "RTOS Security" to
"Controller Dopra Linux OS Security" for
consistency with the name of the current
operating system.
None
02 (2012-09-30)
Change Type
Change Description
Parameter Change
Feature change
None
None
Editorial change
Added the description on how to create

users, change passwords, and delete users.
None
For details, see section 3.1 "User

Management."
Added section 3.5 "Operating System
Integrity Protection."
None
Modified Secure Shell (SSH) policies.
None
For details, see section 3.3 "Network

Management."
Added chapter 5 "Differences Between
History Dopra Linux Versions".
None
01 (2012-08-16)
Issue 12 (2015-04-30)

SingleRAN
1 Introduction
Change Type
Change Description
Parameter Change
Editorial change
Modified the organization and descriptions

in section 3 "Dopra Linux Security
Features."
None
Modified the TCP/IP protocol stack

security policy table and added default
values for these security policies.
None
Added the description on how to create

users, change passwords, and delete users.
None
Draft A (2012-06-20)
This is a draft.
Issue 12 (2015-04-30)

SingleRAN
2 Dopra Linux Security Description
Dopra Linux Security Description
2.1 Introduction to the Dopra Linux

2.1.1 Overview
The Dopra Linux is a Linux-based operating system tailored to provide full security protection
for telecommunications products. As part of an end-to-end security solution, the Dopra Linux
is enhanced in hardware support, software commissioning, and performance to minimize
security risks.
A customized Dopra Linux consists of the kernel and root file system:
l
Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which
helps improve system security.
Root file system: The Dopra Linux is a compact operating system where only useful
database and service components are installed in the file system. This helps minimize
security risks.
2.1.2 Differences Between the Dopra Linux and Other Operating

Systems
The Dopra Linux is a real-time embedded operating system. Compared with server and desktop
operating systems, the Dopra Linux meets the following security requirements:
l
System-level security requirements, such as minimum installation, system tailoring, and

security patch management
Anti-attack requirements for protocols and interfaces, such as use of secure protocols and
anti-attack features
Requirements on product development, release, and installation, such as software

commissioning and integrity checking
Sensitive data protection requirements, such as data confidentiality and integrity, use of
encryption algorithms, and use of secure transmission channels
Issue 12 (2015-04-30)

SingleRAN
Requirements for secure system management and maintenance, such as password,

authentication, authorization, log, and alarm management
2.2 Dopra Linux Security Overview

The main security threats for the Dopra Linux are security vulnerabilities, password cracking,
illegal operations, and information disclosure.
Table 2-1describes these threats.
Table 2-1 Main security threats for the Dopra Linux
Threat
Description
Severity
Security Requirement
Security
vulnerability
The kernel, SSH, and

Secure File Transfer
Protocol (SFTP)
have known security
vulnerabilities.
Minor
The Dopra Linux provides a new

service protocol version and is
able to fix security
vulnerabilities by version
upgrade or patch installation.
The Dopra Linux is upgraded
every 12 months by default.
Password cracking
Password
complexity check is
not performed on the
initial password.
Major
The Dopra Linux requires users

to use complex passwords.
Illegal operation
The maximum
number of
unsuccessful login
attempts is not
specified.
Minor
The Dopra Linux locks the login

account or IP address when the
maximum number of
unsuccessful login attempts is
exceeded.
Information
disclosure
Insecure protocols,
such as Trivial File
Transfer Protocol
(TFTP) and Telnet
are used.
Major
By default, the Dopra Linux does

not support insecure protocols.
Instead, it uses secure protocols
such as SFTP.
NOTE
The Dopra Linux does not require antivirus software because few viruses target at Linux and only few
Dopra Linux ports are open. For details about Dopra Linux antivirus, see "3.4 Enhanced Antivirus
Policy."
2.3 Security Architecture

The Dopra Linux interfaces hardware (multi-core CPUs and other devices) and user-mode
processes. The Dopra Linux runs on medium- or high-end CPUs. As a multi-thread operating
system, the Dopra Linux features the security policies listed in Table 2-2.
Issue 12 (2015-04-30)

SingleRAN
Table 2-2 Dopra Linux security policies

Identity Authentication
l Access control
l User password control
File System and Permission

Management
l Directory protection
Network Management
l Protocols enabled by default
l File protection
l Services enabled by default

l Ports opened by default
l System firewall iptables
l Security policies related to TCP/IP stacks
l Security policies related to SSH
Enhanced Antivirus Policy
l Virus entry control

l Post-entry virus control
Operating System Integrity

Protection
l Product development security

l Product release security
l Product installation security
System and Security Log

Management
Log file management, such as auditing and

monitoring
System Upgrade and Patch Policy
l Patch installation
l System upgrade
Issue 12 (2015-04-30)

SingleRAN
3 Dopra Linux Security Features
Dopra Linux Security Features
3.1 User Management

3.1.1 Dopra Linux Users
Dopra Linux users are categorized into root user, common user, service user, and lgnusr user.
The permission of these users is as follows:
l
The root user has the highest operation permission, including read, write, and execute
permission. The read permission allows the root user to view the names and contents of
files under a directory. The write permission allows the root user to create or delete files
as well as modify file contents. The execute permission allows the root user to run shell
scripts or binary executable files. The root user can be granted read, write, and execute
permission to all files and directories.
V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow
the root user to perform remote login. This measure helps enhance system security.
Common users are created by the root user. They can log in to the Dopra Linux and create,
modify, or delete files under their specific home directories. For example, user jack can
perform relevant operations under the home directory /home/jack. In addition, common
users can run scripts or binary executable files under the /usr/bin and /bin directories.
Service users are used by system service processes. Service users have the lowest operation
permission and cannot log in to the operating system. They are not created by the root user.
This prevents unauthorized users from attacking the operating system and reduces security
risks. Service user accounts in the Dopra Linux include sshd, nobody, haldaemon,
messagebox, and mysql.
Issue 12 (2015-04-30)

10
SingleRAN
NOTE
l sshd: sshd server users cannot login to the operating systerm.

l nobody: portmap standard account of other system services cannot login to the operating systerm.
l haldaemon: standard account used by haldaemon servers account cannot login to the operating
systerm.
l messagebus:standard account used by D-BUS servers account cannot login to the operating
systerm.
l mysql: used by mysql servers.
The lgnusr user is an internal common user. Added in V200R003C02SPC090 and RTOSV100R001C00SPC070, the lgnusr user is used for Secure Shell (SSH) login. You can run
the su command to switch the lgnusr user to the root user to gain administrative rights. You
are advised to reserve the lgnusr user for SSH security.
3.1.2 Security Policies for User Management

Table 3-1 describes the security policies for user management in the Dopra Linux.
Table 3-1 Security policies for user management in the Dopra Linux
User
Management
Policy
Password
complexity
A user password must contain at least eight characters, including at least

one uppercase letter, one lowercase letter, one special character, and
one digit.
Simple passwords (passwords defined in the weak password dictionary)
are not allowed.
NOTE
l You can run the zcat /usr/share/cracklib/cracklib-words.gz command to
view the weak password dictionary.
l For the Dopra Linux,you can run the create-cracklib-dict command to
update the weak password dictionary. For example, run the create-cracklibdict dict1.dat command to add words in dict1.dat to the weak password
dictionary.
l For the RTOS, the weak password dictionary cannot be viewed or modified
to prevent it from being disclosed.
The Dopra Linux records the history passwords of only common users.
By default, the Dopra Linux records a maximum of three history
passwords.and the RTOS records a maximum of five history passwords.
The new password must be different with the history passwords or the
reverse of history passwords.
Common users can change only their own passwords. The root user can
change all users' passwords.
Issue 12 (2015-04-30)

11
SingleRAN
User
Management
Policy
Login message
l For the Dopra Linux, the Dopra Linux prints the information about
the previous login after a login, including the login date, time, and
IP address. The information helps users determine whether
unauthorized users have used the account.
l For the RTOS, the information print function is disabled by default
after a successful login. You can enable the information print
function as follows: Run the vi /etc/ssh/sshd_config command to
open the sshd_config file, set PrintLastLog to yes, and run the
killall sshd command to restart the SSHD service.
Login permission
By default, a user account is locked for 300 seconds at three consecutive

unsuccessful login attempts. The administrator can unlock the account.
Versions before V200R003C08SPC080, users will be asked for old
passwords when changing their own passwords. From
V200R003C08SPC080 and later versions, old password is required.
For all versions, old password is not required when root use r modifing
non-root users.
Root user
The root user is the only superuser in the system and is authorized to
execute all scripts and executable files.
The password for the root user is customized before Dopra Linux
deployment.
service user
service users. They cannot log in to the Dopra Linux and are only for
service purposes.
Advance warning
before password
expiration
The default password validity period is 30 days. To enhance password

security, the Dopra Linux prompts users to change their passwords
seven days before the passwords expire.
In versions earlier than V200R003C02SPC090, the default password
validity period is 30 days. In V200R003C02SPC090,RTOSV100R001C00SPC050 and later versions, the default password validity
period is 90 days.
Minimum
password validity
You are advised to set the minimum password validity period to 48

hours or longer. Otherwise, the password may bypass the password
security policy inspection.
Passwords
encryption
The Dopra Linux uses SHA-512 encryption algorithm to encrypt

passwords in V200R003C02SPC080 and later.Versions before
V200R003C02SPC080 use MD5.
3.1.3 Operations Related to User Management

Operations related to user management include creating, deleting, and switching users as well
as changing user passwords. This section uses user1 as an example to describe these operations.
Issue 12 (2015-04-30)

12
SingleRAN
To create user1, run the following command:

useradd m user1 //After user1 is created, its home directory /home/user1 is also created.
To delete user1, run the following command:

userdel r user1 //After user1 is deleted, its home directory /home/user1 is also deleted.
To change the password for user1, run the following command:

passwd user1 //Only user1 and the root user can change the password for user1.
The password must comply with the password complexity policy in Table 3-1. For example,
Huawei@751.
To switch to user1, run the following command:

su user1 //The current user is switched to user1.
su - user1 //The current user is switched to user1. The hyphen (-) indicates that the
environment variables are also switched.
3.1.4 Operations Related to Password Complexity Management

NOTE
It is recommended that you not modify password complexity settings to enhance password security.
You can set the following parameters in the /etc/pam.d/common-password file to modify
password complexity settings:
l
retry = N: You have N attempts to change the password each time you run the passwd
command. N is an integer from 1 to 256. The default value is 6.
lcredit = N: A password contains at least N lower-case letters. N is an integer from 0 to

127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
ucredit = N: A password contains at least N upper-case letters. N is an integer from 0 to

127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
dcredit = N: A password contains at least N digits. N is an integer from 0 to 127. The

default value is 1 for the Dopra Linux OS and 0 for the RTOS.
ocredit = N: A password contains at least N special characters(~!@#$%^&*()_+`-={}|[]

\:";'<>?,./). N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS
and 0 for the RTOS.
minlen = N: A password contains at least N characters. N is an integer from 6 to 127. The

default value is 8.
enforce_root: A password policy takes effect to the root user. After this parameter is
deleted, the password policy does not take effect to the root user.
remember = N: N previous passwords are recorded for common users. N is an integer from
0 to 400. The default value is 3 for the Dopra Linux OS and 5 for the RTOS. This rule does
not take effect for the root user to change the passwords for itself and other accounts.
uname_check: A password cannot be the same as any user name or be any user name in
reverse order. This function is enabled by default.
3.1.5 Operations Related to Password Setting

NOTE
In versions earlier than V100R001C03SPC030, the password lock and validity period cannot be changed
because the etc/pam.conf file and chage command are not supported in these versions.
Issue 12 (2015-04-30)

13
SingleRAN
You can set the following options in the /etc/pam.d/common-auth file to modify password
locking settings:
l
deny=N, which indicates that the login account is locked when the number of unsuccessful
login attempts exceeds N. N is an integer between 1 to 32. The default value is 3.
unlock_time=N, which indicates that the user account is locked for N seconds when the
maximum number of unsuccessful login attempts is exceeded. N is an integer between 1
to 3600. The default value is 300.
You can run the following commands to view or modify password time settings:
l
chage -l user1 //You can view the parameters such as the minimum interval at which a
password must be changed (Minimum), the maximum interval at which a password must
be changed (Maximum), and advance warning before password expires (Warning).
chage -m N common user //N indicates the minimum interval at which a common user's
password must be changed, which means you can change the password N days later. N is
an integer between 0 to 99999. If N is set to 0, you can change the password anytime. This
option does not apply to the root user.
chage -M N root/common user //N indicates the maximum interval at which common user's
password must be changed. N is an integer between 1 to 99999.
chage -W N root/common user //N indicates the advance warning days before a common
user's password expires. N is an integer between 1 to 99999.
3.2 File System and Permission Management

File system permission is categorized into read, write, and execute permission. The root user
can operate all files. Common users can operate only their own files. Permission management
ensures file security.
3.2.1 Directory Protection

The Dopra Linux restricts directory access permission. You can run the ll or ls l command to
query the read, write, and execute permission on files and sub-directories in different directories.
The following is an example:
Jasper / # ll
total 112
drwxr-xr-x
2 root root 4096 Jul
drw-r----6 root root 4096 Jul
drwxr-xr-x
drwxr-xr-x 25 root root 4096 Jul
drwxr-x--x
-rwxr-xr-x
1 root root
29 Jul
drwxr-xr-x
drwx-----2 root root 16384 Jul
d-wx---r-x
drwxr-xr-x
drwxr-xr-x
drwxr-x--2 root root 4096 Jul
dr-xr-xr-x 114 root root
0 Jul
drwx-----3 root root 4096 Jul
-rwxr-xr-x
drwxr-xr-x
Issue 12 (2015-04-30)
6
7
7
7
7
5
6
5
5
5
5
5
5
7
7
7
5
5
22:10
23:08
19:11
23:15
21:19
22:24
22:10
22:23
22:24
22:24
22:25
22:24
22:24
19:10
22:06
21:25
22:24
22:24
bin
boot
dev
etc
home
init
lib
lost+found
mbsc
media
mnt
none
opt
proc
root
sbin
sc_init
srv

14
SingleRAN
drwxr-xr-x
drwxrwxrwt
drwxr-xr-x
drwxr-xr-x
drwxr-xr-x
11
2
2
7
10
root
root
root
root
root
root
root
root
root
root
0
4096
4096
4096
4096

Jul 7 19:10 sys
Jul 11 03:30 tmp
Jul 5 22:25 usb
Jul 5 22:24 usr
Jul 6 22:10 var
The following uses the last line as an example to explain the command output:
l
In drwxr-xr-x:
d means directory. Files are not started with d.
rwx indicates that the file or directory creator has read, write, and execute permission.
r-x indicates that users who belong to the same user group as the file or directory creator
have read and execute permission.
The second r-x indicates that users who do not belong to the same user group as the file
or directory creator have read and execute permission.
NOTE
The root user has the highest permission and can operate all files created by other users.
10 indicates the number of hard connections to the directory.
root indicates that the file or directory is created by the root user.
The second root indicates that the file or directory creator is in the root user group.
4096 indicates the directory or file size (excluding files or sub-directories under the
directory).
Jul 6 22:10 is the time when the file or directory was last modified.
var is the file or directory name.
3.2.2 File Protection

The Dopra Linux restricts common users' access to system files.
l
Common users cannot visit the home directory.
Common users cannot modify or delete commands, library files, and directories storing
device files (/dev) or configuration files (/etc).
Only the root user is authorized to access system command management directories (/
sbin and /usr/sbin) and log files in /var/log.
NOTE
The read permission to a directory indicates that a user can view the files and sub-directories under the
directory. The write permission indicates that a user can create files and sub-directories under the directory.
The execute permission does not apply to directories.
The read permission to a file indicates that a user can view the contents in the file. The write permission
to a file indicates that a user can edit the contents in the file. The execute permission to a file indicates that
a user can execute the commands in the file.
Users can run the setfacl command to set access permission to a file. For example, in the setfacl
-m u:user1:rw a.dat command, user1 has read and write permission to a.dat.
3.3 Network Management

Issue 12 (2015-04-30)

15
SingleRAN
3.3.1 Protocols Enabled by Default

By default, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and
Internet Control Message Protocol (ICMP) are enabled in the Dopra Linux.
3.3.2 Services Enabled by Default

Table 3-2 describes the default services provided in the Dopra Linux.
Table 3-2 Default services provided in the Dopra Linux
Service
Name
ON/OFF
Protocol
Port
Number
Description
sshd
ON
TCP
22
A service started from inittab for

SSH login
syslog-ng
ON
N/A
N/A
A service started from inittab for log

recording
dbus-daemon
ON
N/A
N/A
An application that uses the D-Bus

library to implement a message bus
daemon
NOTE
D-Bus is a library that provides one-toone communication between any two
applications. Multiple programs connect
to the message bus daemon and can
exchange messages with each other.
Issue 12 (2015-04-30)
cron
ON
N/A
N/A
Daemon to execute scheduled

commands
klogd
ON
N/A
N/A

buffering
auditd
ON
N/A
N/A
A service for saving audit records to

the disk
boot.udev
ON
N/A
N/A
A service that listens to kernel events

and passes the incoming events to
udev
haldaemon
ON
N/A
N/A
A service that collects and stores

hardware information
syslogbuf
ON
N/A
N/A

buffering
acpid
ON
N/A
N/A
A service that functions as the

daemon of advanced configuration
and power interface (ACPI) and
manages the power supply

16
SingleRAN
3.3.3 Ports Opened by Default

For details about the default ports opened in the Dopra Linux, see Communication Matrix
delivered with the product.
You can run the netstat -nlp command to view all listening ports.
3.3.4 System Firewall iptables

iptables is a kernel-level component in the Linux for filtering IP packets. When Linux is
connected to the Internet, local area networks (LANs), servers, or Internet proxies, iptables act
as a firewall to filter IP packets.
Being integrated into the Dopra Linux, iptables does not need to be configured by default.
However, users can define rules in the iptables if required. When defining rules for a live
network, note the following points:
l
Do not modify existing rules.
Write scripts to ensure that defined rules automatically take effect upon system startup.
Define rules again after the Dopra Linux is upgraded or updated, as defined rules are deleted
after the system is upgraded or updated.
3.3.5 Security Policies Related to TCP/IP Stacks

Dopra Linux does not support IPv6 by default. Table 3-3 describes security policies related to
the IPv4 TCP/IP stack. These items are configured in the /etc/sysctl.conf file. Default settings
in Table 3-3 are recommended by Huawei to ensure optimum security and performance, and
generally should not be changed.
NOTE
The configuration items of TCP/IP stacks are named in the format of "net + protocol + conf + all/default/
device + attribute". Where, device means a logical interface, such as eth1, bond2, and vlan3, default is used
to initialize an interface as it is initialized and loaded, and all means to apply to all interfaces.
Issue 12 (2015-04-30)

17
SingleRAN
Table 3-3 Configuration items

Item
Defaul
t Value
Description
net.ipv4.conf.all.arp_ignore
0 for the
RTOS
net.ipv4.conf.default.arp_i
gnore
1 for the
Dopra
Linux
This parameter defines the modes for sending replies

in response to received ARP requests that resolve
local target IP addresses.
l 0: Reply to any local target IP address,
irrespective of its interface.
l 1: Reply only if the target IP address is the local
address configured on the incoming interface.
l 2: Reply only if the target IP address is the local
address configured on the incoming interface,
and both the sender's and receiver's IP addresses
are in the same subnet.
l 3: Reply only resolutions for global and link
addresses, and do not reply to local addresses
configured with scope host.
l 4-7: Reserved.
l 8: Do not reply to local addresses.
net.ipv4.conf.all.promote_
secondaries
net.ipv4.conf.default.prom
ote_secondaries
If this item is enabled and primary address of an

interface is deleted, an alias of the interface will be
upgraded to the primary one.
l 0: The alias of the interface will not be upgraded
to the primary one.
l 1: The alias of the interface will be upgraded to
the primary one.
l Default for Dopra linux is 0, for RTOS is 1.
net.ipv4.conf.all.arp_filter
net.ipv4.conf.default.arp_f
ilter
l 0: The kernel can respond to ARP requests with

addresses from other interfaces. This may seem
wrong but it actually makes sense because it
increases the number of successful
communication attempts. IP addresses are owned
by the complete host on the Linux, not by specific
interfaces.
l 1: This value allows you to have multiple network
interfaces on the same subnet and have the ARPs
for each interface be answered based on whether
the kernel can route packets from the ARP's IP
address out of that interface.
net.ipv4.conf.all.accept_so
urce_route
net.ipv4.conf.default.acce
pt_source_route
Issue 12 (2015-04-30)
This parameter specifies whether to accept routing

extension headers.
If the value for this parameter is greater than or equal
to 0, only the routing header type 2 is accepted.
If this value is less than 0, routing header is not
accepted.

18
SingleRAN
Item
Defaul
t Value
Description
net.ipv4.conf.all.accept_re
directs
It is assumed that the network segment where the

host is located has two routers, and one of them is set
as the default gateway. When another router sends
IP packets to the gateway, the router also sends an
ICMP redirect message, instructing the gateway to
forward those packets to other routers.
net.ipv4.conf.default.acce
pt_redirects
l 1 means to accept the redirect forwarding.

l 0 means to ignore the redirect forwarding.
It is recommended that this parameter be set to 0
to eliminate potential security risks.
net.ipv4.conf.all.secure_re
directs
net.ipv4.conf.default.secur
e_redirects
This parameter specifies the secure redirect

forwarding function. When this function is enabled,
only ICMP redirect messages from the gateway are
accepted.
l 1 means to enable the function.
l 0 means to disable the function.
net.ipv4.conf.all.send_redirects
This parameter specifies whether to send redirect

messages.
l 1 means to send.
net.ipv4.conf.default.send
_redirects
l 0 means not to send.
net.ipv4.tcp_fin_timeout
60
This parameter specifies the duration for keeping

packets in the FIN-WAIT-2 state. If the value of this
parameter is too large, memory overflow may occur.
net.ipv4.tcp_syncookies
This parameter specifies whether to send syncookies

when the syn backlog queue overflows. This
parameter is valid only when CONFIG_SYNCOOKIES is set during kernel compilation.1 means to
send.0 means not to send.
net.ipv4.tcp_syn_retries
This parameter specifies the number of times initial

SYN messages for an active TCP connection attempt
will be retransmitted.
net.ipv4.tcp_synack_retries
This parameter specifies the number of times SYNACK messages for a passive TCP connection
attempt will be retransmitted.
net.ipv4.tcp_max_syn_bac
klog
4096
This parameter specifies the maximum number of

unacknowledged connection requests.
net.ipv4.icmp_echo_ignor
e_broadcasts
This parameter specifies whether to ignore broadcast

and multicast messages.
l 1 means to ignore.
l 0 means not to ignore.
Issue 12 (2015-04-30)

19
SingleRAN
Item
Defaul
t Value
Description
kernel.panic_on_oops
This parameter specifies the kernel's behavior when

it encounters an exception or bug.
l 0: Attempt to continue operations.
l 1: Stop (panic) immediately. If sysctl is also nonzero, the server will be rebooted.
kernel.printk
6417
This parameter specifies where to send log messages

according to their priorities. This parameter has four
default values, which denote console_loglevel,
default_message_loglevel, minimum_console_loglevel, and default_console_loglevel, respectively.
l console_loglevel: Messages with a priority
higher than this level will be printed to the
console.
l default_message_loglevel: Messages without an
explicit priority will be printed with this level.
l minimum_console_loglevel: This level is the
minimum (highest) value to which
console_loglevel can be set.
l default_console_loglevel: This is the default
value for console_loglevel.
net.ipv4.tcp_timestamps
This parameter specifies whether to add a 12-byte

timestamp to TCP headers.
l 0 means not to add the timestamp.
l 1 means to add the timestamp.
net.ipv4.icmp_ignore_bog
us_error_responses
This parameter specifies whether to ignore "bogus

error message responses".
l 1 means to ignore.
l 0 means not to ignore.
net.ipv4.conf.all.rp_filter
net.ipv4.conf.default.rp_fil
ter
This parameter specifies whether to enable IP

spoofing protection and turns on source route
verification.
l 1 means yes.
l 0 means no.
It is recommended that you set this parameter to
1 for a single host or routers in a stub network.
kernel.sysrq
This parameter specifies the magic-sysrq key.

If the parameter is set to non-zero, the system request
key is activated.
Issue 12 (2015-04-30)

20
SingleRAN
3.3.6 Security Policies Related to SSH

The Dopra Linux does not support non-encrypted File Transfer Protocol (FTP) and TELNET.
Instead, it uses secure protocols such as SSH and SFTP.
Table 3-4 lists the configurations for SSH.
Table 3-4 Configurations for SSH
Item
Default Value
Description
Ciphers
aes128ctr,aes192ctr,aes256ctr,arcfour256,a
rcfour128
Uses the 3des-cbc and aes128-cbc encryption

algorithm.
MACs
hmacsha2-256,hmac
-sha1
Sets the message authentication code (MAC)

algorithm to the secure algorithm (SHA2) for
ensuring data integrity.and compatible HMACSHA1
Protocol
Forcibly enables SSH V2.0.
LogLevel
VERBOSE
Sets a message level to Verbose to log user login

information for auditing.
StrictModes
Yes
Forcibly checks file permission and the login user's

permission to the home directory and files.
PubkeyAuthentication
Yes
Allows public key authentication.
PermitEmptyPasswords
No
Forbids login with an empty password.
PermitRootLogin
No
Allows the root user to remotely log in to the Dopra

Linux. You can disable this function for security.
UsePAM
Yes
Uses the pluggable authentication modules

(PAM), a more scalable scheme, for
authentication.
Banner
/etc/issue.net
Displays banners after a user logs in to the Dopra

Linux using SSH. The default banner is: "You are
trying to access a restricted zone. Only Authorized
Users allowed."
NOTE
You can run the vi /etc/issue.net command to modify banners.
Issue 12 (2015-04-30)

21
SingleRAN
3.3.7 Operations Related to SSH

The following part describes operations associated with SSH.
Secure Logins
To log in to a target computer (for example, with an IP address of 192.168.0.241) that provides
SSH services:
Run the ssh root@192.168.0.241 command to log in as the root user, or run the ssh
user1@192.168.0.241 command to log in as user user1.
Secure Copy
To copy data (for example, /home/filename) from a Linux server that provides SSH services
to /home of a target computer (for example, with an IP address of 192.168.0.241):
Run the scp -r /home/filename root@192.168.0.241:/home command.
SFTP Operations
A computer running Dopra Linux can function as a server to provide SFTP services. To connect
to a target computer (for example, with an IP address of 192.168.0.241):
Run the sftp 192.168.0.241 command.
l
Disabling the SFTP Service

1.
Run the vi /etc/ssh/sshd_config command, comment out the line starting with
Subsystem sftp, save the modifications, and close the file.
2.
Run the kill all sshd command to restart the SSHD service.
3.
Check whether the SSHD process starts.
If command "pidof sshd" prints integers, the process starts properly. The SFTP service is
a sub-function of the SSHD service. If the SSHD process restarts, the SFTP service is
disabled successfully.
l
Enabling SFTP Logging

1.
Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem
sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the
file.
2.
Run the kill all sshd command to restart the SSHD service.
3.
Check whether the SSHD process starts.
If command "pidof sshd" prints integers, the process starts properly. The SFTP service is
a sub-function of the SSHD service. If the SSHD process restarts, SFTP logging is enabled
successfully.
Forbidding remote login of the root user

You are advised to disable the remote login of the root user. V200R003C02SPC090, RTOSV100R001C00SPC070, and later versions no longer allow the root user to perform remote login.
To disable remote login, perform the following steps:
Issue 12 (2015-04-30)

22
SingleRAN
Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
l Run the useradd m user1 command to add user user1 and create directory /home/user1.
l Run the passwd user1 command to set or change the password (for example,
Tom@520123) for user user1. For details about the password policy, see "3.1.2 Security
Policies for User Management".
Step 2 Modify the configuration file. Log in as the root user, and set PermitRootLogin to no in the /
etc/ssh/sshd_config file.
Step 3 Run the killall sshd command to restart the SSH service. The modification takes effect after the
SSH service restarts.
----End
NOTE
After the sshd process is killed, the SSH service becomes unavailable. Several seconds later, the SSH
service restarts automatically.
To permit remote login of user root, set PermitRootLogin to yes in the /etc/ssh/sshd_config
file, and restart the SSH service.
Disable SSH Server CBC Mode ,arcfour256,arcfour128 Ciphers disable SSH Server
CBC ,arcfour256,arcfour128 Ciphers algorithm
Perform the following steps to disable the CBC cipher algorithm for the SSH service:
Step 1 Open the vi /etc/ssh/sshd_config file and find the line starting with Ciphers, and change the
content to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
NOTE
Find the line starting with Ciphers but not with #Ciphers. The number sign (#) indicates that the line is
commented out.
Step 2 Run the kill all sshd command to restart the sshd service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config contains the following settings:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr.
Hardening the MAC Algorithm of the SSH Service

Perform the following steps to harden the MAC algorithm of the SSH service:
Step 1 Open the vi /etc/ssh/sshd_config file and find the line starting with MACsand change the content
to:
l Before V200R003C08SPC190 version,MACs modify MACs hmac-sha1.
l After V200R003C08SPC190 version,MACs modify MACs hmac-sha2-256.
l If MACs configue just have hmac-sha2-256,need upgrade putty to 0.64 and above version.
Issue 12 (2015-04-30)

23
SingleRAN
NOTE
Find the line starting with MACsbut not with #MACs. The number sign (#) indicates that the line is
commented out.
Step 2 Run the kill all sshd command to restart the sshd service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config contains the following settings:
MACs hmac-sha1
The preceding operations must be performed by professional personnel who understand basic Linux
command (vi) and common system management commands. Otherwise, the SSH connection may fail due
to incorrect modifications.
3.4 Enhanced Antivirus Policy

3.4.1 Virus Entry Control
The Dopra Linux disables idle ports and uses secure protocols (such as SSH and SFTP) only,
making itself much less vulnerable to virus attacks.
The Dopra Linux uses enhanced password polices, such as forced lockout after three failed
password attempts. These policies greatly improve the anti-hacking capability.
3.4.2 Post-entry Virus Control

The Dopra Linux defines strict permission control, which means that only the root user has the
write permissions to system files and log files. Therefore, even virus files are falsely executed,
only files to which the login user has the write permissions will be corrupted. System running
and log files are not affected.
Though the Dopra Linux does not run any antivirus software, it is insusceptible to virus attacks
unless the root user password is cracked. In addition, the root user password is well protected
by the following measures:
l
Uses enhanced password policies.
Forces the user to log out after defined failed password attempts.
3.5 Operating System Integrity Protection

3.5.1 Product Development Security
The Dopra Linux image contains vmlinuz (kernel) and initrd (root file system), where the kernel
mode and user mode are separated. This method enhances Dopra Linux security.
V200R003C02SPC080, RTOS-V100R001C00, and later versions support security loophole
scan using the Nessus and port and protocol scan using the NMap.
V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions support security
loophole scan using the Retina.
Issue 12 (2015-04-30)

24
SingleRAN
3.5.2 Product Release Security

Before the Dopra Linux is released, it is scanned by antivirus software Symantec, McAfee, Avira,
Kav and Trend to ensure that it is virus free.
3.6 System and Security Log Management

Logs record system running information and are of vital importance to system security. Major
log functions include auditing and monitoring. With logs, you can diagnose problems, monitor
real-time system status, and track traces left by attackers.
3.6.1 Log Files

Only the root user can view log files and description under the log directory /var/log. The
following describes log files in the Dopra Linux:
l
audit
A log file for the audit daemon, which writes kernel information generated by applications
and system activities into hard disk.
dlinstall.log/dlrecover.log/dlupgrade.log
Log files recording information about system installation, rollback, and upgrade.
faillog
A log file recording the number of failed logins due to incorrect user name or password.
This file is encrypted. Running the vi/cat command cannot open this file. You can run
faillog to view this file.
messages
A log file recording kernel and system information.
You can run vi/cat to view this file.
warn
A log file recording all warnings and error information.
wtmp
A log file recording all remote and local logins, changes in system running level, and time
of the changes.
This file is encrypted. You can run last to view this file.
3.6.2 Real-Time Access Information Recording

The Dopra Linux records real-time Dopra Linux login and logout information in logs. For details
about how to manage these logs, see section "Configuring the Function of Recording OMU OS
Accessing Information in Real Time" in OMU Administration Guide.
3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux
Issue 12 (2015-04-30)

25
SingleRAN
3.6.3.1 Configuration Commands

Linux audit Subsystem (audit), is a system service. This service is used for auditing system
invoking records and writing the records to files. The user space program of the audit service is
auditd, which is used for writing audit information to disks.
Audit Configuration Differences Between Dopra Linux and Common Linux

The Dopra Linux(Before V200R003C08SPC100 versions) and common Linux differ in the audit
service as follows:
l
The configuration file path is different. The paths for Dopra Linux are /etc/auditd.conf
and /etc/audit.rules. The paths for common Linux are /etc/auditd/auditd.conf and /etc/
auditd/audit.rules.
When the /etc/rc.d/init.d/auditd script is used to enable the audit service, audit rules are
not automatically loaded by default.If you want to retain the rules after a restart, manually
modify the /etc/rc.d/init.d/auditd file. For details about the procedure, see Configuration
Guide.
Querying Audit Service Status

The audit service status' value of RTOS system can be 0,1,2.
The audit service status' value of Dopra Linux system can be 0,1.
Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0
backlog=0
Jasper ~ #
enabled=1: Log auditing is enabled for the audit service.

enabled=0: Log upgrades are disabled.
enabled=2: The audit rules cannot be edited.If you want to edit it,you should restart the system
first.
By default, enabled=1 is used after a normal startup. You can run the auditctl-e 1 command to
change the value of enabled to 1.
Jasper ~ # auditctl -s
backlog=0
Jasper ~ # auditctl -e 2
backlog=0
Jasper ~ # auditctl -a entry,always -S umask
Error sending add rule request (Operation not permitted)
Error sending add rule request (Operation not permitted) --> When enabled is 2, rules cannot
be edited.
Query Existing Rules

auditctl -l
Issue 12 (2015-04-30)

26
SingleRAN
Deleting All Audit Rules at a Time

auditctl -D
Adding an Audit Rule

Auditctl -a entry,always -S umask -k umask --> Add an audit rule for invoking the umask system.
Deleting an Audit Rule

auditctl -d entry,always -S umask -k umask --> Delete an audit rule for invoking the umask
system.
Adding Audit Rules in Batches

auditctl -R /etc/audit.rules --> /etc/audit.rules is a text file containing rules in any paths.
Stopping the auditd Service Process

killall auditd
or
/etc/rc.d/init.d/auditd stop
Starting the auditd Service Process

startproc /sbin/auditd
or
/etc/rc.d/init.d/auditd start
Querying the auditd Service Process Status

/etc/rc.d/init.d/auditd status
Checking Whether Recording Is Enabled for the auditd Service

auditctl s
If "enabled=1" is displayed, recording is enabled.
3.6.3.2 Configuration Guide

This section describes how to configure the audit service.
Procedure
Step 1 Create a default configuration file of the audit service.
Jasper ~ # mkdir /etc/audit/
Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules
Issue 12 (2015-04-30)

27
SingleRAN
Step 2 Edit the rule file /etc/audit/audit.rules.

You can select interesting audit rules from the following samples:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
# Feel free to add below this line. See auditctl man page
## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
## changes to the time
##
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## umask
-a entry,always -S umask -k umask
## cron configuration & scheduled jobs
-w /etc/crontab -p rwax -k cron
## user, group, password databases
-w /etc/group -p rwax -k etcgroup
-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
## login configuration and information
-w /etc/login.defs -p rwax -k login
-w /etc/securetty -p rwax -k login
## network configuration
-w /etc/hosts -p rwax -k hosts
-w /etc/sysconfig/network -p rwax -k network
## system startup scripts
-w /etc/inittab -p rwax -k init
## kernel parameters
-w /etc/sysctl.conf -p rwax -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p rwax -k modprobe
## pam configuration
-w /etc/pam.d/ -p rwax -k pam
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p rwax -k etcissue
-w /etc/issue.net -p rwax -k etcissue
Step 3 Edit the startup script of the audit service to configure an automatic loading rule after a restart.
Add the following contents in bold to vi /etc/rc.d/init.d/auditd (Skip this step if the bold line
exists):
case "$1" instart) echo -n "Starting RPC auditd daemon"
auditd_pid=`pidof auditd`
if [[ -z ${auditd_pid} ]]
Issue 12 (2015-04-30)

28
SingleRAN
then
$AUDITD_BIN
if [[ $? -ne 0 ]]
then rc_failed 1
else
rc_failed 0
fi
else
rc_failed 0
fi
test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/
null
# Remember status and be verbose
rc_status -v
Step 4 Restart the audit service.

/etc/rc.d/init.d/auditd restart
Step 5 Check whether audit log recording is enabled.
----End
Run the auditctl -s command to check the value of enabled.
If the value is 1, log recording is enabled.
If the value is not 1, run the auditctl e 1 command to enable log recording.
---End
Important Notes
Because audit rules are added, the system kernel adds additional audit operations besides normal
processing, which compromise system performance. Delete unnecessary audit rules and
minimize the number of audit rules based on site requirements to minimize performance
deterioration.
3.7 System Upgrade and Patch Policy

Due to defects in product design or development, the Dopra Linux may have certain
vulnerabilities, for example, service errors or authentication failures. These vulnerabilities may
pose security threats such as hacking or viruses. You can install patches to eliminate these system
vulnerabilities.
3.7.1 Patch Installation

By default, security patches are applied on the Dopra Linux every 12 months.
3.7.2 Upgrade
Currently, the Dopra Linux version and product version are independent. The Dopra Linux
upgrade does not affect applications that have been installed on the source Dopra Linux, when
the hard disk partition settings on the source and destination Dopra Linux versions are the same.
You can upgrade the Dopra Linux using either of the following methods:
Issue 12 (2015-04-30)

29
SingleRAN
USB upgrade
Web upgrade
For details about upgrade methods, see Guide to Dopra Linux Operating System Remote Patch
Upgrade delivered with Dopra Linux patches.
NOTE
You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web
mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the
Dopra Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.
If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled
back. In this case, the USB upgrade is recommended.
Issue 12 (2015-04-30)

30
SingleRAN
4 Base Station Applications
Base Station Applications
The base station operating system patches are packed in the base station product version, and
therefore an separated operating system upgrade is not supported on the base station. However
if any security risks are exposed in RTOS versions, you can run the operating system patches
by way of the product version upgrade because these patches are packed in the latest product
version.
NOTE
If the product version includes RTOS patches, the patch information will be addressed in the Release
Notes of base stations.
The base station operating system is not visible for users because the patches are packed in the
base station software.
l
Of all operating system security policies of the base station, only the anti-virus policy is
provided by the operating system. For details, see "3.4 Enhanced Antivirus Policy."
Other than the antivirus policy, operating system security policies are packed in the base
station software. For details, see the Base Station Equipment and OM Security Feature
Parameter Description.
Issue 12 (2015-04-30)

31
SingleRAN
5 Differences Between History Dopra Linux Versions
Differences Between History Dopra Linux

Versions
5.1 History Dopra Linux Versions

Table 5-1 lists history Dopra Linux versions and corresponding boards.
Table 5-1 History Dopra Linux versions and corresponding boards
Issue 12 (2015-04-30)
Dopra Linux Version
Board
V100R001C03SPC010
OMUa/SAUa/OMUb/SAUb
V100R001C03SPC020
OMUa/SAUa/OMUb/SAUb
V100R001C03SPC030
OMUa/SAUa/OMUb/SAUb
V200R003C02SPC030
OMUc/SAUc
V200R003C02SPC060
OMUc/SAUc
V200R003C02SPC070
OMUc/SAUc
V200R003C02SPC080
OMUa/SAUa/OMUb/SAUb /OMUc/SAUc
V200R003C02SPC090
OMUa/SAUa/OMUb/SAUb /OMUc/SAUc
V200R003C08
OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC080
V200R003C08SPC100
V200R003C08SPC120
V200R003C08SPC130
V200R003C08SPC150
RTOS-V100R001C00SPC030
EOMUa/ESAUa

32
SingleRAN
Dopra Linux Version
Board
EOMUa/ESAUa
RTOS-V100R001C00 SPC060
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
EOMUa/ESAUa
NOTE
l The Dopra Linux can be upgraded to a destination version that supports the same type of boards as the
source version. For example, any version can be upgraded to V200R003C02SPC080, but
V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.
l Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although
supported boards vary with versions.
5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb

5.2.1 V100R001C03SPC010 to V100R001C03SPC020
The following functions are supported:
l
Enable or disable remote login for the root user.
Enhance the password complexity policy, which enables the root user to set password
complexity policies.
Allow the root user to uniformly set password expiration date.
Lock user accounts at multiple unsuccessful login attempts.
Add the setfacl package to allow users to set access permission to files.
Provide the su command so that login users can be switched.
Add the SSH login and logout logs to enhance the log auditing function. The logs include
user name, login time, and source IP address.
5.2.2 V100R001C03SPC020 to V100R001C03SPC030

l
Issue 12 (2015-04-30)
Provide the create-cracklib-dict command to allow users to update the weak password
dictionary.
33
SingleRAN
5.3 Versions Running on the OMUc/SAUc

5.3.1 V200R003C02SPC030 to V200R003C02SPC060
l
Delete the modules for commissioning to minimize security risks. The deleted modules are
ltp, livegdb, lmbench, and livepatch.
5.3.2 V200R003C02SPC060 to V200R003C02SPC070

l
Upgrade the kernel version from Linux-2.6.16.60-0.68.1 to Linux-2.6.16.60-0.87.1.
5.4 V200R003C02SPC080 Running on the OMUa/SAUa/

OMUb/SAUb/OMUc/SAUc
5.4.1 V200R003C02SPC070 to V200R003C02SPC080
l
Support the OMUa, SAUa, OMUb, SAUb, OMUc, and SAUc.
Upgrade the kernel version to Linux-2.6.16.60-0.87.1, which enhances operating system

security.
Enhance operating system security by providing default security settings, such as password
complexity policies.
Upgrade to OpenSSH 5.2.
Disable unnecessary IPv6 modules to minimize security risks posed by these modules.
The portmap service is disabled by default. Therefore, port 111 used by the portmap service
is also disabled by default.
5.4.2 V200R003C02SPC080 to V200R003C02SPC090

l
Update the kernel version to Linux-2.6.16.60-0.99.1 to eliminate system loopholes scanned

out by the NMap, Nessus, and Retina and harden the operating system security.
Count the start time of password validity period from the system installation time. If the
password is changed, the period is counted since the change time. The default password
validity period is changed from 30 days to 90 days.
Add a prompt message when the account is locked.
Add the lgnusr user for remote login. You cannot remotely log in to the system as a root
user by default, but you can remotely log in to the system as an lgnusr user and then switch
to the root user. In this way, the user management security of the operating system is
enhanced.
Issue 12 (2015-04-30)

34
SingleRAN
5.4.3 V200R003C02SPC090 to V200R003C08

l
Rectify the defect that common users cannot modify the OS time zones.
Rectify the defect that Ext3 file system is occasionally read-only.
Rectify the defect that a message indicating expired password is displayed after a USB
flash disk is used to restore the OS.
Rectify the defect that the MySQL service fails to start after a USB flash disk is used to
restore the OS after an upgrade.
Forbid the upgrade from a later version to an earlier version.
Rectify the OpenSSL security issue (CVE-2013-0166).
Forbid the CMDline parameter (init=/bin/bash) parsing in the kernel.
5.4.4 V200R003C08 to V200R003C08SPC080

l
Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192ctr, aes256-ctr, arcfour256, and arcfour128.
Change the account encryption algorithm to the secure algorithm SHA512. In addition, the
old passwords of the root user are verified before they are changed.
Add the one-click recovery function by upgrading the GRUB to GRUB 2. After GRUB is
upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and GRUB password
complexity check is added.
Upgrade OpenSSL to 0.9.8y, which rectifies the OpenSSL security issues CVE-2013-0169
and CVE-2013-0166.
Rectify the OpenSSH security issue CVE-2012-0814,Plaintext Recovery Attack against

CBC ciphers(ID: CVE-2008-5161).
Rectify the libsasl2 security issue CVE-2013-4122.
Rectify the color change issue when a common user switches from the su user to the
root user.
Rectify the incorrect failed log statistics issue.
Rectify OpenSSL security vulnerabilities, including

CVE-2014-0224,CVE-2014-0221,CVE-2014-0195,CVE-2014-0198,CVE-2010-5298,C
VE-2014-3470,CVE-2014-0076.
Add SFTP logging.
5.4.5 V200R003C08SPC080 to V200R003C08SPC100

l
Upgrading the kernel from 2.6.16.60-0.99.1 to 2.6.16.60-0.105.1-bigsmp, fix security

issues and bug fix.
Upgrade glibc from 2.4-31.91.1 to 2.4-31.109.1, fix security issues and bug fix.
Support PAM configuration for su command.
New smartctl command.
Enhanced / etc / ssh / sshd_config in configuration AllowTcpForwarding no, to fix

CVE-2004-1653.
Issue 12 (2015-04-30)

35
SingleRAN
5.4.6 V200R003C08SPC100 to V200R003C08SPC120

l
Enhanced ssh_host_rsa_key.pub and ssh_host_rsa_key length 2048.
Rectify top command not support -b -n 1 parameter.
Rectify bash vulnerabilities,six in total(HUAWEI Vulnerability

ID:HWPSIRT-2014-0951):CVE-2014-6271,CVE-2014-7169,CVE-2014-6277,CVE-201
4-6278,CVE-2014-7186,CVE-2014-7187.
Rectify OpenSSL vulnerabilities,nine in total(HUAWEI Vulnerability

4-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-20145139.
5.4.7 V200R003C08SPC120 to V200R003C08SPC130

l
Rectified the defect that the working link mode of the network adapter is restored to the
original configuration after the OMUc operating system is upgraded.
5.4.8 V200R003C08SPC130 to V200R003C08SPC150

l
Upgrade wget, rectify vulnerabilities CVE-2014-4877.
Added iostat command.
Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3566

(HUAWEI Vulnerability: HWPSIRT-2014-1041), CVE-2014-3567, CVE-2014-3568.
Rectify OpenSSH vulnerabilities CVE-2014-2653.
Because -p of the command useradd, usermod, groupadd and groupmod the option may
bypass the password order of complexity inspection, therefore deleted -p the support of
option.
5.4.9 V200R003C08SPC150 to V200R003C08SPC170

l
Rectify OpenSSL Vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,

CVE-2014-3572, CVE-2014-8275, CVE-2015-0204.
Rectify glibc Vulnerability CVE-2015-0235 (HUAWEI Vulnerability ID

HWPSIRT-2015-01045).
Rectify the failure in connecting to the network during an OS upgrade because the board
was not reset after the OS upgrade from Doprax86V100R001C03.
5.4.10 V200R003C08SPC170 to V200R003C08SPC190

l
Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the

HMAC-SHA1 and HAMC-SHA2 algorithms are supported. In this case, the PuTTY client
does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, the PuTTY
must be upgraded to the 0.64 and above version. Otherwise, board logins will fail.
Upgrade OpenSSL to 0.98zf to rectify the latest vulnerability (CVE-2015-0209

CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0293).
Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and

CVE-2014-9402.
Issue 12 (2015-04-30)

36
SingleRAN
Reinforce security hardening. If no operation is performed in 30 minutes, the SFTP service

times out and exit. The SSH service does not support the arcfour128/256 algorithm.
5.5 Versions Running on the EOMUa/ESAUa

5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030
l
Support the NIS to centrally manage accounts and harden password security.
5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050

l
Fix security loopholes of libxml2, libsnmp, and bash (ID: CVE-2012-2807,

CVE-2012-2141, CVE-2012-3410).
Count the start time of password validity period from the system installation time. If the
password is changed, the period is counted since the change time. The default password
validity period is changed from 30 days to 90 days.

l
Enhance the self-healing mechanism of the file system.
There are no specific parameters associated with this feature.

l
Rectify three high-risk vulnerabilities (CVE-2011-0997, CVE-2010-0405, and

CVE-2006-5276) and three medium-risk vulnerabilities (CVE-2008-7270,
CVE-2008-5077, and CVE-2009-0021) in the Retina scan result.
Add the support of the U_creator tool for a 16 GB large-capacity USB flash drive.
Disable the remote login of user root by default. Add user lgnusr for remote login. After a
successful login of user lgnusr, it can be switched to user root, thereby enhancing the
security of user management.

l
Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating system
security.
Fix the defect so that the operating system does not display the message that the number
of password retries exceeds the upper limit after the boards are restarted.

l
Rectify the priority inversion issue and incorporate the open-source kernel patch http://
git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?
id=da7a735e51f9622eb3e1672594d4a41da01d7e4f.
Rectify the OpenSSH security issue (CVE-2010-5107): The OpenSSH LoginGracetime

setting leads to SSH service denial.
Forbid the upgrade from a later version to an earlier version.
Issue 12 (2015-04-30)

37
SingleRAN
Incorporate three precaution issues:

Precaution Notice [2013-001] Memory Corruption May Occur When the Bus Master
Is not Disabled When the PCI Device Is Stopped
Precaution Notice [2013-002] Deadlock May Occur Due to the Migration of CPUs
that Run Real-time Tasks
Precaution Notice [2013-004] System Breakdown May Occur Due to the Core Dump
on the Multi-thread Process Using the FPU

l
Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192ctr, aes256-ctr, arcfour256, and arcfour128.
Add the function of password verification for the root user.
Add the one-click recovery function by upgrading the GRUB to GRUB 2. After GRUB is
upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and GRUB password
complexity check is added.
Rectify the libxml2 security issue CVE-2013-2877.
Rectify the incorrect failed log statistics issue.
Add SFTP logging support.
Rectify OpenSSL security vulnerabilities, including

CVE-2014-0224,CVE-2014-0221,CVE-2014-0195,CVE-2014-0198,CVE-2010-5298,C
VE-2014-3470,CVE-2014-0076.
Remove NIS service support.
Plaintext Recovery Attack against CBC ciphers(ID: CVE-2008-5161).

l
Upgrade the kernel from 2.6.32.59-0.7 to 2.6.32.59-0.9, fix security issues and bug fix.
Upgrade glibc from 2.11.1-0.34.1 to 2.11.1-0.50.1, security issues and bug fixes.
New smartctl command.
Enhanced / etc / ssh / sshd_config in configuration AllowTcpForwarding no, to fix

CVE-2004-1653.

l
Enhanced ssh_host_rsa_key.pub and ssh_host_rsa_key length 2048.
Rectify top command not support -b -n 1 parameter.
Rectify bash vulnerabilities,six in total(HUAWEI Vulnerability

4-6278,CVE-2014-7186,CVE-2014-7187.
Rectify OpenSSL vulnerabilities,nine in total(HUAWEI Vulnerability

4-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-20145139.
Added support U disk to copy files from the file name containing the Chinese to the system.
Issue 12 (2015-04-30)

38
SingleRAN

l
Upgrade wget, rectify vulnerabilities CVE-2014-4877.
Added iostat command.
Rectify OpenSSL vulnerabilities, four in total:CVE-2014-3513, CVE-2014-3566

(HUAWEI Vulnerability ID:HWPSIRT-2014-1041), CVE-2014-3567, CVE-2014-3568.
Rectify OpenSSH vulnerabilities CVE-2014-2653.
Because -p of the command useradd and groupadd the option may bypass the password
order of complexity inspection, therefore deleted -p the support of option.

l
Rectify OpenSSL Vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,

CVE-2014-3572, CVE-2014-8275, CVE-2015-0204.
Rectify glibc Vulnerability CVE-2015-0235 (HUAWEI Vulnerability ID

HWPSIRT-2015-01045).

l
Enhance hungtask maintenance and testing.
Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the

HMAC-SHA1 and HAMC-SHA2 algorithms are supported. In this case, the PuTTY client
does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, the PuTTY
must be upgraded to the 0.64 and above version. Otherwise, board logins will fail.
Upgrade OpenSSL to 0.98zf to rectify the latest vulnerability (CVE-2015-0209

CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0293).
Rectify the kernel vulnerability CVE-2015-1593.
Upgrade the kernel patch to 2.6.32.59-0.19 to rectify the latest vulnerabilities

(CVE-2012-6657, CVE-2013-7263, CVE-2014-0181, CVE-2014-9420, CVE-2014-9584,
and CVE-2014-9585).
Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, and

CVE-2014-9402.
Reinforce security hardening. If no operation is performed in 30 minutes, the SFTP service

times out and exit. The SSH service does not support the arcfour128/256 algorithm.
Avoid the OS upgrade failure caused when the source file for the /etc/rc.d/mysql link is
missing.
Issue 12 (2015-04-30)

39
SingleRAN
6 Parameters
Parameters
There are no specific parameters associated with this feature.
Issue 12 (2015-04-30)

40
SingleRAN
7 Counters
Counters
There are no specific counters associated with this feature.
Issue 12 (2015-04-30)

41
SingleRAN
8 Glossary
Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.
Issue 12 (2015-04-30)

42
SingleRAN
9 Reference Documents
Reference Documents
1.
Equipment Security Feature Parameter Description
2.
OMU Administration Guide
3.
Guide to Dopra Linux Operating System Remote Patch Upgrade
Issue 12 (2015-04-30)

43

Dopra Linux OS Security (SingleRAN - 12)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dopra Linux OS Security (SingleRAN - 12)

Uploaded by

Copyright:

Available Formats

SingleRAN

Dopra Linux OS Security Feature

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential

2 Dopra Linux Security Description.............................................................................................7

3 Dopra Linux Security Features.................................................................................................10

Huawei Proprietary and Confidential

3.5.1 Product Development Security..................................................................................................................................24

4 Base Station Applications..........................................................................................................31

Huawei Proprietary and Confidential

5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150..........................................................................39

Huawei Proprietary and Confidential

l This document is based on V200R003C02SPC090 and RTOS-V100R001C00 SPC080. For details

1.2 Intended Audience

Need to understand the features described herein

Work with Huawei products

1.3 Change History

Added 5.4.10 V200R003C08SPC170 to

Added 5.5.12 RTOSV200R003C08SPC170 to RTOSV200R003C08SPC190

3.3.7 Operations Related to SSH added

3.3.6 Security Policies Related to SSH

Added 5.4.9 V200R003C08SPC150 to

Added 5.5.11 RTOSV200R003C08SPC150 to RTOSV200R003C08SPC170

Huawei Proprietary and Confidential

Added 5.4.8 V200R003C08SPC130 to

Added 5.5.10 RTOSV200R003C08SPC120 to RTOSV200R003C08SPC150

Added 5.4.7 V200R003C08SPC120 to

Added 5.4.6 V200R003C08SPC100 to

Added 5.5.9 RTOSV200R003C08SPC100 to RTOSV200R003C08SPC120

Added 5.4.5 V200R003C08SPC080 to

Added 5.5.8 RTOSV200R003C08SPC080 to RTOSV200R003C08SPC100

Huawei Proprietary and Confidential

Added descriptions of base stations using

Added 3.6.3 Configuration Guide for the

Added V200R003C02SPC090 and its

Added descriptions on operating system

Huawei Proprietary and Confidential

Changed the document name from

Changed "RTOS" to "Dopra Linux" in this

Added the description on how to create

For details, see section 3.1 "User

Modified Secure Shell (SSH) policies.

For details, see section 3.3 "Network

Huawei Proprietary and Confidential

Modified the organization and descriptions

Modified the TCP/IP protocol stack

Added the description on how to create

Huawei Proprietary and Confidential

2 Dopra Linux Security Description

Dopra Linux Security Description

2.1 Introduction to the Dopra Linux

2.1.2 Differences Between the Dopra Linux and Other Operating

System-level security requirements, such as minimum installation, system tailoring, and

Requirements on product development, release, and installation, such as software

Huawei Proprietary and Confidential

2 Dopra Linux Security Description

Requirements for secure system management and maintenance, such as password,

2.2 Dopra Linux Security Overview

The kernel, SSH, and