Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 12 (2015-04-30)
SingleRAN
Dopra Linux OS Security Feature Parameter Description
Contents
1 Introduction    1
1.1 Scope    1
1.2 Intended Audience    1
1.3 Change History    1
6 Parameters    40
7 Counters    41
8 Glossary    42
9 Reference Documents    43
1 Introduction
1.1 Scope
This document describes the security features and capabilities of the Dopra Linux operating
system.
1.3 Change History
NOTE
- Feature change: changes in features of a specific product version.
- Editorial change: changes in wording or addition of information that was not described in the earlier version.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
12 (2015-04-30)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None

11 (2015-02-15)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None

10 (2015-01-15)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None

09 (2014-12-15)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

08 (2014-10-10)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None

07 (2014-09-25)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

06 (2014-08-15)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

05 (2014-06-10)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

04 (2012-12-30)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | Added RTOS versions RTOSV100R001C00SPC030, RTOSV100R001C00SPC050, RTOSV100R001C00SPC060, and RTOSV100R001C00SPC070 and their feature differences. | None
Editorial change | None | None

03 (2012-11-30)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

02 (2012-09-30)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | None | None

01 (2012-08-16)
This issue includes the following changes.
Change Type | Change Description | Parameter Change
Editorial change | None | None

Draft A (2012-06-20)
This is a draft.
- Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which helps improve system security.
- Root file system: The Dopra Linux is a compact operating system in which only the required database and service components are installed in the file system. This helps minimize security risks.
- Anti-attack requirements for protocols and interfaces, such as the use of secure protocols and anti-attack features.
- Sensitive data protection requirements, such as data confidentiality and integrity, the use of encryption algorithms, and the use of secure transmission channels.
Security Vulnerability | Description | Severity | Security Requirement
Password cracking | Password complexity check is not performed on the initial password. | Major |
Illegal operation | The maximum number of unsuccessful login attempts is not specified. | Minor |
Information disclosure | Insecure protocols, such as Trivial File Transfer Protocol (TFTP) and Telnet, are used. | Major |
NOTE
The Dopra Linux does not require antivirus software because few viruses target Linux and only a few Dopra Linux ports are open. For details about Dopra Linux antivirus, see "3.4 Enhanced Antivirus Policy."
- Access control
- User password control
- Directory protection
Network Management
- File protection
- Patch installation
- System upgrade
The root user has the highest operation permission, including read, write, and execute
permission. The read permission allows the root user to view the names and contents of
files under a directory. The write permission allows the root user to create or delete files
as well as modify file contents. The execute permission allows the root user to run shell
scripts or binary executable files. The root user can be granted read, write, and execute
permission to all files and directories.
V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer allow
the root user to perform remote login. This measure helps enhance system security.
Common users are created by the root user. They can log in to the Dopra Linux and create,
modify, or delete files under their specific home directories. For example, user jack can
perform relevant operations under the home directory /home/jack. In addition, common
users can run scripts or binary executable files under the /usr/bin and /bin directories.
Service users are used by system service processes. Service users have the lowest operation
permission and cannot log in to the operating system. They are not created by the root user.
This prevents unauthorized users from attacking the operating system and reduces security
risks. Service user accounts in the Dopra Linux include sshd, nobody, haldaemon,
messagebox, and mysql.
NOTE
The lgnusr user is an internal common user. Added in V200R003C02SPC090 and RTOSV100R001C00SPC070, the lgnusr user is used for Secure Shell (SSH) login. You can run the su command to switch from the lgnusr user to the root user to gain administrative rights. You are advised to reserve the lgnusr user for SSH security.
Policy | Description
Password complexity | The Dopra Linux records the history passwords of common users only. By default, the Dopra Linux records a maximum of three history passwords, and the RTOS records a maximum of five history passwords. The new password must be different from the history passwords and from the reverse of the history passwords. Common users can change only their own passwords. The root user can change all users' passwords.
User Management Policy | Description
Login message | - For the Dopra Linux, the information about the previous login is printed after a login, including the login date, time, and IP address. This information helps users determine whether unauthorized users have used the account.
  - For the RTOS, the last-login information is not printed by default after a successful login. To enable it, run the vi /etc/ssh/sshd_config command to open the sshd_config file, set PrintLastLog to yes, and run the killall sshd command to restart the SSHD service.
Login permission | Root user: The root user is the only superuser in the system and is authorized to execute all scripts and executable files. The password for the root user is customized before Dopra Linux deployment.
  Service user: Service users cannot log in to the Dopra Linux and are used only for service purposes.
Advance warning before password expiration |
Minimum password validity |
Password encryption |
To keep passwords secure, it is recommended that you do not modify the password complexity settings.
You can set the following parameters in the /etc/pam.d/common-password file to modify password complexity settings:
- retry = N: You have N attempts to change the password each time you run the passwd command. N is an integer from 1 to 256. The default value is 6.
- enforce_root: The password policy applies to the root user. If this parameter is deleted, the password policy does not apply to the root user.
- remember = N: N previous passwords are recorded for common users. N is an integer from 0 to 400. The default value is 3 for the Dopra Linux OS and 5 for the RTOS. This rule does not apply when the root user changes its own password or the passwords of other accounts.
- uname_check: A password cannot be the same as any user name or any user name in reverse order. This function is enabled by default.
In versions earlier than V100R001C03SPC030, the password lock and validity period cannot be changed because the /etc/pam.conf file and the chage command are not supported in these versions.
You can set the following options in the /etc/pam.d/common-auth file to modify password locking settings:
- deny=N: The login account is locked when the number of unsuccessful login attempts exceeds N. N is an integer from 1 to 32. The default value is 3.
- unlock_time=N: The user account is locked for N seconds when the maximum number of unsuccessful login attempts is exceeded. N is an integer from 1 to 3600. The default value is 300.
You can run the following commands to view or modify password time settings:
- chage -l user1: Views parameters such as the minimum interval at which a password must be changed (Minimum), the maximum interval at which a password must be changed (Maximum), and the advance warning before the password expires (Warning).
- chage -m N common user: N indicates the minimum interval at which a common user's password must be changed, that is, you can change the password N days later. N is an integer from 0 to 99999. If N is set to 0, you can change the password at any time. This option does not apply to the root user.
- chage -M N root/common user: N indicates the maximum interval at which a common user's password must be changed. N is an integer from 1 to 99999.
- chage -W N root/common user: N indicates the number of days of advance warning before a common user's password expires. N is an integer from 1 to 99999.
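The following is an added example (not part of the Huawei document) that checks the three settings described above against the ranges and defaults the document lists: the option syntax of /etc/pam.d/common-password (retry, remember) and /etc/pam.d/common-auth (deny, unlock_time), and the text output of chage -l. The PAM module names in the sample files and the 90-day validity baseline are assumptions of the example; the sample files and chage output are constructed.

```python
"""Audit Dopra Linux-style password policy settings.

Added example, not from the Huawei document. It parses the option syntax
of /etc/pam.d/common-password and /etc/pam.d/common-auth and the text
output of `chage -l`, then checks each value against the ranges and
defaults the document gives. The sample files and chage output below are
constructed for the example, not taken from a real system.
"""

# Allowed ranges and documented defaults: (min, max, default).
PASSWORD_RULES = {
    "retry": (1, 256, 6),
    "remember": (0, 400, 3),  # the document says 5 on the RTOS
}
AUTH_RULES = {
    "deny": (1, 32, 3),
    "unlock_time": (1, 3600, 300),
}

SAMPLE_COMMON_PASSWORD = """\
# constructed sample; module names are an assumption of this example
password requisite pam_cracklib.so retry=6 enforce_root uname_check
password required  pam_unix.so sha512 remember=3 use_authtok
"""

SAMPLE_COMMON_AUTH = """\
# constructed sample: deny has been raised above the allowed range
auth required pam_tally2.so deny=40 unlock_time=300
auth required pam_unix.so
"""

SAMPLE_CHAGE_OUTPUT = """\
Last password change                                    : Apr 01, 2015
Password expires                                        : Jun 30, 2015
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
"""


def pam_options(text):
    """Return {option: value} for every active (non-comment) PAM line.
    Flag-style options such as enforce_root and uname_check map to True."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in line.split()[3:]:  # skip type, control flag and module
            key, sep, val = token.partition("=")
            opts[key] = int(val) if sep and val.isdigit() else (val if sep else True)
    return opts


def check_ranges(opts, rules):
    """List (option, value, problem) for options that are missing or out of range."""
    problems = []
    for key, (lo, hi, default) in rules.items():
        if key not in opts:
            problems.append((key, None, f"missing (documented default {default})"))
            continue
        val = opts[key]
        if not isinstance(val, int) or not lo <= val <= hi:
            problems.append((key, val, f"outside allowed range {lo}-{hi}"))
    return problems


def parse_chage(text):
    """Parse `chage -l` output into the Minimum, Maximum and Warning values."""
    wanted = {
        "Minimum number of days between password change": "minimum",
        "Maximum number of days between password change": "maximum",
        "Number of days of warning before password expires": "warning",
    }
    values = {}
    for line in text.splitlines():
        label, sep, val = line.partition(":")
        if sep and label.strip() in wanted:
            values[wanted[label.strip()]] = int(val.strip())
    return values


def chage_problems(values, max_validity=90):
    """Flag chage values outside the document's ranges or looser than the
    90-day validity period (assumed here as the baseline)."""
    problems = []
    mn, mx, wn = values.get("minimum"), values.get("maximum"), values.get("warning")
    if mn is None or not 0 <= mn <= 99999:
        problems.append(("minimum", mn))
    if mx is None or not 1 <= mx <= 99999 or mx > max_validity:
        problems.append(("maximum", mx))
    if wn is None or not 1 <= wn <= 99999:
        problems.append(("warning", wn))
    return problems


def audit_samples():
    """Run every check over the constructed samples."""
    return {
        "common-password": check_ranges(pam_options(SAMPLE_COMMON_PASSWORD), PASSWORD_RULES),
        "common-auth": check_ranges(pam_options(SAMPLE_COMMON_AUTH), AUTH_RULES),
        "chage": chage_problems(parse_chage(SAMPLE_CHAGE_OUTPUT)),
    }


if __name__ == "__main__":
    for name, found in audit_samples().items():
        print(name, "OK" if not found else found)
```

On a live system the same functions take the contents of the two PAM files and the captured output of chage -l for each common user; deny=40 in the sample is deliberately out of range so that the common-auth check reports it.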
[Directory listing shown here in the original (ls -l output for the root directory): the entries bin, boot, dev, etc, home, init, lib, lost+found, mbsc, media, mnt, none, opt, proc, root, sbin, sc_init, and srv, each with a permission string such as drwxr-xr-x or drwxrwxrwt, a link count, owner root, group root, a size such as 4096, and a modification time such as 22:10.]
The following uses the last line as an example to explain the command output:
- In drwxr-xr-x:
  d means directory. Entries for regular files do not start with d.
  rwx indicates that the file or directory creator has read, write, and execute permission.
  r-x indicates that users who belong to the same user group as the file or directory creator have read and execute permission.
  The second r-x indicates that users who do not belong to the same user group as the file or directory creator have read and execute permission.
  NOTE
  The root user has the highest permission and can operate on all files created by other users.
- root indicates that the file or directory was created by the root user.
- The second root indicates that the file or directory creator is in the root user group.
- 4096 indicates the directory or file size (excluding files or sub-directories under the directory).
- Jul 6 22:10 is the time when the file or directory was last modified.
Common users cannot modify or delete commands, library files, or the directories storing device files (/dev) or configuration files (/etc).
Only the root user is authorized to access the system command management directories (/sbin and /usr/sbin) and the log files in /var/log.
NOTE
The read permission on a directory indicates that a user can view the files and sub-directories under the directory. The write permission indicates that a user can create files and sub-directories under the directory. The execute permission does not apply to directories.
The read permission on a file indicates that a user can view the contents of the file. The write permission on a file indicates that a user can edit the contents of the file. The execute permission on a file indicates that a user can execute the commands in the file.
Users can run the setfacl command to set access permission on a file. For example, in the setfacl -m u:user1:rw a.dat command, user1 has read and write permission on a.dat.
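The following added example (not part of the Huawei document) decodes ls -l lines of the form explained above into owner, group and other permission bits, computes which bits a given user receives (root first, since the NOTE says root can operate on all files), and flags what a hardening review looks for first: world-writable files, world-writable directories without the sticky bit (the drwxrwxrwt form in the listing), and setuid binaries. The listing lines are constructed. One point the NOTE above leaves out: on a directory the x bit is the search (traverse) bit that lets a user enter the directory, so the example decodes it for directories as well.

```python
"""Decode `ls -l` permission strings and flag risky entries.

Added example, not from the Huawei document. The listing lines below are
constructed for the example.
"""

SAMPLE_LISTING = """\
drwxr-xr-x 11 root root 4096 Jul 6 22:10 etc
drwxrwxrwt  2 root root 4096 Jul 6 22:24 tmp
-rwsr-xr-x  1 root root 51200 Jul 6 19:11 passwd_tool
-rw-rw-rw-  1 jack jack 128 Jul 6 21:19 notes.txt
"""


def parse_mode(perm):
    """Return (file_type, owner, group, other, special) for a 10-character
    permission string. owner/group/other are 0-7; special is a set drawn
    from {'suid', 'sgid', 'sticky'}."""
    if len(perm) != 10:
        raise ValueError("permission string must be 10 characters")
    special = set()
    triads = []
    for start, flag in ((1, "suid"), (4, "sgid"), (7, "sticky")):
        r, w, x = perm[start], perm[start + 1], perm[start + 2]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":          # lower-case s/t means the x bit is also set
            bits |= 1
        if x in "sStT":         # s/S on owner or group, t/T on other
            special.add(flag)
        triads.append(bits)
    return perm[0], triads[0], triads[1], triads[2], special


def parse_listing(text):
    """Split each `ls -l` line into the fields the document describes."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)     # nine fields; the name may contain spaces
        if len(parts) < 9:
            continue
        ftype, own, grp, oth, special = parse_mode(parts[0])
        entries.append({
            "type": ftype, "owner": parts[2], "group": parts[3],
            "size": int(parts[4]), "mtime": " ".join(parts[5:8]),
            "name": parts[8], "mode": (own, grp, oth), "special": special,
        })
    return entries


def effective_bits(entry, user, groups):
    """Permission bits (0-7) that `user`, a member of `groups`, gets on the entry.
    root is handled first: the document notes it can operate on all files."""
    if user == "root":
        return 7
    own, grp, oth = entry["mode"]
    if user == entry["owner"]:
        return own
    if entry["group"] in groups:
        return grp
    return oth


def risky_entries(entries):
    """Flag world-writable files, world-writable directories without the
    sticky bit, and setuid executables."""
    findings = []
    for e in entries:
        other = e["mode"][2]
        if other & 2 and e["type"] == "d" and "sticky" not in e["special"]:
            findings.append((e["name"], "world-writable directory without sticky bit"))
        elif other & 2 and e["type"] != "d":
            findings.append((e["name"], "world-writable file"))
        if "suid" in e["special"]:
            findings.append((e["name"], "setuid binary"))
    return findings


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for name, problem in risky_entries(listing):
        print(f"{name}: {problem}")
```

In the sample, /tmp-style drwxrwxrwt is not reported because the sticky bit is set, while the world-writable notes.txt and the setuid passwd_tool are.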
Service | ON/OFF | Protocol | Port Number | Description
sshd | ON | TCP | 22 |
syslog-ng | ON | N/A | N/A |
dbus-daemon | ON | N/A | N/A |
cron | ON | N/A | N/A |
klogd | ON | N/A | N/A |
auditd | ON | N/A | N/A |
boot.udev | ON | N/A | N/A |
haldaemon | ON | N/A | N/A |
syslogbuf | ON | N/A | N/A |
acpid | ON | N/A | N/A |
Write scripts to ensure that the defined rules automatically take effect upon system startup. Define the rules again after the Dopra Linux is upgraded or updated, because defined rules are deleted when the system is upgraded or updated.
The configuration items of the TCP/IP stack are named in the format "net + protocol + conf + all/default/device + attribute", where device is a logical interface such as eth1, bond2, or vlan3; default is the value applied to an interface as it is initialized and loaded; and all applies to all interfaces.
Item | Default Value | Description
net.ipv4.conf.all.arp_ignore | 0 for the RTOS, 1 for the Dopra Linux |
net.ipv4.conf.default.arp_ignore | 0 for the RTOS, 1 for the Dopra Linux |
net.ipv4.conf.all.promote_secondaries | |
net.ipv4.conf.default.promote_secondaries | |
net.ipv4.conf.all.arp_filter | |
net.ipv4.conf.default.arp_filter | |
net.ipv4.conf.all.accept_source_route | |
net.ipv4.conf.default.accept_source_route | |
net.ipv4.conf.all.accept_redirects | |
net.ipv4.conf.default.accept_redirects | |
net.ipv4.conf.default.secure_redirects | |
net.ipv4.conf.all.send_redirects | |
net.ipv4.conf.default.send_redirects | |
net.ipv4.tcp_fin_timeout | 60 |
net.ipv4.tcp_syncookies | |
net.ipv4.tcp_syn_retries | |
net.ipv4.tcp_synack_retries | | This parameter specifies the number of times SYNACK messages for a passive TCP connection attempt will be retransmitted.
net.ipv4.tcp_max_syn_backlog | 4096 |
net.ipv4.icmp_echo_ignore_broadcasts | |
kernel.panic_on_oops | |
kernel.printk | 6 4 1 7 |
net.ipv4.tcp_timestamps | |
net.ipv4.icmp_ignore_bogus_error_responses | |
net.ipv4.conf.all.rp_filter | |
net.ipv4.conf.default.rp_filter | |
kernel.sysrq | |
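The following added example (not part of the Huawei document) reads sysctl -a style "key = value" lines, splits each net.ipv4.conf.* key into the parts of the naming convention given above (protocol, all/default/device scope, attribute), and compares the values against a baseline. The document states defaults only for tcp_fin_timeout and tcp_max_syn_backlog; the other baseline values are the commonly recommended hardening settings and are an assumption of this example, not values from the document. The sample sysctl output is constructed.

```python
"""Compare live sysctl values against a hardening baseline.

Added example, not from the Huawei document. Baseline values marked
"document default" come from the document's table; the rest are assumed
hardening values, not values the document states.
"""

BASELINE = {
    "net.ipv4.conf.all.accept_source_route": 0,    # assumed
    "net.ipv4.conf.all.accept_redirects": 0,       # assumed
    "net.ipv4.conf.all.send_redirects": 0,         # assumed
    "net.ipv4.conf.all.rp_filter": 1,              # assumed
    "net.ipv4.tcp_syncookies": 1,                  # assumed
    "net.ipv4.icmp_echo_ignore_broadcasts": 1,     # assumed
    "net.ipv4.icmp_ignore_bogus_error_responses": 1,  # assumed
    "net.ipv4.tcp_fin_timeout": 60,                # document default
    "net.ipv4.tcp_max_syn_backlog": 4096,          # document default
    "kernel.sysrq": 0,                             # assumed
}

# Constructed `sysctl -a` excerpt with a few deliberate deviations.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.sysrq = 1
kernel.printk = 6 4 1 7
"""


def parse_sysctl(text):
    """Return {key: value}, converting plain integers and keeping the rest as text."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        settings[key.strip()] = int(val) if val.lstrip("-").isdigit() else val
    return settings


def split_conf_key(key):
    """Decompose net.<protocol>.conf.<scope>.<attribute> as in the naming
    convention; scope is 'all', 'default' or a device such as eth1.
    Returns None for keys that do not follow the pattern."""
    parts = key.split(".")
    if len(parts) == 5 and parts[0] == "net" and parts[2] == "conf":
        return {"protocol": parts[1], "scope": parts[3], "attribute": parts[4]}
    return None


def deviations(settings, baseline=BASELINE):
    """List (key, actual, expected) for every baseline key whose live value
    differs. For conf.all.* keys the default and per-device keys with the
    same attribute are checked too: the kernel combines the 'all' value with
    the per-interface one (by maximum for rp_filter, by OR for send_redirects,
    and so on), so a weak per-interface value is worth reporting."""
    found = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual != expected:
            found.append((key, actual, expected))
        parts = split_conf_key(key)
        if parts and parts["scope"] == "all":
            for other, val in settings.items():
                op = split_conf_key(other)
                if (op and op["attribute"] == parts["attribute"]
                        and op["scope"] != "all" and val != expected):
                    found.append((other, val, expected))
    return found


if __name__ == "__main__":
    for key, actual, expected in deviations(parse_sysctl(SAMPLE_SYSCTL)):
        print(f"{key}: is {actual!r}, baseline {expected!r}")
```

Because the page says the defined rules are lost on upgrade, running this comparison after every Dopra Linux upgrade or update is the check that confirms they were re-applied.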
Item | Default Value | Description
Ciphers | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128 |
MACs | hmac-sha2-256,hmac-sha1 |
Protocol | |
LogLevel | VERBOSE |
StrictModes | Yes |
PubkeyAuthentication | Yes |
PermitEmptyPasswords | No |
PermitRootLogin | No |
UsePAM | Yes |
Banner | /etc/issue.net |
Secure Logins
To log in to a target computer (for example, with an IP address of 192.168.0.241) that provides
SSH services:
Run the ssh root@192.168.0.241 command to log in as the root user, or run the ssh
user1@192.168.0.241 command to log in as user user1.
Secure Copy
To copy data (for example, /home/filename) from a Linux server that provides SSH services
to /home of a target computer (for example, with an IP address of 192.168.0.241):
Run the scp -r /home/filename root@192.168.0.241:/home command.
SFTP Operations
A computer running Dopra Linux can function as a server to provide SFTP services. To connect
to a target computer (for example, with an IP address of 192.168.0.241):
Run the sftp 192.168.0.241 command.
To disable the SFTP service:
1. Run the vi /etc/ssh/sshd_config command, comment out the line starting with Subsystem sftp, save the modifications, and close the file.
2. Run the killall sshd command to restart the SSHD service.
3. If the pidof sshd command prints integers, the process has started properly. The SFTP service is a sub-function of the SSHD service, so once the SSHD process has restarted, the SFTP service is disabled.
To enable SFTP logging:
1. Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the file.
2. Run the killall sshd command to restart the SSHD service.
3. If the pidof sshd command prints integers, the process has started properly. The SFTP service is a sub-function of the SSHD service, so once the SSHD process has restarted, SFTP logging is enabled.
Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
- Run the useradd -m user1 command to add user user1 and create the directory /home/user1.
- Run the passwd user1 command to set or change the password (for example, Tom@520123) for user user1. For details about the password policy, see "3.1.2 Security Policies for User Management".
Step 2 Modify the configuration file. Log in as the root user, and set PermitRootLogin to no in the /etc/ssh/sshd_config file.
Step 3 Run the killall sshd command to restart the SSH service. The modification takes effect after the SSH service restarts.
----End
NOTE
After the sshd process is killed, the SSH service becomes unavailable. Several seconds later, the SSH service restarts automatically.
To permit remote login of user root, set PermitRootLogin to yes in the /etc/ssh/sshd_config file, and restart the SSH service.
Disabling the SSH Server CBC, arcfour256, and arcfour128 Cipher Algorithms
Perform the following steps to disable the CBC cipher algorithms for the SSH service:
Step 1 Open the /etc/ssh/sshd_config file with vi, find the line starting with Ciphers, and change its content to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
NOTE
Find the line starting with Ciphers, not the one starting with #Ciphers. The number sign (#) indicates that the line is commented out.
Step 2 Run the killall sshd command to restart the sshd service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config file already contains the following setting:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
NOTE
Find the line starting with MACs, not the one starting with #MACs. The number sign (#) indicates that the line is commented out.
Step 2 Run the killall sshd command to restart the sshd service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config file already contains the following setting:
MACs hmac-sha1
The preceding operations must be performed by professional personnel who understand the basic Linux command vi and common system management commands. Otherwise, the SSH connection may fail due to incorrect modifications.
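The following added example (not part of the Huawei document) performs the sshd_config checks behind the two procedures above in code: it applies the note that only a line starting with the keyword (not #Keyword) is active, reports ciphers in the CBC and arcfour families and a PermitRootLogin value other than no, and writes the corrected file content with Ciphers aes128-ctr,aes192-ctr,aes256-ctr and PermitRootLogin no while leaving commented lines untouched. The sshd_config excerpt is constructed; restarting sshd with killall sshd afterwards, as the document describes, is still required for the change to take effect.

```python
"""Audit and rewrite the sshd_config directives the procedures change.

Added example, not from the Huawei document. The configuration excerpt
below is constructed.
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Protocol 2
#Ciphers aes128-ctr
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc
MACs hmac-sha2-256,hmac-sha1
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

HARDENED_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]


def active_directives(text):
    """Map keyword -> (line_number, value) for non-comment lines only.
    sshd honours the first occurrence of a keyword, so the first one wins."""
    result = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        result.setdefault(key, (n, val.strip()))
    return result


def weak_ciphers(cipher_list):
    """The ciphers the procedure removes: CBC-mode ciphers and arcfour."""
    return [c for c in cipher_list.split(",")
            if c.endswith("-cbc") or c.startswith("arcfour")]


def findings(text):
    """Audit result: list of (keyword, line_number, problem)."""
    d = active_directives(text)
    out = []
    if "Ciphers" in d:
        weak = weak_ciphers(d["Ciphers"][1])
        if weak:
            out.append(("Ciphers", d["Ciphers"][0], "weak ciphers: " + ",".join(weak)))
    prl = d.get("PermitRootLogin")
    if prl is None or prl[1].lower() != "no":
        out.append(("PermitRootLogin", prl[0] if prl else None, "root login not disabled"))
    return out


def harden(text):
    """Rewrite the active Ciphers and PermitRootLogin lines, appending them if
    absent. Commented lines stay as they are, matching the note that only the
    uncommented line counts."""
    wanted = {"Ciphers": ",".join(HARDENED_CIPHERS), "PermitRootLogin": "no"}
    seen = set()
    out = []
    for raw in text.splitlines():
        key = raw.strip().partition(" ")[0]
        if key in wanted and not raw.lstrip().startswith("#") and key not in seen:
            out.append(f"{key} {wanted[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, val in wanted.items():
        if key not in seen:
            out.append(f"{key} {val}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, line_no, problem in findings(SAMPLE_SSHD_CONFIG):
        print(f"line {line_no}: {keyword}: {problem}")
    print(harden(SAMPLE_SSHD_CONFIG))
```

Running findings() on the output of harden() returns an empty list, which is the same condition the document's "not required if the file already contains" notes describe.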
Forces the user to log out after defined failed password attempts.
audit
A log file for the audit daemon, which writes kernel information generated by applications and system activities to the hard disk.
dlinstall.log/dlrecover.log/dlupgrade.log
Log files recording information about system installation, rollback, and upgrade.
faillog
A log file recording the number of failed logins due to an incorrect user name or password. This file is encrypted and cannot be opened with vi or cat. Run the faillog command to view it.
messages
A log file recording kernel and system information. You can run vi or cat to view this file.
warn
A log file recording all warning and error information.
wtmp
A log file recording all remote and local logins, changes in the system run level, and the time of the changes. This file is encrypted. Run the last command to view it.
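The following added example (not part of the Huawei document) reads SSH login events from a messages-style log. The lines are constructed in the format OpenSSH writes to syslog; the document states that the SSH login and logout logs carry the user name, login time, and source IP address, which is what the parser extracts. It counts failed logins per user and source, flags a source that reaches the documented lockout threshold (deny=3), and flags a successful login that followed failures from the same source, the pattern a reviewer of faillog and messages wants to see first.

```python
"""Summarise SSH login events from a syslog-style messages file.

Added example, not from the Huawei document. The log lines below are
constructed in the format OpenSSH writes to syslog.
"""
import re
from collections import defaultdict

SAMPLE_MESSAGES = """\
Jul  6 22:10:01 Jasper sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jul  6 22:10:04 Jasper sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jul  6 22:10:09 Jasper sshd[2103]: Failed password for lgnusr from 10.0.0.5 port 51240 ssh2
Jul  6 22:11:30 Jasper sshd[2105]: Accepted password for lgnusr from 10.0.0.5 port 51250 ssh2
Jul  6 22:20:00 Jasper sshd[2110]: Accepted publickey for user1 from 192.168.0.241 port 40022 ssh2
Jul  6 22:25:00 Jasper sshd[2110]: pam_unix(sshd:session): session closed for user user1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Return a dict per Accepted/Failed line (ts, result, method, user, ip);
    lines in other formats, such as session close messages, are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """{(ip, user): number of failed attempts}."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["ip"], e["user"])] += 1
    return dict(counts)


def suspicious(events, deny=3):
    """Alerts as (timestamp, ip, reason): a source reaching `deny` failures
    (the documented default lockout threshold) and a successful login that
    follows failures from the same source."""
    per_ip_failed = defaultdict(int)
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            per_ip_failed[e["ip"]] += 1
            if per_ip_failed[e["ip"]] == deny:
                alerts.append((e["ts"], e["ip"], f"reached {deny} failed logins"))
        elif per_ip_failed[e["ip"]]:
            alerts.append((e["ts"], e["ip"],
                           f"login as {e['user']} after {per_ip_failed[e['ip']]} failures"))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_MESSAGES)
    for (ip, user), n in failures_by_source(evs).items():
        print(f"{ip} -> {user}: {n} failed")
    for ts, ip, reason in suspicious(evs):
        print(f"{ts} {ip}: {reason}")
```

The lgnusr login in the sample is the one to investigate: it comes from the same source as three preceding failures, and lgnusr is the account the document reserves for SSH login before switching to root.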
3.6.3 Configuration Guide for the Log Audit Service of Dopra Linux
- The configuration file paths differ. The paths for Dopra Linux are /etc/auditd.conf and /etc/audit.rules. The paths for common Linux are /etc/auditd/auditd.conf and /etc/auditd/audit.rules.
- When the /etc/rc.d/init.d/auditd script is used to enable the audit service, audit rules are not automatically loaded by default. If you want to retain the rules after a restart, manually modify the /etc/rc.d/init.d/auditd file. For details about the procedure, see Configuration Guide.
- If auditctl reports "Error sending add rule request (Operation not permitted)", the audit configuration has been locked (the enabled flag is 2) and rules can no longer be edited.
Procedure
Step 1 Create a default configuration file of the audit service.
Jasper ~ # mkdir /etc/audit/
Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules
Step 3 Edit the startup script of the audit service so that the rules are loaded automatically after a restart. Open /etc/rc.d/init.d/auditd with vi and add the auditctl -R line shown below (printed in bold in the original document). Skip this step if the line already exists:
    case "$1" in
        start)
            echo -n "Starting RPC auditd daemon"
            auditd_pid=`pidof auditd`
            if [[ -z ${auditd_pid} ]]
            then
                $AUDITD_BIN
                if [[ $? -ne 0 ]]
                then rc_failed 1
                else
                    rc_failed 0
                fi
            else
                rc_failed 0
            fi
            # Line to add: load the persistent rules once the daemon is running
            test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
            # Remember status and be verbose
            rc_status -v
Important Notes
Because audit rules are added, the system kernel performs additional audit operations besides normal processing, which degrades system performance. Delete unnecessary audit rules and minimize the number of audit rules based on site requirements to minimize the performance deterioration.
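The following added example (not part of the Huawei document) inspects an audit.rules file of the kind loaded by auditctl -R in the script above, before it is loaded: it counts the watch and syscall rules (the number the note above says to keep small), reports exact duplicates, reports rules without a -k key (hard to search for later), and detects a trailing -e 2, which locks the configuration so that later rule changes fail with the "Operation not permitted" error mentioned earlier until the system is rebooted. The rules file is constructed.

```python
"""Review an auditd rules file before loading it with auditctl -R.

Added example, not from the Huawei document. The rules file below is
constructed for the example.
"""
import shlex

SAMPLE_AUDIT_RULES = """\
# constructed sample audit.rules
-D
-b 320
-w /etc/passwd -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/passwd -p wa -k identity
-a exit,always -F arch=b64 -S open -F exit=-EACCES
-a exit,always -F arch=b64 -S execve -k exec
-e 2
"""


def parse_rules(text):
    """Return each non-comment, non-blank line as a list of tokens."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(shlex.split(line))
    return rules


def rule_key(tokens):
    """Value of -k / --key in a rule, or None when the rule has no key."""
    for i, t in enumerate(tokens[:-1]):
        if t in ("-k", "--key"):
            return tokens[i + 1]
    return None


def analyse(text):
    """Summarise a rules file: rule count, duplicates, unkeyed rules and
    whether the file locks the configuration (-e 2) after loading."""
    rules = parse_rules(text)
    watch_or_syscall = [r for r in rules if r[0] in ("-w", "-a", "-A")]
    seen, duplicates, unkeyed = set(), [], []
    for r in watch_or_syscall:
        joined = " ".join(r)
        if joined in seen:
            duplicates.append(joined)
        seen.add(joined)
        if rule_key(r) is None:
            unkeyed.append(joined)
    locked = any(r[:2] == ["-e", "2"] for r in rules)
    return {
        "rule_count": len(watch_or_syscall),
        "duplicates": duplicates,
        "unkeyed": unkeyed,
        "locked_after_load": locked,
    }


def dedupe(text):
    """Return the rules text with exact duplicate rules removed (first kept),
    so that the loaded rule set is as small as the notes recommend."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped in seen:
            continue
        seen.add(stripped)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = analyse(SAMPLE_AUDIT_RULES)
    print(f"{report['rule_count']} rules, {len(report['duplicates'])} duplicate(s), "
          f"{len(report['unkeyed'])} without a key, locked={report['locked_after_load']}")
    print(dedupe(SAMPLE_AUDIT_RULES))
```

A locked configuration is appropriate on a production board only once the rule set has been reviewed, because the script's auditctl -R line runs on every start and any later correction needs a reboot.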
3.7.2 Upgrade
Currently, the Dopra Linux version and product version are independent. The Dopra Linux
upgrade does not affect applications that have been installed on the source Dopra Linux, when
the hard disk partition settings on the source and destination Dopra Linux versions are the same.
You can upgrade the Dopra Linux using either of the following methods:
- USB upgrade
- Web upgrade
For details about upgrade methods, see Guide to Dopra Linux Operating System Remote Patch
Upgrade delivered with Dopra Linux patches.
NOTE
You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web
mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the
Dopra Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.
If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled
back. In this case, the USB upgrade is recommended.
The base station operating system patches are packed in the base station product version, and therefore a separate operating system upgrade is not supported on the base station. However, if any security risks are exposed in RTOS versions, you can apply the operating system patches through a product version upgrade because these patches are packed in the latest product version.
NOTE
If the product version includes RTOS patches, the patch information is described in the Release Notes of the base stations.
The base station operating system is not visible to users because the patches are packed in the base station software.
- Of all operating system security policies of the base station, only the antivirus policy is provided by the operating system. For details, see "3.4 Enhanced Antivirus Policy."
- Other than the antivirus policy, operating system security policies are packed in the base station software. For details, see the Base Station Equipment and OM Security Feature Parameter Description.
Version | Board
V100R001C03SPC010 | OMUa/SAUa/OMUb/SAUb
V100R001C03SPC020 | OMUa/SAUa/OMUb/SAUb
V100R001C03SPC030 | OMUa/SAUa/OMUb/SAUb
V200R003C02SPC030 | OMUc/SAUc
V200R003C02SPC060 | OMUc/SAUc
V200R003C02SPC070 | OMUc/SAUc
V200R003C02SPC080 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C02SPC090 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC080 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC100 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC120 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC130 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08SPC150 | OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
RTOS-V100R001C00SPC030 | EOMUa/ESAUa
RTOS-V100R001C00SPC050 | EOMUa/ESAUa
RTOS-V100R001C00SPC060 | EOMUa/ESAUa
RTOS-V100R001C00SPC070 | EOMUa/ESAUa
RTOS-V100R001C00SPC080 | EOMUa/ESAUa
RTOS-V100R001C00SPC090 | EOMUa/ESAUa
RTOS-V200R003C08SPC080 | EOMUa/ESAUa
RTOS-V200R003C08SPC100 | EOMUa/ESAUa
RTOS-V200R003C08SPC120 | EOMUa/ESAUa
RTOS-V200R003C08SPC150 | EOMUa/ESAUa
NOTE
- The Dopra Linux can be upgraded to a destination version that supports the same type of boards as the source version. For example, any version can be upgraded to V200R003C02SPC080, but V100R001C03SPC010 cannot be upgraded to V200R003C02SPC070.
- Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although supported boards vary with versions.
- Enhance the password complexity policy, which enables the root user to set password complexity policies.
- Add the setfacl package to allow users to set access permission on files.
- Add the SSH login and logout logs to enhance the log auditing function. The logs include the user name, login time, and source IP address.
- Provide the create-cracklib-dict command to allow users to update the weak password dictionary.
- Delete the modules for commissioning to minimize security risks. The deleted modules are ltp, livegdb, lmbench, and livepatch.
- Enhance operating system security by providing default security settings, such as password complexity policies.
- Disable unnecessary IPv6 modules to minimize the security risks posed by these modules.
- The portmap service is disabled by default. Therefore, port 111 used by the portmap service is also disabled by default.
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.
- Add the lgnusr user for remote login. You cannot remotely log in to the system as the root user by default, but you can remotely log in to the system as the lgnusr user and then switch to the root user. In this way, the user management security of the operating system is enhanced.
- Rectify the defect that common users cannot modify the OS time zones.
- Rectify the defect that a message indicating an expired password is displayed after a USB flash disk is used to restore the OS.
- Rectify the defect that the MySQL service fails to start after a USB flash disk is used to restore the OS after an upgrade.
- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
- Change the account encryption algorithm to the secure algorithm SHA512. In addition, the old passwords of the root user are verified before they are changed.
- Add the one-click recovery function by upgrading GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- Upgrade OpenSSL to 0.9.8y, which rectifies the OpenSSL security issues CVE-2013-0169 and CVE-2013-0166.
- Rectify the color change issue when a common user switches to the root user with su.
- Upgrade glibc from 2.4-31.91.1 to 2.4-31.109.1, which fixes security issues and bugs.
- Rectify the defect that the working link mode of the network adapter is restored to the original configuration after the OMUc operating system is upgraded.
- Because the -p option of the useradd, usermod, groupadd, and groupmod commands can bypass the password complexity check, support for the -p option has been removed.
- Rectify the failure to connect to the network during an OS upgrade, caused by the board not being reset after the OS upgrade from Doprax86V100R001C03.
- Support the NIS to centrally manage accounts and harden password security.
- Count the start time of the password validity period from the system installation time. If the password is changed, the period is counted from the change time. The default password validity period is changed from 30 days to 90 days.
- Add support of the U_creator tool for a 16 GB large-capacity USB flash drive.
- Disable the remote login of user root by default. Add user lgnusr for remote login. After a successful login as user lgnusr, you can switch to user root, thereby enhancing the security of user management.
- Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating system security.
- Fix the defect so that the operating system does not display the message that the number of password retries exceeds the upper limit after the boards are restarted.
- Rectify the priority inversion issue and incorporate the open-source kernel patch http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=da7a735e51f9622eb3e1672594d4a41da01d7e4f.
- Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
- Add the one-click recovery function by upgrading GRUB to GRUB 2. After GRUB is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords and a GRUB password complexity check is added.
- Upgrade the kernel from 2.6.32.59-0.7 to 2.6.32.59-0.9, which fixes security issues and bugs.
- Upgrade glibc from 2.11.1-0.34.1 to 2.11.1-0.50.1, which fixes security issues and bugs.
- Add support for copying files with Chinese file names from a USB flash disk to the system.
- Because the -p option of the useradd and groupadd commands can bypass the password complexity check, support for the -p option has been removed.
- Avoid the OS upgrade failure caused when the source file for the /etc/rc.d/mysql link is missing.
6 Parameters
7 Counters
8 Glossary
9 Reference Documents