Dopra Linux OS Security (SingleRAN - 20)

SingleRAN
Dopra Linux OS Security Feature

Parameter Description
Issue 20
Date 2017-02-22
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 20 (2017-02-22) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
SingleRAN
Dopra Linux OS Security Feature Parameter Description Contents
Contents
1 Introduction.................................................................................................................................... 1
1.1 Scope.............................................................................................................................................................................. 1
1.2 Intended Audience.......................................................................................................................................................... 1
1.3 Change History............................................................................................................................................................... 1
2 Dopra Linux Security Description........................................................................................... 10

2.1 Introduction to the Dopra Linux................................................................................................................................... 10
2.1.1 Overview................................................................................................................................................................... 10
2.1.2 Differences Between the Dopra Linux and Other Operating Systems...................................................................... 10
2.2 Dopra Linux Security Overview...................................................................................................................................11
2.3 Security Architecture.................................................................................................................................................... 11
3 Dopra Linux Security Features................................................................................................. 13

3.1 User Management.........................................................................................................................................................13
3.1.1 Dopra Linux Users.....................................................................................................................................................13
3.1.2 Security Policies for User Management.................................................................................................................... 14
3.1.3 Operations Related to User Management.................................................................................................................. 15
3.1.4 Operations Related to Password Complexity Management...................................................................................... 16
3.1.5 Operations Related to Password Setting....................................................................................................................16
3.2 File System and Permission Management....................................................................................................................17
3.2.1 Directory Protection.................................................................................................................................................. 17
3.2.2 File Protection............................................................................................................................................................18
3.3 Network Management.................................................................................................................................................. 18
3.3.1 Protocols Enabled by Default.................................................................................................................................... 19
3.3.2 Services Enabled by Default......................................................................................................................................19
3.3.3 Ports Opened by Default............................................................................................................................................19
3.3.4 System Firewall iptables............................................................................................................................................20
3.3.5 Security Policies Related to TCP/IP Stacks.............................................................................................................. 20
3.3.6 Security Policies Related to SSH...............................................................................................................................24
3.3.7 Operations Related to SSH........................................................................................................................................ 26
3.4 Enhanced Antivirus Policy........................................................................................................................................... 28
3.4.1 Virus Entry Control................................................................................................................................................... 28
3.4.2 Post-Entry Virus Control........................................................................................................................................... 29
3.5 Operating System Integrity Protection......................................................................................................................... 29
Issue 20 (2017-02-22) Huawei Proprietary and Confidential ii

SingleRAN
3.5.1 Product Development Security.................................................................................................................................. 29

3.5.2 Product Release Security........................................................................................................................................... 29
3.6 System and Security Log Management........................................................................................................................ 29
3.6.1 Log Files.................................................................................................................................................................... 29
3.6.2 Real-Time Access Information Recording................................................................................................................ 30
3.6.3 Guidelines on Configuring the Log Audit Service of Dopra Linux.......................................................................... 30
3.6.3.1 Configuration Commands.......................................................................................................................................30
3.6.3.2 Configuration Guidelines....................................................................................................................................... 32
3.7 System Upgrade and Patch Policy................................................................................................................................34
3.7.1 Patch Installation....................................................................................................................................................... 34
3.7.2 Upgrade..................................................................................................................................................................... 34
4 Base Station Applications.......................................................................................................... 35

5 Differences Among History Dopra Linux Versions............................................................. 36
5.1 History Dopra Linux Versions...................................................................................................................................... 36
5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb................................................................................................ 38
5.2.1 V100R001C03SPC010 to V100R001C03SPC020................................................................................................... 38
5.2.2 V100R001C03SPC020 to V100R001C03SPC030................................................................................................... 38
5.3 Versions Running on the OMUc/SAUc........................................................................................................................38
5.3.1 V200R003C02SPC030 to V200R003C02SPC060................................................................................................... 38
5.3.2 V200R003C02SPC060 to V200R003C02SPC070................................................................................................... 38
5.4 Versions Running on the OMUa/SAUa/OMUb/SAUb/OMUc/SAUc......................................................................... 38
5.4.1 V200R003C02SPC070 to V200R003C02SPC080................................................................................................... 38
5.4.2 V200R003C02SPC080 to V200R003C02SPC090................................................................................................... 39
5.4.3 V200R003C02SPC090 to V200R003C08.................................................................................................................39
5.4.4 V200R003C08 to V200R003C08SPC080.................................................................................................................39
5.4.5 V200R003C08SPC080 to V200R003C08SPC100................................................................................................... 40
5.4.6 V200R003C08SPC100 to V200R003C08SPC120................................................................................................... 40
5.4.7 V200R003C08SPC120 to V200R003C08SPC130................................................................................................... 40
5.4.8 V200R003C08SPC130 to V200R003C08SPC150................................................................................................... 40
5.4.9 V200R003C08SPC150 to V200R003C08SPC170................................................................................................... 41
5.4.10 V200R003C08SPC170 to V200R003C08SPC190................................................................................................. 41
5.4.11 V200R003C08SPC190 to V200R003C08SPC230..................................................................................................41
5.4.12 V200R003C08SPC230 to V200R003C08SPC260................................................................................................. 41
5.4.13 V200R003C08SPC260 to V200R003C08SPC290................................................................................................. 42
5.4.14 V200R003C08SPC290 to V200R003C08SPC310................................................................................................. 42
5.4.15 V200R003C08SPC310 to V200R003C08SPC330................................................................................................. 42
5.4.16 V200R003C08SPC330 to V200R003C08SPC360................................................................................................. 42
5.4.17 V200R003C08SPC360 to V200R003C08SPC390................................................................................................. 43
5.5 Versions Running on the EOMUa/ESAUa................................................................................................................... 43
5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030.......................................................................................... 43
5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050............................................................................. 43
Issue 20 (2017-02-22) Huawei Proprietary and Confidential iii

SingleRAN

5.5.10 RTOS-V200R003C08SPC120 to RTOS-V200R003C08SPC150........................................................................... 45
6 Parameters..................................................................................................................................... 49
7 Counters........................................................................................................................................ 50
8 Glossary......................................................................................................................................... 51
9 Reference Documents................................................................................................................. 52
Issue 20 (2017-02-22) Huawei Proprietary and Confidential iv

SingleRAN
Dopra Linux OS Security Feature Parameter Description 1 Introduction
1 Introduction
1.1 Scope
This document describes the security features and capabilities of the Dopra Linux operating
system (OS).
NOTE
l This document is based on V200R003C02SPC090 and RTOS-V100R001C00 SPC080. For details about
differences among history versions, see section 5 Differences Among History Dopra Linux Versions.
l The OS for the EOMUa/ESAUa and later boards based on Dopra Linux is renamed as Real-time
operating system (RTOS). RTOS inherits basic functions on Dopra Linux. This document refers to an
RTOS version with a prefix RTOS- in front of the version number, for example, RTOS-
V100R001C00SPC070. Unless otherwise stated, this document can be applied to both Dopra Linux and
RTOS.
l For a base station, only software of the UMPT and UMDU boards uses and encapsulates the Dopra Linux
OS. Therefore, you cannot log in to the OS of a base station that is configured with one of these boards
after the base station is delivered. For details, see section 4 Base Station Applications.
1.2 Intended Audience

This document is intended for personnel who:
l Need to understand the features described herein
l Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:
l Feature change
Changes in features of a specific product version
l Editorial change
Changes in wording or addition of information that was not described in the earlier
version
Issue 20 (2017-02-22) Huawei Proprietary and Confidential 1

SingleRAN
20 (2017-02-22)
This issue includes the following changes:
Change Type Description Paramet

er
Change
Feature change Added 5.4.17 V200R003C08SPC360 to None

V200R003C08SPC390
Added 5.5.19 RTOS-V200R003C08SPC360 to RTOS-
V200R003C08SPC390
19 (2016-12-15)
Change Type Description Paramet

er
Change
Feature change 3.3.6 Security Policies Related to SSH: Configuration None

items PermitUserRC, PermitUserEnvironment, and
HostbasedAuthentication and their description are added.
The description of KexAlgorithms is updated.
Added 5.4.16 V200R003C08SPC330 to
V200R003C08SPC360
Added 5.5.18 RTOS-V200R003C08SPC330 to RTOS-
V200R003C08SPC360
18 (2016-08-26)
Change Type Description Parameter Change

V200R003C08SPC330.
Added 5.5.17 RTOS-
V200R003C08SPC310 to RTOS-
V200R003C08SPC330.
17 (2016-05-27)

SingleRAN

V200R003C08SPC310.
Added 5.5.16 RTOS-
V200R003C08SPC310.
16 (2016-04-06)

V200R003C08SPC290.
Added 5.5.15 RTOS-
V200R003C08SPC290.
15 (2016-02-22)

SingleRAN
Editorial change 5.4.12 V200R003C08SPC230 to None

V200R003C08SPC260: "When the root
user changes the passwords of common
users, the encrypted text will be recorded
into /etc/security/opasswd" is added.
5.5.14 RTOS-V200R003C08SPC230 to
RTOS-V200R003C08SPC260: "When
the root user changes the passwords of
common users, the encrypted text will be
recorded into /etc/security/opasswd" is
added.
The following content is added to 3.1.4
Operations Related to Password
Complexity Management:
enforce_for_root: This option is added to
V200R003C08SPC260 or later versions.
This option indicates that the historical
password storage mechanism takes effect
on the root user. When the root user
changes its own password or the
passwords of common users, the
encrypted text will be recorded in /etc/
security/opasswd.
14 (2016-02-04)

V200R003C08SPC260.
Added 5.5.14 RTOS-
V200R003C08SPC260.
13 (2015-11-13)

SingleRAN

V200R003C08SPC230.
Added 5.5.13 RTOS-
V200R003C08SPC230.
12 (2015-04-30)

V200R003C08SPC190.
Added 5.5.12 RTOS-
V200R003C08SPC190.
Editorial change 3.3.7 Operations Related to SSH: added None

SFTP Timeout.
3.3.6 Security Policies Related to SSH:
deleted the arcfour256 and arcfour128
algorithms, and added the hmac-sha2-256
algorithm.
3.3.7 Operations Related to SSH:
deleted the arcfour256 and arcfour128
algorithms.
11 (2015-02-15)

V200R003C08SPC170.
Added 5.5.11 RTOS-
V200R003C08SPC170.
Editorial change None None
10 (2015-01-15)

SingleRAN

V200R003C08SPC150.
Added 5.5.10 RTOS-
V200R003C08SPC150.
09 (2014-12-15)

V200R003C08SPC130.
08 (2014-10-10)

V200R003C08SPC120.
Added 5.5.9 RTOS-
V200R003C08SPC120.
07 (2014-09-25)

V200R003C08SPC100.
Added 5.5.8 RTOS-
V200R003C08SPC100.

SingleRAN
06 (2014-08-15)
Feature change None None
Editorial change Added descriptions of base stations using None

the Dopra Linux OS in section 1.1 Scope.
05 (2014-06-10)
Feature change Added 3.6.3 Guidelines on Configuring None

the Log Audit Service of Dopra Linux.
04 (2012-12-30)
Feature change Added V200R003C02SPC090 and its None

feature differences.
Added RTOS versions RTOS- None

V100R001C00SPC030, RTOS-
V100R001C00SPC050, RTOS-
V100R001C00 SPC060, and RTOS-
V100R001C00 SPC070 and their feature
differences.
Added descriptions on operating system None

applications of base stations. For details,
see section 4 Base Station Applications.
Editorial change Changed the document name from None

"Controller Dopra Linux OS Security" to
"Dopra Linux OS Security".

SingleRAN
03 (2012-11-30)
Editorial change Changed "RTOS" to "Dopra Linux" in None

this document. The document title is also
changed from "RTOS Security" to
"Controller Dopra Linux OS Security" for
consistency with the name of the current
operating system.
02 (2012-09-30)
Editorial change Added the description on how to create None

users, change passwords, and delete
users.
For details, see section 3.1 User
Management.
Added section 3.4 Enhanced Antivirus None

Policy.
Modified Secure Shell (SSH) policies. None

For details, see section 3.3 Network
Management.
Added section 5 Differences Among None

History Dopra Linux Versions.
01 (2012-08-16)
Editorial change Modified the organization and None

descriptions in section 3 Dopra Linux
Security Features.

SingleRAN
Modified the TCP/IP protocol stack None

security policy table and added default
values for these security policies.
Added the description on how to create None

users, change passwords, and delete
users.
Draft A (2012-06-20)
This issue is a draft.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 2 Dopra Linux Security Description
2 Dopra Linux Security Description
2.1 Introduction to the Dopra Linux
2.1.1 Overview
The Dopra Linux is a Linux-based operating system tailored to provide full security
protection for telecommunications products. As part of an end-to-end security solution, the
Dopra Linux is enhanced in hardware support, software commissioning, and performance to
minimize security risks.
A customized Dopra Linux consists of the kernel and root file system:
l Kernel: The Dopra Linux kernel is customized and has the latest patch installed, which
helps improve system security.
l Root file system: The Dopra Linux is a compact operating system where only useful
database and service components are installed in the file system. This helps minimize
security risks.
2.1.2 Differences Between the Dopra Linux and Other Operating

Systems
The Dopra Linux is a real-time embedded operating system. Compared with server and
desktop operating systems, the Dopra Linux meets the following security requirements:
l System-level security requirements, such as minimum installation, system tailoring, and

security patch management
l Anti-attack requirements for protocols and interfaces, such as use of secure protocols and
anti-attack features
l Requirements on product development, release, and installation, such as software
commissioning and integrity checking
l Sensitive data protection requirements, such as the use of encryption algorithms and
secure transmission channels
l Requirements for secure system management and maintenance, such as password,
authentication, authorization, log, and alarm management

SingleRAN
2.2 Dopra Linux Security Overview

The main security threats for the Dopra Linux are security vulnerabilities, password cracking,
illegal operations, and information disclosure.
Table 2-1 describes these threats.
Table 2-1 Main security threats for the Dopra Linux

Threat Description Severity Security Requirement
Security The kernel, SSH, Minor The Dopra Linux provides a

vulnerability and Secure File new service protocol version
Transfer Protocol and is able to fix security
(SFTP) have known vulnerabilities by version
security upgrade or patch installation.
vulnerabilities. The Dopra Linux is upgraded
every 12 months by default.
Password cracking Password Major The Dopra Linux requires users

complexity check is to use complex passwords.
not performed on the
initial password.
Illegal operation The maximum Minor The Dopra Linux locks the
number of login account when the
unsuccessful login maximum number of
attempts is not unsuccessful login attempts is
specified. exceeded.
Information Insecure protocols, Major By default, the Dopra Linux

disclosure such as Trivial File does not support insecure
Transfer Protocol protocols. Instead, it uses
(TFTP) and Telnet secure protocols such as SFTP.
are used.
NOTE
The Dopra Linux does not require antivirus software because few viruses target at Linux and only few Dopra
Linux ports are open. For details about Dopra Linux antivirus, see section 3.4 Enhanced Antivirus Policy.
2.3 Security Architecture

Dopra Linux OS functions as a bridge between hardware resources (multi-core CPUs and
other hardware devices) and services. As a multiprocessing OS running on mid-range and
high-end multi-core CPUs, Dopra Linux OS features a security architecture incorporating the
security policies listed in Table 2-2.

SingleRAN
Table 2-2 Dopra Linux security policies

Identity Authentication l Access control
l User password control
File System and Permission l Directory protection

Management l File protection
Network Management l Protocols enabled by default

l Services enabled by default
l Ports opened by default
l System firewall iptables
l Security policies related to TCP/IP stacks
l Security policies related to SSH
Enhanced Antivirus Policy l Virus entry control

l Post-entry virus control
Operating System Integrity l Product development security

Protection l Product release security
l Product installation security
System and Security Log Log file management

Management
System Upgrade and Patch Policy l Patch installation

l System upgrade

SingleRAN
Dopra Linux OS Security Feature Parameter Description 3 Dopra Linux Security Features
3 Dopra Linux Security Features
3.1 User Management
3.1.1 Dopra Linux Users

Dopra Linux users are categorized into root user, common user, service user, and lgnusr user.
The permission of these users is as follows:
l The root user has the highest operation permission, including read, write, and execute
permission. The read permission allows the root user to view the names and content of
files under a directory. The write permission allows the root user to create or delete files
as well as modify file content. The execute permission allows the root user to run shell
scripts or binary executable files. The root user can be granted read, write, and execute
permission on all files and directories.
V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions no longer
allow the root user to perform remote logins. This measure helps enhance system
security.
l Common users are created by the root user. They can log in to the Dopra Linux and
create, modify, or delete files under their specific home directories. For example, user
jack can perform relevant operations under the home directory /home/jack. In addition,
common users can run scripts or binary executable files under the /usr/bin and /bin
directories.
l Service users are used by system service processes. Service users have the lowest
operation permission and cannot log in to the operating system. They are not created by
the root user. This prevents unauthorized users from attacking the operating system and
reduces security risks. Service user accounts in the Dopra Linux include sshd, nobody,
haldaemon, messagebox, and mysql.
NOTE
l sshd: sshd server users cannot log in to the operating system.

l nobody: portmap standard account of other system services cannot log in to the operating system.
l haldaemon: standard account used by haldaemon servers account cannot log in to the operating system.
l messagebus: standard account used by D-BUS servers account cannot log in to the operating system.
l mysql: used by mysql servers.

SingleRAN
l The lgnusr user is an internal common user. Added in V200R003C02SPC090 and

RTOS-V100R001C00SPC070, the lgnusr user is used for SSH login. You can run the su
command to switch the lgnusr user to the root user to gain administrative rights. You are
advised to reserve the lgnusr user for SSH security.
3.1.2 Security Policies for User Management

Table 3-1 describes the security policies for user management in the Dopra Linux.
Table 3-1 Security policies for user management in the Dopra Linux
User Policy
Management
Password A user password must contain at least eight characters, including at

complexity least one uppercase letter, one lowercase letter, one special character,
and one digit.
Simple passwords (passwords defined in the weak password
dictionary) are not allowed.
NOTE
l You can run the zcat /usr/share/cracklib/cracklib-words.gz command to
view the weak password dictionary.
l For the Dopra Linux, you can run the create-cracklib-dict command to
update the weak password dictionary. For example, run the create-
cracklib-dict dict1.dat command to add words in dict1.dat to the weak
password dictionary.
l For the RTOS, the weak password dictionary cannot be viewed or
modified to prevent it from being disclosed.
By default, the Dopra Linux records a maximum of three history
passwords, and the RTOS records a maximum of five history
passwords. The new password must be different with the history
passwords or the reverse of history passwords.
Common users can change only their own passwords. The root user
can change all users' passwords.
Login message After a login, the information about the previous login is printed,
including the login date, time, and IP address. Such information helps
users determine whether unauthorized users have accessed the
account.
Login permission By default, a user account is locked for 300 seconds at three
consecutive unsuccessful login attempts. The administrator can
unlock the account.
In versions earlier than V200R003C08SPC080, users will not be
asked for old passwords when changing their own passwords. In
V200R003C08SPC080 and later versions, a user's old password is
required.
For all versions, the old password is not required when the root user
changes the password of a common user.

SingleRAN
User Policy
Management
Root user The root user is the only superuser in the system and is authorized to
execute all scripts and executable files.
The password for the root user is customized before Dopra Linux
deployment.
service user They cannot log in to the Dopra Linux and are only for service
purposes.
Advance password The default password validity period is 30 days. To enhance

expiration warning password security, the Dopra Linux prompts users to change their
passwords seven days before the passwords expire.
For versions earlier than V200R003C02SPC090, the default
password validity period is 30 days. For V200R003C02SPC090,
RTOS-V100R001C00SPC050 and later versions, the default
password validity period is 90 days.
Minimum You are advised to set the minimum password validity period to 48
password validity hours or longer. Otherwise, the password may bypass the password
security policy inspection.
Passwords The Dopra Linux uses SHA-512 encryption algorithm to encrypt

encryption passwords in V200R003C08SPC080 and later. Versions earlier than
V200R003C08SPC080 use MD5.
NOTE
To improve password security, you are advised to change the passwords for
users root and lgnusr immediately after an upgrade from any earlier version to
V200R003C08SPC080 or later. Otherwise, the passwords will still be
encrypted by the MD5 algorithm, leaving the passwords at risk of exposure.
3.1.3 Operations Related to User Management

Operations related to user management include creating, deleting, and switching users as well
as changing user passwords. This section uses user1 as an example to describe these
operations.
l To create user1, run the following command:
useradd -m user1 //After user1 is created, its home directory /home/user1 is also
created.
l To delete user1, run the following command:
userdel -r user1 //After user1 is deleted, its home directory /home/user1 is also deleted.
l To set or change the password for user1, run the following command:
passwd user1 // You can only change someone else's password when you sign on to the
root account. Common users can only change their own passwords.
The password must comply with the password complexity policy in Table 3-1. For
example, Huawei@751.
l To switch to user1, run the following command:
su user1 //The current user is switched to user1.

SingleRAN
su - user1 //The current user is switched to user1. The hyphen (-) indicates that the
environment variables are also switched.
3.1.4 Operations Related to Password Complexity Management

NOTE
It is recommended that you not modify password complexity settings to enhance password security.
You can set the following parameters in the /etc/pam.d/common-password file to modify
password complexity settings:
l retry = N: You have N attempts to change the password each time you run the passwd
command. N is an integer from 1 to 256. The default value is 6.
l lcredit = –N: A password contains at least N lower-case letters. N is an integer from 0 to
127. The default value is 1 for the Dopra Linux OS and 0 for the RTOS.
l ucredit = –N: A password contains at least N upper-case letters. N is an integer from 0 to
l dcredit = –N: A password contains at least N digits. N is an integer from 0 to 127. The
default value is 1 for the Dopra Linux OS and 0 for the RTOS.
l ocredit = –N: A password contains at least N special characters (~!@#$%^&*()_+`-={}|
[]\:";'<>?,./). N is an integer from 0 to 127. The default value is 1 for the Dopra Linux OS
and 0 for the RTOS.
l minlen = N: A password contains at least N characters. N is an integer from 6 to 127.
The default value is 8.
l enforce_root: A password policy takes effect to the root user. After this parameter is
deleted, the password policy does not take effect to the root user.
l remember = N: N previous passwords are recorded for users. N is an integer from 0 to
NOTE
l In versions earlier than V200R003C08SPC080, the root user can change its own password or the
passwords of common users, regardless of the remember parameter setting.
l In versions between V200R003C08SPC080 and V200R003C08SPC230 version, the number of times the
root user changes its own password depends on the remember parameter setting, but the root user can
change the passwords of common users, regardless of the remember parameter setting.
l In V200R003C08SPC260 or later versions, both the number of times the root user changes its own
password and the number of times the root user changes the passwords of common users depend on the
remember parameter setting.
l uname_check: A password cannot be the same as any user name or be any user name in
reverse order. This function is enabled by default.
l enforce_for_root: This option is added to V200R003C08SPC260 or later versions. This
option indicates that the historical password storage mechanism takes effect on the root
user. When the root user changes its own password or the passwords of common users,
the encrypted text will be recorded in /etc/security/opasswd.
3.1.5 Operations Related to Password Setting

NOTE
In versions earlier than V100R001C03SPC030, the password lock and validity period cannot be changed
because the etc/pam.conf file and chage command are not supported in these versions.

SingleRAN
You can set the following options in the /etc/pam.d/common-auth file to modify password
locking settings:
l deny = N, which indicates that the login account is locked when the number of
unsuccessful login attempts exceeds N. N is an integer from 1 to 32. The default value is
3.
l unlock_time = N, which indicates that the user account is locked for N seconds when
the maximum number of unsuccessful login attempts is exceeded. N is an integer from 1
to 3600. The default value is 300.
You can run the following commands to view or modify password time settings:
l chage -l user1 //You can view the parameters such as the minimum interval at which a
password must be changed (Minimum), the maximum interval at which a password
must be changed (Maximum), and advance password expiration warning (Warning).
l chage -m N common user//N indicates the minimum number of days that must pass
between a common user's password changes. N is an integer from 0 to 99999. If N is set
to 0, you can change the password anytime. This option does not apply to the root user.
l chage -M N root/common user //N indicates the validity period of the root password or
a common user's password. N is an integer from 1 to 99999.
l chage -W N root/common user //N indicates the number of days before password
expiration that the root user or common users are prompted to change their passwords. N
is an integer from 1 to 99999.
3.2 File System and Permission Management

File system permission is categorized into read, write, and execute permission. The root user
can operate all files. Common users can operate only their own files. Permission management
ensures file security.
3.2.1 Directory Protection

The Dopra Linux restricts directory access permission. You can run the ll or ls -l command to
query the read, write, and execute permission on files and sub-directories in different
directories.
The following is an example:
Jasper / # ll total 112
drwxr-xr-x 2 root root 4096 Jul 6 22:10 bin
drw-r----- 6 root root 4096 Jul 7 23:08 boot
drwxr-xr-x 9 root root 5560 Jul 7 19:11 dev
drwxr-xr-x 25 root root 4096 Jul 7 23:15 etc
drwxr-x--x 4 root root 4096 Jul 7 21:19 home
-rwxr-xr-x 1 root root 29 Jul 5 22:24 init
drwxr-xr-x 7 root root 4096 Jul 6 22:10 lib
drwx------ 2 root root 16384 Jul 5 22:23 lost+found
d-wx---r-x 5 root root 4096 Jul 5 22:24 mbsc
drwxr-xr-x 2 root root 4096 Jul 5 22:24 media
drwxr-xr-x 4 root root 4096 Jul 5 22:25 mnt
drwxr-x--- 2 root root 4096 Jul 5 22:24 none
drwxr-x--- 3 root root 4096 Jul 5 22:24 opt
dr-xr-xr-x 114 root root 0 Jul 7 19:10 proc
drwx------ 3 root root 4096 Jul 7 22:06 root
drwxr-x--- 2 root root 4096 Jul 7 21:25 sbin
-rwxr-xr-x 1 root root 23713 Jul 5 22:24 sc_init
drwxr-xr-x 2 root root 4096 Jul 5 22:24 srv
drwxr-xr-x 11 root root 0 Jul 7 19:10 sys

SingleRAN
drwxrwxrwt 2 root root 4096 Jul 11 03:30 tmp

drwxr-xr-x 2 root root 4096 Jul 5 22:25 usb
drwxr-xr-x 7 root root 4096 Jul 5 22:24 usr
drwxr-xr-x 10 root root 4096 Jul 6 22:10 var
The following uses the last line as an example to explain the command output:
l In drwxr-xr-x:
– d means directory. Files are not started with d.
– rwx indicates that the file or directory creator has read, write, and execute
permission.
– r-x indicates that users who belong to the same user group as the file or directory
creator have read and execute permission.
– The second r-x indicates that users who do not belong to the same user group as the
file or directory creator have read and execute permission.
NOTE
The root user has the highest permission and can operate all files created by other users.
l 10 indicates the number of hard connections of the file or directory.
l root indicates that the file or directory is created by the root user.
l The second root indicates that the file or directory creator is in the root user group.
l 4096 indicates the directory or file size (excluding files or sub-directories under the
directory).
l Jul 6 22:10 is the time when the file or directory was last modified.
l var is the file or directory name.
3.2.2 File Protection

The Dopra Linux restricts common users' access to system files.
l Common users cannot visit the home directory.

l Common users cannot modify or delete commands, library files, and directories storing
device files (/dev) or configuration files (/etc).
l Only the root user is authorized to access system command management directories (/
sbin and /usr/sbin) and log files in /var/log.
NOTE
The read permission on a directory indicates that a user can view the files and sub-directories under the
directory. The write permission indicates that a user can create files and sub-directories under the directory.
The execute permission indicates that a user can go to the directory.
The read permission on a file indicates that a user can view the content in the file. The write permission
indicates that a user can edit the content in the file. The execute permission indicates that a user can execute
the commands in the file.
Users can run the setfacl command to set the access permission on a file. For example, in the
setfacl -m u:user1:rw a.dat command, user1 has read and write permission on a.dat.
3.3 Network Management

SingleRAN
3.3.1 Protocols Enabled by Default

By default, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and
Internet Control Message Protocol (ICMP) are enabled in the Dopra Linux.
3.3.2 Services Enabled by Default

Table 3-2 describes the default services provided in the Dopra Linux.
Table 3-2 Default services provided in the Dopra Linux

Service ON/OFF Protocol Port Description
Name Number
sshd ON TCP 22 A service started from inittab for

SSH login
syslog-ng ON N/A N/A A service started from inittab for log

recording
dbus-daemon ON N/A N/A An application that uses the D-Bus

library to implement a message bus
daemon
NOTE
D-Bus is a library that provides one-to-
one communication between any two
applications. Multiple programs connect
to the message bus daemon and can
exchange messages with each other.
cron ON N/A N/A Daemon to execute scheduled

commands
klogd ON N/A N/A A service started from inittab for

logging
auditd ON N/A N/A A service for saving audit records to

the disk
boot.udev ON N/A N/A A service that listens to kernel

events and passes the incoming
events to udev
haldaemon ON N/A N/A A service that collects and stores

hardware information
acpid ON N/A N/A A service that functions as the

daemon of advanced configuration
and power interface (ACPI) and
manages the power supply
3.3.3 Ports Opened by Default

For details about the default ports opened in the Dopra Linux, see Communication Matrix
delivered with the product.

SingleRAN
You can run the netstat -nlp command to view all listening ports.
3.3.4 System Firewall iptables

iptables is a kernel-level component in the Linux for filtering IP packets. When Linux is
connected to the Internet, local area networks (LANs), servers, or Internet proxies, iptables act
as a firewall to filter IP packets.
Being integrated into the Dopra Linux, iptables does not need to be configured by default.
However, users can define rules in the iptables if required. When defining rules for a live
network, note the following points:
l Do not modify existing rules when adding or deleting policies.

l Write a script to ensure that defined rules automatically take effect upon system startup.
l Define rules again after the Dopra Linux is upgraded or updated, as defined rules are
deleted after the system is upgraded or updated.
3.3.5 Security Policies Related to TCP/IP Stacks

Dopra Linux does not support IPv6 by default. Table 3-3 describes security policies related to
the IPv4 TCP/IP stack. These items are configured in the /etc/sysctl.conf file. Default settings
in Table 3-3 are recommended by Huawei to ensure optimum security and performance, and
generally should not be changed.
NOTE
The configuration items of TCP/IP stacks are named in the format of "net + protocol + conf + all/default/
device + attribute". device means a logical interface, such as eth1, bond2, and vlan3. default is used to
initialize an interface as it is initialized and loaded. all means to apply to all interfaces.
Table 3-3 Configuration items
Item Default Description

Value
net.ipv4.conf.all.arp_ignor 0 for the This parameter defines the modes for sending
e RTOS replies in response to received ARP requests that
1 for the resolve local target IP addresses.
Dopra l 0: Reply to any local target IP address,
Linux irrespective of its interface.

SingleRAN

Value
net.ipv4.conf.default.arp_i l 1: Reply only if the target IP address is the

gnore local address configured on the incoming
interface.
l 2: Reply only if the target IP address is the
local address configured on the incoming
interface, and both the sender's and receiver's
IP addresses are in the same subnet.
l 3: Reply only resolutions for global link
addresses, and do not reply to local addresses
configured with scope host.
l 4–7: Reserved.
l 8: Do not reply to local addresses.
net.ipv4.conf.all.promote_ 0 for the This parameter specifies the relations between

secondaries Dopra network adapter aliases.
Linux l 0: If the primary alias of the network adapter
net.ipv4.conf.default.prom
ote_secondaries 1 for the is deactivated, the secondary aliases will also
RTOS be deactivated.
l 1: If the primary alias of the network adapter
is deactivated, a secondary alias will be
upgraded to the primary alias.
net.ipv4.conf.all.arp_filter 1 l 0: The kernel can respond to ARP requests

with addresses from other interfaces. This
net.ipv4.conf.default.arp_f may seem wrong but it actually makes sense
ilter because it increases the number of successful
communication attempts. IP addresses are
owned by the complete host on the Linux, not
by specific interfaces.
l 1: This value allows you to have multiple
network adapters on the same subnet and have
the ARPs for each network adapter be
answered based on whether the kernel can
route packets from the ARP's IP address out
of that network adapter.
net.ipv4.conf.all.accept_so 0 This parameter specifies whether to accept

urce_route source-routed packets.
net.ipv4.conf.default.acce 0 means not to accept source-routed packets.

pt_source_route 1 means to accept source-routed packets.
net.ipv4.conf.all.accept_re 0 It is assumed that the network segment where the

directs host is located has two routers, and one of them is
set as the default gateway. When another router
sends IP packets to the gateway, the router also
sends an ICMP redirect message, instructing the
gateway to forward those packets to other
routers.

SingleRAN

Value
net.ipv4.conf.default.acce l 1 means to accept the redirect forwarding.

pt_redirects l 0 means to ignore the redirect forwarding.
It is recommended that this parameter be set
to 0 to eliminate potential security risks.
net.ipv4.conf.all.secure_re 0 This parameter specifies the secure redirect

directs forwarding function. When this function is
enabled, only ICMP redirect messages from the
net.ipv4.conf.default.secur gateway are accepted.
e_redirects
l 1 means to enable the function.
l 0 means to disable the function.
net.ipv4.conf.all.send_redi 0 This parameter specifies whether to send redirect

rects messages.
net.ipv4.conf.default.send l 1 means to send.

_redirects l 0 means not to send.
net.ipv4.tcp_fin_timeout 60 This parameter specifies the duration for keeping

packets in the FIN-WAIT-2 state. If the value of
this parameter is too large, memory overflow
may occur.
net.ipv4.tcp_syncookies 1 This parameter specifies whether to send

syncookies to prevent SYN flood attacks when
the syn backlog queue overflows. This parameter
is valid only when CONFIG_SYNCOOKIES is
set during kernel compilation.
1 means to send syncookies.
0 means not to send syncookies.
net.ipv4.tcp_syn_retries 1 This parameter specifies the number of SYN

packets that the kernel sends before the kernel
gives up setting up a TCP connection.
net.ipv4.tcp_synack_retrie 1 To set up a TCP connection, the kernel needs to

s send a SYN packet and respond to the previous
SYN packet with an ACK packet. This process is
the second stage of the three-way handshake.
This parameter specifies the number of SYN and
ACK packets that the kernel sends before the
kernel gives up setting up a TCP connection.
net.ipv4.tcp_max_syn_bac 4096 This parameter specifies the maximum number of

klog unacknowledged connection requests.
net.ipv4.icmp_echo_ignor 1 This parameter specifies whether to ignore

e_broadcasts broadcast and multicast messages.
l 1 means to ignore.
l 0 means not to ignore.

SingleRAN

Value
kernel.panic_on_oops 1 This parameter specifies the kernel's behavior

when it encounters an exception or bug.
l 0: Attempt to continue operations.
l 1: Reboot the OS several seconds later. klogd
will log the delay.
kernel.printk 6417 This parameter specifies where to send log

messages according to their priorities. This
parameter has four default values, which denote
console_loglevel, default_message_loglevel,
minimum_console_loglevel, and
default_console_loglevel, respectively. For more
information about log priorities, see syslog.
l console_loglevel: Messages with a priority
higher than this level will be printed to the
console.
l default_message_loglevel: Messages without
an explicit priority will be printed with this
level.
l minimum_console_loglevel: This level is the
minimum (highest) value to which
console_loglevel can be set.
l default_console_loglevel: This is the default
value for console_loglevel.
The console is the interface that provides
character-mode I/Os.
net.ipv4.tcp_timestamps 0 This parameter specifies whether to add a 12-byte

timestamp to TCP headers.
l 0 means not to add the timestamp.
l 1 means to add the timestamp.
net.ipv4.icmp_ignore_bog 1 This parameter specifies whether to ignore the

us_error_responses ICMP errors generated by the hosts that claim
that the response address is the broadcast address.
l 1 means to ignore.
l 0 means not to ignore.
net.ipv4.conf.all.rp_filter 1 This parameter specifies whether to enable IP

spoofing protection and turns on source route
net.ipv4.conf.default.rp_fil verification.
ter
l 1 means yes.
l 0 means no.
It is recommended that you set this parameter
to 1 for a single host or routers in a stub
network.

SingleRAN

Value
kernel.sysrq 0 This parameter specifies whether to activate the

the system request key.
If the parameter is set to non-zero, the system
request key is activated.
3.3.6 Security Policies Related to SSH

The Dopra Linux does not support non-encrypted File Transfer Protocol (FTP) and TELNET.
Instead, it uses secure protocols such as SSH and SFTP.
Table 3-4 lists the configurations for SSH.
Table 3-4 Configurations for SSH

Item Default Value Description
Ciphers aes128-ctr, Uses the 3des-cbc and aes128-cbc

aes192-ctr, encryption algorithm. Sets encryption
aes256-ctr algorithms to secure algorithms.
MACs hmac-sha2-256, Sets the message authentication code (MAC)

hmac-sha1 algorithm to the Secure Hash Algorithm 2
(SHA2) and be compatible with HMAC-
SHA1 for data integrity protection.
Protocol 2 Forcibly enables SSH V2.0.
LogLevel VERBOSE Sets a message level to Verbose to log user

login information for auditing.
StrictModes yes Forcibly checks file permission and the login

user's permission on the home directory and
files.
PubkeyAuthentication yes Allows public key authentication. Currently,

a user name and a password are used for
SSH login authentication.
PermitEmptyPasswords no Forbids login with an empty password.
PermitRootLogin no In V200R003C02SPC090, RTOS-

V100R001C00SPC070 and later versions,
remote root logins are not allowed by
default.
UsePAM yes Uses the pluggable authentication modules

(PAM), a more scalable scheme, for
authentication.

SingleRAN
Banner /etc/issue.net Displays banners after a user logs in to the

Dopra Linux using SSH. The default banner
is "You are trying to access a restricted zone.
Only Authorized Users allowed."
KexAlgorithms curve25519- In V200R003C08SPC330 and later versions,

sha256@libssh. more secure Diffie-Hellman algorithms are
org,diffie- used, and diffie-hellman-group14-shal and
hellman-group- diffie-hellman-group1-sha1 are disabled.
exchange- In V200R003C08SPC360 and later versions,
sha256,diffie- curve25519-sha256@libssh.org is
hellman-group- supported.
exchange-sha1
NOTE
The PuTTY must be upgraded to the 0.65 or a
later version. The FileZilla must be upgraded to
3.13.0 or a later version. Otherwise, board logins
may fail.
UsePrivilegeSeparation yes In V200R003C08SPC330 and later versions,

after successful authentication, a child
process, which has the privilege of the
authenticated user, will be created. The goal
of privilege separation is to prevent privilege
escalation by containing any corruption
within the unprivileged processes.
NOTE
Ensure that the SSHD service account and
the /var/empty/sshd directory exist in Dopra
Linux OS.
PermitUserRC no In V200R003C08SPC360 and later versions,

this configuration item is supported and is
set to no by default.
This item is used to specify whether to
execute files in the ~/.ssh/rc directory. To
enhance OS security, the setting
PermitUserRC no must be contained in the
configuration file.
PermitUserEnvironment no In V200R003C08SPC360 and later versions,

this configuration item is supported and is
By setting this item to no, the SSHD service
is not allowed to process the ~/.ssh/
environment file and the environment
parameter in the ~/.ssh/authorized_keys
file, reducing the risk of attacks allowed by
vulnerabilities in SSHD.

SingleRAN
HostbasedAuthentica- no In V200R003C08SPC360 and later versions,

tion this configuration item is supported and is
By setting this item to no, host-based
authentication is not supported, indicating
that the ~/.shosts, ~/.rhosts, and /etc/
hosts.equiv files will not be authenticated. If
attackers modify those files, such
configuration reduces the risk of attacks
caused by reading the modified files during
authentication.
NOTE
You can run the vi /etc/issue.net command to modify banners.
3.3.7 Operations Related to SSH

The following part describes operations associated with SSH.
Secure Logins
To log in to a target computer (for example, with an IP address of 192.168.0.241) that
provides SSH services:
Run the ssh user1@192.168.0.241 command and enter the password of user1 as prompted to
log in as user1.
Secure Copy
To copy a file (for example, /home/filename) from a Linux server, which provides SSH
services, to /home of a target computer (for example, with an IP address of 192.168.0.241):
Run the scp -r /home/filename user1@192.168.0.241:/home/user1 command as user1 and

enter the password of user1.
SFTP Operations
A computer running Dopra Linux can function as a server to provide SFTP services. To
connect to a target computer (for example, with an IP address of 192.168.0.241):
Run the sftp 192.168.0.241 command.
l Disabling the SFTP Service

a. Run the vi /etc/ssh/sshd_config command, comment out the line starting with
Subsystem sftp, save the modifications, and close the file.
b. Run the killall sshd command to restart the SSHD service.
c. Check whether the SSHD process starts.

SingleRAN
If command "pidof sshd" prints integers, the process starts properly. The SFTP
service is a sub-function of the SSHD service. If the SSHD process restarts, the
SFTP service is disabled successfully.
l Enabling SFTP Logging
a. Run the vi /etc/ssh/sshd_config command, change the line starting with Subsystem
sftp to Subsystem sftp internal-sftp -l INFO, save the modifications, and close the
file.
b. Run the killall sshd command to restart the SSHD service.
c. Check whether the SSHD process starts.
If command "pidof sshd" prints integers, the process starts properly. The SFTP
service is a sub-function of the SSHD service. If the SSHD process restarts, SFTP
logging is enabled successfully.
l SFTP Timeout
In V200R003C08SPC190 and later versions, the default timeout interval of SFTP
service logins is 30 minutes. To set the timeout interval in an earlier version, perform the
following steps:
1. Run the vi /etc/ssh/sshd_config command and perform the following configurations:
ClientAliveInterval 1800
ClientAliveCountMax 0
2. Run the killall sshd command to restart the SSHD service.
Forbidding Remote Root Logins

You are advised to disable the remote login as the root user. V200R003C02SPC090, RTOS-
V100R001C00SPC070, and later versions no longer allow the root user to perform remote
logins. To disable remote logins, perform the following steps:
Step 1 Add a common user that can log in to the Dopra Linux remotely. For example:
l Run the useradd -m user1 command to add user user1 and create directory /home/
user1.
l Run the passwd user1 command to set or change the password (for example,
Tom@520123) for user user1. Set or change the password according to the security
policies listed in Table 3-1 in section 3.1.2 Security Policies for User Management.
Step 2 Modify the configuration file. Log in as the root user and run the vi /etc/ssh/sshd_config
command. Set PermitRootLogin to no in the /etc/ssh/sshd_config file.
Step 3 Run the killall sshd command to restart the SSHD service. The modification takes effect after
the SSHD service restarts.
----End
NOTE
After the sshd process is killed, the SSHD service becomes unavailable. Several seconds later, the SSHD
service restarts automatically.
To permit remote root logins, set PermitRootLogin to yes in the /etc/ssh/sshd_config file,
and restart the SSHD service.
Disabling SSH Server CBC Mode, arcfour256, arcfour128 Ciphers

Perform the following steps to disable SSH Server CBC mode ciphers:

SingleRAN
Step 1 Run the vi /etc/ssh/sshd_config command to open the /etc/ssh/sshd_config file with the vi
editor. Find the line starting with Ciphers, and change the content to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
NOTE
Find the line starting with Ciphers but not with #Ciphers. The number sign (#) indicates that the line is
commented out.
Step 2 Run the killall sshd command to restart the SSHD service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config file contains the following line:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr.
Hardening SSH Weak MAC Algorithms

Perform the following steps to harden SSH Weak MAC Algorithms:
Step 1 Run the vi /etc/ssh/sshd_config command to open the /etc/ssh/sshd_config file with the vi
editor. Find the line starting with MACs and change the content to:
l For versions earlier than V200R003C08SPC190, the line is changed to "MACs hmac-
sha1".
l For V200R003C08SPC190 and later versions, the line is changed to "MACs hmac-
sha2-256".
l If hmac-sha2-256 is the only configured MAC algorithm, upgrade PuTTY to 0.65 or a
later version.
NOTE
Find the line starting with MACs but not with #MACs. The number sign (#) indicates that the line is
commented out.
Step 2 Run the killall sshd command to restart the SSHD service.
----End
NOTE
The preceding two steps are not required if the /etc/ssh/sshd_config contains the following settings:
MACs hmac-sha1
The preceding operations must be performed by professional personnel who understand basic Linux
command (vi) and common system management commands. Otherwise, the SSH connection may fail due to
incorrect modifications.
3.4 Enhanced Antivirus Policy
3.4.1 Virus Entry Control

The Dopra Linux disables idle ports and uses secure protocols (such as SSH and SFTP) only,
making itself much less vulnerable to virus attacks.

SingleRAN
The Dopra Linux uses enhanced password polices, such as forced lockout after three failed
password attempts. These policies greatly improve the anti-hacking capability.
3.4.2 Post-Entry Virus Control

The Dopra Linux defines strict permission control, which means that only the root user has
the write permission on system files and log files. Therefore, even virus files are falsely
executed, only files on which the login user has the write permission will be corrupted.
System running and log files are not affected.
Though the Dopra Linux does not run any antivirus software, it is insusceptible to virus
attacks unless the root user password is cracked. In addition, the root user password is well
protected by the following measures:
l Uses enhanced password policies.
l Forces the user to log out after defined failed password attempts.
3.5 Operating System Integrity Protection
3.5.1 Product Development Security

The Dopra Linux image contains vmlinuz (kernel) and initrd (root file system), where the
kernel mode and user mode are separated. This method enhances Dopra Linux security.
V200R003C02SPC080, RTOS-V100R001C00, and later versions support security
vulnerability scan using the Nessus and port and protocol scan using the Nmap.
V200R003C02SPC090, RTOS-V100R001C00SPC070, and later versions support security
vulnerability scan using the Retina.
V200R003C08SPC120 and later versions support security vulnerability scan using the
NSFOCUS Web Vulnerability Scanning System (WVSS).
3.5.2 Product Release Security

Before the Dopra Linux is released, it is scanned by antivirus software Symantec, McAfee,
Avira, Kav and Trend to ensure that it is virus free.
3.6 System and Security Log Management

Logs record system running information and are of vital importance to system security. Major
log functions include auditing and monitoring. With logs, you can diagnose problems,
monitor real-time system status, and track traces left by attackers.
3.6.1 Log Files

Only the root user can view log files and description under the log directory /var/log. The
following describes log files in the Dopra Linux:
l audit
A log file for the audit daemon, which writes kernel information generated by
applications and system activities into hard disk.

SingleRAN
l dlinstall.log, dlrecover.log, and dlupgrade.log

Log files recording information about system installation, rollback, and upgrade.
l faillog
A log file recording the number of failed logins due to incorrect user name or password.
This file is encrypted. Running the vi or the cat command cannot open this file. You can
run faillog to view this file.
l messages
A log file recording kernel and system information.
You can run the vi or the cat command to view this file.
l warn
A log file recording all warnings and error information.
l wtmp
A log file recording all remote and local logins, changes in system running level, and
time of the changes.
This file is encrypted. You can run last to view this file.
3.6.2 Real-Time Access Information Recording

The Dopra Linux records real-time Dopra Linux login and logout information in logs. For
details about how to manage these logs, see section "Configuring the Function of Recording
OMU OS Accessing Information in Real Time" in OMU Administration Guide.
3.6.3 Guidelines on Configuring the Log Audit Service of Dopra

Linux
3.6.3.1 Configuration Commands

Linux audit Subsystem (audit) is a system service. This service is used for auditing system
invoking records and writing the records to files. The user space program of the audit service
is auditd, which is used for writing audit information to disks.
Audit Configuration Differences Between Dopra Linux and Common Linux

The Dopra Linux (versions earlier than V200R003C08SPC100) and common Linux differ in
the audit service as follows:
l The configuration file path is different. The paths for Dopra Linux are /etc/auditd.conf
and /etc/audit.rules. The paths for common Linux are /etc/auditd/auditd.conf and /etc/
auditd/audit.rules.
l When the /etc/rc.d/init.d/auditd script is used to enable the audit service, audit rules are
not automatically loaded by default. If you want to retain the rules after a restart,
manually modify the /etc/rc.d/init.d/auditd file. For details about the procedure, see
section 3.6.3.2 Configuration Guidelines.
Querying Audit Service Status

The audit service status' value of RTOS can be 0, 1, and 2.
The audit service status' value of Dopra Linux OS can be 0 and 1.

SingleRAN
Jasper ~ # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=14886 rate_limit=0 backlog_limit=64 lost=0
backlog=0
Jasper ~ #
enabled=1: Log auditing is enabled for the audit service.
enabled=0: Log upgrades are disabled.
enabled=2: The audit rules cannot be edited. If you want to edit it, you should restart the
system first.
By default, enabled=1 is used after a normal startup. You can run the auditctl-e 1 command
to change the value of enabled to 1.
Jasper ~ # auditctl -s
backlog=0
Jasper ~ # auditctl -e 2
backlog=0
Jasper ~ # auditctl -a entry,always -S umask
Error sending add rule request (Operation not permitted)
Error sending add rule request (Operation not permitted) --> When enabled is 2, rules cannot
be edited.
Query Existing Rules

auditctl -l
Deleting All Audit Rules at a Time

auditctl -D
Adding an Audit Rule

auditctl -a entry,always -S umask -k umask --> Add an audit rule for invoking the umask
system.
Deleting an Audit Rule

auditctl -d entry,always -S umask -k umask --> Delete an audit rule for invoking the umask
system.
Adding Audit Rules in Batches

auditctl -R /etc/audit.rules --> /etc/audit.rules is a text file containing rules in any paths.
Stopping the auditd Service Process

killall auditd
or
/etc/rc.d/init.d/auditd stop

SingleRAN
Starting the auditd Service Process

startproc /sbin/auditd
or
/etc/rc.d/init.d/auditd start
Querying the auditd Service Process Status

/etc/rc.d/init.d/auditd status
Checking Whether Recording Is Enabled for the auditd Service

auditctl -s
If "enabled=1" is displayed, recording is enabled.
3.6.3.2 Configuration Guidelines

This section describes how to configure the audit service.
Procedure
Step 1 Create a default configuration file of the audit service.
Jasper ~ # mkdir /etc/audit/
Jasper ~ # cp /etc/auditd.conf /etc/audit/auditd.conf
Jasper ~ # cp /etc/audit.rules /etc/audit/audit.rules
Step 2 Edit the rule file /etc/audit/audit.rules.

You can select interesting audit rules from the following samples:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
# Feel free to add below this line. See auditctl man page
## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
## changes to the time
##
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -
k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## umask
-a entry,always -S umask -k umask
## cron configuration & scheduled jobs
-w /etc/crontab -p rwax -k cron
## user, group, password databases
-w /etc/group -p rwax -k etcgroup
-w /etc/passwd -p rwax -k etcpasswd
-w /etc/shadow -k etcpasswd

SingleRAN
## monitor usage of passwd

-w /usr/bin/passwd -p x -k passwd_modification
## login configuration and information
-w /etc/login.defs -p rwax -k login
-w /etc/securetty -p rwax -k login
## network configuration
-w /etc/hosts -p rwax -k hosts
-w /etc/sysconfig/network -p rwax -k network
## system startup scripts
-w /etc/inittab -p rwax -k init
## kernel parameters
-w /etc/sysctl.conf -p rwax -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p rwax -k modprobe
## pam configuration
-w /etc/pam.d/ -p rwax -k pam
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p rwax -k etcissue
-w /etc/issue.net -p rwax -k etcissue
Step 3 Edit the startup script of the audit service to configure an automatic loading rule after a restart.
Run the vi /etc/rc.d/init.d/auditd command to open /etc/rc.d/init.d/auditd with the vi editor.

Add the following content in bold to /etc/rc.d/init.d/auditd (Skip this step if the bold line
exists):
case "$1" instart) echo -n "Starting RPC auditd daemon"
auditd_pid=`pidof auditd`
if [[ -z ${auditd_pid} ]]
then
$AUDITD_BIN
if [[ $? -ne 0 ]]
then rc_failed 1
else
rc_failed 0
fi
else
rc_failed 0
fi
test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/
null
# Remember status and be verbose
rc_status -v
Step 4 Restart the audit service.
/etc/rc.d/init.d/auditd restart
Step 5 Check whether audit log recording is enabled.
----End
Run the auditctl -s command to check the value of enabled.
If the value is 1, log recording is enabled.
If the value is not 1, run the auditctl -e 1 command to enable log recording.
---End

SingleRAN
Important Notes
Because audit rules are added, the system kernel adds additional audit operations besides
normal processing, which compromise system performance. Delete unnecessary audit rules
and minimize the number of audit rules based on site requirements to minimize performance
deterioration.
3.7 System Upgrade and Patch Policy

Due to defects in product design or development, the Dopra Linux may have certain
vulnerabilities, for example, service errors or authentication failures. These vulnerabilities
may pose security threats such as hacking or viruses. You can install patches to eliminate
these system vulnerabilities.
3.7.1 Patch Installation

By default, security patches are applied on the Dopra Linux every 12 months.
3.7.2 Upgrade
Currently, the Dopra Linux version and product version are independent. The Dopra Linux
upgrade does not affect applications that have been installed on the source Dopra Linux, when
the hard disk partition settings on the source and destination Dopra Linux versions are the
same.
You can upgrade the Dopra Linux using either of the following methods:
l USB upgrade
l Web upgrade
For details about upgrade methods, see Guide to Dopra Linux Operating System Remote
Patch Upgrade delivered with Dopra Linux patches.
NOTE
You must restart the system after an upgrade is complete. If you upgrade the Dopra Linux using the web
mode, you can roll back the Dopra Linux to the source version if the upgrade fails. If you upgrade the Dopra
Linux using the USB mode, you have to reinstall the Dopra Linux if the upgrade fails.
If you upgrade the RTOS or certain Dopra Linux versions using the web mode, the version cannot be rolled
back. In this case, the USB upgrade is recommended.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 4 Base Station Applications
4 Base Station Applications
The base station operating system patches are packed in the base station product version, and
therefore a separated operating system upgrade is not supported on the base station. However
if any security risks are exposed in RTOS versions, you can run the operating system patches
by way of the product version upgrade because these patches are packed in the latest product
version.
NOTE
If the product version includes RTOS patches, the patch information will be addressed in the Release Notes of
base stations.
The base station operating system is not visible for users because the patches are packed in
the base station software.
l Of all operating system security policies of the base station, only the anti-virus policy is
provided by the operating system. For details, see section 3.4 Enhanced Antivirus
Policy.
l Other than the antivirus policy, operating system security policies are packed in the base
station software. For details, see the Equipment Security Feature Parameter
Description.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 5 Differences Among History Dopra Linux Versions
5 Differences Among History Dopra Linux

Versions
5.1 History Dopra Linux Versions

Table 5-1 lists history Dopra Linux versions and corresponding boards.
Table 5-1 History Dopra Linux versions and corresponding boards
Dopra Linux Version Board
V100R001C03SPC010 OMUa/SAUa/OMUb/SAUb
V200R003C02SPC030 OMUc/SAUc
V200R003C02SPC080 OMUa/SAUa/OMUb/SAUb/OMUc/SAUc
V200R003C08 OMUa/SAUa/OMUb/SAUb/OMUc/SAUc

SingleRAN
Dopra Linux Version Board
RTOS-V100R001C00SPC030 EOMUa/ESAUa

SingleRAN
NOTE
l The Dopra Linux can be upgraded to a target version that supports the same type of boards as the source
version. For example, any version can be upgraded to V200R003C02SPC080, but V100R001C03SPC010
cannot be upgraded to V200R003C02SPC070.
l Unless otherwise stated, basic functions of previous versions are inherited in the latest version, although
supported boards vary with versions.
5.2 Versions Running on the OMUa/SAUa/OMUb/SAUb
5.2.1 V100R001C03SPC010 to V100R001C03SPC020

The following functions are supported:
l Enable or disable remote login for the root user.
l Enhance the password complexity policy, which enables the root user to set password
complexity policies.
l Allow the root user to uniformly set password expiration date.
l Lock user accounts at multiple unsuccessful login attempts.
l Add the setfacl package to allow users to set the access permission on files.
l Provide the su command so that login users can be switched.
l Add the SSH login and logout logs to enhance the log auditing function. The logs
include user name, login time, and source IP address.
5.2.2 V100R001C03SPC020 to V100R001C03SPC030

l Provide the create-cracklib-dict command to allow users to update the weak password
dictionary.
5.3 Versions Running on the OMUc/SAUc
5.3.1 V200R003C02SPC030 to V200R003C02SPC060

l Delete the modules for commissioning to minimize security risks. The deleted modules
are ltp, livegdb, lmbench, and livepatch.
5.3.2 V200R003C02SPC060 to V200R003C02SPC070

l Upgrade the kernel version from Linux-2.6.16.60-0.68.1 to Linux-2.6.16.60-0.87.1.
5.4 Versions Running on the OMUa/SAUa/OMUb/SAUb/

OMUc/SAUc
5.4.1 V200R003C02SPC070 to V200R003C02SPC080


SingleRAN
l Support the OMUa, SAUa, OMUb, SAUb, OMUc, and SAUc.

l Upgrade the kernel version to Linux-2.6.16.60-0.87.1, which enhances operating system
security.
l Enhance operating system security by providing default security settings, such as
password complexity policies.
l Upgrade the version of OpenSSH to OpenSSH 5.2, enhancing the network security.
l Disable unnecessary IPv6 modules to minimize security risks posed by these modules.
l The portmap service is disabled by default. Therefore, port 111 used by the portmap
service is also disabled by default.
5.4.2 V200R003C02SPC080 to V200R003C02SPC090

l Update the kernel version to Linux-2.6.16.60-0.99.1 to eliminate system loopholes
scanned out by the NMap, Nessus, and Retina and harden the operating system security.
l Count the start time of password validity period from the system installation time. If the
password is changed, the period is counted since the change time. The default password
validity period is changed from 30 days to 90 days.
l Add a prompt message when the account is locked.
l Add the lgnusr user for remote login. You cannot remotely log in to the system as a root
user by default, but you can remotely log in to the system as an lgnusr user and then
switch to the root user. In this way, the user management security of the operating system
is enhanced.
5.4.3 V200R003C02SPC090 to V200R003C08

l Rectify the defect that common users cannot modify the OS time zones.
l Rectify the defect that Ext3 file system is occasionally read-only.
l Rectify the defect that a message indicating expired password is displayed after a USB
flash disk is used to restore the OS.
l Rectify the defect that the MySQL service fails to start after a USB flash disk is used to
restore the OS after an upgrade.
l Forbid the upgrade from a later version to an earlier version.
l Rectify the OpenSSL security issue (CVE-2013-0166).
l Forbid the cmdline parameter (init=/bin/bash) parsing in the kernel.
5.4.4 V200R003C08 to V200R003C08SPC080

l Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr,
aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
l Change the account encryption algorithm to the secure algorithm SHA512. In addition,
the old passwords of the root user are verified before they are changed.
l Add the one-click recovery function by upgrading the GRUB to GRUB 2. After GRUB
is upgraded to GRUB 2, SHA512 is used to encrypt GRUB passwords, and GRUB
password complexity check is added.
l Upgrade OpenSSL to 0.9.8y, which rectifies the OpenSSL security issues
CVE-2013-0169 and CVE-2013-0166.

SingleRAN
l Rectify the OpenSSH security issue CVE-2012-0814 and fix the plaintext vulnerability
in the CBC mode (vulnerability ID: CVE-2008-5161).
l Rectify the libsasl2 security issue CVE-2013-4122.
l Rectify the color change issue when a common user switches from the su user to the
root user.
l Rectify the incorrect failed log statistics issue.
l Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0221,
CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, and
CVE-2014-0076.
l Add SFTP logging.
l Support logging CLI operations.
5.4.5 V200R003C08SPC080 to V200R003C08SPC100

l Upgrade the kernel from 2.6.16.60-0.99.1 to 2.6.16.60-0.105.1-bigsmp, and fix security
issues and bugs.
l Upgrade glibc from 2.4-31.91.1 to 2.4-31.109.1, and fix security issues and bugs.
l Support PAM configuration for the su command.
l New smartctl command.
l Set AllowTcpForwarding to no in the /etc/ssh/sshd_config file to fix CVE-2004-1653
and harden security.
5.4.6 V200R003C08SPC100 to V200R003C08SPC120

l Increase the length of ssh_host_rsa_key.pub and ssh_host_rsa_key to 2048.
l Rectify top command not support -b -n 1 parameter.
l Rectify bash vulnerabilities, six in total (HUAWEI vulnerability ID:
HWPSIRT-2014-0951): CVE-2014-6271, CVE-2014-7169, CVE-2014-6277,
CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187.
l Rectify OpenSSL vulnerabilities, nine in total (HUAWEI vulnerability ID:
CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512,
and CVE-2014-5139.
5.4.7 V200R003C08SPC120 to V200R003C08SPC130

l Rectify the defect that the working link mode of the network adapter is restored to the
original configuration after the OMUc operating system is upgraded.
5.4.8 V200R003C08SPC130 to V200R003C08SPC150

l Upgrade wget and rectify the vulnerability CVE-2014-4877.
l Add the iostat command.
l Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3566
(HUAWEI vulnerability ID: HWPSIRT-2014-1041), CVE-2014-3567, and
CVE-2014-3568.
l Rectify the OpenSSH vulnerability CVE-2014-2653.

SingleRAN
l If attackers use the -p option in the useradd, usermod, groupadd, and groupmod
commands, they are able to find ways to bypass the password complexity check.
Therefore, to prevent attacks, the -p option is no longer supported.
5.4.9 V200R003C08SPC150 to V200R003C08SPC170

l Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,
CVE-2014-3572, CVE-2014-8275, and CVE-2015-0204.
l Rectify the glibc vulnerability CVE-2015-0235 (HUAWEI vulnerability ID:
HWPSIRT-2015-01045).
l Rectify the failure in connecting to the network during an OS upgrade because the board
was not reset after the OS upgrade from Doprax86V100R001C03.
5.4.10 V200R003C08SPC170 to V200R003C08SPC190

l Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the
HMAC-SHA1 and HAMC-SHA2 algorithms are supported. In this case, the PuTTY
client does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, the
PuTTY must be upgraded to the 0.64 or a later version. Otherwise, board logins will fail.
l Upgrade OpenSSL to 0.98zf to rectify the latest vulnerabilities (CVE-2015-0209,
CVE-2015-0293).
l Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817,
and CVE-2014-9402.
l Reinforce security hardening. If no operation is performed in 30 minutes, the SFTP
service times out and exit. The SSH service does not support the arcfour128/256
algorithm.
5.4.11 V200R003C08SPC190 to V200R003C08SPC230

l Rectify OpenSSL vulnerabilities of June: CVE-2015-1788, CVE-2015-1789,
CVE-2015-4000.
l Rectify OpenSSH vulnerabilities of September: CVE-2015-6564, CVE-2015-5600,
CVE-2015-5352, and CVE-2015-6563.
l OMUa/c integrates the latest kernel upgrade package of suse10sp4 to upgrade the kernel
version to 2.6.16.60-0.132.1.
l Delete the unnecessary password file passwde in the /etc directory.
l Rectify the latest coreutils vulnerability CVE-2014-9471.
5.4.12 V200R003C08SPC230 to V200R003C08SPC260

l Rectify the menu.lst permission security issue. Change the permission from 644 to 600.
l Rectify the problem that permissions are different from SUSE file permissions.
/var/spool/cron/ Change the permission from 755 to 700.
/etc/security/opasswd Change the permission from 644 to 600.
l Rectify the PAM1.0.4 opasswd issue. During changing the password, save the ciphertext
that is encrypted using SHA512 in the opasswd file.

SingleRAN
l Rectify the grub2 vulnerability (CVE-2015-8370).

l Upgrade the OpenSSL version to 0.98zh and rectify the vulnerability (CVE-2015-3195).
l Rectify the OpenSSH vulnerabilities (CVE-2016-0777 and CVE-2016-0778).
l Delete gpasswd, which is an insecure command.
l Rectify the problems of occasional login failures and repeated authentication of the
known_hosts key that are brought by the installation of patches on OpenSSH.
l Rectify the problem that remote execution using SSH is not logged.
l When the root user changes the passwords of common users, the encrypted text will be
recorded into /etc/security/opasswd.
5.4.13 V200R003C08SPC260 to V200R003C08SPC290

l Add the function of secure packet capture and provide the stcpdump command.
l Rectify the OpenSSL vulnerabilities (CVE-2016-0800, CVE-2016-0797, and
CVE-2016-0799).
5.4.14 V200R003C08SPC290 to V200R003C08SPC310

l Rectify the OpenSSH vulnerability (CVE-2016-3115).
l Delete unsafe assembly OProfile.
5.4.15 V200R003C08SPC310 to V200R003C08SPC330

l Delete insecure commands (gdb, hexdump, and syslogbuf).
l Delete the insecure encryption algorithm DSA key from sshd_config.
l Harden configuration options in sshd_config by setting UsePrivilegeSeparation to yes
and AllowAgentForwarding to no.
l In sshd_config, configure the Diffie-Hellman algorithms in use. Disable diffie-hellman-
group14-sha1 and diffie-hellman-group1-sha1. The PuTTY must be upgraded to the 0.65
or a later version. Otherwise, board logins may fail.
l Enable the kernel security option CONFIG_DEBUG_RODATA.
5.4.16 V200R003C08SPC330 to V200R003C08SPC360

l Upgrade OpenSSH to 7.1p1. SSH connection through the DSA key is not supported.
Only RSA keys are supported. Add curve25519-sha256@libssh.org to the default value
of configuration item KexAlgorithms. Rectify the latest vulnerabilities (CVE-2016-1907,
CVE-2016-6515, CVE-2016-0777, CVE-2016-0778, CVE-2016-3115, CVE-2016-6210
and CVE-2016-8858). The PuTTY must be upgraded to the 0.65 or a later version. The
FileZilla must be upgraded to 3.13.0 or a later version. Otherwise, board logins may fail.
l Upgrade OpenSSL to 1.0.2j and rectify the latest vulnerabilities (CVE-2016-2177,
and CVE-2016-7052).
l Delete unnecessary packages openslp, wget, and nis and unnecessary files kdumptool,
libcurl.so.4.1.0, libssh2.so.1.0.0, libldap-2.4.so.2, liblber-2.4.so.2, mcelog,
libesmftp.so.5.1.5, and pam_userdb.so.
l Rectify the kernel vulnerability (CVE-2016-5195).

SingleRAN
l Rectify the fault that N+1 historical passwords are recorded when remember is set to N
in /etc/pam.d/common-password.
l Vulnerability CVE-2016-1907 will be falsely reported in vulnerability scan using
Nessus.
5.4.17 V200R003C08SPC360 to V200R003C08SPC390

l Rectify the latest OpenSSH vulnerabilities (CVE-2016-10009, CVE-2016-10010,
CVE-2016-10011 and CVE-2016-10012).
l Upgrade OpenSSL to 1.0.2k and rectify the latest vulnerabilities (CVE-2016-10009,
CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012).
l Change the home directory of the nobody user from empty to /var/lib/nobody, and set the
permission to 750.
l Delete unnecessary file libbz2.a.
l /etc/skel/.bashrc and /etc/skel/.profile, change the permission from 755 to 644
l /var/log/dlinstall.log, /var/log/dlrecover.log, /var/log/dlupgrade.log, /var/log/
pcfg.log, /var/log/pscript.log and /dm.log, change the permission from 644 to 640.
l In /etc/profile, add configration "ulimit -u 5000".
l In /etc/pam.d/login, add configration "session required pam_loginuid.so".
l Vulnerability CVE-2006-1527, CVE-2007-2876, CVE-2016-10009, CVE-2016-10010,
CVE-2016-10011 and CVE-2016-10012 will be falsely reported in vulnerability scan
using Nessus.
5.5 Versions Running on the EOMUa/ESAUa
5.5.1 RTOS-V100R001C00 to RTOS-V100R001C00SPC030

l Support the NIS to centrally manage accounts and harden password security.
5.5.2 RTOS-V100R001C00SPC030 to RTOS-V100R001C00SPC050

l Fix security vulnerabilities of libxml2, libsnmp, and bash (vulnerability IDs:
CVE-2012-2807, CVE-2012-2141, and CVE-2012-3410).
l Count the start time of password validity period from the system installation time. If the
password is changed, the period is counted since the change time. The default password
validity period is changed from 30 days to 90 days.

l Enhance the self-healing mechanism of the file system.

l Rectify three high-risk vulnerabilities (CVE-2011-0997, CVE-2010-0405, and
CVE-2006-5276) and three medium-risk vulnerabilities (CVE-2008-7270,
CVE-2008-5077, and CVE-2009-0021) in the Retina scan result.
l Add the support of the U_creator tool for a 16 GB large-capacity USB flash drive.

SingleRAN
l Disable the remote login of user root by default. Add user lgnusr for remote login. After
a successful login of user lgnusr, it can be switched to user root, thereby enhancing the
security of user management.

l Upgrade the kernel version from 2.6.32.54-0.3 to 2.6.32.59-0.7 to enhance operating
system security.
l Fix the defect so that the operating system does not display the message that the number
of password retries exceeds the upper limit after the boards are restarted.

l Rectify the priority inversion issue and incorporate the open-source kernel patch: http://
git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?
id=da7a735e51f9622eb3e1672594d4a41da01d7e4f.
l Rectify the OpenSSH security issue (CVE-2010-5107): The OpenSSH LoginGracetime
setting leads to SSH service denial.
l Forbid the upgrade from a later version to an earlier version.
l Incorporate three precaution issues:
– Precaution Notice [2013-001] – Memory Corruption May Occur When the Bus
Master Is not Disabled When the PCI Device Is Stopped
– Precaution Notice [2013-002] – Deadlock May Occur Due to the Migration of
CPUs that Run Real-time Tasks
– Precaution Notice [2013-004] – System Breakdown May Occur Due to the Core
Dump on the Multi-thread Process Using the FPU

l Change the cipher algorithms for SSH services to secure ones, such as aes128-ctr,
aes192-ctr, aes256-ctr, arcfour256, and arcfour128.
l Add the function of password verification for the root user.
l Change the account encryption algorithm to the secure algorithm SHA512. Add the one-
click recovery function by upgrading the GRUB to GRUB 2. After GRUB is upgraded to
GRUB 2, SHA512 is used to encrypt GRUB passwords, and GRUB password
complexity check is added.
l Rectify the libxml2 security issue CVE-2013-2877.
l Rectify the incorrect failed log statistics issue.
l Add SFTP logging support.
l Rectify OpenSSL security vulnerabilities, including CVE-2014-0224, CVE-2014-0221,
CVE-2014-0076.
l Remove NIS service support.
l Fix the plaintext vulnerability in the CBC mode (vulnerability ID: CVE-2008-5161).
l Support logging CLI operations.

SingleRAN

l Upgrade the kernel from 2.6.32.59-0.7 to 2.6.32.59-0.9, and fix security issues and bugs.
l Upgrade glibc from 2.11.1-0.34.1 to 2.11.1-0.50.1, and fix security issues and bugs.
l New smartctl command.
l Set AllowTcpForwarding to no in the /etc/ssh/sshd_config file to fix CVE-2004-1653
and harden security.

l Increase the length of ssh_host_rsa_key.pub and ssh_host_rsa_key to 2048.
l Rectify top command not support -b -n 1 parameter.
l Rectify bash vulnerabilities, six in total (HUAWEI vulnerability ID:
CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187.
l Rectify OpenSSL vulnerabilities, nine in total (HUAWEI vulnerability ID:
and CVE-2014-5139.
l Add support U disk to copy files from the file name containing the Chinese to the
system.

l Upgrade wget and rectify the vulnerability CVE-2014-4877.
l Add the iostat command.
l Rectify OpenSSL vulnerabilities, four in total: CVE-2014-3513, CVE-2014-3566
(HUAWEI vulnerability ID: HWPSIRT-2014-1041), CVE-2014-3567, and
CVE-2014-3568.
l Rectify OpenSSH the vulnerabilityCVE-2014-2653.
l If attackers use the -p option in the useradd and groupadd commands, they are able to
find ways to bypass the password complexity check. Therefore, to prevent attacks, the -p
option is no longer supported.

l Rectify OpenSSL vulnerabilities CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,
CVE-2014-3572, CVE-2014-8275, and CVE-2015-0204.
l Rectify the glibc vulnerability CVE-2015-0235 (HUAWEI vulnerability ID:
HWPSIRT-2015-01045).

l Enhance hungtask maintenance and testing.
l Upgrade OpenSSH to 6.2p2 to support the HMAC-SHA2-256 algorithm. By default, the
HMAC-SHA1 and HAMC-SHA2 algorithms are supported. In this case, the PuTTY
client does not need to be upgraded. When only the HMAC-SHA2 algorithm is used, the
PuTTY must be upgraded to the 0.64 or a later version. Otherwise, board logins will fail.

SingleRAN
l Upgrade OpenSSL to 0.98zf to rectify the latest vulnerabilities (CVE-2015-0209,

CVE-2015-0293).
l Rectify the kernel vulnerability CVE-2015-1593.
l Upgrade the kernel patch to 2.6.32.59-0.19 to rectify the latest vulnerabilities
(CVE-2012-6657, CVE-2013-7263, CVE-2014-0181, CVE-2014-9420,
CVE-2014-9584, and CVE-2014-9585).
l Rectify the glibc vulnerabilities CVE-2015-1472, CVE-2013-7423, CVE-2014-7817,
and CVE-2014-9402.
l Reinforce security hardening. If no operation is performed in 30 minutes, the SFTP
service times out and exit. The SSH service does not support the arcfour128/256
algorithm.

l Rectify OpenSSL vulnerabilities of June: CVE-2015-1788, CVE-2015-1789,
CVE-2015-4000.
l Rectify OpenSSH vulnerabilities of September: CVE-2015-6564, CVE-2015-5600,
CVE-2015-5352, and CVE-2015-6563.
l Delete the unnecessary password file passwde in the /etc directory.
l Rectify the latest coreutils vulnerability CVE-2014-9471.
l On OMUd, the functions of the rtos_config command are enhanced by adding the
function of printing operation results.

l Rectify the menu.lst permission security issue. Change the permission from 644 to 600.
l Rectify the problem that permissions are different from SUSE file permissions.
/var/spool/cron/ Change the permission from 755 to 700.
/etc/security/opasswd Change the permission from 644 to 600.
l Rectify the PAM1.0.4 opasswd issue. During changing the password, save the ciphertext
that is encrypted using SHA512 in the opasswd file.
l Rectify the grub2 vulnerability (CVE-2015-8370).
l Upgrade the OpenSSL version to 0.98zh and rectify the vulnerability (CVE-2015-3195).
l Rectify the OpenSSH vulnerabilities (CVE-2016-0777 and CVE-2016-0778).
l Delete gpasswd, which is an insecure command.
l Rectify the problems of occasional login failures and repeated authentication of the
known_hosts key that are brought by the installation of patches on OpenSSH.
l Rectify the problem that remote execution using SSH is not logged.
l When the root user changes the passwords of common users, the encrypted text will be
recorded into /etc/security/opasswd.

l Add the function of secure packet capture and provide the stcpdump command.
l Rectify the OpenSSL vulnerabilities (CVE-2016-0800, CVE-2016-0797, and
CVE-2016-0799).

SingleRAN
l Add support for the lastlog function (displaying information about the previous login
upon login).
l Rectify the glibc vulnerability (CVE-2015-7547).
l Add the nice command, rectifying the problem of log dump failure that is caused by the
lack of the nice command.
l Rectified the defect that alarms cannot be correctly reported when the internal network
adapter encounters packet errors.

l Rectify the OpenSSH vulnerability (CVE-2016-3115).

l Delete the insecure command, syslogbuf.
l Fix the vulnerabilities in coreutils (CVE-2013-0221, CVE-2013-0222, and
CVE-2013-0223).
l Delete the insecure encryption algorithm DSA key from sshd_config.
l Harden configuration options in sshd_config by setting UsePrivilegeSeparation to yes
and AllowAgentForwarding to no.
l In sshd_config, configure the Diffie-Hellman algorithms in use. Disable diffie-hellman-
group14-sha1 and diffie-hellman-group1-sha1. The PuTTY must be upgraded to the 0.65
or a later version. Otherwise, board logins may fail.
l Enable the kernel security option CONFIG_STRICT_DEVMEM.

l Upgrade OpenSSH to 7.1p1. SSH connection through the DSA key is not supported.
Only RSA keys are supported. Add curve25519-sha256@libssh.org to the default value
of configuration item KexAlgorithms. Rectify the latest vulnerabilities (CVE-2016-1907,
and CVE-2016-8858). The PuTTY must be upgraded to the 0.65 or a later version. The
FileZilla must be upgraded to 3.13.0 or a later version. Otherwise, board logins may fail.
l Upgrade OpenSSL to 1.0.2j and rectify the latest vulnerabilities (CVE-2016-2177,
and CVE-2016-7052).
l Delete unnecessary packages openslp, wget, and nis and unnecessary files kdumptool,
libcurl.so.4.1.0, libssh2.so.1.0.0, libldap-2.4.so.2, liblber-2.4.so.2, mcelog,
libesmftp.so.5.1.5, and pam_userdb.so.
l Rectify vulnerabilities (CVE-2015-8710 and CVE-2014-3660) of the libxml2 package,
vulnerability (CVE-2014-8118) of the popt package, vulnerabilities (CVE-2014-3710
and CVE-2014-2270) of the file package, vulnerabilities (CVE-2013-4238,
CVE-2014-1912, CVE-2013-1752, and CVE-2014-4650) of the python package, and
kernel vulnerabilities (CVE-2015-5364, CVE-2013-2206, and CVE-2016-5195).
l Rectify the fault that N+1 historical passwords are recorded when remember is set to N
in /etc/pam.d/common-password.
l Vulnerability CVE-2016-1907 will be falsely reported in vulnerability scan using
Nessus.

SingleRAN

l Rectify the latest OpenSSH vulnerabilities (CVE-2016-10009, CVE-2016-10010,
CVE-2016-10011 and CVE-2016-10012).
l Upgrade OpenSSL to 1.0.2k and rectify the latest vulnerabilities (CVE-2016-10009,
CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012).
l Change the home directory of the nobody user from empty to /var/lib/nobody, and set the
permission to 750.
l Delete unnecessary files libbz2.a and libpcap.so.1.1.1.
l /etc/skel/.bashrc and /etc/skel/.profile, change the permission from 755 to 644
l /var/log/dlinstall.log, /var/log/dlrecover.log, /var/log/dlupgrade.log, /var/log/
pcfg.log, /var/log/pscript.log and /dm.log, change the permission from 644 to 640.
l Rectify the kernel vulnerability (CVE-2016-8655).
l In /etc/profile, add configration "ulimit -u 5000".
l In /etc/pam.d/login, delete configration "session optional pam_mail.so standard".
l Vulnerability CVE-2006-1527, CVE-2007-2876, CVE-2016-10009, CVE-2016-10010,
CVE-2016-10011 and CVE-2016-10012 will be falsely reported in vulnerability scan
using Nessus.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 6 Parameters
6 Parameters
There are no specific parameters associated with this feature.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 7 Counters
7 Counters
There are no specific counters associated with this feature.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 8 Glossary
8 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.

SingleRAN
Dopra Linux OS Security Feature Parameter Description 9 Reference Documents
9 Reference Documents
1. Equipment Security Feature Parameter Description

2. OMU Administration Guide
3. Guide to Dopra Linux Operating System Remote Patch Upgrade


Dopra Linux OS Security (SingleRAN - 20)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dopra Linux OS Security (SingleRAN - 20)

Uploaded by

Copyright:

Available Formats

SingleRAN

Dopra Linux OS Security Feature

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 20 (2017-02-22) Huawei Proprietary and Confidential i

2 Dopra Linux Security Description........................................................................................... 10

3 Dopra Linux Security Features................................................................................................. 13

Issue 20 (2017-02-22) Huawei Proprietary and Confidential ii

3.5.1 Product Development Security.................................................................................................................................. 29

4 Base Station Applications.......................................................................................................... 35

Issue 20 (2017-02-22) Huawei Proprietary and Confidential iii

5.5.4 RTOS-V100R001C00SPC060 to RTOS-V100R001C00SPC070............................................................................. 43

Issue 20 (2017-02-22) Huawei Proprietary and Confidential iv

1.2 Intended Audience

1.3 Change History

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 1

Change Type Description Paramet

Feature change Added 5.4.17 V200R003C08SPC360 to None

Change Type Description Paramet

Feature change 3.3.6 Security Policies Related to SSH: Configuration None

Change Type Description Parameter Change

Feature change Added 5.4.15 V200R003C08SPC310 to None

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 2

Change Type Description Parameter Change

Feature change Added 5.4.14 V200R003C08SPC290 to None

Change Type Description Parameter Change

Feature change Added 5.4.13 V200R003C08SPC260 to None

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 3

Change Type Description Parameter Change

Editorial change 5.4.12 V200R003C08SPC230 to None

Change Type Description Parameter Change

Feature change Added 5.4.12 V200R003C08SPC230 to None

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 4

Change Type Description Parameter Change

Feature change Added 5.4.11 V200R003C08SPC190 to None

Change Type Description Parameter Change

Feature change Added 5.4.10 V200R003C08SPC170 to None

Editorial change 3.3.7 Operations Related to SSH: added None

Change Type Description Parameter Change

Feature change Added 5.4.9 V200R003C08SPC150 to None

Editorial change None None

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 5

Change Type Description Parameter Change

Feature change Added 5.4.8 V200R003C08SPC130 to None

Editorial change None None

Change Type Description Parameter Change

Feature change Added 5.4.7 V200R003C08SPC120 to None

Editorial change None None

Change Type Description Parameter Change

Feature change Added 5.4.6 V200R003C08SPC100 to None

Editorial change None None

Change Type Description Parameter Change

Feature change Added 5.4.5 V200R003C08SPC080 to None

Issue 20 (2017-02-22) Huawei Proprietary and Confidential 6

Change Type Description Parameter Change

Editorial change None None

Change Type Description Parameter Change

Feature change None None

Editorial change Added descriptions of base stations using None

Change Type Description Parameter Change

Feature change Added 3.6.3 Guidelines on Configuring None

Editorial change None None