Issue 06
Date 2016-12-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
2 Overview
2.1 Introduction
2.1.1 Security Threats
2.1.2 Security Policies
2.2 Security Techniques
2.2.1 Security Solution at the Management Layer
2.2.2 Security Solution at the System Layer
2.2.2.1 Security Architecture at the System Layer
2.2.2.2 Identity Authentication
2.2.2.3 Security Protocols
2.2.2.4 Discretionary Access Control
2.2.2.5 Mandatory Access Control
2.2.2.6 Memory Object Reuse
2.2.2.7 Host Firewall
2.2.3 Security Solution at the Network Layer
2.3 Benefits
3 Security Features
3.1 Overview
3.2 OS Security Hardening Features
3.2.1 SSH Service Hardening
3.2.2 File Permissions
3.2.2.1 Setting File Permissions and Owners
3.2.2.2 Deleting Unowned Files
3.2.2.3 Setting the Umask Value for the Daemon Process
3.2.2.4 Deleting the Global Writable Attribute of Unauthorized Files
3.2.2.5 Limiting Operation Rights of at Commands
3.2.2.6 Limiting Operation Rights of cron Commands
3.2.2.7 Hardening the System Environment Variable PATH
6 Parameters
7 Counters
8 Glossary
9 Reference Documents
1.1 Scope
This document describes the security features and capabilities of the Euler Linux operating
system (OS). It instructs users to perform related security configurations and operations and
provides system maintenance and use suggestions.
NOTE
Currently, the Euler Linux OS applies to base station controllers and eCoordinator.
• Feature change
Changes in features of a specific product version
• Editorial change
Changes in wording or addition of information that was not described in the earlier
version
06 (2016-12-30)
The issue includes the following changes.
05 (2016-09-30)
The issue includes the following changes.
04 (2016-04-20)
The issue includes the following changes.
03 (2016-02-29)
The issue includes the following changes.
02 (2015-08-30)
The issue includes the following changes.
01 (2014-09-26)
This issue does not include any changes.
Draft A (2014-07-30)
This is a new document.
2 Overview
This section describes the security architecture and techniques of Euler Linux OS in
terms of the management, system, and network layers.
2.1 Introduction
This section describes security threats to the Euler Linux OS and the security policies and
processes used by the Euler Linux OS.
• Security techniques
Mainly refers to OS security, which is the major concern of product safety. Security
techniques cover the OS security layer, the network security layer for transmission and
communication, and the application security layer on top of the OS.
• Process management
Specifies the security management regulations and use processes.
• Personnel
Covers personnel security awareness and implementation-level security problems.
User roles must be specified and are mutually exclusive. Users can only get the account
matching their responsibilities. Accounts cannot be used interchangeably.
Audit events are classified into two types: successful and failed events. Successful events
indicate that users have performed operations successfully, and failed events indicate that
users attempted operations that failed. Failed events are helpful in tracking attempts to
attack the system. Successful events are much harder to analyze: most of them are normal
activity in the system, but an attacker who has already gained control of the system also
produces successful events. Therefore, the event type is as important as the sequence in
which events occur. For example, a success following a run of failures may mean that
someone has tried to attack the system and ultimately succeeded.
Under all conditions, the audit event should be combined with the associated users to perform
analysis. For example, if a user account is locked, the system can check whether the user tries
illegal logins during the locking period.
A user must be specified to check and audit logs, and only this user can perform this
operation. This ensures log security. In addition, the administrator should perform log check
and audit once a day and provide the check and audit result.
Patch Management
Patches are classified and the processes of using patches are recorded. Ensure that all
installation of patches is recorded in logs for future check.
System Backup
System backup is an important task and it is a last line of defense against disasters. Even if the
active service system is completely destroyed, services can be restored on another computer
by properly generating and protecting the backup.
There are many basic backup policies. However, when designing the backup environment,
bear in mind that backups are only worth making if they can actually be used when they are
needed:
1. Mirroring cannot replace backup. Mirroring can prevent hard disk failure, but it cannot
recover files that have been deleted or damaged. If a file is deleted from the mirroring, it
disappears from both the mirroring and the original location. Therefore, other measures
must be taken to retrieve the file. The most common method (not the only method) is to
restore data stored in the backup disk.
2. Periodically test the restorability. If the backup data cannot be restored, it will take a lot
of time to use other techniques to create a backup. Periodic restorability testing does not
require you to test each created backup. However, you need to periodically check the
status of each disk drive to ensure that the backup is readable. In addition, random
sampling test must be performed on backup data to ensure that backup data can be
correctly read and restored.
3. Keep the head clean. A backup may appear to complete successfully on a contaminated
magnetic head, while the data actually written to the tape is useless.
4. Note the mean time between failures (MTBF) of backup media. If the manufacturer
states that the effective service life of a medium is 1000 backups, use it for at most
1000 backups.
5. Back up important data twice. To ensure data security and service life, it is wise to
keep a remote backup as well.
Security Training
Security training should be provided for the target users on a regular basis so that users have
security awareness and use products in a security manner. In addition, security risk analysis
should be provided so that users can locate and rectify basic security faults.
security mechanisms are vulnerable to damage, bypass, and spoofing attacks. The security
mechanisms of upper-layer applications, such as access control and encryption, need to be
supported by the OS security mechanisms.
The Euler Linux OS provides the following security mechanisms:
• Identity authentication
• Security protocols
• Discretionary access control
• Mandatory access control
• File integrity check
• Security audit
• Memory object reuse
• Trusted path
These security mechanisms serve as the security basis for upper-layer applications.
Figure 1 shows the security architecture of the Euler Linux OS.
The security mechanisms in the security architecture of the Euler Linux OS are described as
follows:
• The security hardening tool provides convenient security configuration and management
and implements security hardening for system services, file permissions, kernel
parameters, log audit, and accounts and passwords of the Euler Linux OS.
• IDENT performs identity authentication.
• ACL implements fine-grained discretionary access control.
• Linux security module (LSM) is a security architecture for the kernel.
• CAP implements mandatory access control (MAC) on top of the LSM architecture.
• AUDIT performs security audit.
• MOR prohibits memory object reuse.
• Trusted path provides security keys to start the trusted login process.
• SP integrates the security protocols.
its rights to others. For example, user A, the owner of file A, can grant the read, write, and
execute permissions of file A to other users, and can take back these permissions at any time.
The Euler Linux OS uses the UGO and ACL mechanisms to implement DAC.
2.3 Benefits
With the rapid development of network applications, information systems face more and more
security threats, and a single security technique cannot protect a system on its own.
While ensuring product availability, the Euler Linux OS provides comprehensive protection
by using security techniques at the management layer, system layer, and network layer. This
reduces the likelihood of attack, ensures product security over the whole life cycle, protects
the interests of users, and reduces security risks.
The management layer provides guidance on the product use and management regulations,
ensures that the user can properly use products, and minimizes the impact of human factors on
security by implementing management regulations.
The system layer provides the following security mechanisms: identity authentication, security
protocols, fine-grained access control, MAC, file integrity check, security auditing, memory
object reuse, trusted path, and security hardening. By using these security mechanisms, the
system layer provides security support for upper-layer applications, ensures product security,
prevents network attacks such as Trojan horses and viruses, and keeps security risks
within a reasonable range. In addition, the Euler Linux OS regularly collects and backs
up system logs so that users can perform security audit.
The network layer uses security networking to ensure the security of the products on the
network.
3 Security Features
3.1 Overview
This section describes the purpose, scheme, and impacts of hardening the Euler Linux system.
NOTE
Implementation
Table 3-1 describes the current hardening policies of the Euler Linux system implemented on
the SSH service. All listed hardening items are in the SSH configuration file /etc/ssh/sshd_config.
Description
Linux treats every object as a file. Even a directory is a file that contains other files.
Therefore, the security of files and directories is essential to Linux. File and directory
security is maintained mainly through the owner and the permission bits.
By default, permissions and owners are set for common directories, executable files, and
configuration files in the system.
Implementation
Step 1 Modify the file permissions. Use the /bin directory as an example. By default, the permission
of the /bin directory is set to 755 as follows:
chmod 755 /bin
Step 2 Set the owner and group of the /bin directory to root:root as follows:
chown root:root /bin
----End
Description
When a system administrator deletes a user, the administrator may forget to delete the files
owned by this user. In this case, if a new user has the same name as the deleted user, the new
user will own files that do not belong to the new user. Therefore, you are advised to delete
these files.
Implementation
Step 1 Run the find / -nouser command to find out files owned by users whose IDs do not exist and
then delete these files.
Step 2 Run the find / -nogroup command to find out files owned by groups whose IDs do not exist
and then delete these files.
----End
Description
The umask value sets the default permissions for new files and directories. If you do
not set the umask value, newly created files can be globally writable, which poses a risk.
A daemon process provides a service and lets the system accept requests from users or
network clients. To protect files and directories created by a daemon process, set its
umask value to 027. The umask value specifies the permission bits that are masked off, that
is, the complement of the permissions granted. For the values of umask and the calculation of
permissions, see 3.3.3 Meanings of Umask Values.
Implementation
Add the following to the configuration file /etc/rc.status: umask 027.
Description
Global writable files can be modified by any user, which affects the system integrity.
Implementation
Step 1 Run the following commands to display all the global writable files:
find / -type d \( -perm -o+w \) | grep -v proc
find / -type f \( -perm -o+w \) | grep -v proc
Step 2 Check all files listed in step 1 (excluding files and directories that have the sticky bit)
and either delete them or remove their global writable attribute. You can run the following
command to remove the global writable attribute:
chmod o-w <filename>
----End
Description
The at commands are used to create tasks that are automatically executed at a specified time.
To prevent users from arbitrarily running the at commands, which makes the system
vulnerable to attacks, you need to specify users who can use the at commands.
Implementation
Step 1 Delete the /etc/at.deny file.
Step 2 Create the /etc/at.allow file and write root by running the following command:
echo "root" >> /etc/at.allow
Step 3 Modify the permissions for the /etc/at.allow file to 400 (read-only) by running the following
command:
chmod 400 /etc/at.allow
Step 4 Modify the file owner of the at.allow file to root:root by running the following command:
chown root:root /etc/at.allow
----End
Description
The cron commands are used to create routine tasks. To prevent users from arbitrarily running
the cron commands, which makes the system vulnerable to attacks, you need to specify users
who can use the cron commands.
Implementation
Step 1 Delete the /etc/cron.deny file.
Step 2 Create the /etc/cron.allow file and write root by running the following command:
echo "root" >> /etc/cron.allow
Step 3 Modify the permissions for the /etc/cron.allow file to 400 (read-only) by running the
following command:
chmod 400 /etc/cron.allow
Step 4 Modify the file owner of the cron.allow file to root:root by running the following command:
chown root:root /etc/cron.allow
----End
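To verify that the at and cron procedures above have actually been applied, the following check (an added example, not part of the Euler Linux document) tests one deny/allow pair for the documented end state. The file paths and the expected owner are parameters so that it can be run unprivileged against a constructed sample directory instead of /etc; stat -c is the GNU stat shipped on Euler Linux.

```shell
#!/bin/bash
# Added example, not part of the Euler Linux document. Verifies that an at or cron
# access-control pair is in the state the procedure above produces: deny file removed,
# allow file present and listing only root, mode 400, expected owner. Paths and the
# expected owner are parameters so the check can run unprivileged against a constructed
# sample directory instead of /etc. Uses GNU stat as shipped on Euler Linux.
check_allow_pair() {
    local deny="$1" allow="$2" owner="${3:-root:root}" rc=0 listed mode
    if [ -e "$deny" ]; then
        echo "FAIL: $deny still exists; delete it so only the allow list decides"; rc=1
    fi
    if [ ! -f "$allow" ]; then
        echo "FAIL: $allow is missing"; return 1
    fi
    # Ignore blank lines; anything other than exactly "root" is a finding.
    listed=$(grep -v '^[[:space:]]*$' "$allow" | sort -u | tr '\n' ',')
    if [ "$listed" != "root," ]; then
        echo "FAIL: $allow lists '$listed' instead of only root"; rc=1
    fi
    mode=$(stat -c '%a' "$allow")
    if [ "$mode" != "400" ]; then
        echo "FAIL: $allow mode is $mode, expected 400"; rc=1
    fi
    if [ "$(stat -c '%U:%G' "$allow")" != "$owner" ]; then
        echo "FAIL: $allow owner is $(stat -c '%U:%G' "$allow"), expected $owner"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $allow is hardened"; fi
    return "$rc"
}

# Constructed sample directory in the hardened state; prints its path.
make_hardened_sample() {
    local d
    d=$(mktemp -d) || return 1
    echo root > "$d/cron.allow"
    chmod 400 "$d/cron.allow"
    printf '%s\n' "$d"
}

# Run the check on the sample, then show how a reintroduced deny file is reported.
sample=$(make_hardened_sample)
check_allow_pair "$sample/cron.deny" "$sample/cron.allow" "$(id -un):$(id -gn)"
: > "$sample/cron.deny"
check_allow_pair "$sample/cron.deny" "$sample/cron.allow" "$(id -un):$(id -gn)" || true
rm -rf "$sample"
```

On a real system, call it as check_allow_pair /etc/cron.deny /etc/cron.allow and again for /etc/at.deny and /etc/at.allow.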
Description
It is recommended that system paths precede user paths. In this way, a program in a system
path takes precedence over a program of the same name in a user path. Arrange the system
paths in the following order ahead of the user paths:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
<All other paths>
Similarly, relative paths are not allowed in the PATH variable. Therefore, delete entries
beginning with "." and remove any redundant leading or trailing ":" (an empty entry also
stands for the current directory). The changes take effect upon the next login.
Implementation
Step 1 Check the system environment variables by running the following command:
echo $PATH
Step 2 Modify the sequence of the paths in the system environment variable.
Modify the sequence according to the instructions above. For example, you can write the
following at the end of the /etc/profile file:
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:<all other paths>
Step 3 Delete the relative paths from the system environment variable. Relative paths start
with "." or "./".
----End
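The rewrite described in the three steps above, as an added example that is not part of the Euler Linux document: harden_path rebuilds a PATH value with the six system directories first, in the documented order, followed by the remaining absolute entries, and path_problems lists what was dropped and why. The sample PATH value is constructed, not read from a real system.

```shell
#!/bin/bash
# Added example, not part of the Euler Linux document.
# harden_path rebuilds a PATH value as the procedure above prescribes: the six system
# directories first, in the documented order, then the remaining absolute entries in
# their original order without duplicates. Empty entries (a leading, trailing or
# doubled ":" stands for the current directory), "." and every other relative entry
# are dropped.
harden_path() {
    local input="$1" entry others=""
    local system_paths="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
    local IFS=':'
    for entry in $input; do
        # Normalise a trailing slash (the document's own example writes "/sbin/").
        if [ "${#entry}" -gt 1 ]; then entry="${entry%/}"; fi
        case "$entry" in
            ''|[!/]*) continue ;;            # empty or relative: dropped
        esac
        case ":$system_paths:" in
            *":$entry:"*) continue ;;        # system path: emitted first anyway
        esac
        case ":$others:" in
            *":$entry:"*) continue ;;        # duplicate: keep the first occurrence
        esac
        others="$others:$entry"
    done
    printf '%s\n' "$system_paths$others"
}

# path_problems lists the entries harden_path would drop, with the reason, so the
# finding can be recorded before the variable is rewritten.
path_problems() {
    local entry
    local IFS=':'
    for entry in $1; do
        case "$entry" in
            '')    echo "empty entry: resolves to the current directory" ;;
            [!/]*) echo "relative entry: $entry" ;;
        esac
    done
}

# Constructed sample value (not read from a real system).
SAMPLE_PATH='.:/usr/local/bin::/opt/app/bin:/bin:./tools:/opt/app/bin:'
echo "problems found in the sample PATH:"
path_problems "$SAMPLE_PATH"
echo "hardened PATH: $(harden_path "$SAMPLE_PATH")"
```

To audit a live shell, pass "$PATH" to path_problems; the harden_path output is what the export line in /etc/profile should contain.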
Description
The purpose of this policy is to restrict usage of dev device files in data partitions to prevent
unauthorized users from mounting dev devices from data partitions. This can help reduce the
possibility of system attacks.
Implementation
1. Open the /etc/fstab file.
vim /etc/fstab
2. Modify the mounting mode for the ext2/ext3/reiserfs file system partition (except the
root partition) by adding the nodev attribute.
NOTE
This hardening policy applies only to the unified storage. For the massive storage, the nodev
attribute only needs to be added for the /var directory.
Description
A user can delete or modify files and directories in the globally writable directories. To ensure
that the files and directories in the globally writable directories are not deleted arbitrarily, you
need to add the sticky bit property for the globally writable directories.
Implementation
Step 1 Search for globally writable directories by running the following command:
find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc
Step 2 Add the sticky bit property for the globally writable directories by running the following
command:
chmod +t $dirname
----End
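The global writable attribute procedure and the sticky bit procedure above are two findings from the same scan. The following script (an added example, not part of the Euler Linux document) audits a directory tree for both, applies the documented remediation, and exercises it on a constructed sample tree rather than on /.

```shell
#!/bin/bash
# Added example, not part of the Euler Linux document. Audits a directory tree for the
# two findings the procedures above address (world-writable files; world-writable
# directories without the sticky bit) and applies the documented remediation. The tree
# to scan is a parameter so it can be exercised on a constructed sample instead of /.

# Regular files writable by "others"; /proc is skipped as in the document's commands.
world_writable_files() {
    find "$1" -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null | sort
}

# Directories writable by "others" that lack the sticky bit (permission bit 1000).
# Shared directories such as /tmp are expected to stay world-writable: the sticky bit
# is what stops one user from deleting another user's files there.
world_writable_dirs_no_sticky() {
    find "$1" -path /proc -prune -o -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Remediation as documented: files lose the o+w bit, directories gain the sticky bit.
remediate() {
    world_writable_files "$1" | while IFS= read -r f; do chmod o-w "$f"; done
    world_writable_dirs_no_sticky "$1" | while IFS= read -r d; do chmod +t "$d"; done
}

# Constructed sample tree: one bad directory, one already-correct shared directory,
# one world-writable file and one correctly permissioned file.
make_sample_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -m 0777 "$root/shared_nosticky"
    mkdir -m 1777 "$root/shared_sticky"
    mkdir -m 0755 "$root/private"
    : > "$root/shared_nosticky/loose.conf"; chmod 0666 "$root/shared_nosticky/loose.conf"
    : > "$root/private/ok.conf";            chmod 0644 "$root/private/ok.conf"
    printf '%s\n' "$root"
}

demo() {
    local root
    root=$(make_sample_tree)
    echo "before:"; world_writable_files "$root"; world_writable_dirs_no_sticky "$root"
    remediate "$root"
    echo "after (should be empty):"; world_writable_files "$root"; world_writable_dirs_no_sticky "$root"
    rm -rf "$root"
}
demo
```

Review the list before calling remediate on a real system: a file that a service legitimately needs world-writable should be fixed by changing the service, not by leaving the bit set.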
Description
Kernel parameters specify the kernel configuration and application permissions. The kernel
exposes configurable system controls that can be tuned, and tuning these controllable kernel
parameters improves OS security. For example, adjusting the network options hardens the
system against network attacks.
Implementation
Step 1 Write the hardening items in Table 3-2 to the /etc/sysctl.conf file.
NOTE
kernel.panic indicates the waiting time (measured by seconds) needed before the kernel boots again
after the kernel panic occurs. In the release version of Euler Linux, the value of kernel.panic is 3 by
default. Users can set the value based on their needs.
Step 2 Load the kernel parameters set in the sysctl.conf file by running the following command:
sysctl -p /etc/sysctl.conf
----End
Description
The alarm information set for remote logins warns users before their logins to the system of
possible penalty on unauthorized access to the system and deters potential attackers. At the
same time, this can also hide system architecture and other system information to prevent
targeted attacks on the system.
Implementation
This setting can be implemented by modifying the /etc/issue.net file. Replace the original
content of the /etc/issue.net file with the following information:
Authorized users only. All activities may be monitored and reported.
Description
By default, you can restart the OS by pressing Ctrl+Alt+Del. Disabling this function can
prevent data loss due to misoperations.
Implementation
Modify the /etc/inittab file by replacing "ca::ctrlaltdel:/sbin/shutdown -r -t 4 now" with
"ca::ctrlaltdel:/bin/false".
Description
Unattended terminals can be easily hijacked or attacked, which may compromise system
security. Therefore, terminals need to log out automatically after they have been idle for a
period of time.
By default, the automatic logout time is 1200s according to the security hardening policy. If
a terminal is idle for more than 1200s, the system logs it out automatically, thereby reducing
the risk of attack.
Implementation
The automatic logout time depends on the value of the TMOUT variable (in seconds) in the
/etc/profile file. Add the following configuration to the end of the /etc/profile file:
TMOUT=1200; export TMOUT
Description
The umask value sets the default permissions for new files and directories. If the umask
value is too small, users receive too many rights, which threatens system security.
Therefore, set the default umask value of all users to 077, that is, the default permission for
files created by users is 700 and that of directories is 600. The umask value specifies the
permission bits that are masked off, that is, the complement of the permissions granted. For
the values of umask and the calculation of permissions, see Meanings of Umask Values.
Implementation
Step 1 Add "umask 077" to the /etc/profile, /etc/csh.login, /etc/csh.cshrc, and /etc/bash.bashrc files
by running the following command:
echo "umask 077" >> $FILE
NOTE
Step 2 Set the owner and group of each file modified in step 1 to root by running the following
command:
chown root:root $FILE
----End
NOTE
Description
In addition to user accounts, other accounts are system accounts. System accounts can only be
used inside the system and cannot be used to log in to the system or perform other operations.
Therefore, system accounts are shielded.
Implementation
Modify the shell of a system account to /bin/false by running the following command:
usermod -L -s /bin/false $systemaccount
NOTE
Description
The su command is used to switch between different users. To enhance system security, it is
necessary to control the permission to use the su command. Only users in the root and wheel
groups are allowed to use the su command.
Implementation
You can modify the /etc/pam.d/su and /etc/pam.d/su-l files to control the permission to use
the su command. Add the following configuration to the end of these two files:
auth required pam_wheel.so use_uid group=wheel
Description
Set the password complexity as follows:
• A password must be different from the user name or the user name in reverse order.
Implementation
Set the password complexity by modifying the /etc/pam.d/common-password-pc file. Add
the following to the header of the /etc/pam.d/common-password-pc file:
password required pam_sek_pwck.so minlen=8 min_upper=1 min_lower=1 min_digits=1 min_special=1 remember=5 tries=5 enforce_for_root no_username root_check_dict use_cracklib cracklib=/usr/share/cracklib/pw_dict
Description
Set the password validity period to 90 days; users are notified seven days before the
password expires that it must be changed.
Implementation
Set the password validity period by modifying the /etc/login.defs file. Table 1 describes the
hardening items. All security hardening items are in the /etc/login.defs file. Fields in the table
can be modified by directly modifying the configuration file.
NOTE
The login.defs file is used to set restrictions on user accounts, such as setting the longest password
validity period and maximum length. When a new account is created, the Euler Linux OS reads the
preceding configuration information from the /etc/login.defs file and writes the read information into the
corresponding account's configuration items in the /etc/shadow file. The Euler Linux OS can identify
the maximum password validity period, minimum interval between two password changes, and number
of days in advance users are notified that their passwords are about to expire. When a user logs in after
the password expires, the user will be informed of the password expiry and is required to change the
password. If the user does not change the password, the user cannot access the system.
The default configurations of root and lgnusr accounts preset in the current system are as follows:
maximum password validity period (90 days), minimum interval between two password changes (no
restriction), and number of days in advance users are notified that their passwords are about to expire
(seven days only for the lgnusr account).
Description
According to the password requirements, passwords cannot be stored in plaintext in the
system and must be encrypted. Because a stored password never needs to be recovered, an
irreversible (one-way hash) algorithm must be used. Set the password encryption algorithm to
sha256. This setting effectively prevents password disclosure and ensures password security.
Implementation
Modify the system file /etc/default/passwd by changing values of the CRYPT and
CRYPT_FILES fields to sha256 as follows:
…
# Define default crypt hash. This hash will be
# used, if there is no hash for a special service
# the user is stored in.
CRYPT=sha256
…
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=sha256
…
Description
According to the password security requirements, set the maximum number of incorrect
password inputs to three and the locking time after three failed login attempts to five
minutes (300 seconds). During the locking period, any input is considered invalid and a further
input does not restart the locking timer. After a user account is unlocked, the record of the
user's incorrect inputs is cleared. This setting effectively prevents brute-force password
cracking and enhances system security.
Implementation
Step 1 Modify the system file /etc/pam.d/common-auth-pc by adding the following to the end of
the file:
auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=300
account required pam_tally2.so
----End
Description
EulerLinux supports the NIS network centralized authentication service. The service can
implement centralized network account management to enhance the password security.
Description
According to the password security requirements in the product cyber security requirements,
Euler Linux supports setting a grub password to prevent malicious modification of the
startup options.
Implementation
Launch the Euler Linux command line interface and run the following command to modify
the grub password.
NOTE
The grub user of the Euler Linux is root and the default password is osadmin@123.
NOTE
If you have self-defined log recording modules, use the self-defined modules.
Description
The Linux audit subsystem (audit) is a system service that records system calls and
writes the records to files. The user-space program of the audit service is auditd, which
writes the audit information to disk.
You can run the auditctl command to manage audit parameters and rules dynamically, or
write the audit rules statically to the /etc/audit/audit.rules file.
Others
auditctl [options]
-h Help
Examples
• View all unsuccessful open system calls by running the following command (the result
of a system call is only known on the exit list, so the success filter is applied there):
auditctl -a exit,always -S open -F success!=0
• Monitor changes to the audit.rules file in the /etc/audit/ directory by running the
following command:
auditctl -w /etc/audit/audit.rules -k TEST_audit_rules -p rxwa
Description
ausearch [options]
NOTE
For further information about options, please refer to the relevant documents.
In particular, each time a system call enters the kernel it is assigned a unique event ID,
and all audit records produced while that system call runs share this ID. That is, one audit
event may consist of multiple audit records.
Examples
To query the audit logs of operations performed on the /etc/audit/audit.rules file, run the
following command:
ausearch -k TEST_audit_rules
The system administrator can periodically generate audit reports according to maintenance
requirements. These reports are used to analyze abnormal audit information.
Description
aureport [options]
NOTE
For further information about options, please refer to the relevant documents.
Examples
To enable reporting of failed events, run the following command:
aureport --failed
3.3 Appendix
NOTE
All accounts are system accounts except the root user. Root accounts are privileged accounts that should
be managed only by authorized personnel.
There are three types of users who can access these files and directories:
Meanings of file and directory permissions are described using the following example:
Assume that the permission of the /usr/src file is 755. Convert 755 to binary, 111 101 101,
which has the following meanings:
• The left-most 111 indicates that the file owner can read, write, and execute this file.
• The middle 101 indicates that group users can read and execute but cannot write the file.
• The right-most 101 indicates that other users can read and execute but cannot write the
file.
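The umask values used earlier in this document (027 for daemons, 077 for users) and the permission meanings just described, worked through as an added example that is not part of the Euler Linux document. The script computes the mode a new object receives under a umask, renders it as rwx triplets, and reads the real result back from the file system; stat -c is GNU stat.

```shell
#!/bin/bash
# Added example, not part of the Euler Linux document. Shows what a umask does to the
# mode of a newly created file or directory, renders octal modes as the rwx triplets the
# appendix describes, and reads the real result back from the file system.

# Render a three-digit octal mode such as 755 as rwxr-xr-x (owner, group, others).
mode_to_rwx() {
    local mode="$1" i out=""
    [ "${#mode}" -eq 3 ] || { echo "expected a three-digit octal mode" >&2; return 1; }
    for i in 1 2 3; do
        case "$(printf '%s\n' "$mode" | cut -c"$i")" in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) echo "invalid octal digit in $mode" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Mode a new object receives under a umask: the umask bits are cleared from the base
# mode, 666 for files (no execute bit by default) and 777 for directories.
default_mode() {
    local umask_val="$1" kind="$2" base
    case "$kind" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: default_mode <octal-umask> file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~(0$umask_val) ))   # the leading 0 forces octal
}

# Read the real result back: create a file and a directory under the given umask in a
# subshell (so the caller's umask is untouched) and report their modes via GNU stat.
observed_mode() {
    local umask_val="$1" kind="$2" tmp
    tmp=$(mktemp -d) || return 1
    ( umask "$umask_val" && : > "$tmp/f" && mkdir "$tmp/d" )
    case "$kind" in
        file) stat -c '%a' "$tmp/f" ;;
        dir)  stat -c '%a' "$tmp/d" ;;
    esac
    rm -rf "$tmp"
}

# The document's two values plus 022 for comparison.
for u in 022 027 077; do
    printf 'umask %s: file %s (%s), directory %s (%s)\n' "$u" \
        "$(default_mode "$u" file)" "$(mode_to_rwx "$(default_mode "$u" file)")" \
        "$(default_mode "$u" dir)"  "$(mode_to_rwx "$(default_mode "$u" dir)")"
done
```

Running it shows that umask 077 leaves a new file at 600 (rw-------) and a new directory at 700 (rwx------), and umask 027 leaves 640 and 750; compare observed_mode against default_mode to confirm that the umask set in /etc/profile is the one actually in effect for a login.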
Synopsis The SSH server on the remote host is affected by a memory corruption
vulnerability.
Description According to its banner, the version of OpenSSH running on the remote
host is version 6.2 or 6.3. It is, therefore, affected by a memory corruption
vulnerability in post-authentication when the AES-GCM cipher is used for
the key exchange. Exploitation of this vulnerability could lead to arbitrary
code execution.
Note that installations are only vulnerable if built against an OpenSSL
library that supports AES-GCM.
Solution Upgrade to OpenSSH 6.4 or refer to the vendor for a patch or workaround.
Ports tcp/22
Analysis Result
Euler Linux uses the OpenSSL and OpenSSH packages shipped with SLES11SP3. On SLES11SP3,
OpenSSL is built without AES-GCM support, so OpenSSH, which depends on OpenSSL, is also
compiled without AES-GCM and cannot use it. Therefore, this vulnerability is not applicable.
Synopsis A secure shell client on the remote host could be used to bypass host
verification methods.
Description According to its banner, the version of OpenSSH running on the remote
host is 6.1 through 6.6.
It is, therefore, affected by a host verification bypass vulnerability related
to SSHFP and certificates that could allow a malicious SSH server to cause
the supplied client to inappropriately trust the server.
Ports tcp/22
Analysis Result
The OpenSSH currently used by Euler Linux is openssh-6.2p2-0.21.1, provided by SUSE 11
SP3. This vulnerability was already resolved in 6.2p2-0.13.1. The finding is a false positive and
does not affect the installed OpenSSH.
Synopsis The SSH server on the remote host has multiple vulnerabilities.
Description According to its banner, the version of OpenSSH running on the remote
host is prior to version 6.6. It is, therefore, affected by the following
vulnerabilities:
- An error exists related to the function 'hash_buffer' in the file 'schnorr.c'
that could allow denial of service attacks. Note that the J-PAKE protocol
must be enabled at compile time via the 'CFLAGS' variable '-DJPAKE' in
the file 'Makefile.inc' in order for the OpenSSL installation to be
vulnerable. This is not enabled by default. Further note that only versions
5.3 through 6.5.x are affected by this issue. (CVE-2014-1692)
- An error exists related to the 'AcceptEnv' configuration setting in
'sshd_config' and wildcards. An attacker can bypass environment
restrictions by using a specially crafted request. (CVE-2014-2532)
Ports tcp/22
Analysis Result
l CVE-2014-1692: This vulnerability occurs only when OpenSSH is built with J-PAKE support.
The OpenSSH on SLES11SP3 used by Euler Linux does not support J-PAKE. Therefore, this
vulnerability is not applicable and does not affect the installed OpenSSH.
l CVE-2014-2532: The OpenSSH currently used by Euler Linux is openssh-6.2p2-0.21.1,
provided by SUSE 11 SP3. This vulnerability was already resolved in 6.2p2-0.13.1. The
finding is a false positive and does not affect the installed OpenSSH.
Synopsis The remote host has been found to be NOT COMPLIANT with
the PCI DSS external scanning requirements.
Description The remote host is vulnerable to one or more conditions that are
considered to be 'automatic failures' according to the PCI DSS
Approved Scanning Vendors Program Guide (version 2.0). These
failures include one or more of the following:
- Vulnerabilities with a CVSS base score greater than or equal to
4.0
- Unsupported operating systems
- Internet reachable database servers (must validate whether
cardholder data is stored)
- Presence of built-in or default accounts
- Unrestricted DNS Zone transfers
- Unvalidated parameters leading to SQL injection attacks
- Cross-Site Scripting (XSS) flaws
- Directory traversal vulnerabilities
- HTTP response splitting/header injection
- Detection of backdoor applications (malware, trojan horses,
rootkits, backdoors)
- Use of older, insecure SSL/TLS versions (TLS v1.1 is the
minimum standard)
Details of the failed items may be found in the 'Output' section of
this plugin result. These vulnerabilities and/or failure conditions
will have to be corrected before you are able to submit your scan
results for validation by Tenable to meet your quarterly external
scanning requirements.
If you are conducting this scan via Nessus Cloud and either
disagree with any of the results, believe there are false-positives,
or must rely on compensating controls to mitigate the vulnerability
then you may proceed with submitting this report to our PCI portal
by clicking on 'Submit for PCI Validation'. You may login to the
Tenable PCI portal using your Nessus Cloud credentials and
dispute or provide mitigation evidence for each of the residual
findings.
Solution N/A
Ports tcp/0
Analysis Result
This finding belongs to the compliance check for the Payment Card Industry Data Security
Standard (PCI DSS) and is not applicable to Euler Linux.
Synopsis The remote SSH server may permit anonymous port bouncing.
Ports tcp/22
Analysis Result
This vulnerability affects Euler Linux only when both of the following conditions are met:
l Euler Linux allows logins from an anonymous or public SSH account.
l Euler Linux provides network services, other than sshd itself, that are reachable through
TCP port forwarding.
Currently, Euler Linux allows neither anonymous or public accounts nor network services
forwarded over TCP ports. Therefore, this vulnerability does not affect Euler Linux.
AllowTcpForwarding is set to no, yet the scanner still reports the finding. This indicates that
the scanner does not check the AllowTcpForwarding parameter but reports the vulnerability
purely on the basis of the SSH version number. This vulnerability is not applicable to Euler
Linux and is falsely reported.
Description When using OPIE for PAM and OpenSSH, it is possible for
remote attackers to determine the existence of certain user
accounts.
Note that Nessus has not tried to exploit the issue, but rather
only checked if OpenSSH is running on the remote host. As a
result, it does not detect if the remote host actually has OPIE for
PAM installed.
Solution A patch currently does not exist for this issue. As a workaround,
ensure that OPIE for PAM is not installed.
Ports tcp/22
Analysis Result
This finding is caused by OPIE for PAM.
http://support.novell.com/security/cve/CVE-2007-2768.html
Due to the nature of OTP authentication, hiding existence of users is not possible. So we
will not fix this issue.
Euler Linux uses the OpenSSH shipped with SLES11SP3, and the OPIE (one-time passwords for
login) package is not installed on Euler Linux. Therefore, this vulnerability is not applicable
to Euler Linux and is falsely reported.
Checking method:
Solution A patch currently does not exist for this issue. As a workaround,
either set 'ChallengeResponseAuthentication' in the OpenSSH
config to 'no' or use a version of OpenSSH without S/KEY
support compiled in.
Ports tcp/22
Analysis Result
This vulnerability occurs when S/KEY authentication is enabled for SSH.
http://support.novell.com/security/cve/CVE-2007-2243.html
This issue does not affect openssh in SLES 9 and SLES 10, as no S/KEY support is built into
our packages.
(This vulnerability was resolved in 2007, before SLES11 was released. Therefore, it does not
affect OpenSSH.)
Euler Linux uses the OpenSSH shipped with SLES11SP3. OpenSSH is configured with
./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/ssh --without-zlib-version-check --with-tcp-wrappers --without-openssl-header-check --with-pam
which does not include the --with-skey[=PATH] option. Therefore, SSH does not support S/KEY
authentication. This vulnerability is not applicable and is falsely reported.
Ports tcp/22
Analysis Result
The vulnerability exists only when PermitRootLogin is set to prohibit-password or
without-password. PermitRootLogin is set to no by default in all Euler Linux versions.
Therefore, this vulnerability is falsely reported and does not affect Euler Linux.
Ports tcp/22
Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
the latest version 6.2p2-0.21.1, in which this problem has been resolved. This vulnerability is
falsely reported and does not affect OpenSSH. For details, see the following SUSE
official web page:
https://www.suse.com/security/cve/CVE-2015-5352.html
Ports tcp/22
Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
the latest version 6.2p2-0.21.1, in which this problem has been resolved. This vulnerability is
falsely reported and does not affect OpenSSH. For details, see the following SUSE
official web page:
https://www.suse.com/security/cve/CVE-2015-5600.html
Synopsis The remote host allows SSH connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits.
Description The remote SSH server allows connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits. Through
cryptanalysis, a third party can find the shared secret in a short
amount of time (depending on modulus size and attacker
resources).
This allows an attacker to recover the plaintext or potentially
violate the integrity of connections.
Ports tcp/22
Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
the latest version 6.2p2-0.33.3, in which this problem has been resolved. This vulnerability is
falsely reported and does not affect OpenSSH. For details, see the following SUSE
official web page:
https://www.suse.com/security/cve/CVE-2015-4000.html
Solution N/A
Ports tcp/0
Analysis Result
This finding belongs to the PCI DSS compliance check and is not applicable to Euler Linux.
Synopsis The remote SSH server is configured to allow MD5 and 96-bit
MAC algorithms.
Description The remote SSH server is configured to allow either MD5 or 96-
bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH
server, and it does not check for vulnerable software versions.
Ports tcp/22
Analysis Result
The MAC algorithms enabled for the remote SSH server are hmac-sha2-256 and hmac-sha1,
which are not weak algorithms. This vulnerability is not applicable to Euler Linux.
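The configuration facts cited in the AllowTcpForwarding, ChallengeResponseAuthentication, PermitRootLogin, Diffie-Hellman moduli and MAC analyses above, gathered into one added shell example that is not part of the Huawei document or of Euler Linux: it reads sshd_config keywords the way sshd resolves them (the first occurrence wins and keywords are case-insensitive), lists MD5-based or 96-bit MACs, and counts Diffie-Hellman groups below 2048 bits in a moduli file. The sample configuration files and the moduli excerpt are constructed for offline use; on a real host the functions would be pointed at /etc/ssh/sshd_config and /etc/ssh/moduli.

```shell
#!/bin/sh
# Added example, not part of the Huawei document: check the sshd settings that
# the preceding analyses rely on. Sample inputs below are constructed.

TMP="${TMPDIR:-/tmp}"
HARDENED_CONFIG="$TMP/sshd_config.hardened.$$"
WEAK_CONFIG="$TMP/sshd_config.weak.$$"
SAMPLE_MODULI="$TMP/moduli.sample.$$"
trap 'rm -f "$HARDENED_CONFIG" "$WEAK_CONFIG" "$SAMPLE_MODULI"' EXIT

# Constructed configuration matching the settings the document describes.
cat > "$HARDENED_CONFIG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
AllowTcpForwarding no
MACs hmac-sha2-256,hmac-sha1
# sshd keeps the FIRST value of a keyword, so this later line must be ignored
PermitRootLogin yes
EOF

# Constructed configuration that would trigger the findings discussed above.
cat > "$WEAK_CONFIG" <<'EOF'
PermitRootLogin without-password
ChallengeResponseAuthentication yes
AllowTcpForwarding yes
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
EOF

# Constructed /etc/ssh/moduli excerpt: field 5 is the modulus size in bits minus one.
# The modulus column holds placeholders, not real safe primes.
cat > "$SAMPLE_MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 PLACEHOLDER
20150101000000 2 6 100 2047 2 PLACEHOLDER
20150101000000 2 6 100 4095 5 PLACEHOLDER
EOF

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD, or nothing if unset.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# weak_macs FILE: print each configured MAC that is MD5-based or truncated to 96 bits.
weak_macs() {
    sshd_setting "$1" MACs | tr ',' '\n' | grep -E -e '-md5|-96' || true
}

# weak_dh_moduli FILE: count Diffie-Hellman groups smaller than 2048 bits.
weak_dh_moduli() {
    awk '$1 !~ /^#/ && NF >= 5 && $5 < 2047 { n++ } END { print n + 0 }' "$1"
}

# check_sshd_hardening FILE: print each deviation; return 0 only when all checks pass.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for kw in PermitRootLogin ChallengeResponseAuthentication AllowTcpForwarding; do
        val="$(sshd_setting "$cfg" "$kw")"
        [ "$val" = "no" ] || { echo "$kw is '${val:-unset}', expected 'no'"; rc=1; }
    done
    weak="$(weak_macs "$cfg")"
    [ -z "$weak" ] || { echo "weak MACs enabled: $(echo "$weak" | tr '\n' ' ')"; rc=1; }
    return $rc
}

check_sshd_hardening "$HARDENED_CONFIG" && echo "hardened sample: OK"
check_sshd_hardening "$WEAK_CONFIG" || echo "weak sample: findings listed above"
echo "DH groups below 2048 bits in sample moduli: $(weak_dh_moduli "$SAMPLE_MODULI")"
```

The duplicated PermitRootLogin line in the hardened sample is deliberate: a scanner or reviewer that reads the last occurrence would wrongly conclude root login is enabled, while sshd itself honours the first. Match blocks are not handled here; a configuration that uses them needs the per-user view that sshd -T -C gives.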
Synopsis The remote SUSE host is missing one or more security updates.
Description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to
receive various security and bugfixes.
Ports tcp/0
Analysis Result
The kernel vulnerabilities were fixed by installing patches rather than by upgrading the kernel
version, so the CVEs are already addressed even though the version number is unchanged. These
vulnerabilities are falsely reported and do not affect the kernel.
Synopsis The remote SUSE host is missing one or more security updates.
Description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to
fix one security issue. This security bug was fixed:
- CVE-2016-5195: Local privilege escalation using
MAP_PRIVATE. It is reportedly exploited in the wild
(bsc#1004418).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory.
Tenable has attempted to automatically clean and format it as
much as possible without introducing additional issues.
Ports tcp/0
Analysis Result
The kernel vulnerability was fixed by installing a patch rather than by upgrading the kernel
version, so the CVE is already addressed even though the version number is unchanged. This
vulnerability is falsely reported and does not affect the kernel.
Synopsis The remote SUSE host is missing one or more security updates.
Description The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated
to 3.0.101 and also includes various other bug and security fixes.
Ports tcp/0
Analysis Result
Vulnerability CVE-2013-7446 can only be exploited by a local user. However, the product on
which Euler Linux is installed is a closed system that cannot be attacked in this way. Therefore,
the impact of this vulnerability is controllable.
The kernel vulnerabilities were fixed by installing patches rather than by upgrading the kernel
version; the remaining CVEs have been confirmed not to affect this kernel. This vulnerability is
falsely reported and does not affect the kernel.
l V100R001C10SPC100 OMUd/UVP/VMware
l V100R001C10SPC101 OMUd/UVP/VMware
l V100R001C10SPC102 OMUd/UVP/VMware
l V100R001C10SPC103 OMUd/UVP/VMware
l V100R001C10SPC105 OMUd/UVP/VMware
l V100R001C10SPC200 OMUd/UVP/VMware
l V100R001C10SPC201 OMUd/UVP/VMware
l V100R001C10SPC300 OMUd/UVP/VMware
l V100R001C10SPC301 OMUd/UVP/VMware
l V100R001C10SPC302 OMUd/UVP/VMware
l V100R001C10SPC305 OMUd/UVP/VMware
l V100R001C10SPC307 OMUd/UVP/VMware
l V100R001C10SPC308 OMUd/UVP/VMware
l V100R001C10SPC309 OMUd/UVP/VMware
l V100R001C10SPC311 OMUd/UVP/VMware
l V100R001C10SPC313 OMUd/UVP/VMware
5.2 V100R001C10SPC100~V100R001C10SPC101
l Rectify system vulnerabilities found by Nessus scans, and harden operating system
security.
l Upgrade the glibc version from 2.11.3-17.54.1 to 2.11.3-17.62.1 to enhance operating
system security.
l Rectify vulnerabilities in system peripheral packages found by Nessus scans to enhance
operating system security.
l Fix security vulnerabilities: 70895 (1) - OpenSSH 6.2 and 6.3 AES-GCM Cipher
Memory Corruption.
l Fix CVE security vulnerabilities (CVE-2014-3144, CVE-2014-3145, and
CVE-2014-3122)
5.3 V100R001C10SPC101~V100R001C10SPC102
l Rectify the OpenSSL security issue (CVE-2014-0224).
l Upgrade the ntp version from 4.2.4p8-1.22.1 to 4.2.4p8-1.24.1 to enhance operating
system security.
l Upgrade the sudo version from 1.7.6p2-0.17.5 to 1.7.6p2-0.21.1.
l Fix CVE security vulnerabilities (CVE-2014-1739, CVE-2014-4652, CVE-2014-4654,
CVE-2014-4655, CVE-2014-4656, CVE-2014-4608, CVE-2014-4667, CVE-2014-4699,
CVE-2014-4171, CVE-2014-4027, and CVE-2014-4653)
5.4 V100R001C10SPC102~V100R001C10SPC103
l Rectify system vulnerabilities found by Nessus scans, and harden operating system
security.
l Change the software integrity check from MD5 checksums to SHA-256 checksums.
l Fix CVE security vulnerabilities (CVE-2014-6271 and CVE-2014-5206)
5.5 V100R001C10SPC103~V100R001C10SPC105
l Delete unused system accounts.
l Rectify system vulnerabilities by updating peripheral packages based on the results of the
Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2014-4330, CVE-2014-4877, CVE-2014-3567,
CVE-2014-3566, and CVE-2014-3568)
5.6 V100R001C10SPC105~V100R001C10SPC200
l Rectify system vulnerabilities found by Nessus scans.
l Fix the CVE security vulnerability (CVE-2014-7185)
5.7 V100R001C10SPC200~V100R001C10SPC201
Fix CVE security vulnerabilities (CVE-2014-9322, CVE-2014-8559, CVE-2014-7825, and
CVE-2014-7826)
5.8 V100R001C10SPC201~V100R001C10SPC300
l Delete dangling link files (links whose target does not exist).
l Fix CVE security vulnerabilities (CVE-2014-3572, CVE-2014-8275, CVE-2015-0204,
CVE-2014-3570, CVE-2014-3571, CVE-2014-9295, CVE-2014-1912, CVE-2015-0235,
5.9 V100R001C10SPC300~V100R001C10SPC301
l Rectify system vulnerabilities found by Nessus scans.
l Fix CVE security vulnerabilities (CVE-2014-9656, CVE-2014-9657, CVE-2014-9658,
CVE-2014-9659, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663,
CVE-2014-9664, CVE-2014-9665, CVE-2014-9666, CVE-2014-9667, CVE-2014-9668,
CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673,
CVE-2014-9674, CVE-2014-9675, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422,
CVE-2014-9423, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423,
CVE-2009-5146, CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2014-8139, CVE-2014-9636,
CVE-2014-9584, CVE-2014-9585, CVE-2015-1593, and CVE-2014-7822)
5.10 V100R001C10SPC301~V100R001C10SPC302
l Rectify system vulnerabilities found by Nessus scans.
l Fix CVE security vulnerabilities (CVE-2015-3202, CVE-2015-3143, CVE-2015-3148,
CVE-2015-3153, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2012-4428,
CVE-2015-1546, CVE-2015-1545, CVE-2013-4449, CVE-2015-3636, CVE-2014-8172,
CVE-2013-7421, and CVE-2014-9644)
5.11 V100R001C10SPC302~V100R001C10SPC305
l Grub password complexity check is added for grub password setting.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2014-9419, CVE-2014-9683, CVE-2015-1421,
CVE-2015-2041, CVE-2015-2042, CVE-2015-2830, CVE-2015-2922, CVE-2015-3331,
CVE-2015-3339, CVE-2014-3673, CVE-2014-3687, CVE-2015-1805, CVE-2015-5697,
CVE-2015-5364, CVE-2015-5366, CVE-2014-9728, CVE-2014-9729, CVE-2014-9730,
CVE-2014-9731, CVE-2015-3212, CVE-2015-4700, CVE-2015-5707, CVE-2015-7613,
CVE-2015-5156, CVE-2015-7799, CVE-2015-6937, CVE-2015-1788, CVE-2015-1789,
CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3216, CVE-2015-4000,
CVE-2015-1799, CVE-2015-3405, CVE-2015-0247, CVE-2015-1572, CVE-2013-7439,
CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655,
CVE-2014-5353, CVE-2014-5354, CVE-2014-5355, CVE-2015-5600, CVE-2015-5352,
CVE-2015-6563, CVE-2015-6564, CVE-2015-5621, CVE-2015-7236, CVE-2014-8119,
CVE-2015-2695, CVE-2014-3591, and CVE-2015-0837)
5.12 V100R001C10SPC305~V100R001C10SPC307
l Add the iostat and smartctl commands.
l Rectify the defect that alarms cannot be correctly reported when the internal network
adapter encounters packet errors.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2015-7990, CVE-2015-8543, CVE-2015-8569,
CVE-2015-7446, CVE-2016-0777, CVE-2016-0778, CVE-2015-3195, CVE-2015-3197,
CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797,
CVE-2016-0798, CVE-2016-0799, CVE-2016-0800, CVE-2016-0755, CVE-2015-8777,
CVE-2015-8779, CVE-2015-8778, CVE-2015-8776, CVE-2015-7547, CVE-2014-9761,
CVE-2015-7547, CVE-2015-8776, CVE-2015-8778, CVE-2014-9761, and
CVE-2015-8779).
5.13 V100R001C10SPC307~V100R001C10SPC308
l The user permission for the home directory of the nobody user has been modified to
750.
l Controlled access to the /dev/mem directory and controlled access of non-privileged
users to dmesg have been enabled.
l CSEC secure-coding rectification has been conducted to prevent array out-of-bounds
access, initialize uninitialized variables, delete unused variables, and strengthen input
parameter checking.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-2105, CVE-2016-2106, CVE-2016-2108,
CVE-2016-2109, CVE-2016-0702, CVE-2015-5370, CVE-2016-2110, CVE-2016-2111,
CVE-2016-2112, CVE-2016-2113, CVE-2016-2115, CVE-2016-2118, CVE-2015-5257,
CVE-2015-7872, CVE-2015-8543, CVE-2015-8569, CVE-2015-8215, CVE-2013-7446,
CVE-2015-5307, CVE-2015-8104, CVE-2015-2925, CVE-2015-1420, CVE-2015-7513,
CVE-2016-0723, CVE-2015-7566, CVE-2015-7550, CVE-2015-8539, and
CVE-2016-0774).
5.14 V100R001C10SPC308~V100R001C10SPC309
l Perform security rectification such as hardening partition mount attributes.
l Rectify issues such as system files without an owner and invalid password fields.
l Rectify kernel rlock and oops issues.
l Rectify abnormal reset of the BNX2 driver.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-0821, CVE-2016-3156, CVE-2016-3134,
CVE-2015-2686, CVE-2016-2550, CVE-2016-2069, CVE-2016-2847, CVE-2015-1350,
CVE-2016-2073, CVE-2016-4449, CVE-2016-1837, CVE-2016-4483, CVE-2016-3705,
CVE-2016-4448, CVE-2016-4447, CVE-2016-1834, CVE-2016-1840, CVE-2016-1835,
CVE-2016-1833, CVE-2016-1839, CVE-2016-1838, CVE-2015-8806, CVE-2016-1762,
CVE-2015-5194, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691, CVE-2015-7692,
CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705,
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871, CVE-2015-7973,
CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978,
CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158,
CVE-2016-2518, CVE-2016-2519, CVE-2015-7974, CVE-2016-2516, CVE-2016-2517,
CVE-2015-7705, CVE-2015-7704, CVE-2016-1547, CVE-2016-1551, CVE-2016-1550,
CVE-2016-1548, CVE-2016-1549, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955,
CVE-2016-4956, and CVE-2016-4957).
5.15 V100R001C10SPC309~V100R001C10SPC311
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-5696, CVE-2016-1583, CVE-2016-4470,
CVE-2016-4485, CVE-2016-4486, CVE-2016-4482, CVE-2016-5195, CVE-2016-5915,
CVE-2016-7117, CVE-2016-4971, CVE-2016-7098, CVE-2015-8325, CVE-2016-6210,
CVE-2016-1908, CVE-2016-3115, CVE-2016-6515, CVE-2016-6302, CVE-2016-6303,
CVE-2016-6304, CVE-2016-2179, CVE-2016-6306, CVE-2016-2178, CVE-2016-2177,
CVE-2016-2182, CVE-2016-2183, CVE-2016-2181, CVE-2016-2774, CVE-2015-4000,
CVE-2016-8858, CVE-2016-0772, CVE-2016-2183, CVE-2016-5636, CVE-2016-5699,
CVE-2016-7141, CVE-2016-5420, CVE-2016-5419, CVE-2015-1283, CVE-2016-0718,
and CVE-2016-2180).
6 Parameters
7 Counters
8 Glossary
9 Reference Documents