
SingleRAN

Euler Linux OS Security Feature


Parameter Description

Issue 06
Date 2016-12-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 06 (2016-12-30) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
Euler Linux OS Security Feature Parameter Description Contents

Contents

1 About This Document.................................................................................................................. 1
1.1 Scope.............................................................................................................................................................................. 1
1.2 Intended Audience.......................................................................................................................................................... 1
1.3 Change History............................................................................................................................................................... 1

2 Overview......................................................................................................................................... 4
2.1 Introduction.................................................................................................................................................................... 5
2.1.1 Security Threats........................................................................................................................................................... 5
2.1.2 Security Policies.......................................................................................................................................................... 5
2.2 Security Techniques........................................................................................................................................................6
2.2.1 Security Solution at the Management Layer............................................................................................................... 6
2.2.2 Security Solution at the System Layer........................................................................................................................ 7
2.2.2.1 Security Architecture at the System Layer............................................................................................................... 7
2.2.2.2 Identity Authentication............................................................................................................................................. 9
2.2.2.3 Security Protocols.....................................................................................................................................................9
2.2.2.4 Discretionary Access Control................................................................................................................................... 9
2.2.2.5 Mandatory Access Control..................................................................................................................................... 10
2.2.2.6 Memory Object Reuse............................................................................................................................................ 10
2.2.2.7 Host Firewall.......................................................................................................................................................... 10
2.2.3 Security Solution at the Network Layer.................................................................................................................... 11
2.3 Benefits......................................................................................................................................................................... 11

3 Security Features..........................................................................................................................13
3.1 Overview...................................................................................................................................................................... 13
3.2 OS Security Hardening Features.................................................................................................................................. 13
3.2.1 SSH Service Hardening............................................................................................................................................. 13
3.2.2 File Permissions.........................................................................................................................................................16
3.2.2.1 Setting File Permissions and Owners..................................................................................................................... 16
3.2.2.2 Deleting Unowned Files......................................................................................................................................... 17
3.2.2.3 Setting the Umask Value for the Daemon Process................................................................................................. 17
3.2.2.4 Deleting the Global Writable Attribute of Unauthorized Files...............................................................................17
3.2.2.5 Limiting Operation Rights of at Commands.......................................................................................................... 18
3.2.2.6 Limiting Operation Rights of cron Commands...................................................................................................... 18
3.2.2.7 Hardening the System Environment Variable PATH..............................................................................................18


3.2.2.8 Adding the nodev Attribute for Specified Partitions.............................................................................................. 19
3.2.2.9 Adding Sticky Bit Property for Globally Writable Directories.............................................................................. 20
3.2.3 Kernel Parameters Hardening....................................................................................................................................20
3.2.4 Authorization and Authentication............................................................................................................................. 24
3.2.4.1 Setting Alarm Information for Remote Logins...................................................................................................... 24
3.2.4.2 Prohibiting System Restart by Pressing CTRL+ALT+DEL...................................................................................24
3.2.4.3 Setting the Automatic Logout Time....................................................................................................................... 25
3.2.4.4 Setting the Default Umask Value to 077................................................................................................................ 25
3.2.5 Account and Password...............................................................................................................................................25
3.2.5.1 Shielding System Accounts.................................................................................................................................... 26
3.2.5.2 Restricting the Accounts That Use the su Command............................................................................................. 26
3.2.5.3 Setting Password Complexity.................................................................................................................................26
3.2.5.4 Setting the Password Validity Period......................................................................................................................28
3.2.5.5 Setting the Password Encryption Algorithm.......................................................................................................... 29
3.2.5.6 Locking a User After Three Failed Login Attempts...............................................................................................29
3.2.5.7 Managing NIS Accounts........................................................................................................................................ 30
3.2.5.8 Setting the grub Password...................................................................................................................................... 30
3.2.6 Log Audit...................................................................................................................................................................30
3.2.6.1 List of Log Files..................................................................................................................................................... 31
3.2.6.2 Audit Configuration Guide..................................................................................................................................... 31
3.2.6.3 Checking Audit Logs..............................................................................................................................................35
3.2.6.4 Generating Audit Reports....................................................................................................................................... 35
3.3 Appendix...................................................................................................................................................................... 35
3.3.1 Host Accounts............................................................................................................................................................36
3.3.2 Meanings of File and Directory Permissions............................................................................................................ 36
3.3.3 Meanings of Umask Values....................................................................................................................................... 37

4 Nessus Scanning Report -- Analysis on False Vulnerability Report................................. 38
4.1 70895 - OpenSSH 6.2 and 6.3 AES-GCM Cipher Memory Corruption...................................................................... 38
4.2 78655 - OpenSSH SSHFP Record Verification Weakness...........................................................................................39
4.3 73079 - OpenSSH < 6.6 Multiple Vulnerabilities........................................................................................................ 40
4.4 33929 - PCI DSS Compliance...................................................................................................................................... 41
4.5 17744 - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing...............................................................................42
4.6 17705 - OPIE w/ OpenSSH Account Enumeration......................................................................................................43
4.7 17704 - OpenSSH S/KEY Authentication Account Enumeration............................................................................... 44
4.8 85690 - OpenSSH < 7.1 PermitRootLogin Security Bypass........................................................................................45
4.9 84638 (2) - OpenSSH < 6.9 Multiple Vulnerabilities...................................................................................................46
4.10 85382 - OpenSSH < 7.0 Multiple Vulnerabilities...................................................................................................... 47
4.11 86328 - SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam).................................................................................48
4.12 56209 - PCI DSS Compliance: Remote Access Software Has Been Detected.......................................................... 49
4.13 71049 - SSH Weak MAC Algorithms Enabled.......................................................................................................... 49
4.14 93370 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:2245-1).............................................................. 50
4.15 94281 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:2614-1) (Dirty COW)........................................51


4.16 90884 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:1203-1).............................................................. 52

5 Differences Between History Versions................................................................................... 54
5.1 History Versions........................................................................................................................................................... 54
5.2 V100R001C10SPC100~V100R001C10SPC101......................................................................................................... 54
5.3 V100R001C10SPC101~V100R001C10SPC102......................................................................................................... 55
5.4 V100R001C10SPC102~V100R001C10SPC103......................................................................................................... 55
5.5 V100R001C10SPC103~V100R001C10SPC105......................................................................................................... 55
5.6 V100R001C10SPC105~V100R001C10SPC200......................................................................................................... 55
5.7 V100R001C10SPC200~V100R001C10SPC201......................................................................................................... 55
5.8 V100R001C10SPC201~V100R001C10SPC300......................................................................................................... 55
5.9 V100R001C10SPC300~V100R001C10SPC301......................................................................................................... 56
5.10 V100R001C10SPC301~V100R001C10SPC302....................................................................................................... 56
5.11 V100R001C10SPC302~V100R001C10SPC305........................................................................................................56
5.12 V100R001C10SPC305~V100R001C10SPC307....................................................................................................... 56
5.13 V100R001C10SPC307~V100R001C10SPC308....................................................................................................... 57
5.14 V100R001C10SPC308~V100R001C10SPC309....................................................................................................... 57
5.15 V100R001C10SPC309~V100R001C10SPC311........................................................................................................58

6 Parameters..................................................................................................................................... 59
7 Counters........................................................................................................................................ 60
8 Glossary......................................................................................................................................... 61
9 Reference Documents................................................................................................................. 62


1 About This Document

1.1 Scope
This document describes the security features and capabilities of the Euler Linux operating
system (OS). It instructs users to perform related security configurations and operations and
provides system maintenance and use suggestions.

NOTE

Currently, the Euler Linux OS applies to base station controllers and eCoordinator.

1.2 Intended Audience

This document is intended for personnel who:

l Need to understand the features described herein.
l Work with Huawei products.

1.3 Change History


This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:

l Feature change
Changes in features of a specific product version
l Editorial change
Changes in wording or addition of information that was not described in the earlier
version

06 (2016-12-30)
The issue includes the following changes.


Change Type       Change Description                                    Parameter Change
Feature change    Added "5.15 V100R001C10SPC309~V100R001C10SPC311".     None
Editorial change  None                                                  None

05 (2016-09-30)
The issue includes the following changes.

Change Type       Change Description                                    Parameter Change
Feature change    Added "5.13 V100R001C10SPC307~V100R001C10SPC308".     None
                  Added "5.14 V100R001C10SPC308~V100R001C10SPC309".
Editorial change  None                                                  None

04 (2016-04-20)
The issue includes the following changes.

Change Type       Change Description                                    Parameter Change
Feature change    Added "5.12 V100R001C10SPC305~V100R001C10SPC307".     None
Editorial change  None                                                  None

03 (2016-02-29)
The issue includes the following changes.

Change Type       Change Description                                             Parameter Change
Feature change    Added "4 Nessus Scanning Report -- Analysis on False           None
                  Vulnerability Report".
                  Added "5.11 V100R001C10SPC302~V100R001C10SPC305".
Editorial change  None                                                           None

02 (2015-08-30)
The issue includes the following changes.

Change Type       Change Description                                    Parameter Change
Feature change    Added the new chapter "5 Differences Between History  None
                  Versions".
Editorial change  None                                                  None

01 (2014-09-26)
This issue does not include any changes.

Draft A (2014-07-30)
This is a new document.


2 Overview

This section describes the security architecture and techniques of Euler Linux OS in
terms of the management, system, and network layers.


2.1 Introduction
This section describes security threats to the Euler Linux OS and the security policies and
processes used by the Euler Linux OS.

2.1.1 Security Threats


The OS, as the core of an information system, is responsible for managing hardware and
software resources. However, because of defects in technology and in management systems,
the OS faces security threats at the management layer, the system layer, and the network
layer.

2.1.2 Security Policies


Security policies of the Euler Linux OS may be considered from the following aspects:
security techniques, process management, and personnel.

Figure 2-1 Security policies of the Euler Linux OS

l Security techniques
Mainly refers to OS security, which is the major concern of product security. Security
techniques involve the OS security layer, the network security layer for transmission and
communication, and the application security layer on top of the OS.
l Process management
Specifies the security management regulations and use processes.
l Personnel
Specifies personnel security awareness and implementation-level security problems.


2.2 Security Techniques


This section describes the security techniques used by the management layer, system layer,
and network layer of the Euler Linux OS.

2.2.1 Security Solution at the Management Layer


At the management layer, management regulations ensure that personnel use products in a
secure manner and reduce the product security threats caused by human factors.

Organization and Process


Determine the scope of the organization, the members of the organization, and the regulations
and processes of using products, and record product usage information so that security threats
can be conveniently located and backtracked. Regarding processes and regulations, ensure
that user behavior does not incur security risks.

Account and Rights Management


According to the different responsibilities of accounts, strictly differentiate the accounts in the
system and grant each account only the rights it needs to fulfill its duties. Account rights must
not be excessive and must not overlap, so that the principle of least privilege is satisfied.

User roles must be specified and must be mutually exclusive. Users receive only the account
that matches their responsibilities. Accounts must not be used interchangeably.

Log Check and Audit


Log check and audit is an important task. This task checks whether the system is attacked.
Logs are classified from the following aspects: system login and logout, user creation and
deletion, key directory access, changes of key file permissions, privileged operations, and
other operations.

Audit events are classified into two types: successful and failed events. Successful events
indicate that users performed operations successfully, and failed events indicate that users
attempted operations but failed. Failed events help trace attempts to attack the system.
Successful events are much more difficult to analyze: although most successful audit events
are normal activities in the system, an attacker who has already taken control of the system
also produces successful events. Therefore, the event type and the sequence in which events
occur are equally important. For example, a success after a run of failures may mean that
someone tried to attack the system and ultimately succeeded.

Under all conditions, the audit event should be combined with the associated users to perform
analysis. For example, if a user account is locked, the system can check whether the user tries
illegal logins during the locking period.

A user must be specified to check and audit logs, and only this user can perform this
operation. This ensures log security. In addition, the administrator should perform log check
and audit once a day and provide the check and audit result.
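The "success after continuous failures" rule above, combined with the associated user as the text requires, can be applied mechanically to authentication log lines. The following is an added example and is not code from the Huawei document or the Euler Linux hardening tool; the sshd-style log lines, host name, user names and addresses in it are constructed for illustration.

```python
"""Flag a successful login that follows a run of failed attempts.

Added example, not code from the Huawei document. It applies the
"success after continuous failures" audit rule to sshd-style log lines.
The sample lines, host name, user names and addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in the style of sshd entries in /var/log/messages.
SAMPLE_LOG = """\
Dec 30 10:00:01 host1 sshd[2001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Dec 30 10:00:03 host1 sshd[2002]: Failed password for root from 192.0.2.10 port 50002 ssh2
Dec 30 10:00:05 host1 sshd[2003]: Failed password for root from 192.0.2.10 port 50003 ssh2
Dec 30 10:00:07 host1 sshd[2004]: Accepted password for root from 192.0.2.10 port 50004 ssh2
Dec 30 10:05:00 host1 sshd[2010]: Accepted password for operator from 198.51.100.7 port 40001 ssh2
Dec 30 10:06:00 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 33001 ssh2
Dec 30 10:06:02 host1 sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 33002 ssh2
Dec 30 10:07:00 host1 cron[2020]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>\S+)"
)


def parse(line):
    """Return (timestamp, result, user, source) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def success_after_failures(lines, threshold=3):
    """Return one alert per Accepted login preceded by >= threshold consecutive failures.

    Failures are counted per (source address, user name), so each audit event is
    combined with its associated user. A success for one key does not reset the
    counters of other keys.
    """
    streak = defaultdict(int)
    alerts = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:          # not an sshd authentication event
            continue
        ts, result, user, src = rec
        key = (src, user)
        if result == "Failed":
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            alerts.append({"time": ts, "user": user, "source": src,
                           "failures_before": streak[key]})
        streak[key] = 0          # a success ends the run either way
    return alerts


def open_failure_runs(lines, threshold=3):
    """Keys still failing at the end of the log with >= threshold failures and no success."""
    streak = defaultdict(int)
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        _, result, user, src = rec
        key = (src, user)
        streak[key] = streak[key] + 1 if result == "Failed" else 0
    return {k: n for k, n in streak.items() if n >= threshold}


if __name__ == "__main__":
    for alert in success_after_failures(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
    for (src, user), n in open_failure_runs(SAMPLE_LOG.splitlines(), threshold=2).items():
        print(f"ongoing failures: {n} for user {user!r} from {src}")
```

On the constructed sample the root login from 192.0.2.10 is flagged because three failures preceded it, the operator login is not, and the admin attempts from 203.0.113.5 show up only as an open (unresolved) failure run. The threshold is the same kind of value as the three-attempt lockout described in section 3.2.5.6 and should be aligned with it.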


Patch Management
Patches are classified and the processes of using patches are recorded. Ensure that all
installation of patches is recorded in logs for future check.

System Backup
System backup is an important task and the last line of defense against disasters. Even if the
active service system is completely destroyed, services can be restored on another computer
from a properly generated and protected backup.
There are many basic backup policies. When designing the backup environment, however,
bear in mind that the backups must be fully usable when they are needed:
1. Mirroring cannot replace backup. Mirroring can prevent hard disk failure, but it cannot
recover files that have been deleted or damaged. If a file is deleted from the mirroring, it
disappears from both the mirroring and the original location. Therefore, other measures
must be taken to retrieve the file. The most common method (not the only method) is to
restore data stored in the backup disk.
2. Periodically test the restorability. If the backup data cannot be restored, it will take a lot
of time to use other techniques to create a backup. Periodic restorability testing does not
require you to test each created backup. However, you need to periodically check the
status of each disk drive to ensure that the backup is readable. In addition, random
sampling test must be performed on backup data to ensure that backup data can be
correctly read and restored.
3. Keep the head clean. Backup may seem to have been successfully completed on a
contaminated magnetic head, whereas actually useless information is written into the
tape.
4. Note the mean time between failures (MTBF) of backup media. If the manufacturer
suggests that the effective service life of the storage medium be 1000 times of backup,
then use it for at most 1000 times.
5. Back up important data twice. To ensure data security and service life, it is wise to keep
an additional backup at a remote site.

Security Training
Security training should be provided for the target users on a regular basis so that users have
security awareness and use products in a secure manner. In addition, security risk analysis
should be provided so that users can locate and rectify basic security faults.

2.2.2 Security Solution at the System Layer


System layer security is the core of the Euler Linux OS security and involves various security
techniques used by the Euler Linux OS.

2.2.2.1 Security Architecture at the System Layer


The OS is the core of information systems. It guarantees the normal operation of upper-layer
applications, such as network services and database systems.
However, application-layer security mechanisms alone cannot fundamentally solve the security
problems of information systems. Without the OS security mechanisms, application-layer
security mechanisms are vulnerable to damage, bypass, and spoofing attacks. The security
mechanisms of upper-layer applications, such as access control and encryption, must be
supported by the OS security mechanisms.
The Euler Linux OS provides the following security mechanisms:
l Identity authentication
l Security protocols
l Discretionary access control
l Mandatory access control
l File integrity check
l Security audit
l Memory object reuse
l Trusted path
These security mechanisms serve as the security basis for upper-layer applications.
Figure 2-2 shows the security architecture of the Euler Linux OS.

Figure 2-2 Security architecture of the Euler Linux OS

The security mechanisms in the security architecture of the Euler Linux OS are described as
follows:


l The security hardening tool provides convenient security configuration and management
and implements security hardening for system services, file permissions, kernel
parameters, log audit, and account and password of the Euler Linux OS.
l IDENT performs identity authentication.
l ACL implements fine-grained discretionary access control.
l Linux security module (LSM) is a security architecture for the kernel.
l CAP implements MAC-based mandatory access control based on the LSM architecture.
l AUDIT performs security audit.
l MOR prohibits memory reuse.
l Trusted path provides security keys to start the trusted login process.
l SP integrates the security protocols.

2.2.2.2 Identity Authentication


The Euler Linux OS uses the pluggable authentication module (PAM) mechanism to
implement user identity authentication.
PAM, first proposed and developed by Sun Microsystems, is a suite that provides
authentication and security services for system logins. The main functions of PAM are
authentication management, account management, session management, and password
management.
By default, the Euler Linux OS uses Linux-PAM.

2.2.2.3 Security Protocols


Security protocols, also called cryptographic protocols, are cryptography-based message
exchange protocols that provide various security services in a network environment.
Cryptography is the basis of network security. Network security, however, cannot rest on
secure cryptographic algorithms alone. Security protocols, as an important part of network
security, are used to authenticate entities, to securely distribute keys or other secrets between
entities, and to verify whether sent or received messages meet the requirements of
non-repudiation.
The Euler Linux OS supports the following security protocols:
l SSH
l SSL
l IPsec
l SFTP

2.2.2.4 Discretionary Access Control


Access control refers to the access rights of a subject to an object in a controlled system. The
subject is the active entity that causes information to be exchanged or changed; a subject is
generally the entity that issues an access request, for example, a process. The object is a
passive entity that contains or receives data; an object is an information carrier and is usually
the thing being accessed, such as a file. Access rights are the operation permissions needed to
access the object.
Discretionary access control (DAC) is one of the indispensable security mechanisms of an OS.
In the DAC mechanism, the object owner is responsible for the object's access rights and can
assign those rights to others. For example, user A, the owner of file A, can grant read, write,
and execute permissions on file A to other users and can revoke these permissions at any time.
The Euler Linux OS uses the UGO and ACL mechanisms to implement DAC.

2.2.2.5 Mandatory Access Control


The basic idea of mandatory access control is that each subject and each object (file, message
queue, shared memory area, and semaphore) is assigned security attributes (labels). The attributes
are set by an administrator or by the system; users cannot modify them.
Based on the security attributes of the subject and the object, the mandatory access control
mechanism determines whether the subject can access the object. If the system determines
that access is not allowed, nobody (including the object owner) can access the object.

2.2.2.6 Memory Object Reuse


The memory object reuse mechanism ensures that information used by a subject in a storage
object cannot be obtained by another subject after the first subject's activities are
complete.
Within the free storage object space of the trusted computing base of a computer information
system, all authorization to the information in an object is revoked before the object is
initially assigned, allocated, or reallocated to a subject. When a subject obtains permission to
access a released object, it cannot obtain any information generated by the activities
of the original subject.
The Euler Linux OS implements the memory object reuse mechanism.
Memory object reuse prevents a new subject from obtaining information left in memory by a
previous subject. It is implemented during memory allocation: memory is overwritten when
it is allocated, so that leftover data cannot be reused.

2.2.2.7 Host Firewall


The iptables firewall is installed on the Euler Linux OS by default.
A firewall is the first line of defense against network attacks. It is located at the junction
between networks and protects a network against attacks from other networks. The firewall
must be located at the only entry and exit point between the network to be protected and
other networks. If there is any other ingress node that can access the protected network, the
firewall does not provide any protection.
The Euler Linux OS uses firewall rules set by the iptables tool. Figure 2-3 shows the
structure of iptables rules.


Figure 2-3 Structure of iptables rules

2.2.3 Security Solution at the Network Layer


The security solution at the network layer takes a series of security measures to protect the
security of the network, and provides support for service systems that are running on the
network, including security protection related to network resource access and network service
usage.
Network security technologies include security design for network topology, network device
protection, network isolation, network boundary protection (such as firewall), network
security detection (such as intrusion detection system (IDS)), network data encryption (such
as virtual private network (VPN)), network security scanning, network security management,
and Layer 2 security (such as IP/MAC binding and DHCP isolation). The Euler Linux OS
focuses on internal network security. It uses the firewall techniques to ensure internal network
security. For details about the iptables content, see 2.2.2.7 Host Firewall.

2.3 Benefits
With the rapid development of network applications, information systems face more and more
security threats, and a single security technique cannot protect system security.
While ensuring product availability, the Euler Linux OS provides comprehensive protection
by using security techniques at the management layer, system layer, and network layer. This
reduces the likelihood of attacks, ensures product security over the whole life cycle, protects
the interests of users, and reduces security risks.
The management layer provides guidance on product use and management regulations,
ensures that users can properly use products, and minimizes the impact of human factors on
security by implementing management regulations.
The system layer provides the following security mechanisms: identity authentication, security
protocols, fine-grained access control, MAC, file integrity check, security auditing, memory
object reuse, trusted path, and security hardening. By using these security mechanisms, the
system layer provides security support for upper-layer applications, ensures product security,
prevents network attacks such as Trojan horses and viruses, and keeps security risks within
a reasonable range. In addition, the Euler Linux OS regularly collects and backs up system
logs so that users can perform security audits.
The network layer uses secure networking to ensure the security of the products on the
network.


3 Security Features

3.1 Overview
This section describes the purpose, scheme, and impacts of hardening the Euler Linux system.

3.2 OS Security Hardening Features

3.2.1 SSH Service Hardening


Description
Set the algorithm and authentication parameters used when the system provides the OpenSSH service.
SSH is currently a reliable protocol for securing remote logins and other network services.
The SSH protocol can effectively prevent information disclosure during remote management.
All transmitted data can be encrypted through SSH to prevent DNS spoofing and IP spoofing.
OpenSSH is a free and open source implementation of the SSH protocol.
Hardening the SSH service means that certain configuration items of the SSH service are
modified to improve system security. Table 3-1 describes the default policy and value of each
security hardening item.

NOTE

You are not advised to modify default hardening policies.

Implementation
Table 3-1 describes the current hardening policies of the Euler Linux system implemented on
the SSH service. All listed hardening items are in the SSH configuration file /etc/ssh/
sshd_config.


Table 3-1 Default SSH service hardening policies

| Policy Description | Hardening Item | Default Value |
| --- | --- | --- |
| Set the local IPv4 address on which the SSH service listens. According to the hardening policy, the service listens on all local IPv4 addresses, that is, SSH can be used to log in to the host through any of its IPv4 addresses. | ListenAddress | 0.0.0.0 |
| Set the local IPv6 address on which the SSH service listens. According to the hardening policy, the service listens on all local IPv6 addresses, that is, SSH can be used to log in to the host through any of its IPv6 addresses. | ListenAddress | :: |
| Set the log facility of the SSH service. According to the hardening policy, the facility is AUTH, that is, authentication logs. | SyslogFacility | AUTH |
| Set the level at which sshd log messages are recorded. | LogLevel | INFO |
| Set whether the permissions and ownership of user home directories and rhosts files are checked before SSH accepts login requests. | StrictModes | yes |
| Set whether RSA authentication alone is allowed. | RSAAuthentication | yes |
| Set whether public key authentication is allowed. | PubkeyAuthentication | yes |
| Set whether rhosts-based RSA authentication is enabled. rhosts files record the names of hosts that can access a remote computer and the associated login names. | RhostsRSAAuthentication | no |
| Set whether host-based authentication is used. Host-based authentication means that any user of a trusted client can use an SSH connection. | HostbasedAuthentication | no |
| When a user establishes an SSH connection, the SSH service verifies the user's account. This option sets whether the user's known hosts (trusted hosts) are ignored in that verification. According to the hardening policy, they are ignored. | IgnoreUserKnownHosts | yes |
| Set whether the rhosts and shosts files are ignored. rhosts and shosts files record the names of hosts that can access a remote computer and the associated login names. | IgnoreRhosts | yes |
| Set whether accounts without passwords can log in. | PermitEmptyPasswords | no |
| Set whether a graphical interface can be used after logging in through SSH. | X11Forwarding | no |
| Path of the prompt information displayed for SSH logins. | Banner | /etc/issue.net |
| Set the encryption algorithms. | Ciphers | aes128-ctr,aes192-ctr,aes256-ctr |
| Set the message authentication (hash) algorithm. | MACs | hmac-sha2-256 |
| SSH protocol version 2 is enforced. | Protocol | 2 |
| Set whether passwords are used for authentication. | PasswordAuthentication | no |
| Set whether PAM is used for login authentication. | UsePAM | yes |
| Set whether the root account can log in through SSH. Root login is prohibited. | PermitRootLogin | no |
| Record the sftp running logs at INFO level to the authentication log facility. | Subsystem sftp | /usr/lib64/ssh/sftp-server -l INFO -f AUTH |
| Set a timeout interval in seconds. If the server has not received data from the client when the timeout interval expires, the server disconnects from the client. | ClientAliveInterval | 1800 |
| Set the maximum number of times the client may fail to respond to requests from the server. If the maximum number is reached, the server automatically disconnects from the client. | ClientAliveCountMax | 0 |

3.2.2 File Permissions

3.2.2.1 Setting File Permissions and Owners

Description
Linux considers all objects as files. Even a directory is considered to be a large file that
contains multiple files. Therefore, the security of files and directories is essential to Linux.
File and directory security is maintained mainly through the owner and permission.

By default, permissions and owners are set for common directories, executable files, and
configuration files in the system.

Implementation
Step 1 Modify the file permissions. Use the /bin directory as an example. By default, the permission
of the /bin directory is set to 755 as follows:
chmod 755 /bin

Step 2 Modify the file owner of the /bin directory as follows:
chown root:root /bin

----End


3.2.2.2 Deleting Unowned Files

Description
When a system administrator deletes a user, the administrator may forget to delete the files
owned by this user. In this case, if a new user has the same name as the deleted user, the new
user will own files that do not belong to the new user. Therefore, you are advised to delete
these files.

Implementation
Step 1 Run the find / -nouser command to find out files owned by users whose IDs do not exist and
then delete these files.
Step 2 Run the find / -nogroup command to find out files owned by groups whose IDs do not exist
and then delete these files.

----End

3.2.2.3 Setting the Umask Value for the Daemon Process

Description
The umask value sets the default permissions of new files and directories. If no umask value
is set, the generated files can be globally writable, which is a potential risk.
A daemon process is responsible for a service and allows the system to accept requests from
users or network clients. To enhance the security of files and directories created by daemon
processes, set the umask value to 027. The umask value specifies the permission bits that are
withheld, that is, the complement of the permissions granted. For the values of umask and the
calculation of permissions, see 3.3.3 Meanings of Umask Values.

Implementation
Add the following to the configuration file /etc/rc.status: umask 027.

3.2.2.4 Deleting the Global Writable Attribute of Unauthorized Files

Description
Global writable files can be modified by any user, which affects the system integrity.

Implementation
Step 1 Run the following commands to display all the global writable files:
find / -type d \( -perm -o+w \) | grep -v proc
find / -type f \( -perm -o+w \) | grep -v proc

Step 2 Check all files (excluding files and directories that have sticky bits) listed in step 1 and delete
these files or remove their global writable attribute. You can run the following command to
remove the global writable attribute:
chmod o-w <filename>

----End


3.2.2.5 Limiting Operation Rights of at Commands

Description
The at commands are used to create tasks that are automatically executed at a specified time.
To prevent users from arbitrarily running the at commands, which makes the system
vulnerable to attacks, you need to specify users who can use the at commands.

Implementation
Step 1 Delete the /etc/at.deny file.
Step 2 Create the /etc/at.allow file and write root by running the following command:
echo "root" >> /etc/at.allow

Step 3 Modify the permissions for the /etc/at.allow file to 400 (read-only) by running the following
command:
chmod 400 /etc/at.allow

Step 4 Modify the file owner of the at.allow file to root:root by running the following command:
chown root:root /etc/at.allow

----End

3.2.2.6 Limiting Operation Rights of cron Commands

Description
The cron commands are used to create routine tasks. To prevent users from arbitrarily running
the cron commands, which makes the system vulnerable to attacks, you need to specify users
who can use the cron commands.

Implementation
Step 1 Delete the /etc/cron.deny file.
Step 2 Create the /etc/cron.allow file and write root by running the following command:
echo "root" >> /etc/cron.allow

Step 3 Modify the permissions for the /etc/cron.allow file to 400 (read-only) by running the
following command:
chmod 400 /etc/cron.allow

Step 4 Modify the file owner of the cron.allow file to root:root by running the following command:
chown root:root /etc/cron.allow

----End

3.2.2.7 Hardening the System Environment Variable PATH

Description
It is recommended that system paths be ranked before user paths. In this way, files in system
paths are executed in preference to files of the same names in user paths. Arrange the system
paths in the following sequence, before the user paths:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
<All other paths>
In addition, relative paths are not allowed in the PATH variable. Therefore, delete paths
beginning with "." and remove any redundant leading or trailing ":" (an empty entry is
searched as the current directory). The changes take effect upon the next login.

Implementation
Step 1 Check the system environment variables by running the following command:
echo $PATH

Step 2 Modify the sequence of each path in the system environment variable.
Modify the sequence according to instructions. For example, you can write the following at
the end of the /etc/profile file:
export PATH=/bin:/sbin/:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin <all
other paths>

Step 3 Delete the relative paths in the system environment variable. Relative paths start with "." or
"./".

----End
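A shell check for the PATH rules in this section, added here as an example and not part of the Huawei document: path_issues lists the violations in a PATH value and harden_path rebuilds the value in the recommended order; the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Huawei document: check a PATH value against
# the rules of 3.2.2.7 and rebuild it in the recommended order.
# System paths in the document's order; every other absolute entry follows them.
SYSTEM_PATHS='/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'

# is_system_path ENTRY: succeeds when ENTRY (a trailing '/' is ignored, so the
# document's "/sbin/" counts) is one of SYSTEM_PATHS
is_system_path() {
    e=$1
    [ "$e" != "/" ] && e=${e%/}
    for s in $SYSTEM_PATHS; do
        [ "$e" = "$s" ] && return 0
    done
    return 1
}

# path_issues VALUE: print one line per rule violation found in VALUE and
# return 1 if any was found, 0 for a clean value. Entries are split on ':' by
# hand so that the empty entries produced by a leading, trailing or doubled
# ':' are seen (the shell searches the current directory for them).
path_issues() {
    rest="$1:"; pos=0; rc=0; first_user=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
        if [ -z "$entry" ]; then
            echo "entry $pos: empty entry (searches the current directory)"; rc=1
        elif [ "${entry#/}" = "$entry" ]; then
            echo "entry $pos: relative path '$entry'"; rc=1
        elif is_system_path "$entry"; then
            if [ -n "$first_user" ]; then
                echo "entry $pos: system path $entry listed after user path $first_user"; rc=1
            fi
        elif [ -z "$first_user" ]; then
            first_user=$entry    # first non-system absolute entry
        fi
    done
    return $rc
}

# harden_path VALUE: print VALUE rebuilt as the six system paths in the
# document's order followed by every other absolute entry in its original
# order; empty, relative and duplicate entries are dropped.
harden_path() {
    out=""
    for s in $SYSTEM_PATHS; do out="$out:$s"; done
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        [ -z "$entry" ] && continue
        [ "${entry#/}" = "$entry" ] && continue
        is_system_path "$entry" && continue
        case "$out:" in *":$entry:"*) continue ;; esac    # duplicate
        out="$out:$entry"
    done
    printf '%s\n' "${out#:}"
}

# Stand-alone run: "sh path_check.sh --check" reports on the current PATH and
# prints the hardened form when something is wrong.
case "${1:-}" in
    --check)
        path_issues "$PATH" || echo "hardened PATH: $(harden_path "$PATH")" ;;
esac
```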

3.2.2.8 Adding the nodev Attribute for Specified Partitions

Description
The purpose of this policy is to restrict usage of dev device files in data partitions to prevent
unauthorized users from mounting dev devices from data partitions. This can help reduce the
possibility of system attacks.

Implementation
1. Open the /etc/fstab file.
vim /etc/fstab

2. Modify the mounting mode for the ext2/ext3/reiserfs file system partition (except the
root partition) by adding the nodev attribute.
NOTE

This hardening policy applies only to the unified storage. For the massive storage, the nodev
attribute only needs to be added for the /var directory.


3. Remount the partitions.

3.2.2.9 Adding Sticky Bit Property for Globally Writable Directories

Description
A user can delete or modify files and directories in the globally writable directories. To ensure
that the files and directories in the globally writable directories are not deleted arbitrarily, you
need to add the sticky bit property for the globally writable directories.

Implementation
Step 1 Search for globally writable directories by running the following command:
find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc

Step 2 Add the sticky bit property for the globally writable directories by running the following
command:
chmod +t $dirname

----End
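An audit that combines the checks of 3.2.2.4 and 3.2.2.9, added here as an example and not part of the Huawei document: it reports world-writable files and world-writable directories without the sticky bit over a constructed directory tree and applies the two fixes given above (chmod o-w for files, chmod +t for directories); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Huawei document: audit a directory tree for
# the two conditions of 3.2.2.4 and 3.2.2.9 and apply the fixes the document
# gives. The tree built by make_sample_tree is constructed, so the script can
# be tried safely before it is pointed at a real root.

# world_writable_report ROOT: print "FILE path" for every world-writable
# regular file and "DIR path" for every world-writable directory that lacks
# the sticky bit (the same test as the find command in 3.2.2.9); directories
# such as /tmp that already carry the sticky bit are not reported.
world_writable_report() {
    find "$1" -type f -perm -0002 -print | sed 's/^/FILE /'
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
}

# fix_world_writable ROOT: remove the world-writable bit from the reported
# files and add the sticky bit to the reported directories, which keeps the
# directories shared but stops users deleting each other's entries.
fix_world_writable() {
    world_writable_report "$1" | while IFS= read -r line; do
        kind=${line%% *}
        path=${line#* }
        case $kind in
            FILE) chmod o-w "$path" ;;
            DIR)  chmod +t "$path" ;;
        esac
    done
}

# make_sample_tree: build a constructed tree under a fresh temporary directory
# and print its path: one world-writable file, one world-writable directory
# without the sticky bit, one with it, and one properly protected directory.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/shared" "$t/tmpdir" "$t/private"
    : > "$t/shared/notes.txt"
    : > "$t/private/keep"
    chmod 666 "$t/shared/notes.txt"
    chmod 777 "$t/shared"
    chmod 1777 "$t/tmpdir"
    chmod 755 "$t/private"
    chmod 644 "$t/private/keep"
    printf '%s\n' "$t"
}

# Stand-alone run: "sh ww_audit.sh --demo" reports, fixes, reports again and
# removes the constructed tree.
case "${1:-}" in
    --demo)
        root=$(make_sample_tree)
        echo "before:"; world_writable_report "$root"
        fix_world_writable "$root"
        echo "after:";  world_writable_report "$root"
        rm -rf "$root" ;;
esac
```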

3.2.3 Kernel Parameters Hardening

Description
Kernel parameters specify the configuration and behaviour of the kernel and the permissions
of applications. The kernel exposes configurable system controls that can be tuned at run
time. This function sets those controls to improve OS security; for example, tuning the
network options enhances the security of the system.

Implementation
Step 1 Write the hardening items in Table 3-2 to the /etc/sysctl.conf file.
NOTE

Each item is written as one "parameter = value" line, for example:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Table 3-2 Kernel parameter hardening policies

| Policy Description | Hardening Item | Default Value |
| --- | --- | --- |
| Set whether ICMP echo requests sent to broadcast addresses are ignored. They are ignored according to the hardening policy. | net.ipv4.icmp_echo_ignore_broadcasts | 1 |
| Check whether the source address of a packet is consistent with the routing table, that is, whether a reply to the packet's source IP address would leave through the interface on which the packet arrived (reverse path filtering). This option is enabled according to the hardening policy. | net.ipv4.conf.all.rp_filter, net.ipv4.conf.default.rp_filter | 1 |
| Specify the upper limit of watches per inotify instance. The upper limit is 65536 according to the hardening policy. | fs.inotify.max_user_watches | 65536 |
| After the primary address (alias) of a network interface is removed, a secondary address is promoted to primary so that the other secondary addresses are not removed with it. This option is enabled according to the hardening policy. | net.ipv4.conf.default.promote_secondaries, net.ipv4.conf.all.promote_secondaries | 1 |
| Disabling IP forwarding prevents unauthorized IP packets from being forwarded through the host into the network. This option is disabled according to the hardening policy. | net.ipv4.ip_forward | 0 |
| The accept_source_route parameter allows a packet sender to specify the path that the packet and its reply take. This option is disabled according to the hardening policy. | net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route | 0 |
| Set whether ICMP redirect packets are accepted. They are not accepted according to the hardening policy. | net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects | 0 |
| Set whether ICMP redirect packets are sent to other hosts. This is needed only when the host functions as a router. This option is disabled according to the hardening policy. | net.ipv4.conf.all.send_redirects, net.ipv4.conf.default.send_redirects | 0 |
| The tcp_timestamps variable controls TCP time stamps. If this policy is enabled, a time stamp is added when TCP packets are received or sent. This option is disabled according to the hardening policy. | net.ipv4.tcp_timestamps | 0 |
| Forged ICMP error packets are not written to the logs if they are ignored, which saves a lot of disk space. This option is enabled according to the hardening policy. | net.ipv4.icmp_ignore_bogus_error_responses | 1 |
| Set whether ARP proxying is enabled for the specified devices in the kernel. ARP proxying is disabled according to the hardening policy. | net.ipv4.conf.all.proxy_arp, net.ipv4.conf.default.proxy_arp | 0 |
| Set whether TIME-WAIT sockets can be reused for new TCP connections. They can be reused according to the hardening policy. | net.ipv4.tcp_tw_reuse | 1 |
| Set whether fast recycling of TIME-WAIT sockets in TCP connections is enabled. It is enabled according to the hardening policy. | net.ipv4.tcp_tw_recycle | 1 |
| Set how long sockets are retained in the FIN-WAIT-2 state. The duration is 60 seconds according to the hardening policy. | net.ipv4.tcp_fin_timeout | 60 |
| A SYN attack is a type of DoS attack that exhausts system resources to force a restart. TCP SYN cookie protection is enabled according to the hardening policy. | net.ipv4.tcp_syncookies | 1 |
| Set the maximum number of requests in the SYN_RECV state queue. The system does not accept new TCP connection requests once the number of requests in the SYN_RECV queue exceeds this value, which limits resource exhaustion to some extent. | net.ipv4.tcp_max_syn_backlog | 4096 |
| Set whether the system accepts ICMP redirect messages from any host or only from gateways in its default gateway list. The system accepts them from any host according to the hardening policy. | net.ipv4.conf.all.secure_redirects, net.ipv4.conf.default.secure_redirects | 0 |
| Set whether the SysRq key can be used to perform operations such as restarting the system, detecting memory, synchronizing hard disks, and killing processes. This option is disabled according to the hardening policy. | kernel.sysrq | 0 |
| Set the console log level, default message log level, minimum console log level, and default console log level. | kernel.printk | 3 4 1 7 |
| Set the maximum number of connection tracking entries, that is, the maximum number of connections that kernel netfilter tracks at a time. | net.netfilter.nf_conntrack_max | 600000 |
| Log spoofed, source-routed, and redirect packets (martians). | net.ipv4.conf.all.log_martians, net.ipv4.conf.default.log_martians | 1 |
| Restrict non-privileged users' access to dmesg information. | kernel.dmesg_restrict | 1 |

NOTE

kernel.panic indicates the waiting time (measured by seconds) needed before the kernel boots again
after the kernel panic occurs. In the release version of Euler Linux, the value of kernel.panic is 3 by
default. Users can set the value based on their needs.

Step 2 Load the kernel parameters set in the sysctl.conf file by running the following command:
sysctl -p /etc/sysctl.conf

----End
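A baseline check that serves both Table 3-1 (sshd_config) and Table 3-2 (sysctl.conf), added here as an example and not part of the Huawei document: audit_conf compares a configuration file with a list of expected items and reports the ones that are missing or carry another value; the function names, the baseline subsets and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Huawei document: compare a configuration file
# with a baseline of expected "key value" lines. It serves both the sshd_config
# items of Table 3-1 and the sysctl.conf items of Table 3-2, since the only
# difference between the two formats is the "=" separator. The baselines are
# subsets of the two tables; the sample files written below are constructed.

# normalize_conf FILE: print FILE as "key value" lines with comments removed,
# the first "=" turned into a space and runs of whitespace collapsed.
normalize_conf() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# audit_conf FILE BASELINE: BASELINE is a newline-separated list of expected
# "key value" lines. Prints "MISSING key value" when the key is absent and
# "DIFFERS key expected=... found=..." when it is present with another value
# (several values are joined with commas). Returns 0 only when every baseline
# line is present as written.
audit_conf() {
    file=$1; baseline=$2; rc=0
    norm=$(normalize_conf "$file")
    old_ifs=$IFS; IFS='
'
    for want in $baseline; do
        if ! printf '%s\n' "$norm" | grep -qxF -- "$want"; then
            key=${want%% *}
            found=$(printf '%s\n' "$norm" |
                awk -v k="$key" 'index($0, k " ") == 1 { print substr($0, length(k) + 2) }' |
                tr '\n' ',' | sed 's/,$//')
            if [ -n "$found" ]; then
                printf 'DIFFERS %s expected=%s found=%s\n' "$key" "${want#* }" "$found"
            else
                printf 'MISSING %s\n' "$want"
            fi
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Subset of Table 3-1 (sshd_config), written as "Item Value"
SSHD_BASELINE='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256
ClientAliveInterval 1800
ClientAliveCountMax 0'

# Subset of Table 3-2 (sysctl.conf); the "=" of the file format is not needed here
SYSCTL_BASELINE='net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.tcp_syncookies 1
kernel.sysrq 0
kernel.dmesg_restrict 1'

# write_samples DIR: write two constructed files, an sshd_config with one item
# drifted and one missing, and a sysctl.conf that matches its baseline.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample, not a real host configuration
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256
ClientAliveInterval 1800
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample, matches the baseline apart from spacing
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
kernel.sysrq = 0
kernel.dmesg_restrict = 1
EOF
}

# Stand-alone run: "sh conf_audit.sh --demo" audits the two constructed files.
# On a real host, point audit_conf at /etc/ssh/sshd_config and /etc/sysctl.conf.
case "${1:-}" in
    --demo)
        d=$(mktemp -d); write_samples "$d"
        echo "sshd_config:"; audit_conf "$d/sshd_config" "$SSHD_BASELINE" || true
        echo "sysctl.conf:"; audit_conf "$d/sysctl.conf" "$SYSCTL_BASELINE" && echo "all items match"
        rm -rf "$d" ;;
esac
```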

3.2.4 Authorization and Authentication

3.2.4.1 Setting Alarm Information for Remote Logins

Description
The alarm information set for remote logins warns users, before they log in to the system, of
possible penalties for unauthorized access and deters potential attackers. At the same time, it
hides the system architecture and other system information to prevent targeted attacks on the
system.

Implementation
This setting can be implemented by modifying the /etc/issue.net file. Replace the original
content of the /etc/issue.net file with the following information:
Authorized users only. All activities may be monitored and reported.

3.2.4.2 Prohibiting System Restart by Pressing CTRL+ALT+DEL

Description
By default, you can restart the OS by pressing Ctrl+Alt+Del. Disabling this function can
prevent data loss due to misoperations.

Implementation
Modify the /etc/inittab file by replacing "ca::ctrlaltdel:/sbin/shutdown -r -t 4 now" with
"ca::ctrlaltdel:/bin/false".


3.2.4.3 Setting the Automatic Logout Time

Description
Unattended terminals can be easily hijacked or attacked, which may compromise system
security. Therefore, terminals need to log out automatically after being idle for a period of
time.

By default, the automatic logout time is 1200s according to the security hardening policy. If a
terminal is idle for more than 1200s, the session is automatically logged out, reducing the
risk of attack.

Implementation
The automatic logout time depends on the value of the TMOUT field (in seconds) in the
/etc/profile file. Add the following configuration to the end of the /etc/profile file:
TMOUT=1200; export TMOUT

3.2.4.4 Setting the Default Umask Value to 077

Description
The umask value sets the default permissions of new files and directories. If the umask value
is too small, users receive too many rights, which threatens system security.
Therefore, set the default umask value of all users to 077, that is, the default permission for
files created by users is 700 and that of directories is 600. The umask value is the complement
of the permissions granted. For the values of umask and the calculation of permissions, see
Meanings of Umask Values.

Implementation
Step 1 Add "umask 077" to the /etc/profile, /etc/csh.login, /etc/csh.cshrc, and /etc/bash.bashrc files
by running the following command:
echo "umask 077" >> $FILE

NOTE

$FILE indicates names of the preceding files.

Step 2 Set the owner and group of the file in step 1 to root, respectively by running the following
command:
chown root.root $FILE

----End

NOTE

$FILE indicates names of files described in step 1.

3.2.5 Account and Password


3.2.5.1 Shielding System Accounts

Description
Accounts other than user accounts are system accounts. System accounts can only be used
inside the system and cannot be used to log in to the system or perform other operations.
Therefore, system accounts are shielded.

Implementation
Lock the system account and set its shell to /bin/false by running the following command:
usermod -L -s /bin/false $systemaccount

NOTE

$systemaccount indicates the system account.

3.2.5.2 Restricting the Accounts That Use the su Command

Description
The su command is used to switch between different users. To enhance system security, it is
necessary to control the permission to use the su command. Only users in the root and wheel
groups are allowed to use the su command.

Implementation
You can modify the /etc/pam.d/su and /etc/pam.d/su-l files to control the permission to use
the su command. Add the following configuration to the end of these two files:
auth required pam_wheel.so use_uid group=wheel

Table 3-3 pam_wheel.so configuration items

| Configuration Item | Description |
| --- | --- |
| use_uid | Indicates the uid of the current user. |
| group=wheel | Indicates that only users in the wheel group can use the su command. |

3.2.5.3 Setting Password Complexity

Description
Set the password complexity as follows:

- A password needs to contain a minimum of eight characters.
- The password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.
- A password must be different from the user name or the user name in reverse order.

Implementation
Set the password complexity by modifying the /etc/pam.d/common-password-pc file. Add
the following line at the beginning of the /etc/pam.d/common-password-pc file:
password required pam_sek_pwck.so minlen=8 min_upper=1 min_lower=1 min_digits=1 min_special=1 remember=5 tries=5 enforce_for_root no_username root_check_dict use_cracklib cracklib=/usr/share/cracklib/pw_dict

Table 3-4 pam_sek_pwck.so configuration items

| Configuration Item | Description |
| --- | --- |
| minlen=8 | A password needs to contain a minimum of eight characters. |
| min_upper=1 | The password must contain at least one uppercase letter. |
| min_lower=1 | The password must contain at least one lowercase letter. |
| min_digits=1 | The password must contain at least one digit. |
| min_special=1 | The password must contain at least one special character. |
| remember=5 | A password cannot be any of the last five passwords that have been used. |
| tries=5 | Each password change allows a maximum of five attempts. |
| enforce_for_root | The setting also applies to the root user. |
| no_username | A password must be different from the user name or the user name in reverse order. |
| root_check_dict | The password of root cannot be a word in the dictionary. |
| use_cracklib | A word in the dictionary must not be the password of a common user. |
| cracklib=/usr/share/cracklib/pw_dict | Set the dictionary file to /usr/share/cracklib/pw_dict.pwd. |


Table 3-5 pam_unix2.so configuration items

| Configuration Item | Description |
| --- | --- |
| use_authtok | Write a new password to the record file (the default file is /etc/shadow) provided by the password module. |

3.2.5.4 Setting the Password Validity Period

Description
Set the password validity period to 90 days and users will be informed of changing passwords
seven days before the password expires.

Implementation
Set the password validity period by modifying the /etc/login.defs file. Table 1 describes the
hardening items. All security hardening items are in the /etc/login.defs file. Fields in the table
can be modified by directly modifying the configuration file.

Table 3-6 login.defs configuration items

| Policy Description | Hardening Item | Default Value |
| --- | --- | --- |
| Maximum password validity period | PASS_MAX_DAYS | 90 |
| Minimum interval between two password changes | PASS_MIN_DAYS | 0 |
| Number of days in advance that users are notified their passwords are about to expire | PASS_WARN_AGE | 7 |

NOTE

The login.defs file is used to set restrictions on user accounts, such as setting the longest password
validity period and maximum length. When a new account is created, the Euler Linux OS reads the
preceding configuration information from the /etc/login.defs file and writes the read information into the
corresponding account's configuration items in the /etc/shadow file. The Euler Linux OS can identify
the maximum password validity period, minimum interval between two password changes, and number
of days in advance users are notified that their passwords are about to expire. When a user logs in after
the password expires, the user will be informed of the password expiry and is required to change the
password. If the user does not change the password, the user cannot access the system.
The default configurations of root and lgnusr accounts preset in the current system are as follows:
maximum password validity period (90 days), minimum interval between two password changes (no
restriction), and number of days in advance users are notified that their passwords are about to expire
(seven days only for the lgnusr account).

3.2.5.5 Setting the Password Encryption Algorithm

Description
According to the password requirements, passwords cannot be stored in plaintext in the system and must be encrypted. In addition, passwords that never need to be recovered must be protected with an irreversible (one-way hash) algorithm. Set the password encryption algorithm to sha256. This setting effectively prevents password disclosure and ensures password security.

Implementation
Modify the system file /etc/default/passwd by changing the values of the CRYPT and CRYPT_FILES fields to sha256 as follows:

# Define default crypt hash. This hash will be
# used, if there is no hash for a special service
# the user is stored in.
CRYPT=sha256

# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=sha256
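The two hardening items above (password ageing in 3.2.5.4 and the sha256 hash in 3.2.5.5) both leave their trace in /etc/shadow, so they can be verified from the same record. The following checker is an added example, not code from the Huawei document; SAMPLE_SHADOW and TODAY are constructed sample data, and the function names are chosen here.

```python
"""Added example, not code from the Huawei document: check the two hardening
items above against /etc/shadow-style records.

  * hash_algorithm() reads the crypt(3) prefix of the password field, so an
    account whose hash is not $5$ (sha256, the CRYPT/CRYPT_FILES value above)
    is flagged. A hash is only re-computed when the password is next changed,
    which is why old accounts can still carry md5 or DES hashes.
  * ageing_status() applies the fields that login.defs writes into /etc/shadow
    (days since last change, PASS_MAX_DAYS, PASS_WARN_AGE) to a given date.

SAMPLE_SHADOW and TODAY are constructed sample data, not real accounts."""
import datetime

EPOCH = datetime.date(1970, 1, 1)
TODAY = datetime.date(2016, 12, 30)          # date the sample is evaluated on
TODAY_DAYS = (TODAY - EPOCH).days            # shadow stores dates as days since the epoch

# crypt(3) hash prefix -> algorithm name (no $id$ prefix means traditional DES crypt)
HASH_PREFIXES = {"$5$": "sha256", "$6$": "sha512", "$1$": "md5",
                 "$2a$": "blowfish", "$2y$": "blowfish"}

# Constructed /etc/shadow lines: user:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = "\n".join([
    "root:$5$saltsalt$c0nstructedhashvalue:%d:0:90::::" % (TODAY_DAYS - 10),
    "lgnusr:$5$saltsalt$c0nstructedhashvalue:%d:0:90:7:::" % (TODAY_DAYS - 85),
    "oldapp:$1$saltsalt$c0nstructedmd5hash:%d:0:90:7:::" % (TODAY_DAYS - 100),
    "svc:!:%d::99999::::" % (TODAY_DAYS - 400),
])


def hash_algorithm(field):
    """Name the hashing algorithm of one shadow password field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-empty"          # no usable password hash at all
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des"


def parse_shadow(text):
    """Parse /etc/shadow-style lines into dicts; ageing fields become int or None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError("malformed shadow line: %r" % line)
        to_int = lambda s: int(s) if s else None
        entries.append({"user": f[0], "hash": f[1], "lastchg": to_int(f[2]),
                        "min": to_int(f[3]), "max": to_int(f[4]), "warn": to_int(f[5])})
    return entries


def ageing_status(entry, today):
    """Classify an account as 'ok', 'warning', 'expired' or 'no-expiry'.

    Boundary handling is approximate: the password counts as expired once more
    than `max` days have passed since the last change."""
    if entry["lastchg"] is None or entry["max"] is None or entry["max"] >= 99999:
        return "no-expiry"
    days_since_change = (today - EPOCH).days - entry["lastchg"]
    days_left = entry["max"] - days_since_change
    if days_left < 0:
        return "expired"
    if entry["warn"] is not None and days_left <= entry["warn"]:
        return "warning"                  # inside the PASS_WARN_AGE window
    return "ok"


def report(shadow_text, today, expected="sha256"):
    """Return {user: (algorithm, ageing status, algorithm matches `expected`)}."""
    result = {}
    for e in parse_shadow(shadow_text):
        algo = hash_algorithm(e["hash"])
        algo_ok = algo in (expected, "locked-or-empty")
        result[e["user"]] = (algo, ageing_status(e, today), algo_ok)
    return result


if __name__ == "__main__":
    for user, (algo, status, ok) in sorted(report(SAMPLE_SHADOW, TODAY).items()):
        print("%-8s hash=%-16s ageing=%-10s %s" % (user, algo, status, "" if ok else "<- not sha256"))
```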

3.2.5.6 Locking a User After Three Failed Login Attempts

Description
According to the password security requirements, set the maximum number of incorrect password inputs to three and the locking time after three failed login attempts to five minutes (300 seconds). During the locking period, any input is considered invalid, and further input does not restart the locking timer. After a user account is unlocked, the record of the user's incorrect inputs is cleared. This setting effectively prevents brute-force password cracking and enhances system security.

Implementation
Step 1 Modify the system file /etc/pam.d/common-auth-pc by adding the following to the end of the file:
auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=300

The preceding parameters are described in Table 1.

Step 2 Modify the system file /etc/pam.d/common-account-pc by adding the following to the end of the file:
account required pam_tally2.so

----End

Table 3-7 pam_tally2.so configuration items

Configuration Item     Description
onerr=fail             This is used to capture events of user login failures.
deny=3                 If the number of consecutive login failures exceeds three, the user account will be locked.
unlock_time=300        The locking duration of common users is 300 seconds (5 minutes).
even_deny_root         The root user is also restricted.
root_unlock_time=300   The locking duration of the root user is 300 seconds (5 minutes).
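To reason about what the policy above does at the boundaries (the third failure, input during the lock, the unlock instant), the following model is an added example, not code from the Huawei document and not the pam_tally2 implementation; it follows the behaviour described in this section, and the class and method names are chosen here.

```python
"""Added example, not code from the Huawei document: a small model of the
lockout policy configured above (deny=3, unlock_time=300, even_deny_root,
root_unlock_time=300), following the behaviour this section describes:
the third consecutive failure locks the account, input during the lock is
rejected without restarting the timer, and unlocking clears the failure record.
It is a reasoning aid for the policy, not the pam_tally2 module itself."""


class LockoutPolicy:
    def __init__(self, deny=3, unlock_time=300, root_unlock_time=300, even_deny_root=True):
        self.deny = deny
        self.unlock_time = unlock_time
        self.root_unlock_time = root_unlock_time
        self.even_deny_root = even_deny_root
        self.failures = {}    # user -> consecutive failures (the tally)
        self.locked_at = {}   # user -> time in seconds at which the lock began

    def _lock_seconds(self, user):
        return self.root_unlock_time if user == "root" else self.unlock_time

    def _expire_lock(self, user, now):
        """Lift an expired lock; the section states the tally is cleared with it."""
        started = self.locked_at.get(user)
        if started is not None and now - started >= self._lock_seconds(user):
            del self.locked_at[user]
            self.failures[user] = 0

    def is_locked(self, user, now):
        self._expire_lock(user, now)
        return user in self.locked_at

    def attempt(self, user, password_ok, now):
        """One login attempt at time `now` (seconds); returns the outcome."""
        self._expire_lock(user, now)
        if user in self.locked_at:
            # Locked: even a correct password is refused, and the timer is not restarted.
            return "denied-locked"
        if password_ok:
            self.failures[user] = 0          # a successful login resets the tally
            return "granted"
        self.failures[user] = self.failures.get(user, 0) + 1
        root_exempt = user == "root" and not self.even_deny_root
        if self.failures[user] >= self.deny and not root_exempt:
            self.locked_at[user] = now       # the deny-th failure starts the lock
            return "denied-now-locked"
        return "denied-bad-password"


def example_timeline():
    """Constructed sequence for the lgnusr account: outcomes per attempt."""
    policy = LockoutPolicy()
    attempts = [(False, 0), (False, 10), (False, 20),   # three wrong passwords
                (True, 100), (True, 250),               # right password, still locked
                (True, 320)]                            # lock began at 20, lifts at 320
    return [policy.attempt("lgnusr", ok, t) for ok, t in attempts]


if __name__ == "__main__":
    for t, outcome in zip((0, 10, 20, 100, 250, 320), example_timeline()):
        print("t=%3ds  %s" % (t, outcome))
```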

3.2.5.7 Managing NIS Accounts

Description
Euler Linux supports the NIS network centralized authentication service. The service provides centralized network account management, which enhances password security.

3.2.5.8 Setting the grub Password

Description
According to the password security requirements in the product cyber security requirements, Euler Linux supports setting a grub password to prevent malicious modification of startup options.

Implementation
Launch the Euler Linux command line interface and run the following command to modify the grub password.

NOTE

The grub user of Euler Linux is root and the default password is osadmin@123.

3.2.6 Log Audit

3.2.6.1 List of Log Files


Table 1 describes the log information in the /var/log directory of Euler Linux OS.

Table 3-8 Log information

Log File      Path             Description
news.crit     /var/log/news/   Records the crit-level news information.
news.err      /var/log/news/   Records the err-level news information.
news.notice   /var/log/news/   Records the notice-level news information.
mail.info     /var/log/        Records the info-level mail information.
mail.warn     /var/log/        Records the warn-level mail information.
mail.err      /var/log/        Records the crit-level and err-level mail information.
mail          /var/log/        Records the mail information.
messages      /var/log/        Records system information except the mail and news information.
lastlog       /var/log/        Stores information about the login failures.
warn          /var/log/        Records the warn-level, crit-level, and err-level log information.

NOTE

If you have self-defined log recording modules, use the self-defined modules.

3.2.6.2 Audit Configuration Guide

Description
The Linux audit subsystem (audit) is a system service that records system call activity and writes the records to files. The user-space program of the audit service is auditd, which writes the audit information to disk.

You can run the auditctl command to manage audit parameters and rules dynamically, or write the audit rules statically to the /etc/audit/audit.rules file.

Enabling or Disabling the Audit Function

- Run the following command to enable the audit function:
  /etc/init.d/auditd start
- Run the following command to disable the audit function:
  /etc/init.d/auditd stop

Checking Audit Status
/etc/init.d/auditd status

- If the command output is running, the audit function is enabled.
- If the command output is unused, the audit function is disabled.

Querying Existing Rules
auditctl -l

Deleting All Audit Rules at a Time
auditctl -D

Adding Audit Rules in Batches
auditctl -R /etc/audit/audit.rules

The argument is a text file containing the rules; /etc/audit/audit.rules is the usual location, but a rules file in any path can be given.

Others
auditctl [options]

Table 1 describes the values of options.

Table 3-9 Parameter description of options

Option Name    Description
-b <backlog>   Set the maximum number of buffers the kernel allows (default value: 64).
-e [0|1]       Set the enabled flag. Passing 0 temporarily disables auditing; passing 1 enables it.
-f [0..2]      Set the failure flag: 0=silent, 1=printk, 2=panic. The default value is 1. This option determines how the kernel handles critical errors, for example backlog limit exceeded or out of kernel memory.
-h             Help.
-i             Ignore errors when reading rules from a file.
-l             List all rules, one rule per line.
-k <key>       Set a filter key on an audit rule. The filter key is an arbitrary string of at most 32 bytes; it uniquely identifies the audit records produced by a watch.
-m text        Send a user space message into the audit system. This can only be done by the root user.
-p [r|w|x|a]   Set the permission filter for a file system watch: r=read, w=write, x=execute, a=attribute change. These are not the standard file permissions; they select the system calls to watch. Leave out the read and write permissions where the volume of records they generate would bury the useful logs.
-r <rate>      Set the maximum number of messages transmitted per second. The default value is 0, which means no limit.
-R <file>      Read rules from a file.
-s             Report the audit status.
-a <l,a>       Append a rule to the end of list l with action a. Table 2 describes the list names and actions.
-A <l,a>       Add a rule to the head of list l with action a. Table 2 describes the list names and actions.
-d <l,a>       Delete the rule with action a from list l. Table 2 describes the list names and actions.
-D             Delete all rules and watches.
-S [system call name or number|all]   Start an audit record when a program makes this system call. If a field rule is given and no syscall is specified, all syscalls are assumed.

Table 3-10 Description about linked list names and rules

Valid linked lists (l)
task      Add a rule to AUDIT_FILTER_TASK (task linked list). This list is used to configure uid and gid when a task is created.
entry     Add a rule to AUDIT_FILTER_ENTRY (system call entry linked list). This list is used upon entry to a system call to determine if an audit event should be created.
exit      Add a rule to AUDIT_FILTER_EXIT (system call exit linked list). This list is used upon exit from a system call to determine if an audit event should be created.
user      Add a rule to AUDIT_FILTER_USER (user message filter linked list). This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. Note that the only valid fields are uid, auid, gid, and pid.
exclude   Add a rule to AUDIT_FILTER_TYPE (event type exclusion filter linked list). This list is used to filter events (recorded in the kernel message) that you do not want to see.

Valid actions of the rules (a)
never     No audit records will be generated.
always    Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.

Examples

- View all the unsuccessful open system calls by running the following command:
  auditctl -a entry,always -S open -F success!=0
- Monitor the changes of the audit.rules file in the /etc/audit/ directory by running the following command:
  auditctl -w /etc/audit/audit.rules -k TEST_audit_rules -p rxwa

3.2.6.3 Checking Audit Logs

The ausearch tool queries the logs kept by the audit daemon and can search all of them according to different search rules.

Description
ausearch [options]

NOTE

For further information about options, please refer to the relevant documents.

Note that every system call that enters the kernel space is assigned a unique event ID, and all audit records produced while that system call runs share this ID. That is, one audit event may contain multiple audit records.

Examples
To query the audit logs of operations performed on the /etc/audit/audit.rules file, run the
following command:
ausearch -k TEST_audit_rules
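The grouping of records into events by their shared ID, described above, is what ausearch does before it applies a search rule such as -k. The following parser is an added example, not code from the Huawei document or the audit project; SAMPLE_AUDIT_LOG is constructed sample data shaped like audit.log records, and the function names are chosen here.

```python
"""Added example, not code from the Huawei document: group raw audit records
into events by their serial number (as ausearch does before filtering), then
find the events that carry a -k key or that failed.

Every record carries msg=audit(<seconds>.<millis>:<serial>); all records
produced by one system call share the serial, so one audit event is usually
several records (SYSCALL, CWD, PATH, ...). SAMPLE_AUDIT_LOG is constructed
sample data shaped like audit.log records, not output from a real system."""
import re

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1483084800.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=441 a2=1b6 a3=0 items=2 ppid=1201 pid=1345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="vi" exe="/usr/bin/vi" key="TEST_audit_rules"
type=CWD msg=audit(1483084800.123:101):  cwd="/root"
type=PATH msg=audit(1483084800.123:101): item=0 name="/etc/audit/" inode=130880 dev=08:02 mode=040750 ouid=0 ogid=0
type=PATH msg=audit(1483084800.123:101): item=1 name="/etc/audit/audit.rules" inode=131000 dev=08:02 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1483084805.456:102): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=2201 pid=2210 auid=1001 uid=1001 gid=100 euid=1001 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1483084805.456:102):  cwd="/home/lgnusr"
type=PATH msg=audit(1483084805.456:102): item=0 name="/etc/shadow" inode=131101 dev=08:02 mode=0100640 ouid=0 ogid=15
type=USER_LOGIN msg=audit(1483084810.789:103): pid=2300 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" terminal=/dev/pts/2 res=success'
"""


def parse_record(line):
    """Split one audit record into its timestamp, serial and key=value fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {"time": float(m.group(1)), "serial": int(m.group(2)), "fields": fields}


def group_events(log_text):
    """Return {serial: [records]}: all records sharing a serial form one event."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def syscall_record(records):
    """The SYSCALL record of an event carries success=, exe= and key=."""
    for r in records:
        if r["fields"].get("type") == "SYSCALL":
            return r
    return None


def search_by_key(events, key):
    """Serials of events whose rule key matches (the view 'ausearch -k <key>' gives)."""
    hits = []
    for serial, records in sorted(events.items()):
        sc = syscall_record(records)
        if sc and sc["fields"].get("key") == key:
            hits.append(serial)
    return hits


def failed_syscalls(events):
    """Serials of events with success=no (what 'aureport --failed' summarises)."""
    return [s for s, recs in sorted(events.items())
            if (syscall_record(recs) or {"fields": {}})["fields"].get("success") == "no"]


def summarize(records):
    """Condense one event into the executable, its outcome and the paths it touched."""
    sc = syscall_record(records)
    paths = [r["fields"]["name"] for r in records if r["fields"].get("type") == "PATH"]
    return {"exe": sc["fields"].get("exe") if sc else None,
            "success": sc["fields"].get("success") if sc else None,
            "paths": paths}


if __name__ == "__main__":
    events = group_events(SAMPLE_AUDIT_LOG)
    for serial in search_by_key(events, "TEST_audit_rules"):
        print("event %d: %s" % (serial, summarize(events[serial])))
    print("failed:", failed_syscalls(events))
```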

3.2.6.4 Generating Audit Reports


The audit system uses the aureport tool to analyze the logs, summarize the analysis results, and generate audit reports.

The system administrator can periodically generate audit reports according to maintenance requirements. These reports are used to analyze abnormal audit information.

Description
aureport [options]

NOTE

For further information about options, please refer to the relevant documents.

Examples
To enable reporting of failed events, run the following command:
aureport --failed

3.3 Appendix

3.3.1 Host Accounts


Table 1 lists the host accounts that have been created before installation.

NOTE

All accounts are system accounts except the root user. Root accounts are privileged accounts that should
be managed only by authorized personnel.

Table 3-11 Host accounts in the wireless domain

Account      Group             Description
root         root              Super user account
nobody       nobody, nogroup   Anonymous account. Processes assigned to this account require no special permission.
sshd         sshd              sshd daemon
messagebus   messagebus        Account used for exchanging messages between system processes
haldaemon    haldaemon         Account used for the hardware information collection service, which can be used to detect hardware devices
lgnusr       wheel             Built-in common account used for SSH login

3.3.2 Meanings of File and Directory Permissions

Permissions for files and directories in the Linux system specify which users can access these files and directories and which operations they can perform. The permissions are read, write, and execute.

There are three types of users who can access these files and directories:

- File owner: creator of the file
- Group user: users in the same group as the file owner
- Other user: users in a different group from the file owner

Meanings of file and directory permissions are described using the following example:

Assume that the permission for the /usr/src file is 755. Convert 755 to 111101101 (binary value), which has the following meanings:

- The left-most 111 indicates that the file owner can read, write, and execute this file.
- The middle 101 indicates that group users can read and execute but cannot write the file.

- The right-most 101 indicates that other users can read and execute but cannot write the file.

3.3.3 Meanings of Umask Values

When a user creates a file or directory, the file or directory receives a default permission value, which is determined by the umask value.
The umask value specifies the permission bits to remove from the default maximum: the actual permission value equals the default maximum value minus the umask value. The default maximum file permission is read and write (666) and the default maximum directory permission is read, write, and execute (777). That is, the actual default permission value of a file is 666 minus the umask value, and the actual default permission value of a directory is 777 minus the umask value.
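The arithmetic of 3.3.2 and 3.3.3 in code, as an added example that is not part of the Huawei document: the 755 walkthrough above is expanded by mode_to_rwx() and mode_to_binary(), and default_mode() applies a umask to 666 or 777. The "minus" is a per-digit clearing of bits, which the code does with a bit mask, so it also covers umask digits such as 7 that plain subtraction would not; the umask values used are sample inputs chosen here.

```python
"""Added example, not code from the Huawei document: the permission arithmetic
of sections 3.3.2 and 3.3.3. mode_to_rwx() and mode_to_binary() expand an
octal mode such as 755 the way the text does by hand, and default_mode()
applies a umask to the base value 666 (file) or 777 (directory).

The "minus" in the text is a per-digit clearing of bits: each octal digit is
three permission bits, so 666 under umask 027 gives 640 (the group digit 6
loses the write bit 2, the other digit 6 loses every bit that 7 names).
The umask values used below are sample inputs chosen here."""

FILE_BASE = 0o666   # default maximum for a new file: rw-rw-rw-
DIR_BASE = 0o777    # default maximum for a new directory: rwxrwxrwx


def _as_int(mode):
    """Accept 0o755, 493 or the string '755' and return the integer mode."""
    return int(mode, 8) if isinstance(mode, str) else int(mode)


def mode_to_binary(mode):
    """755 -> '111101101' (owner, group, other; three bits each)."""
    return format(_as_int(mode) & 0o777, "09b")


def mode_to_rwx(mode):
    """755 -> 'rwxr-xr-x', the form shown by ls -l."""
    bits = _as_int(mode) & 0o777
    out = []
    for shift in (6, 3, 0):                  # owner, group, other
        triplet = (bits >> shift) & 0o7
        out.append(("r" if triplet & 4 else "-") +
                   ("w" if triplet & 2 else "-") +
                   ("x" if triplet & 1 else "-"))
    return "".join(out)


def default_mode(umask, directory=False):
    """Permission a new file or directory receives under `umask`.

    Clearing the umask bits from the base value is the exact operation; it agrees
    with the text's "base minus umask" whenever no umask digit names a bit the
    base digit does not have, and stays correct when one does (666 with 027)."""
    base = DIR_BASE if directory else FILE_BASE
    return base & ~_as_int(umask) & 0o777


def describe_default(umask):
    """Octal strings of the default file and directory permission under `umask`."""
    return {"file": "%03o" % default_mode(umask),
            "directory": "%03o" % default_mode(umask, directory=True)}


if __name__ == "__main__":
    print("755 ->", mode_to_binary("755"), mode_to_rwx("755"))
    for umask in ("022", "027", "077"):
        d = describe_default(umask)
        print("umask %s: file %s (%s)  directory %s (%s)" % (
            umask, d["file"], mode_to_rwx(d["file"]), d["directory"], mode_to_rwx(d["directory"])))
```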

4 Nessus Scanning Report --Analysis on False Vulnerability Report

4.1 70895 - OpenSSH 6.2 and 6.3 AES-GCM Cipher Memory Corruption
Vulnerability Description
Name 70895 - OpenSSH 6.2 and 6.3 AES-GCM Cipher Memory Corruption

Synopsis The SSH server on the remote host is affected by a memory corruption
vulnerability.

Description According to its banner, the version of OpenSSH running on the remote
host is version 6.2 or 6.3. It is, therefore, affected by a memory corruption
vulnerability in post-authentication when the AES-GCM cipher is used for
the key exchange. Exploitation of this vulnerability could lead to arbitrary
code execution.
Note that installations are only vulnerable if built against an OpenSSL
library that supports AES-GCM.

See Also http://www.openssh.com/txt/gcmrekey.adv
         http://www.openssh.com/txt/release-6.4

Solution Upgrade to OpenSSH 6.4 or refer to the vendor for a patch or workaround.

Risk Factor High

CVE No. CVE-2013-4548

Plugin Information Publication date: 2013/11/13, Modification date: 2013/11/14

Ports tcp/22

CVSS Base Score 7.1

Analysis Result
Euler Linux uses the OpenSSL and OpenSSH running on SLES11SP3. On SLES11SP3,
OpenSSL does not support AES-GCM, and OpenSSH, which is dependent on OpenSSL, does
not support or use AES-GCM either when it is being compiled. Therefore this vulnerability is
not applicable.

4.2 78655 - OpenSSH SSHFP Record Verification Weakness
Vulnerability Description
Name 78655 - OpenSSH SSHFP Record Verification Weakness

Synopsis A secure shell client on the remote host could be used to bypass host
verification methods.

Description According to its banner, the version of OpenSSH running on the remote
host is 6.1 through 6.6.
It is, therefore, affected by a host verification bypass vulnerability related
to SSHFP and certificates that could allow a malicious SSH server to cause
the supplied client to inappropriately trust the server.

See Also http://thread.gmane.org/gmane.network.openssh.devel/20679
         http://tools.ietf.org/html/rfc4255
         http://seclists.org/oss-sec/2014/q1/663

Solution Update to version 6.7 or later or apply the vendor patch.

Risk Factor Medium

CVE No. CVE-2014-2653

Plugin Information Publication date: 2014/10/23, Modification date: 2014/10/23

Ports tcp/22

CVSS Base Score 4.3

Analysis Result
The OpenSSH currently used by Euler Linux is openssh-6.2p2-0.21.1 provided by SUSE 11
SP3. This vulnerability has been resolved in 6.2p2-0.13.1. This vulnerability is falsely
reported and does not affect the OpenSSH.

4.3 73079 - OpenSSH < 6.6 Multiple Vulnerabilities


Vulnerability Description
Name 73079 - OpenSSH < 6.6 Multiple Vulnerabilities

Synopsis The SSH server on the remote host has multiple vulnerabilities.

Description According to its banner, the version of OpenSSH running on the remote
host is prior to version 6.6. It is, therefore, affected by the following
vulnerabilities:
- An error exists related to the function 'hash_buffer' in the file 'schnorr.c'
that could allow denial of service attacks. Note that the J-PAKE protocol
must be enabled at compile time via the 'CFLAGS' variable '-DJPAKE' in
the file 'Makefile.inc' in order for the OpenSSL installation to be
vulnerable. This is not enabled by default. Further note that only versions
5.3 through 6.5.x are affected by this issue. (CVE-2014-1692)
- An error exists related to the 'AcceptEnv' configuration setting in
'sshd_config' and wildcards. An attacker can bypass environment
restrictions by using a specially crafted request. (CVE-2014-2532)

See Also http://www.openssh.com/txt/release-6.6
         http://www.gossamer-threads.com/lists/openssh/dev/57663#57663

Solution Upgrade to OpenSSH 6.6 or later.

Risk Factor Medium

CVE No. CVE-2014-1692, CVE-2014-2532

Plugin Information Publication date: 2014/03/18, Modification date: 2014/07/25

Ports tcp/22

CVSS Base Score 6.8

Analysis Result
- CVE-2014-1692: This vulnerability occurs only when the J-PAKE protocol is applied on OpenSSH. The OpenSSH on SLES11SP3 used by Euler Linux does not support J-PAKE. Therefore, this vulnerability is not applicable and does not affect the OpenSSH.
- CVE-2014-2532: The OpenSSH currently used by Euler Linux is openssh-6.2p2-0.21.1 provided by SUSE 11 SP3. This vulnerability has been resolved in 6.2p2-0.13.1. This vulnerability is falsely reported and does not affect the OpenSSH.

4.4 33929 - PCI DSS Compliance


Vulnerability Description
Name 33929 - PCI DSS compliance

Synopsis The remote host has been found to be NOT COMPLIANT with
the PCI DSS external scanning requirements.

Description The remote host is vulnerable to one or more conditions that are
considered to be 'automatic failures' according to the PCI DSS
Approved Scanning Vendors Program Guide (version 2.0). These
failures include one or more of the following:
- Vulnerabilities with a CVSS base score greater than or equal to
4.0
- Unsupported operating systems
- Internet reachable database servers (must validate whether
cardholder data is stored)
- Presence of built-in or default accounts
- Unrestricted DNS Zone transfers
- Unvalidated parameters leading to SQL injection attacks
- Cross-Site Scripting (XSS) flaws
- Directory traversal vulnerabilities
- HTTP response splitting/header injection
- Detection of backdoor applications (malware, trojan horses,
rootkits, backdoors)
- Use of older, insecure SSL/TLS versions (TLS v1.1 is the
minimum standard)
Details of the failed items may be found in the 'Output' section of
this plugin result. These vulnerabilities and/or failure conditions
will have to be corrected before you are able to submit your scan
results for validation by Tenable to meet your quarterly external
scanning requirements.
If you are conducting this scan via Nessus Cloud and either
disagree with any of the results, believe there are false-positives,
or must rely on compensating controls to mitigate the vulnerability
then you may proceed with submitting this report to our PCI portal
by clicking on 'Submit for PCI Validation'. You may login to the
Tenable PCI portal using your Nessus Cloud credentials and
dispute or provide mitigation evidence for each of the residual
findings.

See Also http://www.pcisecuritystandards.org
         https://discussions.nessus.org/community/pci

Solution N/A

Risk Factor High

CVE No. N/A

Plugin Information Publication date: 2008/08/07, Modification date: 2015/07/23

Ports tcp/0

CVSS Base Score N/A

Analysis Result
This vulnerability is involved in the compliance check of the payment card industry data
security standard (PCI DSS) and is not applicable to Euler Linux.

4.5 17744 - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
Vulnerability Description
Name 17744 - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing

Synopsis The remote SSH server may permit anonymous port bouncing.

Description According to its banner, the remote host is running OpenSSH,
version 2.3.0 or later. Such versions of OpenSSH allow
forwarding TCP connections. If the OpenSSH server is configured
to allow anonymous connections (e.g. AnonCVS), remote,
unauthenticated users could use the host as a proxy.

See Also http://marc.info/?l=bugtraq&m=109413637313484&w=2
         http://www.nessus.org/u?2c86d008

Solution Disallow anonymous users, set AllowTcpForwarding to 'no', or
use the Match directive to restrict anonymous users.

Risk Factor Medium

CVE No. CVE-2004-1653

Plugin Information Publication date: 2011/12/01, Modification date: 2011/12/01

Ports tcp/22

CVSS Base Score 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Analysis Result
This vulnerability affects Euler Linux only when the following two conditions are met:

- Euler Linux allows the login from an anonymous or a public ssh account.
- Euler Linux provides network services forwarded by TCP ports in addition to sshd services.

Currently, Euler Linux does not allow anonymous or public accounts or provide network
services forwarded over TCP ports. Therefore, this vulnerability does not affect Euler Linux.

The AllowTcpForwarding value is set to no, but the scanning software still reports the
vulnerability, indicating that the scanning software does not check the AllowTcpForwarding
parameter but reports the vulnerability as long as it identifies ssh version numbers. This
vulnerability is not applicable to Euler Linux and is falsely reported.

4.6 17705 - OPIE w/ OpenSSH Account Enumeration


Vulnerability Description
Name 17705 - OPIE w/ OpenSSH Account Enumeration

Synopsis The remote host is susceptible to an information disclosure attack.

Description When using OPIE for PAM and OpenSSH, it is possible for
remote attackers to determine the existence of certain user
accounts.
Note that Nessus has not tried to exploit the issue, but rather
only checked if OpenSSH is running on the remote host. As a
result, it does not detect if the remote host actually has OPIE for
PAM installed.

See Also http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html

Solution A patch currently does not exist for this issue. As a workaround,
ensure that OPIE for PAM is not installed.

Risk Factor Medium

CVE No. CVE-2007-2768

Plugin Information Publication date: 2011/11/18, Modification date: 2014/09/03

Ports tcp/22

CVSS Base Score 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Analysis Result
This vulnerability is caused by OPIE for PAM.

Vulnerability description from SUSE on its official website:

http://support.novell.com/security/cve/CVE-2007-2768.html

Due to the nature of OTP authentication, hiding existence of users is not possible. So we
will not fix this issue.

Euler Linux uses the OpenSSH running on SLES11SP3, and OPIE (one-time passwords for
login mechanism) package is not installed on Euler Linux. Therefore, this vulnerability is not
applicable to Euler Linux and is falsely reported.

Checking method:

Check whether /lib64/security/pam_opie.so exists in Euler Linux.

4.7 17704 - OpenSSH S/KEY Authentication Account Enumeration
Vulnerability Description
Name 17704 - OpenSSH S/KEY Authentication Account Enumeration

Synopsis The remote host is susceptible to an information disclosure attack.

Description When OpenSSH has S/KEY authentication enabled, it is
possible to determine remotely if an account configured for
S/KEY authentication exists.
Note that Nessus has not tried to exploit the issue, but rather
only checked if OpenSSH is running on the remote host. As a
result, it will not detect if the remote host has implemented a
workaround.

See Also http://www.nessus.org/u?87921f08

Solution A patch currently does not exist for this issue. As a workaround,
either set 'ChallengeResponseAuthentication' in the OpenSSH
config to 'no' or use a version of OpenSSH without S/KEY
support compiled in.

Risk Factor Medium

CVE No. CVE-2007-2243

Plugin Information Publication date: 2011/11/18, Modification date: 2011/11/18

Ports tcp/22

CVSS Base Score 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Analysis Result
This vulnerability occurs when S/KEY authentication is enabled for SSH.

Vulnerability description from SUSE on its official website:

http://support.novell.com/security/cve/CVE-2007-2243.html

This issue does not affect openssh in SLES 9 and SLES 10, as no S/KEY support is built into
our packages.
(This vulnerability was resolved in 2007 before SLES11 is released. Therefore, it does not
affect OpenSSH.)
Euler Linux uses the OpenSSH running on SLES11SP3. The compilation parameters of OpenSSH are ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/ssh --without-zlib-version-check --with-tcp-wrappers --without-openssl-header-check --with-pam (excluding the --with-skey[=PATH] option). Therefore, SSH does not support S/KEY authentication. This vulnerability is not applicable and is falsely reported.

4.8 85690 - OpenSSH < 7.1 PermitRootLogin Security Bypass
Vulnerability Description
Name 85690 - OpenSSH < 7.1 PermitRootLogin Security Bypass

Synopsis The SSH server running on the remote host is affected by a security bypass vulnerability.

Description According to its banner, the version of OpenSSH running on the
remote host is prior to 7.1. It is, therefore, affected by a security
bypass vulnerability due to a logic error that is triggered under
certain compile-time configurations when PermitRootLogin is
set to 'prohibit-password' or 'without-password'. An
unauthenticated, remote attacker can exploit this to permit
password authentication to root while preventing other forms of
authentication.

See Also http://www.openssh.com/txt/release-7.1

Solution Upgrade to OpenSSH 7.1 or later.

Risk Factor Low

CVE No. n/a

Plugin Information Publication date: 2015/08/28, Modification date: 2015/08/31

Ports tcp/22

CVSS Base Score 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

Analysis Result
The vulnerability exists only when PermitRootLogin is set to prohibit-password or
without-password. PermitRootLogin is set to no by default in all Euler Linux versions.
Therefore, this vulnerability is falsely reported and does not affect Euler Linux.
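The analyses in 4.5 and 4.8 rest on the effective sshd_config values (AllowTcpForwarding no, PermitRootLogin no), which a banner-based scanner never reads, so the values are worth confirming from the configuration itself. The following checker is an added example, not code from the Huawei document or from OpenSSH; it resolves directives the way sshd does (first occurrence wins, directives below a Match line are conditional). HARDENED_CONFIG and WEAK_CONFIG are constructed samples, and UPSTREAM_DEFAULTS (what OpenSSH 6.x assumes when a directive is absent) is an assumption made here.

```python
"""Added example, not code from the Huawei document or OpenSSH: verify the
sshd_config directives that sections 4.5 and 4.8 rely on, because a scanner
that keys on the version banner does not read the configuration.

sshd keeps the FIRST value it reads for a keyword; later repetitions are
ignored, and directives below a Match line apply only to matching connections.
The parser follows those two rules. HARDENED_CONFIG and WEAK_CONFIG are
constructed samples; UPSTREAM_DEFAULTS are the values OpenSSH 6.x assumes when
the directive is absent (an assumption made here, not part of the document)."""
import re

# Hardened values the document's analysis depends on (keywords are case-insensitive).
EXPECTED = {"permitrootlogin": "no", "allowtcpforwarding": "no"}
# What sshd of the OpenSSH 6.x generation assumes when the keyword is not set at all.
UPSTREAM_DEFAULTS = {"permitrootlogin": "yes", "allowtcpforwarding": "yes"}

HARDENED_CONFIG = """\
# constructed sample, not the Euler Linux file
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowTcpForwarding no
X11Forwarding no
Match Group admins
    AllowTcpForwarding yes
"""

WEAK_CONFIG = """\
# constructed sample: the second PermitRootLogin line never takes effect
Port 22
PermitRootLogin without-password
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: value} of the effective global settings."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True            # everything below is conditional
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective


def check_hardening(text, expected=EXPECTED):
    """Return {keyword: (effective value, meets the hardened value)}."""
    effective = parse_sshd_config(text)
    result = {}
    for keyword, wanted in expected.items():
        value = effective.get(keyword, UPSTREAM_DEFAULTS.get(keyword, ""))
        result[keyword] = (value, value.lower() == wanted)
    return result


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        for keyword, (value, ok) in sorted(check_hardening(cfg).items()):
            print("%-9s %-20s %-18s %s" % (name, keyword, value, "ok" if ok else "NOT hardened"))
```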

4.9 84638 (2) - OpenSSH < 6.9 Multiple Vulnerabilities


Vulnerability Description
Name 84638 (2) - OpenSSH < 6.9 Multiple Vulnerabilities

Synopsis The SSH server running on the remote host is affected by multiple vulnerabilities.

Description According to its banner, the version of OpenSSH running on the
remote host is prior to 6.9. It is, therefore, affected by the
following vulnerabilities:
- A flaw exists within the x11_open_helper() function in the
'channels.c' file that allows connections to be permitted after
'ForwardX11Timeout' has expired. A remote attacker can
exploit this to bypass timeout checks and XSECURITY
restrictions. (CVE-2015-5352)
- Various issues were addressed by fixing the weakness in agent
locking by increasing the failure delay, storing the salted hash of
the password, and using a timing-safe comparison function.
- An out-of-bounds read error exists when handling incorrect
pattern lengths. A remote attacker can exploit this to cause a
denial of service or disclose sensitive information in the
memory.
- An out-of-bounds read error exists when parsing the
'EscapeChar' configuration option.

See Also http://www.openssh.com/txt/release-6.9
         http://www.nessus.org/u?725c4682

Solution Upgrade to OpenSSH 6.9 or later.

Risk Factor High

CVE No. CVE-2015-5352

Plugin Information Publication date: 2015/07/09, Modification date: 2015/07/10

Ports tcp/22

CVSS Base Score 8.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)

Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
the latest version 6.2p2-0.21.1, in which this problem has been resolved. This vulnerability is
falsely reported and does not affect the OpenSSH. For details, go to the following SUSE
official website:

https://www.suse.com/security/cve/CVE-2015-5352.html

4.10 85382 - OpenSSH < 7.0 Multiple Vulnerabilities


Vulnerability Description
Name 85382 - OpenSSH < 7.0 Multiple Vulnerabilities

Synopsis The SSH server running on the remote host is affected by
multiple vulnerabilities.

Description According to its banner, the version of OpenSSH running on the
remote host is prior to 7.0. It is, therefore, affected by the
following vulnerabilities:
- A flaw exists in the kbdint_next_device() function in file
auth2-chall.c that allows the circumvention of MaxAuthTries during
keyboard-interactive authentication.
An attacker can exploit this issue to force the same
authentication method to be tried thousands of times in a single
pass by using a crafted keyboard-interactive 'devices' string, thus
allowing a brute-force attack or causing a denial of service.
(CVE-2015-5600)
- A security bypass vulnerability exists in sshd related to PAM
support. An authenticated, remote attacker can exploit this to
impact the pre-authentication process, allowing the possible
execution of arbitrary code. Note that this issue only affects
Portable OpenSSH.
(OSVDB 126030)
- A flaw exists in sshd due to setting insecure world-writable
permissions for TTYs. A local attacker can exploit this, by
injecting crafted terminal escape sequences, to execute
commands for logged-in users.
(OSVDB 126031)
- A use-after-free error exists in sshd related to PAM support. A
remote attacker can exploit this to impact the pre-authentication
process, allowing the possible execution of arbitrary code. Note
that this issue only affects Portable OpenSSH. (OSVDB 126033)

See Also http://www.openssh.com/txt/release-7.0

Solution Upgrade to OpenSSH 7.0 or later.

Risk Factor Critical

CVE No. CVE-2015-5600

Plugin Information Publication date: 2015/08/13, Modification date: 2015/08/28

Ports tcp/22

CVSS Base Score 10.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)

Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
version 6.2p2-0.21.1, in which SUSE has backported the fix for this problem. The plugin
derives the version only from the SSH banner, which still reports the upstream version
6.2, so this finding is a false positive and does not affect OpenSSH. For details, see the
SUSE security page for the CVE:

https://www.suse.com/security/cve/CVE-2015-5600.html

4.11 86328 - SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Vulnerability Description
Name 86328 - SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Synopsis The remote host allows SSH connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits.

Description The remote SSH server allows connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits. Through
cryptanalysis, a third party can find the shared secret in a short
amount of time (depending on modulus size and attacker
resources).
This allows an attacker to recover the plaintext or potentially
violate the integrity of connections.

See Also http://weakdh.org/


https://stribika.github.io/2015/01/04/secure-secure-shell.html

Solution Reconfigure the service to use unique Diffie-Hellman moduli
of 2048 bits or greater.

Risk Factor Low

CVE No. CVE-2015-4000

Plugin Information Publication date: 2015/10/09, Modification date: 2016/06/16

Ports tcp/22

CVSS Base Score 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

Analysis Result
The OpenSSH used by Euler Linux is provided by SUSE 11 SP3 and has been upgraded to
version 6.2p2-0.33.3, in which SUSE has resolved this problem. This finding is therefore a
false positive and does not affect OpenSSH. Unlike the banner-based OpenSSH plugins
above, this plugin tests the group sizes the server actually negotiates, so a rescan after
the upgrade confirms the result directly. For details, see the SUSE security page for the
CVE:

https://www.suse.com/security/cve/CVE-2015-4000.html
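The Nessus solution above asks for 2048-bit or larger moduli. On an OpenSSH 6.2 server the small groups come from two places: the diffie-hellman-group-exchange-* methods pick a group from /etc/ssh/moduli, so entries below 2048 bits must be removed from that file, while diffie-hellman-group1-sha1 is a fixed 1024-bit group that only a KexAlgorithms directive can disable. The script below is an added example, not part of the Huawei document or of SUSE's OpenSSH package. It assumes the standard moduli(5) line layout (time, type, tests, tries, size, generator, modulus) and sshd's reading of the size field as bit length minus one, so 1023 means a 1024-bit prime and 2047 a 2048-bit prime. The moduli lines are constructed for the example, with the modulus field shortened.

```python
"""Check and trim an OpenSSH moduli file so group exchange never offers a weak group."""

# Keep only entries whose size field exceeds this, i.e. 2047 (2048-bit) and larger.
MIN_SIZE_FIELD = 2000

# Constructed sample; a real file has one line per group and full hex moduli.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus (constructed sample, moduli shortened)
20150107123456 2 6 100 1023 2 D2E3F9A1C4B7
20150107123457 2 6 100 1535 2 A7C1E5F30B92
20150107123458 2 6 100 2047 2 F41B7E9C2D06
20150107123459 2 6 100 3071 5 9C0A4D7E1F53
"""


def parse_moduli(text):
    """Yield (size_field, line) for every non-comment entry; reject malformed lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError("malformed moduli line: %r" % line)
        yield int(fields[4]), line


def group_sizes(text):
    """Prime bit lengths of all groups sshd could pick from this file."""
    return [size + 1 for size, _ in parse_moduli(text)]


def small_group_sizes(text, min_size=MIN_SIZE_FIELD):
    """Bit lengths of the groups below the 2048-bit floor the Nessus solution calls for."""
    return [size + 1 for size, _ in parse_moduli(text) if size <= min_size]


def filter_moduli(text, min_size=MIN_SIZE_FIELD):
    """Return the file contents with small groups removed; comments and blank lines are kept."""
    small = {line for size, line in parse_moduli(text) if size <= min_size}
    kept = [line for line in text.splitlines() if line not in small]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("groups offered:", group_sizes(SAMPLE_MODULI))
    print("below 2048 bits:", small_group_sizes(SAMPLE_MODULI))
    print(filter_moduli(SAMPLE_MODULI), end="")
```

On a live host `awk '$5 > 2000' /etc/ssh/moduli` produces the same trimmed file, and `ssh-keygen -G` followed by `ssh-keygen -T` generates a fresh one. Trimming the file does nothing for diffie-hellman-group1-sha1, so the KexAlgorithms directive in sshd_config must also leave that method out for the plugin to stop reporting.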


4.12 56209 - PCI DSS Compliance: Remote Access Software Has Been Detected
Vulnerability Description
Name 56209 - PCI DSS Compliance: Remote Access Software Has
Been Detected

Synopsis Remote access software has been detected.

Description Due to increased risk to the cardholder data environment when
remote access software is present, please 1) justify the business
need for this software to the ASV and 2) confirm it is either
implemented securely per Appendix D in the ASV Program
Guide, or disabled / removed. Please consult your ASV if you
have questions about this Special Note.

See Also N/A

Solution N/A

Risk Factor Medium

CVE No. N/A

Plugin Information Publication date: 2011/09/15, Modification date: 2015/12/17

Ports tcp/0

CVSS Base Score N/A

Analysis Result
This item is a PCI DSS compliance note rather than a vulnerability: the plugin flags any
remote-access software found on the host, and PCI DSS compliance checks are not
applicable to Euler Linux.

4.13 71049 - SSH Weak MAC Algorithms Enabled
Vulnerability Description
Name 71049 - SSH Weak MAC Algorithms Enabled

Synopsis The remote SSH server is configured to allow MD5 and 96-bit
MAC algorithms.

Description The remote SSH server is configured to allow either MD5 or 96-
bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH
server, and it does not check for vulnerable software versions.

See Also N/A

Solution Contact the vendor or consult product documentation to disable
MD5 and 96-bit MAC algorithms.

Risk Factor Low

CVE No. N/A

Plugin Information Publication date: 2013/11/22, Modification date: 2016/04/04

Ports tcp/22

CVSS Base Score 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Analysis Result
The MAC algorithms enabled on the remote SSH server are hmac-sha2-256 and hmac-sha1.
Neither is MD5-based or truncated to 96 bits, which are the only two classes this plugin
flags, so this finding is not applicable to Euler Linux.
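The result above can be reproduced from the server configuration rather than from a scan. The script below is an added example and not part of the Huawei document; it classifies a MAC name by the plugin's own two criteria (MD5-based, or carrying a 96-bit truncation tag, in both plain and -etm@openssh.com form) and parses sshd_config the way sshd does: keywords are case-insensitive, `keyword value` and `keyword=value` are both accepted, and the first occurrence of a keyword wins. Directives inside a Match block are conditional and are deliberately not treated as the global setting. The three configurations are constructed samples; the second carries the list the analysis above reports.

```python
"""Audit and harden the MACs directive of an sshd_config against Nessus plugin 71049."""
import re

# Constructed sample configurations (not copied from any host).
WEAK_CONFIG = """\
Port 22
Protocol 2
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256,umac-64@openssh.com
"""
EULER_CONFIG = "Protocol 2\nMACs hmac-sha2-256,hmac-sha1\n"
DEFAULT_CONFIG = "Port 22\n# MACs left unset: sshd's compiled-in default list applies\n"


def is_weak_mac(name):
    """True for MD5-based or 96-bit-truncated MACs, including -etm@openssh.com variants."""
    base = name.split("@", 1)[0]          # drop the vendor suffix
    if base.endswith("-etm"):
        base = base[:-4]
    return base.startswith("hmac-md5") or base.endswith("-96")


def _directives(config_text):
    """Yield (keyword, value) for each active line, stopping at the first Match block."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            return
        yield keyword, (parts[1] if len(parts) > 1 else "")


def effective_macs(config_text):
    """The global MACs list, or None when no directive is set and the built-in default applies."""
    for keyword, value in _directives(config_text):
        if keyword == "macs":
            return [m for m in value.split(",") if m]
    return None


def audit_macs(config_text):
    """Weak MACs the config offers; None means 'unset, inspect the running daemon instead'."""
    macs = effective_macs(config_text)
    return None if macs is None else [m for m in macs if is_weak_mac(m)]


def harden_macs(config_text, strong=("hmac-sha2-256", "hmac-sha2-512")):
    """Replace the global MACs line (or add one before any Match block) with a strong list."""
    directive = "MACs " + ",".join(strong)
    out, done = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        keyword = re.split(r"[\s=]+", stripped, maxsplit=1)[0].lower() if stripped else ""
        if not done and keyword == "match":
            out.append(directive)         # global directives must precede the first Match
            done = True
        if not done and keyword == "macs":
            out.append(directive)
            done = True
            continue
        out.append(line)
    if not done:
        out.append(directive)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("euler", EULER_CONFIG), ("default", DEFAULT_CONFIG)):
        print(label, "->", audit_macs(cfg))
    print(harden_macs(WEAK_CONFIG), end="")
```

An unset MACs directive is the case to watch: OpenSSH 6.2's compiled-in default list still contains hmac-md5 and the -96 variants, so `audit_macs` returns None there and the effective list has to be read from `sshd -T` on the host. hmac-sha1 passes this plugin; if the hardening baseline wants SHA-2 only, `harden_macs` drops it as well.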

4.14 93370 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:2245-1)
Vulnerability Description
Name 93370 - SUSE SLES11 Security Update: kernel (SUSE-
SU-2016:2245-1)

Synopsis The remote SUSE host is missing one or more security updates.

Description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to
receive various security and bugfixes.

See Also https://www.suse.com/security/cve/CVE-2013-4312.html
https://www.suse.com/security/cve/CVE-2015-7513.html
https://www.suse.com/security/cve/CVE-2015-7833.html

Solution To install this SUSE Security Update use YaST online_update.

Risk Factor Critical

CVE No. CVE-2016-3955, CVE-2016-4998, CVE-2015-7513,
CVE-2013-4312, CVE-2016-4997, CVE-2016-5829,
CVE-2016-4470, CVE-2016-5244, CVE-2016-1583,
CVE-2016-4913, CVE-2016-4580, CVE-2016-4805,
CVE-2016-0758, CVE-2015-7833, CVE-2016-2187,
CVE-2016-4482, CVE-2016-4565, CVE-2016-2053,
CVE-2016-4485, CVE-2016-4578, CVE-2016-4569,
CVE-2016-4486, CVE-2016-3134, CVE-2016-5696, and
CVE-2016-6480


Plugin Information Publication date: 2016/09/08, Modification date: 2016/10/13

Ports tcp/0

CVSS Base Score 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Analysis Result
These kernel vulnerabilities were fixed by installing patches; the kernel version itself was
not upgraded, which is why a version-based check still reports them. Because the patches
for the listed CVEs are installed, the finding is a false positive and does not affect the
kernel.

4.15 94281 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:2614-1) (Dirty COW)
Vulnerability Description
Name 94281 - SUSE SLES11 Security Update: kernel (SUSE-
SU-2016:2614-1) (Dirty COW)

Synopsis The remote SUSE host is missing one or more security updates.

Description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to
fix one security issue. This security bug was fixed:
- CVE-2016-5195: Local privilege escalation using
MAP_PRIVATE. It is reportedly exploited in the wild
(bsc#1004418).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory.
Tenable has attempted to automatically clean and format it as
much as possible without introducing additional issues.

See Also https://bugzilla.suse.com/1004418
https://www.suse.com/security/cve/CVE-2016-5195.html
http://www.nessus.org/u?6096a02c

Solution To install this SUSE Security Update use YaST online_update.

Risk Factor High

CVE No. CVE-2016-5195

Plugin Information Publication date: 2016/10/26, Modification date: 2016/10/26

Ports tcp/0

CVSS Base Score 7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Analysis Result
This kernel vulnerability was fixed by installing a patch; the kernel version itself was not
upgraded, which is why a version-based check still reports it. Because the patch for the
CVE is installed, the finding is a false positive and does not affect the kernel.

4.16 90884 - SUSE SLES11 Security Update: kernel (SUSE-SU-2016:1203-1)
Vulnerability Description
Name 90884 - SUSE SLED11 / SLES11 Security Update: kernel (SUSE-
SU-2016:1203-1)

Synopsis The remote SUSE host is missing one or more security updates.

Description The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated
to 3.0.101 and also includes various other bug and security fixes.

Solution To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t
patch slessp3-kernel-8823 slessp3-kernel-8827
SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-
kernel-8823 slessp3-kernel-8824 slessp3-kernel-8825 slessp3-
kernel-8826 slessp3-kernel-8827
SUSE Linux Enterprise High Availability Extension 11 SP3:
zypper in -t patch slehasp3-kernel-8823 slehasp3-kernel-8824
slehasp3-kernel-8825 slehasp3-kernel-8826 slehasp3-kernel-8827
SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch
sledsp3-kernel-8823 sledsp3-kernel-8827
To bring your system up-to-date, use 'zypper patch'.

Risk Factor Critical

CVE No. CVE-2013-7446

Plugin Information Publication date: 2016/05/04, Modification date: 2016/05/04

Ports tcp/0

CVSS Base Score 10.0

Analysis Result
CVE-2013-7446 can only be triggered by a local user. The product on which Euler Linux is
installed is a closed system that does not offer local user access of this kind, so the impact
of this vulnerability is controlled.

In addition, the kernel vulnerability was fixed by installing patches; the kernel version itself
was not upgraded, which is why a version-based check still reports it. Either the patch for
the CVE has been installed, or the CVE has been declared to have no impact on this kernel.
This finding is a false positive and does not affect the kernel.
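Sections 4.9, 4.10 and 4.14 to 4.16 all rest on the same argument: the scanner judges by a version string, while the fix arrived as a SUSE backport or patch that leaves that string unchanged. The evidence that settles such a finding is the CVE identifier in the package's RPM changelog (`rpm -q --changelog openssh` or `rpm -q --changelog kernel-default` on a live SUSE host). The script below is an added example, not part of the Huawei document or of Nessus or SUSE tooling. It parses an SSH banner the way a version-only plugin does, applies the plugin's threshold, and then looks for each CVE in the changelog before declaring the finding a false positive. The banners, threshold and changelog text are constructed for the example; the changelog wording is not copied from SUSE.

```python
"""Triage a version-string finding against a distribution's backported fixes."""
import re

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed changelog excerpt in rpm's layout (not a real SUSE entry).
SAMPLE_CHANGELOG = """\
* Mon Aug 24 2015 maintainer@example.com
- backport fix for CVE-2015-5600 (MaxAuthTries bypass in keyboard-interactive auth)
- backport fix for CVE-2015-5352 (ForwardX11Timeout check in x11_open_helper)
* Tue Mar 10 2015 maintainer@example.com
- enable hmac-sha2 MACs by default
"""


def parse_banner(banner):
    """(major, minor) from an OpenSSH banner; the portable 'pN' suffix and trailers are ignored."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def banner_flags(banner, fixed_in):
    """True when a version-only plugin would flag this banner (version older than fixed_in)."""
    return parse_banner(banner) < tuple(fixed_in)


def cves_in_changelog(changelog):
    """All CVE identifiers the changelog mentions."""
    return set(CVE_RE.findall(changelog))


def triage(banner, fixed_in, cves, changelog):
    """'not flagged', 'false positive (backported)', or 'open: <CVEs without a changelog entry>'."""
    if not banner_flags(banner, fixed_in):
        return "not flagged"
    fixed = cves_in_changelog(changelog)
    missing = [c for c in cves if c not in fixed]
    if not missing:
        return "false positive (backported)"
    return "open: " + ", ".join(missing)


if __name__ == "__main__":
    # Plugin 85382 threshold is 7.0; the SUSE 11 SP3 package reports 6.2 in its banner.
    print(triage("SSH-2.0-OpenSSH_6.2", (7, 0), ["CVE-2015-5600"], SAMPLE_CHANGELOG))
    print(triage("SSH-2.0-OpenSSH_6.2", (7, 0), ["CVE-2015-5600", "CVE-2016-0777"], SAMPLE_CHANGELOG))
```

A changelog entry records the maintainer's intent, not that the fixed code is running: after an OpenSSH package update sshd must be restarted, and for the kernel findings the running kernel (`uname -r`) has to be compared with the installed kernel package, since a patched kernel only takes effect after a reboot.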


5 Differences Between History Versions

5.1 History Versions


History versions and corresponding products:

l V100R001C10SPC100 OMUd/UVP/VMware
l V100R001C10SPC101 OMUd/UVP/VMware
l V100R001C10SPC102 OMUd/UVP/VMware
l V100R001C10SPC103 OMUd/UVP/VMware
l V100R001C10SPC105 OMUd/UVP/VMware
l V100R001C10SPC200 OMUd/UVP/VMware
l V100R001C10SPC201 OMUd/UVP/VMware
l V100R001C10SPC300 OMUd/UVP/VMware
l V100R001C10SPC301 OMUd/UVP/VMware
l V100R001C10SPC302 OMUd/UVP/VMware
l V100R001C10SPC305 OMUd/UVP/VMware
l V100R001C10SPC307 OMUd/UVP/VMware
l V100R001C10SPC308 OMUd/UVP/VMware
l V100R001C10SPC309 OMUd/UVP/VMware
l V100R001C10SPC311 OMUd/UVP/VMware
l V100R001C10SPC313 OMUd/UVP/VMware

5.2 V100R001C10SPC100~V100R001C10SPC101
l Rectify system vulnerabilities scanned out by the Nessus, and harden the operating
system security.
l Upgrade the glibc version from 2.11.3-17.54.1 to 2.11.3-17.62.1 to enhance operating
system security.
l Rectify system peripherals package vulnerabilities scanned out by the Nessus to enhance
operating system security.


l Fix the vulnerability reported by Nessus plugin 70895: OpenSSH 6.2 and 6.3 AES-GCM
Cipher Memory Corruption.
l Fix CVE security vulnerabilities (CVE-2014-3144, CVE-2014-3145, and
CVE-2014-3122)

5.3 V100R001C10SPC101~V100R001C10SPC102
l Rectify the OpenSSL security issue (CVE-2014-0224).
l Upgrade the ntp version from 4.2.4p8-1.22.1 to 4.2.4p8-1.24.1 to enhance operating
system security.
l Upgrade the sudo version from 1.7.6p2-0.17.5 to 1.7.6p2-0.21.1.
l Fix CVE security vulnerabilities (CVE-2014-1739, CVE-2014-4652, CVE-2014-4654,
CVE-2014-4655, CVE-2014-4656, CVE-2014-4608, CVE-2014-4667, CVE-2014-4699,
CVE-2014-4171, CVE-2014-4027, and CVE-2014-4653)

5.4 V100R001C10SPC102~V100R001C10SPC103
l Rectify system vulnerabilities scanned out by the Nessus, and harden the operating
system security.
l The software integrity check has been changed from MD5 checksums to SHA-256.
l Fix CVE security vulnerabilities (CVE-2014-6271 and CVE-2014-5206)

5.5 V100R001C10SPC103~V100R001C10SPC105
l Delete unused system accounts.
l Rectify system vulnerabilities to update the peripheral package based on the result of
Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2014-4330, CVE-2014-4877, CVE-2014-3567,
CVE-2014-3566, and CVE-2014-3568)

5.6 V100R001C10SPC105~V100R001C10SPC200
l Rectify system vulnerabilities scanned out by the Nessus.
l Fix the CVE security vulnerability (CVE-2014-7185)

5.7 V100R001C10SPC200~V100R001C10SPC201
Fix CVE security vulnerabilities (CVE-2014-9322, CVE-2014-8559, CVE-2014-7825, and
CVE-2014-7826)

5.8 V100R001C10SPC201~V100R001C10SPC300
l Delete symbolic links whose targets do not exist (dangling links).
l Fix CVE security vulnerabilities (CVE-2014-3572, CVE-2014-8275, CVE-2015-0204,
CVE-2014-3570, CVE-2014-3571, CVE-2014-9295, CVE-2014-1912, CVE-2015-0235,
CVE-2014-9529, CVE-2014-8485, CVE-2014-8484, CVE-2014-8501, CVE-2014-8502,
CVE-2014-8503, CVE-2014-8504, CVE-2014-8738, CVE-2014-8737, CVE-2014-3613,
CVE-2014-3707, and CVE-2014-8150)

5.9 V100R001C10SPC300~V100R001C10SPC301
l Rectify system vulnerabilities scanned out by the Nessus.
l Fix CVE security vulnerabilities (CVE-2014-9656, CVE-2014-9657, CVE-2014-9658,
CVE-2014-9659, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663,
CVE-2014-9664, CVE-2014-9665, CVE-2014-9666, CVE-2014-9667, CVE-2014-9668,
CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673,
CVE-2014-9674, CVE-2014-9675, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422,
CVE-2014-9423, CVE-2009-5146, CVE-2015-0209, CVE-2015-0286, CVE-2015-0287,
CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2014-8139,
CVE-2014-9636, CVE-2014-9584, CVE-2014-9585, CVE-2015-1593, and CVE-2014-7822)

5.10 V100R001C10SPC301~V100R001C10SPC302
l Rectify system vulnerabilities scanned out by the Nessus.
l Fix CVE security vulnerabilities (CVE-2015-3202, CVE-2015-3143, CVE-2015-3148,
CVE-2015-3153, CVE-2012-4428, CVE-2015-1546, CVE-2015-1545, CVE-2013-4449,
CVE-2015-3636, CVE-2014-8172, CVE-2013-7421, and CVE-2014-9644)

5.11 V100R001C10SPC302~V100R001C10SPC305
l Grub password complexity check is added for grub password setting.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2014-9419, CVE-2014-9683, CVE-2015-1421,
CVE-2015-2041, CVE-2015-2042, CVE-2015-2830, CVE-2015-2922, CVE-2015-3331,
CVE-2015-3339, CVE-2014-3673, CVE-2014-3687, CVE-2015-1805, CVE-2015-5697,
CVE-2015-5364, CVE-2015-5366, CVE-2014-9728, CVE-2014-9729, CVE-2014-9730,
CVE-2014-9731, CVE-2015-3212, CVE-2015-4700, CVE-2015-5707, CVE-2015-7613,
CVE-2015-5156, CVE-2015-7799, CVE-2015-6937, CVE-2015-1788, CVE-2015-1789,
CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3216, CVE-2015-4000,
CVE-2015-1799, CVE-2015-3405, CVE-2015-0247, CVE-2015-1572, CVE-2013-7439,
CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655,
CVE-2014-5353, CVE-2014-5354, CVE-2014-5355, CVE-2015-5600, CVE-2015-5352,
CVE-2015-6563, CVE-2015-6564, CVE-2015-5621, CVE-2015-7236, CVE-2014-8119,
CVE-2015-2695, CVE-2014-3591, and CVE-2015-0837)

5.12 V100R001C10SPC305~V100R001C10SPC307
l Add the iostat and smartctl commands.
l Rectify the defect that alarms cannot be correctly reported when the internal network
adapter encounters packet errors.


l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2015-7990, CVE-2015-8543, CVE-2015-8569,
CVE-2015-7446, CVE-2016-0777, CVE-2016-0778, CVE-2015-3195, CVE-2015-3197,
CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797,
CVE-2016-0798, CVE-2016-0799, CVE-2016-0800, CVE-2016-0755, CVE-2015-8777,
CVE-2015-8779, CVE-2015-8778, CVE-2015-8776, CVE-2015-7547, and CVE-2014-9761).

5.13 V100R001C10SPC307~V100R001C10SPC308
l The permissions of the home directory of the nobody user have been changed to
750.
l Access to the /dev/mem device is now controlled, and access of non-privileged
users to dmesg is now restricted.
l CSEC security code rectification has been conducted to prevent out-of-bounds array
access, initialize variables that were left uninitialized, delete unused variables, and
strengthen checking of input parameters.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-2105, CVE-2016-2106, CVE-2016-2108,
CVE-2016-2109, CVE-2016-0702, CVE-2015-5370, CVE-2016-2110, CVE-2016-2111,
CVE-2016-2112, CVE-2016-2113, CVE-2016-2115, CVE-2016-2118, CVE-2015-5257,
CVE-2015-7872, CVE-2015-8543, CVE-2015-8569, CVE-2015-8215, CVE-2013-7446,
CVE-2015-5307, CVE-2015-8104, CVE-2015-2925, CVE-2015-1420, CVE-2015-7513,
CVE-2016-0723, CVE-2015-7566, CVE-2015-7550, CVE-2015-8539, and
CVE-2016-0774).

5.14 V100R001C10SPC308~V100R001C10SPC309
l Perform security rectification such as enhancing the partition mount attribute.
l Rectify issues such as no system file owner and illegal password field.
l Rectify kernel rlock and oops issues.
l Rectify abnormal reset of the BNX2 driver.
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-0821, CVE-2016-3156, CVE-2016-3134,
CVE-2015-2686, CVE-2016-2550, CVE-2016-2069, CVE-2016-2847, CVE-2015-1350,
CVE-2016-2073, CVE-2016-4449, CVE-2016-1837, CVE-2016-4483, CVE-2016-3705,
CVE-2016-4448, CVE-2016-4447, CVE-2016-1834, CVE-2016-1840, CVE-2016-1835,
CVE-2016-1833, CVE-2016-1839, CVE-2016-1838, CVE-2015-8806, CVE-2016-1762,
CVE-2015-5194, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691, CVE-2015-7692,
CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705,
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871, CVE-2015-7973,
CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978,
CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158,
CVE-2016-2518, CVE-2016-2519, CVE-2016-2516, CVE-2016-2517, CVE-2016-1547,
CVE-2016-1551, CVE-2016-1550, CVE-2016-1548, CVE-2016-1549, CVE-2016-4953,
CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, and CVE-2016-4957).


5.15 V100R001C10SPC309~V100R001C10SPC311
l Upgrade the peripheral package based on the result of Nessus peripheral package scan.
l Fix CVE security vulnerabilities (CVE-2016-5696, CVE-2016-1583, CVE-2016-4470,
CVE-2016-4485, CVE-2016-4486, CVE-2016-4482, CVE-2016-5195, CVE-2016-5915,
CVE-2016-7117, CVE-2016-4971, CVE-2016-7098, CVE-2015-8325, CVE-2016-6210,
CVE-2016-1908, CVE-2016-3115, CVE-2016-6515, CVE-2016-6302, CVE-2016-6303,
CVE-2016-6304, CVE-2016-2179, CVE-2016-6306, CVE-2016-2178, CVE-2016-2177,
CVE-2016-2182, CVE-2016-2183, CVE-2016-2181, CVE-2016-2774, CVE-2015-4000,
CVE-2016-8858, CVE-2016-0772, CVE-2016-5636, CVE-2016-5699, CVE-2016-7141,
CVE-2016-5420, CVE-2016-5419, CVE-2015-1283, CVE-2016-0718, and CVE-2016-2180).


6 Parameters

There are no specific parameters associated with this feature.


7 Counters

There are no specific counters associated with this feature.


8 Glossary

Table 8-1 Acronyms and abbreviations


Acronym and Abbreviation Full Name

ACL Access Control List

CRC Cyclic Redundancy Check

DAC Discretionary Access Control

HTTPS Hypertext Transfer Protocol Secure

IDS Intrusion Detection System

IPsec Internet Protocol Security

LSM Linux Security Module

MAC Mandatory Access Control

MD5 Message Digest Algorithm 5

MOR Memory Object Reuse

MTBF Mean Time Between Failures

PAM Pluggable Authentication Module

RAID Redundant Array of Independent Disks

SAK Secure Attention Key

SHA Secure Hash Algorithm

SSL Secure Sockets Layer

TLS Transport Layer Security


9 Reference Documents

Euler Linux V100R001C10 User Guide
