Security Hardening
Setting the Login Session Timeout
A login session times out if it is inactive for 30 minutes or shorter.
- Log in to the node where BoostIO is installed.
- Open the /etc/profile file.
vim /etc/profile
- Press i to enter the insert mode and add the following content to the end of the file:
export TMOUT=1800 readonly TMOUT
- Press Esc, type :wq!, and press Enter to save the file and exit.
Setting the umask Value
You are advised to set the umask of the server to a value ranging from 027 to 777 to increase the file permission.
In this example, umask is set to 027.
- Log in to the server as the root user and open the /etc/profile file.
vim /etc/profile
- Add umask 027 to the end of the /etc/profile file, save the file, and exit.
- Make the setting take effect.
source /etc/profile
Security Configuration Baseline
Functional Domain/Function |
TLS certificate switch |
|---|---|
(Optional) O&M Object |
N/A |
(Optional) Configuration Parameters |
N/A |
Rule Category (Customization Supported) |
Certificate management |
Rule Category ID |
N/A |
Rule Subcategory (Customization Supported) |
TLS certificate authentication |
Rule Subcategory ID |
N/A |
Rule Name |
Enabling TLS authentication |
Rule ID |
N/A |
Risk Level |
Medium |
Rule Description |
After this function is enabled, TLS authentication should be enabled or disabled synchronously on all clients and servers in the cluster. Otherwise, the connection fails. In addition, TLS authentication should be enabled on all compute nodes in the BoostIO cluster. |
Risk Description |
If TLS authentication is not enabled, network communication data is not encrypted and may be disclosed. |
Repair Impact |
After this function is enabled, data within the communication channel is encrypted for transmission. |
Value Range |
[True, False] |
Recommended Security Value |
True |
Default Value |
True |
Rectification Suggestions |
None |
Mandatory or Not |
Yes |
Default Security or Not |
Yes |
Updating Keys
The BoostIO service needs to be restarted after keys are updated. Properly plan the key update period. For details about key management, see Enabling TLS Authentication.
Buffer Overflow Prevention
To prevent buffer overflow attacks, you are advised to use the address space layout randomization (ASLR) technology to randomize the layout of linear areas such as the heap, stack, and shared library mapping to make it more difficult for attackers to predict target addresses and locate code. This technology can be applied to heaps, stacks, and memory mapping areas (mmap base addresses, shared libraries, and vDSO pages).
How to enable ASLR:
echo 2 >/proc/sys/kernel/randomize_va_space