Vulnerability Update and Security Hardening
Vulnerability Update
Before an ExaGear release, the known vulnerabilities of the bundled guest OS are updated in line with the patches published on the official guest OS website. After the ExaGear release, users must fix newly disclosed guest OS vulnerabilities themselves, based on the patches provided by the official guest OS website. For example, visit the official CentOS website (https://www.centos.org/) to learn about vulnerability patch updates. For details about how to fix vulnerabilities in the ExaGear software itself, visit the Kunpeng community to obtain the latest progress of ExaGear.
Security Hardening
- Accounts and Passwords
User accounts are shared between the host and guest systems. The guest system has the same permissions as the host system. If security hardening is required, you are advised to perform it on the host system.
- File Permissions
On Linux, all objects are handled as files; even a directory is treated as a large file that contains other files. The security of files and directories is therefore the most important concern on Linux, and it is enforced through permissions and owners.
By default, permissions and owners are configured for common directories, executable files, and configuration files on the system.
/usr/bin/readelf and /usr/bin/objdump belong to the binutils RPM package, on which rpm-build and kmod depend. Therefore, the guest OS shipped in the ExaGear installation package must contain these tools. To reduce security risks, you are advised to set the permission of these files to 750 and their owner to root.
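The following POSIX shell script is an added example and is not part of the ExaGear guide or the ExaGear software. It audits whether a file carries the mode and owner recommended above (750, root) and can apply them; it assumes GNU coreutils stat (the -c format option) is available on the guest, and must run as root to change system files.

```shell
#!/bin/sh
# Added example (not from the ExaGear guide): audit and optionally apply
# a required mode and owner on a list of files. The paths in
# audit_binutils are the two binutils tools named in the guide; the
# values 750 and root are the guide's recommendation.

# Print "mode owner" for a path, e.g. "750 root" (GNU stat assumed).
file_mode_owner() {
    stat -c '%a %U' "$1"
}

# Return 0 if the file has the expected mode and owner, 1 if it drifted,
# 2 if the file is missing (a missing binutils tool is also worth noting,
# since rpm-build and kmod depend on it).
# Usage: check_hardening PATH MODE OWNER
check_hardening() {
    path=$1
    want_mode=$2
    want_owner=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    set -- $(file_mode_owner "$path")
    have_mode=$1
    have_owner=$2
    if [ "$have_mode" = "$want_mode" ] && [ "$have_owner" = "$want_owner" ]; then
        echo "OK      $path ($have_mode $have_owner)"
        return 0
    fi
    echo "DRIFT   $path has $have_mode $have_owner, want $want_mode $want_owner"
    return 1
}

# Set owner first, then mode, so a failed chown never leaves a file with
# the tighter mode but the wrong owner. Needs root for system files.
# Usage: apply_hardening PATH MODE OWNER
apply_hardening() {
    chown "$3" "$1" && chmod "$2" "$1"
}

# Audit the two tools the guide names; returns 1 if any of them drifted.
audit_binutils() {
    rc=0
    for f in /usr/bin/readelf /usr/bin/objdump; do
        check_hardening "$f" 750 root || rc=1
    done
    return $rc
}

# Example invocation on a guest system (run as root to apply as well):
#   audit_binutils || for f in /usr/bin/readelf /usr/bin/objdump; do apply_hardening "$f" 750 root; done
```

check_hardening only reports, so it can be run by an unprivileged user as a periodic drift check; apply_hardening is kept separate so that the audit never silently modifies files.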
In addition, the following files on the guest system are shared with the host system, so their permissions and owners are the same as on the host system. If security hardening is required for them, you are advised to perform it on the host system. Other files that are not shared with the host system can be hardened directly on the guest system.
Table 1 Directory structures

etc Directory:
/etc/host.conf
/etc/hostname
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts.equiv
/etc/resolvconf/
/etc/resolv.conf
/etc/yp.conf
/etc/nscd.conf
/etc/nslcd.conf
/etc/nsswitch.conf
/etc/adduser.conf
/etc/deluser.conf
/etc/netgroup
/etc/netgroup-
/etc/group
/etc/group-
/etc/group+
/etc/passwd
/etc/passwd-
/etc/passwd+
/etc/gshadow
/etc/gshadow-
/etc/gshadow+
/etc/shadow
/etc/shadow-
/etc/shadow+
/etc/login.defs
/etc/machine-id
/etc/ldap.conf
/etc/ldap/
/etc/sudoers
/etc/sudoers.d/
/etc/securetty
/etc/fstab
/etc/fstab.d/
/etc/fuse.conf
/etc/mtab
/etc/mtab.fuselock
/etc/mtab.old
/etc/blkid.conf
/etc/blkid.tab
/etc/mke2fs.conf
/etc/services
/etc/protocols
/etc/security/
/etc/inputrc

usr Directory:
/usr/share/icons/
/usr/share/pixmaps/
/usr/share/X11/

Other Directory:
/home/
/root/
/proc/
/dev/
/sys/
/tmp/
/run/
/mnt/
/media/
/var/log/
/var/lib/dbus/