Vulnerability Update and Security Hardening

Vulnerability Update

Before an ExaGear release, the vulnerabilities of the guest OSs it ships are updated in sync with the official guest OS website. After the release, users fix guest OS vulnerabilities by applying the patches provided by the official guest OS website. For example, visit the official CentOS website (https://www.centos.org/) for vulnerability patch updates. For vulnerabilities in the ExaGear software itself, visit the Kunpeng community to obtain the latest ExaGear updates.

Security Hardening

  • Accounts and Passwords

    The guest system shares its accounts with the host system, so the permissions of the guest system are the same as those of the host system. If security hardening is required, you are advised to perform it on the host system.

  • File Permissions

    On Linux, all objects are treated as files; even a directory is a special file that holds references to other files. The security of files and directories is therefore critical on a Linux system. The system protects these resources through permission settings and owner information. By default, the system assigns appropriate permissions and owners to common directories, executable files, and configuration files, which establishes the baseline of security protection.

    /usr/bin/readelf and /usr/bin/objdump belong to the binutils package, on which components such as rpm-build and kmod depend. Therefore, the ExaGear guest installation package must include this toolchain. To reduce the potential security risk, you are advised to set the permission of these files to 750 and their owner to root.

    In addition, the following files and directories of the guest system are shared with the host system, so their permissions and owners are those of the host system. If security hardening is required, you are advised to perform it on the host system. Files that are not shared with the host can be hardened directly on the guest system.

    Table 1 Files and directories shared by the guest system and host

    etc Directory
      /etc/host.conf
      /etc/hostname
      /etc/hosts
      /etc/hosts.allow
      /etc/hosts.deny
      /etc/hosts.equiv
      /etc/resolvconf/
      /etc/resolv.conf
      /etc/yp.conf
      /etc/nscd.conf
      /etc/nslcd.conf
      /etc/nsswitch.conf
      /etc/adduser.conf
      /etc/deluser.conf
      /etc/netgroup
      /etc/netgroup-
      /etc/group
      /etc/group-
      /etc/group+
      /etc/passwd
      /etc/passwd-
      /etc/passwd+
      /etc/gshadow
      /etc/gshadow-
      /etc/gshadow+
      /etc/shadow
      /etc/shadow-
      /etc/shadow+
      /etc/login.defs
      /etc/machine-id
      /etc/ldap.conf
      /etc/ldap/
      /etc/sudoers
      /etc/sudoers.d/
      /etc/securetty
      /etc/fstab
      /etc/fstab.d/
      /etc/fuse.conf
      /etc/mtab
      /etc/mtab.fuselock
      /etc/mtab.old
      /etc/blkid.conf
      /etc/blkid.tab
      /etc/mke2fs.conf
      /etc/services
      /etc/protocols
      /etc/security/
      /etc/inputrc

    usr Directory
      /usr/share/icons/
      /usr/share/pixmaps/
      /usr/share/X11/

    Other Directory
      /home/
      /root/
      /proc/
      /dev/
      /sys/
      /tmp/
      /run/
      /mnt/
      /media/
      /var/log/
      /var/lib/dbus/
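The following POSIX shell script is an added example, not part of the ExaGear documentation: it applies the File Permissions guidance above (mode 750 and owner root on the two binutils tools) and refuses to change any path that Table 1 lists as shared with the host, where the change must be made instead. The Table 1 excerpt in HOST_SHARED and all function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ExaGear documentation: audit and apply the
# page's hardening for the guest's binutils tools (mode 750, owner root on
# /usr/bin/readelf and /usr/bin/objdump), refusing to touch paths Table 1
# lists as shared with the host. Owners are numeric uids (0 = root).

# Constructed excerpt of Table 1; extend with the full list when deploying.
HOST_SHARED="/etc/passwd /etc/shadow /etc/sudoers /home/ /root/ /tmp/ /var/log/"

# is_host_shared PATH: 0 if PATH is a shared entry or lies under a shared dir.
is_host_shared() {
    for s in $HOST_SHARED; do
        case "$s" in
            */) case "$1" in "$s"*) return 0 ;; esac ;;
            *)  [ "$1" = "$s" ] && return 0 ;;
        esac
    done
    return 1
}

# mode_owner PATH: prints "<octal mode> <uid>" (GNU stat, BSD stat fallback).
mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_file PATH MODE UID: 0 when PATH already has exactly MODE and UID.
audit_file() {
    mo=$(mode_owner "$1") || return 2
    [ "$mo" = "$2 $3" ]
}

# harden_file PATH MODE UID: apply MODE and UID unless PATH is host-shared.
# Returns 0 on success, 3 when skipped because the path belongs to the host.
harden_file() {
    if is_host_shared "$1"; then
        echo "skip $1: shared with the host, harden it there" >&2
        return 3
    fi
    chown "$3" "$1" && chmod "$2" "$1" && audit_file "$1" "$2" "$3"
}

# harden_binutils: the page's two targets; run as root inside the guest.
harden_binutils() {
    rc=0
    for f in /usr/bin/readelf /usr/bin/objdump; do
        [ -e "$f" ] || continue
        harden_file "$f" 750 0 || rc=1
    done
    return "$rc"
}
```

Run audit_file unprivileged first to list deviations, then harden_binutils as root inside the guest.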