eSight V300R010C00SPC200, 300, and 500 Local HA System Software Installation Guide (SUSE Linux + Oracle + Veritas) 11

Security Hardening

Security hardening aims to enhance the defense capabilities of the operating system.

Security Hardening Overview

Security hardening can disable operating system services that are not required by eSight to reduce the possibility of remote malicious attacks. It also strictly restricts the file permissions and environment variables of the operating system to reduce the possibility of unauthorized operations.

Security Hardening Content

The security hardening tool supports the following operations to check and improve security of the SUSE Linux operating system:

  • Audit logs.
  • Implement minimum authorization.
  • Add alarm identifiers.
  • Harden built-in services of the system.
  • Adjust the system kernel parameters.
  • Strictly control access to the system.
  • Control read and write operations on the system files.
  • Properly design the disk partitioning before operating system installation.
  • Clear restricted accounts in the system and check password complexity.

Security Hardening Impacts

  • Impacts on an operating system
    • The hardening does not take effect for existing sessions. After the hardening, quit all the sessions and log in again.
    • After the SUSE operating system is hardened, the root user can only log in to the server in local mode. If you need to perform a certain operation as the root user after remote login, log in to the server as the ossuser user and switch to the root user.
    • To remotely log in to the server using an Xshell terminal after the SUSE operating system is hardened, use Xshell 5 or a later version.
  • Impacts on a service

    eSight needs to be stopped during the hardening and rollback.

Hardening the SUSE Linux Operating System

This section describes how to use the SetSuSE tool to harden the SUSE Linux operating system.

Prerequisites

Procedure

  1. Log in to the operating system of the active server as the root user. For details, see Logging in to the SUSE Linux Server.

    Right-click on the desktop of the operating system and choose Open Terminal from the shortcut menu.

  2. Verify that data replication is complete between the active and standby servers.

    1. Run the following command on the active server to check the current replication status:

      # vradmin -g datadg repstatus datarvg

      • If Replication status is displayed as replicating (connected) and Data status is displayed as consistent, up-to-date, data synchronization in the HA system is complete.
      • If Replication status is displayed as resync in progress (autosync), Data status is displayed as inconsistent, and the value next to DCM decreases, data is being synchronized between the active and standby servers. The data replication duration depends on the stability of network bandwidth and the amount of data. Wait until synchronization is complete.
      • If Replication status is displayed as logging to DCM (needs dcm resynchronization), you must run the vradmin -g datadg resync datarvg command on the active server as the root user to perform manual synchronization.
      Secondary: 
        Host name:                  192.168.10.7 
        RVG name:                   datarvg 
        DG name:                    datadg 
        Data status:                consistent, up-to-date 
        Replication status:         replicating (connected) 
        Current mode:               asynchronous 
        Logging to:                 SRL 
        Timestamp Information:      behind by 0h 0m 0s

  3. Run the following command on the active and standby servers to lock the resource group:

    # hagrp -freeze AppService -persistent

    If no error message is displayed, the operation is successful.

  4. Install the SetSuSE hardening tool on the active server.

    1. Decompress the security hardening package.

      # cd /opt/setsuse

      # unzip eSight_V300R010C00SPC500_ReinforcementTools_For_SUSE12_SP2.zip

      /opt/setsuse: directory where the security hardening package is located. Replace it with the actual directory.

    2. Run the following command to install the SetSuSE tool:

      # sh install.sh

      If the following information is displayed, the installation is successful:

      check the install path...
      copy the file...
      set the path variable...
      Install successfully

  5. Run the following command to harden the operating system:

    Do not perform other operations during security hardening.

    # sek -x all

    After security hardening is complete, the result is displayed. If any security item fails to be hardened, view the failure cause based on the displayed information.

    --------------------------------------------------------------------------
            Summary of harden
    --------------------------------------------------------------------------
            Total Policies harden           :64
            Total Policies Success          :64
            Total Policies Failed           :0

  6. Run the following commands to restart the operating system for the security hardening items to take effect:

    # sync;sync;sync;sync

    # shutdown -r now

  7. Repeat steps 4 to 6 on the standby server to perform security hardening for the standby server.
  8. Run the following command on the active and standby servers to unlock the resource group:

    # hagrp -unfreeze AppService -persistent

    If no error message is displayed, the operation is successful.

  9. Log in to the active server as the root user and run the following command to start eSight:

    # hagrp -online AppService -sys $(hostname)
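
The checks in steps 2 and 5 can be scripted. The following is an added example, not part of the Huawei guide or the SetSuSE tool: it classifies repstatus output into the three cases from step 2 and reads the failed-policy count from the sek summary. The function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example; not part of the Huawei guide or the SetSuSE tool.

# rep_state: classify repstatus output (stdin) using the three cases in step 2.
rep_state() {
    awk -F': *' '
        /Replication status:/ { rep = $2 }
        /Data status:/        { data = $2 }
        END {
            sub(/[ \t]+$/, "", rep); sub(/[ \t]+$/, "", data)
            if (rep == "replicating (connected)" && data == "consistent, up-to-date")
                print "ready"          # safe to continue with step 3
            else if (rep ~ /^resync in progress/)
                print "syncing"        # wait and check again
            else if (rep ~ /^logging to DCM/)
                print "needs_resync"   # run the manual resync from step 2
            else
                print "unknown"        # treat as not safe
        }'
}

# harden_failed: print "Total Policies Failed" from a sek summary (stdin);
# returns non-zero if the summary line is missing.
harden_failed() {
    awk -F: '/Total Policies Failed/ { gsub(/[^0-9]/, "", $2); n = $2 }
             END { if (n == "") exit 1; print n }'
}

# Constructed sample inputs, modelled on the output shown on this page.
sample_rep_ok() { cat <<'EOF'
  Data status:                consistent, up-to-date
  Replication status:         replicating (connected)
EOF
}
sample_rep_dcm() { cat <<'EOF'
  Data status:                inconsistent
  Replication status:         logging to DCM (needs dcm resynchronization)
EOF
}
sample_sek_fail() { cat <<'EOF'
        Total Policies harden           :64
        Total Policies Success          :63
        Total Policies Failed           :1
EOF
}

echo "ok sample:   $(sample_rep_ok | rep_state)"
echo "dcm sample:  $(sample_rep_dcm | rep_state)"
echo "sek failed:  $(sample_sek_fail | harden_failed)"
```

On a live server, pipe the real command into the function, for example vradmin -g datadg repstatus datarvg | rep_state, and continue to step 3 only when it prints ready.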

Updated: 2019-12-13

Document ID: EDOC1100044372