No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

eSight V300R010C00 Maintenance Guide 07

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview

Overview

This section describes the purpose and principles of security maintenance and provides some suggestions.

Purpose

Maintenance personnel can perform security maintenance operations on eSight to avoid problems, such as service interruption and system breakdown. A security barrier must be established and maintained in terms of multiple aspects for the overall management system, helping detect and handle security risks in advance.

Principles

This section describes the principles for maintenance operations.

  • Minimal Services and Components
    • Minimal services and components: Specify the functions and roles of servers and install only required services and components.
    • Minimum internal service constitutions based on the preceding rules.
  • Minimal Accounts
    • Impose strict account management policies.
    • Strictly control adding, modifying, and deleting accounts and user groups.
    • Delete accounts and user groups as soon as they are no longer needed.
  • Minimal Permissions
    • Assign the lowest level of permissions to services, groups, and accounts that will allow them to perform all their required functions.
    • Strictly control OS authorization.
    • Prevent accounts from accessing resources beyond their permissions.
  • Exclusivity
    • Allow each host to provide only one type of services.
    • Isolate partitions where the OS, applications, and data are located.
  • Audit Principles
    • Monitor operations on hosts using logs or other suitable methods.
    • Audit successful access to key system resources.
    • Audit successful and failed access control list (ACL) modification.

Suggestions

This section describes the precautions and suggestions for maintenance operations.

  • Account Maintenance

    System administrators are advised to routinely check the following items related to accounts:

    • Whether unnecessary OSs or database accounts and temporary accounts have been deleted
    • Whether accounts are assigned proper permissions
    • Login and operation logs of accounts
  • Password Maintenance and Complexity Requirements

    User identity authentication is fundamental to system security. The complexity and validity period of a user name and password are configured based on customer requirements.

    Password maintenance suggestions are as follows:
    • Do not use a password for more than 90 days.
    • Assign a dedicated person to manage the password of user root.
    • Encrypt a password before transmitting it and do not transmit it using an email.
    • Encrypt a password before storing it.
    • Remind customers to change passwords after system handover.
    • In the Linux operating system, enter a password in interactive mode. (Directly entering a password may lead to password leakage.)
    Password complexity suggestions are as follows:
    • The password cannot contain the user name or the user name in reverse order.
    • The number of characters contained in a password must meet system requirements.
    • A password contains at least one uppercase letter (A to Z), one lowercase letter (a to z), and one digit (0 to 9).
    • A password contains at least one special character.
    • A password cannot contain two or more same consecutive characters.
    • The same character can be used three times at most.
    • A password cannot be the same as the recent 3 passwords.
    • Do not change a password at an interval shorter than 5 minutes.
    NOTE:

    The password complexity requirements vary with systems. Change a password based on requirements in the subsequent sections or on a password modification page. If no requirements are provided, change passwords based on suggestions above.

  • Log Maintenance

    eSight can help detect potential risks using audit logs and records important operations, such as system parameter settings, resource allocation, and service provisioning, in logs. System hardening is required to protect these logs.

    • Periodically checking logs

      O&M personnel need to periodically check system logs, operation logs, and security logs. If any faults are detected, they must report them to the upper-level departments in a timely manner. If the causes cannot be located or the faults cannot be rectified, they need to contact the local representative office or Huawei technical support.

    • Periodically backing up log files

      The system periodically backs up log files to external storage media, such as disks, tapes, and CD-ROMs. After the backup is successful, delete the original log files to release the space.

    • Modifying the audit function

      The audit function is configured by default during system installation. You are advised not to modify the audit function. Any modification must be approved by the upper-level department and written down in records.

  • Security Evaluation

    It is recommended that customers perform security evaluation on eSight, especially in the cases of large-scale network changes, such as major system upgrade, network migration, and system scale-up.

    Customers are advised to invite qualified professional institutions to perform security evaluation. Huawei technical support engineers must participate in the security evaluation.

  • Backup

    To meet security maintenance requirements, back up data in the following scenarios:

    • Before and after system hardening (In this scenario, full backup is implemented on system data.)
    • During routine configuration maintenance and before and after troubleshooting
    • Before patch installation and upgrade (For details, see related documents.)
Translation
Download
Updated: 2019-06-30

Document ID: EDOC1100044373

Views: 25065

Downloads: 74

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next