Security Hardening

Security Hardening of Operating Systems

The OceanStor Dorado V6 series storage system uses a dedicated operating system. Security of the storage system has been hardened before the storage system is delivered. Security hardening of operating systems covers the following aspects:

• Service minimization

  Disable unnecessary or risky background processes and services to prevent potential intruders from using some services and efficiently reduce risks.

• Setting the permission for accessing files and directories

  Minimize permissions for files based on security hardening standards and application requirements in the industry. If permissions for files are incorrect, unauthorized access may occur. For example, a common user accesses files as an administrator.

• Account security

  Delete unnecessary accounts to prevent intruders from using these accounts. Set different permissions for different accounts to prevent unauthorized access.

• Password security

  Enable password complexity check, password validity period, and the maximum number of allowed login retries to prevent brute force password cracking.

• Logs and audit

  Record run logs of services and processes as well as all operation logs of the storage system.

Security Hardening of Web Services

Security hardening of DeviceManager web services covers the following aspects:

• Preventing cross-site scripting attacks

  This prevents attackers from injecting malicious executable code into a web page and using insecure websites as platforms to attack access users.

• Preventing cross-site request forgery

  This prevents attackers from logging in to website A to tamper with critical user information by using the still valid session of website A if a user logs in to website A and then logs in to website B (containing exploits) before the session on website A times out.

• Restricting file uploading and downloading

  You are not allowed to randomly upload or download files, preventing sensitive files from being leaked and malicious files from being uploaded.

• Preventing unauthorized URL access

  This uses roles to restrict unauthorized users' access to URL resources.

• Enhancing security of DeviceManager security certificates

  For details about the policies for enhancing security of DeviceManager security certificates, you can see "How Do I Remove the Privacy Warning Displayed When I Log In to DeviceManager" in the initialization guide.

• Replacing a security certificate

  To enhance the storage system security, you are advised to replace the default security certificates of the DeviceManager server and browser with your own security certificate and private key. For details about how to replace the certificate of the DeviceManager server, see the command reference.

When replacing a security certificate, enter the encrypted password of the private key if the private key file is encrypted; otherwise, the replacement fails.

• OceanStor DeviceManager supports the following Transport Layer Security (TLS) versions: TLS V1.2 and TLS V1.3.

Security Hardening of the HTTP Service

Security hardening of the HTTP service covers the following aspects:

• Enabling denial of service (DoS) attack prevention

  Prevent attackers from using vulnerabilities or abusing functions to run out of critical system resources and lead to DoS of the HTTP service.

• Preventing buffer overflow attacks

  Restrict the size of HTTP requests after the WebDAV function is disabled, effectively preventing buffer from overflowing and greatly improving website security. If the WebDAV function is enabled, the size of HTTP requests is not restricted because large-size files may be uploaded.

• Disabling the Server Side Include (SSI) and Common Gateway Interface (CGI) functions

  Prevent attackers from using the SSI or CGI function to execute the shell command or run other programs.

• Preventing unauthorized URL access

  Restrict users' access to other system directories with the exception of the HTTP root directory or unauthorized users' access to the storage system.

• Preventing cross-site TRACE attacks

  Disable the TRACE method to prevent attackers from using cross-site script vulnerabilities to deceive authorized users and obtain their private information.

• Disabling insecure OpenSSL cipher suites

  The system supports multiple OpenSSL cipher suites but only secure ones are enabled by default. This prevents security vulnerabilities through which unauthorized users can attack the system or steal important data.

If the client used by the user to access DeviceManager only supports insecure OpenSSL cipher suites, run change devicemanager ciphersuite suite=compatible to change the suite to compatible mode and then run reboot storage service service_name=devicemanager to restart DeviceManager for the change to take effect. This mode may cause security vulnerabilities. Perform this operation with caution.

Security Hardening of Other Components

• When configuring HyperMetro, a quorum server takes the following measures to deliver full assurances in the protection of private keys of certificates.
  • The private key of the quorum server certificate cannot be exported.
  • The private key of the quorum server certificate is encrypted and stored in AES256-CBC and is updated automatically every 90 days.
  • The encryption key of the quorum server certificate's private key is encrypted and stored in AES256-CBC.
  • The private key cannot be imported externally.
  • Replacing the quorum server certificate is to import a certificate issued by the CA. For details, see the HyperMetro feature guide.