A Process That Never Ends
The EulerOS team does its utmost to protect the safety of our customers, and we regard software security as a continuous development process. We implement the following measures:
•Promptly react to security incidents and deliver premium-quality security updates
•Continuously improve the security-related functionality in EulerOS products
•Continuously contribute to the rapidly growing maturity of Open Source Software
•Respect the Open Source Software security principles of openness, transparency and traceability
Software security is a complex challenge. Software can provide many of its own security features, such as authentication methods, encryption, intrusion prevention and detection, and backup. At the same time, it can also contain errors (both deliberate and accidental) that can affect the system's security, including design flaws, programming errors, and backdoors. The EulerOS Security Team addresses all of these aspects of software security to ensure the security of the customer's system.
Two Sides Of Security
Software provides security features (such as authentication methods, encryption, intrusion prevention and detection, backup and others), but it also contains errors (such as design flaws, programming errors, and even backdoors) that often turn out to be relevant for the system's security. The EulerOS Security Team's task is to address all of these aspects of software security, in the conviction that security in software is a challenge that never ends.
•A modern Linux operating system features a rich set of security programs and functions: access controls, intrusion prevention and detection, flexible and trustworthy authentication mechanisms, encryption for files and network connections, file integrity checking utilities, network analysis tools, and monitoring/logging utilities for your system.
•To complement this, there are advanced tools that help you to securely configure and administer your system, and to securely download and install update packages. The update packages fix security bugs that were found after your product was released.
•The security features of your Linux system are waiting for you to explore them. Take advantage of them to further improve the level of privacy and security that is built into your system already by default!
•Programs are (usually) written by humans, and humans make mistakes. Consequently, all software contains errors. Some of these errors appear as instabilities (the software or the entire system crashes), while others may not have any apparent, visible effect. However, some software errors may introduce a security risk.
•A local or a remote attacker may be able to feed specially crafted data to the software that takes advantage of the programming error (in the case of a remotely exploitable bug, the data arrives through an attached network device, such as a cable or DSL modem, or a wireless network interface card). The application then either crashes, resulting in a Denial of Service (DoS), or executes code that originates from the attacker, transferring control over the execution context from what the programmer intended to what the attacker has in mind. Depending on the software's function, the resulting security breach can pose a low or a high risk to your data and your system, potentially giving an attacker the opportunity to delete, alter or even steal your data, or to use the system for their own purposes.
What We Do For Security
•Help to carefully select and configure the software used in EulerOS.
•Develop security tools and applications.
•Regularly conduct source code audits of Open Source Software. A source code audit is a detailed in-depth analysis of the program text that the programmer wrote to implement the functions of the software.
•Monitor security mailing lists for security-related errors in software.
•Maintain contact with software authors, individuals who specialize in software security, and software security organizations (such as CERT) to communicate and coordinate technical and organizational details about security-related malfunctions in software.
•Provide solutions for software security breaches in the form of security updates.
•Communicate the error and the availability of security updates (update packages).
Security Support Management
EulerOS provides the following security services:
•Reads and responds (with a non-automated reply) to all email communication within three working days.
•Keeps you informed. If the issue you tell us about is complicated and requires greater attention from our technical staff, we contact you to explain this and when to expect a more detailed response.
•Works with you to identify other organizations, such as other open source software vendors, that you may wish to also contact about the issue.
•Directs all customers without security-related inquiries to more appropriate contact points.
EulerOS Security provides objective information about security risks that affect you. We use the following workflow to communicate accurate information about how these vulnerabilities affect you, so you can make informed decisions.
This diagram shows the high-level steps involved in triaging, testing and remediating the issue.
•We use an array of communication channels to monitor and identify security issues, for example OSS-security, NVD, and Huawei PSIRT.
•The EulerOS Security Team then investigates the issues that relate to EulerOS and assesses their severity according to CVSS v3 scores. For detailed information about the severity levels, see the EulerOS security ratings section. The fixing policy depends on the severity: Critical vulnerabilities are fixed within a defined time frame, while lower-priority vulnerabilities might not be fixed immediately, depending on the results of a case-by-case analysis.
•The next important step is that EulerOS developers build EulerOS security patches based on the community patches and test them.
•Finally, the update package is pushed to the official EulerOS repository and the security advisory is published on the EulerOS Security Center.
EulerOS security ratings
EulerOS rates the impact of security issues found in products using a four-point scale (Low, Moderate, Important, and Critical), as well as Common Vulnerability Scoring System (CVSS) base scores. For a detailed description of the CVSS v3 standard, please refer to the following official link: https://www.first.org/cvss/calculator/3.0. These ratings provide a prioritized risk assessment to help you understand and schedule upgrades to your systems, enabling informed decisions on the risk each issue poses in your unique environment.
CVSS V3 Score | Severity Rating | Description
9~10 | Critical impact | This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
7~8.9 | Important impact | This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.
4~6.9 | Moderate impact | This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources, under certain circumstances. These are the types of vulnerabilities that could have had a Critical impact or Important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
0~3.9 | Low impact | This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.
Vulnerability Assessment Tools
An assessment can start by using some form of an information-gathering tool. When assessing the entire network, map the layout first to find the hosts that are running. Once located, examine each host individually. Focusing on these hosts requires another set of tools. Knowing which tools to use may be the most crucial step in finding vulnerabilities. The following are some of the tools that are commonly used by EulerOS for security.
•Nmap is a popular tool that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. Administrators can use Nmap on a network to find host systems and open ports on those systems. Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host. For more information about using Nmap, see the official homepage at the following URL: http://www.insecure.org/
•Greenbone Security Manager (GSM) is a full-featured and powerful security scanning tool developed on the basis of the OpenVAS community project to provide mature vulnerability analysis and management solutions. GSM is updated frequently, offers host scanning and real-time vulnerability search functions, and can provide complete reports. Although GSM is powerful and frequently updated, it may still produce false positives and false negatives. For more information about GSM, please visit the official website: https://www.greenbone.net/
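The host-and-port inventory that Nmap produces is only the first step; the next is to examine each live host and decide which of its open ports are expected. The following Python script is an added example, not EulerOS or Nmap project code: it parses Nmap's XML output format (the -oX option), keeps only hosts reported as up, collects their open ports, and compares them against an exposure baseline so that unexpected listeners stand out for follow-up. The XML document embedded in it is a constructed sample in the shape Nmap writes, and the baseline with its hosts in the 192.0.2.0/24 documentation range is an assumed policy for the example's fictional hosts.

```python
"""Turn an Nmap XML scan into a per-host inventory of open ports and flag
ports that are not on an expected-exposure baseline.

Added example, not EulerOS or Nmap project code. SAMPLE_NMAP_XML is a
constructed sample in the shape Nmap writes with -oX; BASELINE is an assumed
policy for the fictional hosts in it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what a small host-discovery and port scan might emit.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.0/29" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset"/><service name="smtp"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed exposure baseline: the (protocol, port) pairs each host may expose.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str or None, "open": set of (proto, port)}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap lists down hosts too, but there is nothing to examine on them
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        inventory[addr] = {"hostname": hostname, "open": open_ports}
    return inventory


def find_deviations(inventory, baseline):
    """Compare a scan inventory against the baseline.

    Returns {ip: {"unexpected": set, "missing": set}}: 'unexpected' ports are
    exposed but not approved, 'missing' ports are approved but were not seen
    (a possible outage or a filtered scan). A host absent from the baseline has
    every open port reported as unexpected.
    """
    report = {}
    for ip, info in inventory.items():
        approved = baseline.get(ip, set())
        unexpected = info["open"] - approved
        missing = approved - info["open"]
        if unexpected or missing:
            report[ip] = {"unexpected": unexpected, "missing": missing}
    return report


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, info in sorted(inv.items()):
        print(ip, info["hostname"], sorted(info["open"]))
    for ip, dev in sorted(find_deviations(inv, BASELINE).items()):
        print("DEVIATION", ip, "unexpected=%s missing=%s"
              % (sorted(dev["unexpected"]), sorted(dev["missing"])))
```

On the sample, the script reports the MySQL listener on 192.0.2.10 as unexpected while the down host 192.0.2.12 and the closed SMTP port are ignored; in practice the baseline would be kept alongside the system inventory and the deviation report reviewed before a deeper per-host scan with a tool such as GSM.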
EulerOS provides official detailed security recommendations, as well as CVE-related instructions. You can perform system repair or upgrade according to the actual situation. For details, please refer to the corresponding section. EulerOS also provides a machine-readable page from which users can crawl the corresponding content, at the following address: https://developer.huaweicloud.com/ict/site-euleros/euleros/server/front_interface/security_titleList.jspx
The XML file of each Security Advisory: https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-xxxx-xxxx.xml