Version: V12.17.30
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://support.zte.com.cn
E-mail: 800@zte.com.cn
LEGAL INFORMATION
Copyright © 2017 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Figures I
Tables III
Glossary V
Feature: Description. Reference.
User authentication: System administrators customize their own security authentication policy settings based on their requirements. The configuration files include /etc/pam.conf and the files in /etc/pam.d/. By default, the Pluggable Authentication Module (PAM) function is enabled on the system. For details, refer to 1.1 Setting User Authentication.
System logs: Users check log records in /var/log/. By default, the system provides a sophisticated log function. For details, refer to 1.2 Querying System Logs.
Security audit: Users can set the daemon process, add audit rules, and start the daemon process to use the security audit function. By default, this function is enabled on the system. For details, refer to 1.3 Setting the Security Audit Function.
Forcible access control: The system provides the access control function by reading policy rules and security context. By default, the forcible access control function is enabled on the system. For details, refer to 1.4 Setting the Forcible Access Control Function.
System customization: Highly-customized system functions and services can be provided based on product requirements. By default, the system provides minimized services. For details, refer to 1.5 Customizing System Services.
System security patches: Security policies can be started by running specified security hardening scripts or commands on the system after the system is installed. By default, the system provides the OS security hardening function. For details, refer to 1.6 Setting System Security Hardening.
Table of Contents
1.1 Setting User Authentication 1-2
1.2 Querying System Logs 1-4
1.3 Setting the Security Audit Function 1-5
1.1 Setting User Authentication
Prerequisite
The PAM installation package is available.
Context
PAM is a sub-system of a Linux system. PAM is used to provide user authentication and
authorization.
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep pam
3. If not, run the command to install the package.
# rpm -ivh "PAM software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "PAM software package"
5. Check the PAM security module types in /lib64/security/. The corresponding configuration files are located in /etc/security/.
# ls /lib64/security/
pam_access.so pam_ftp.so pam_mkhomedir.so pam_securetty.so pam_unix_acct.so ...
6. View or add security authentication rules in the files under /etc/pam.d/ or in the /etc/pam.conf file.
7. In the directories specified by the rules that you added in Step 6, define the configuration files based on your security needs.
– End of Steps –
Example
The following example shows how PAM controls user login security. The system security requirements are as follows:
Users logging in to the system need to be controlled. Only the root user can log in to the Linux system locally. Only the liyang user can remotely log in to the Linux system from 192.168.13.*. Other users are forbidden to log in to the Linux system.
Modify /etc/pam.d/login to add a new security authentication rule. Perform the following steps:
[root@root pam.d/]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required /lib/security/pam_access.so accessfile=/etc/login.conf
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
[root@root pam.d]#
The /etc/login.conf file named by accessfile= in the pam_access.so rule contains the following rules:
+ : root : LOCAL
+ : liyang : 192.168.13.
- : ALL : ALL
+ : root : LOCAL: indicates that the root user can log in to the system locally.
+ : liyang : 192.168.13.: indicates that the liyang user can log in to the Linux system remotely from any address in 192.168.13.* (the 192.168.13.0/24 subnet; the trailing dot makes the field a network prefix).
- : ALL : ALL: indicates that all other users are forbidden to log in to the system. This catch-all rule must be placed at the end of the file, because pam_access applies the first rule that matches a login, and a catch-all rule placed earlier would shadow every rule after it.
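To check how such a rule file behaves before it is deployed, here is an added Python example (not from the ZTE document) that evaluates pam_access rules with the module's first-match semantics; the rule text and the login attempts are constructed, and only the syntax subset used on this page (user name or ALL, and LOCAL, ALL or an address prefix) is modelled.

```python
"""Evaluate pam_access rules such as the /etc/login.conf file above.

Added example, not part of the ZTE document. It models the subset of
pam_access syntax the page uses (permission : users : origins, with the
user field a user name or ALL and the origin field LOCAL, ALL, or an
address prefix ending in '.') and the module's first-match semantics, so
the effect of rule ordering can be checked before the file is deployed.
"""

# Constructed input: the rule file shown on the page.
LOGIN_CONF = """\
# permission : users : origins
+ : root : LOCAL
+ : liyang : 192.168.13.
- : ALL : ALL
"""


def parse_rules(text):
    """Return a list of (allow, users, origins) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        permission, users, origins = fields
        rules.append((permission == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, origin):
    """origin is 'LOCAL' for console logins, otherwise the client IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return origin == "LOCAL"
    if pattern.endswith("."):
        # A trailing dot makes the field a network prefix: 192.168.13.
        # matches 192.168.13.7 but not 192.168.130.7.
        return origin.startswith(pattern)
    return pattern == origin


def check_login(rules, user, origin):
    """Return (allowed, index of the deciding rule).

    The first rule whose user and origin fields both match decides. If no
    rule matches, pam_access permits the login, which is why the page ends
    the file with '- : ALL : ALL'.
    """
    for index, (allow, users, origins) in enumerate(rules):
        user_ok = any(u == "ALL" or u == user for u in users)
        origin_ok = any(origin_matches(o, origin) for o in origins)
        if user_ok and origin_ok:
            return allow, index
    return True, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier ALL : ALL
    rule precedes them, the misordering the page warns about."""
    shadowed, catch_all_seen = [], False
    for index, (_allow, users, origins) in enumerate(rules):
        if catch_all_seen:
            shadowed.append(index)
        if "ALL" in users and "ALL" in origins:
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(LOGIN_CONF)
    attempts = [("root", "LOCAL"), ("liyang", "192.168.13.42"),
                ("liyang", "192.168.130.42"), ("root", "192.168.13.42")]
    for user, origin in attempts:
        allowed, index = check_login(rules, user, origin)
        verdict = "allow" if allowed else "deny"
        print(f"{user:>7} from {origin:<15} -> {verdict} (rule {index})")
    print("shadowed rules:", shadowed_rules(rules))
```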
1.2 Querying System Logs
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Based on system logs, use log query commands and tools to analyze logs.
Common commands include who, w, users, last, lastlog, and ac. Common tools include
dmesg, tail, more, and less.
– End of Steps –
Example
Run the dmesg command to query the logs generated when the system was last booted.
[root@root/]# dmesg
Linux version 2.6.18-164.el5 (root@localhost.localdomain) (gcc version 4.1.2 20080704
(Red Hat 4.1.2-46)) #1 SMP Fri Dec 3 09:02:01 CST 2010
BIOS-provided physical RAM map:
BIOS-e820: 0000000000010000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000007dda0000 (usable)
BIOS-e820: 000000007dda0000 - 000000007ddae000 (ACPI data)
BIOS-e820: 000000007ddae000 - 000000007ddf0000 (ACPI NVS)
BIOS-e820: 000000007ddf0000 - 0000000080000000 (reserved)
BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
BIOS-e820: 00000000fff00000 - 0000000100000000 (reserved)
Run the who /var/log/wtmp command to list the login records stored in /var/log/wtmp.
[root@root/]# who /var/log/wtmp
root :0 2014-07-11 15:03
root :0 2014-07-11 15:03
root pts/0 2014-07-11 15:04 (:0.0)
root :0 2014-07-11 15:46
root :0 2014-07-11 15:46
root pts/0 2014-07-11 15:46 (:0.0)
root :0 2014-07-15 14:43
root :0 2014-07-15 14:43
1.3 Setting the Security Audit Function
Prerequisite
The audit-related installation packages are available.
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the audit-related software package is already
installed.
# rpm -qa|grep audit
3. If not, run the command to install the package.
# rpm -ivh "audit software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "audit software package"
5. Configure the audit daemon process auditd.
6. Add audit rules and file watches to collect the required data.
7. Start the auditd process, which starts the audit system in the kernel and starts recording logs.
8. Search the logs regularly and generate the corresponding audit reports. Users can check the reports and analyze the data.
– End of Steps –
Example
The default configuration file for the auditd process is /etc/audit/auditd.conf. Users can set the parameters in this file to customize how audit logs are generated. An example of this file is as follows:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
1.4 Setting the Forcible Access Control Function
Based on policy rules and security contexts, the system enforces mandatory (forcible) access control: for example, a process can access only the files required for its tasks.
Prerequisite
The relevant SELinux installation package is available.
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep selinux
3. If not, run the command to install the package.
# rpm -ivh "selinux software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "selinux software package"
5. Modify /etc/selinux/config to enable or disable SELinux. Run the command to restart the system so that the change takes effect.
# reboot
6. Run the SELinux-related commands to set access control.
– End of Steps –
Example
Enable SELinux in the configuration file and verify its status:
[root@root/]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
[root@root/]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
1.5 Customizing System Services
Prerequisite
You have logged in to the OS as the root user.
Steps
• Customize system services through the GUI.
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. On the OS desktop, select System > Administrator > Services. The Service
Configuration dialog box is displayed, see Figure 1-1.
This dialog box can also be displayed if you run the command in a terminal window
(XTerm or GNOME).
# system-config-services
3. Enable the services that you want to start when the system is started.
# ntsysv
• Customize system services through commands.
# service
To start a service, run the # service <service> start command.
To stop a service, run the # service <service> stop command.
To restart a service, run the # service <service> restart command.
– End of Steps –
Example
This example describes how to use the chkconfig command to enable and disable the sshd service at system startup.
# chkconfig
Run the following command to enable the sshd service when the system is started at
runlevel 3, 4, or 5:
#chkconfig --level 345 sshd on
Run the following command to disable the sshd service when the system is started:
#chkconfig sshd off
Run the following command to check the enablement status of the sshd service:
1.6 Setting System Security Hardening
Prerequisite
The security hardening installation package is available.
Steps
1. Run the cat /etc/klinux-release command to query the version of the current OS.
2. Run the rpm -ivh “rpm software package” command to install the one-click installation
package of the security hardening function corresponding to the current OS.
Example
This example describes how to enable the security hardening function of a ZTE server
security policy.
1. Check the current OS version information.
[root@localhost ~]# cat /etc/klinux-release
CGSL V4.x version information is as follows:
TAG_CGS_MAIN_V4_03_20_P1
2. Install the one-click installation package of the security hardening function.
For CGSL V4.x, run the following command:
Feature: Description. Reference.
Security information recorded in database logs: Create Oracle login, logout, and login failure triggers to record relevant information. For details, refer to 2.1 Setting the Database Log Recording Function.
Remote login restriction: Set remote login permissions of a database user with super administrator privileges. For details, refer to 2.2 Forbidding Users From Logging In to the Database Remotely.
Weak password modification: Change the passwords of default accounts of the database system to complicated ones. For details, refer to 2.4 Modifying a Weak Password.
Table of Contents
2.1 Setting the Database Log Recording Function 2-1
2.2 Forbidding Users From Logging In to the Database Remotely 2-4
2.3 Setting Password Strength 2-5
2.4 Modifying a Weak Password 2-6
2.1 Setting the Database Log Recording Function
This function helps record database login information including login accounts, login time,
logout time, and IP addresses that users use to remotely log in to the database.
Prerequisite
You have the database SYSDBA permission.
Steps
1. Log in to the database.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
2. Create the LOGIN_LOG table, which is used to record database login information.
SQL>CREATE TABLE sys.LOGIN_LOG
(
  AUDSID NUMBER,
  SID NUMBER,
  SERIAL# NUMBER,
  LOGIN_TIME DATE,
  LOGOUT_TIME DATE,
  USERNAME VARCHAR2(30 BYTE),
  MACHINE VARCHAR2(64 BYTE),
  IP VARCHAR2(20 BYTE),
  PROGRAM VARCHAR2(48 BYTE)
);
FROM v$mystat
WHERE ROWNUM = 1)
AND audsid = SYS_CONTEXT ('USERENV', 'SESSIONID')
AND program NOT LIKE 'JDBC%'
AND username <> 'SYSMAN'
AND TYPE <> 'BACKGROUND';
EXCEPTION
WHEN OTHERS
THEN
NULL;
END;
/
4. Create a logout trigger. The slash (/) on the last line must be entered so that SQL*Plus executes the block.
SQL>CREATE OR REPLACE TRIGGER login_off_info
BEFORE LOGOFF
ON DATABASE
BEGIN
UPDATE sys.login_log
SET LOGOUT_TIME = SYSDATE
WHERE audsid = USERENV ('SESSIONID')
AND SID = (SELECT SID
FROM v$session s
WHERE SID IN (SELECT SID
FROM v$mystat
WHERE ROWNUM = 1))
AND serial# = (SELECT serial#
FROM v$session s
WHERE SID IN (SELECT SID
FROM v$mystat
WHERE ROWNUM = 1));
EXCEPTION
WHEN OTHERS
THEN
NULL;
END;
/
– End of Steps –
Result
1. Use a database user to log in to the database. Query sys.login_log. The login
information should be recorded in the table.
Run the following SQL command to query the LOGIN_LOG table:
2.2 Forbidding Users From Logging In to the Database Remotely
Prerequisite
You have the database SYSDBA permission.
Steps
1. Log in to the database.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
2. Run the following command to forbid users from logging in to the database remotely as SYSDBA. Because the parameter is changed with scope=spfile, the setting takes effect after the instance is restarted.
SQL>alter system set REMOTE_LOGIN_PASSWORDFILE=none scope=spfile;
Result
The following error occurs when a user tries to log in to the database remotely as SYSDBA.
2.3 Setting Password Strength
Note:
This operation is applicable only to Oracle 10g; it does not apply to Oracle 11g.
Prerequisite
You have the Oracle database SYSDBA permission.
Steps
1. Modify the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql Oracle script. Change the following contents:
-- Check for the minimum length of the password
IF length(password) < 8 THEN
   raise_application_error(-20002, 'Password length less than 8');
END IF;
2. Modify the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql Oracle script.
Change the following contents:
ALTER PROFILE DEFAULT LIMIT
--PASSWORD_LIFE_TIME 60
--PASSWORD_GRACE_TIME 10
--PASSWORD_REUSE_TIME 1800
--PASSWORD_REUSE_MAX UNLIMITED
--FAILED_LOGIN_ATTEMPTS 3
--PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function;
3. Run the following SQL command to log in to the Oracle database and enable password
management.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
SQL>@$ORACLE_HOME/rdbms/admin/utlpwdmg.sql;
SQL>exit
– End of Steps –
Result
1. Log in to the database as the SYSDBA user.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
2. Create a user named abc1 with the password abc1.
SQL>create user abc1 identified by abc1;
The command fails with the following errors:
alter user abc1 identified by abc1
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20003: Password should contain at least one digit, one character and one
punctuation.
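As an added example (not Oracle's or ZTE's code), the following Python function reproduces the two checks of the modified utlpwdmg.sql script and lists every rule a password violates rather than stopping at the first; abc1 and Ems_1234 from this chapter serve as sample inputs.

```python
"""Password-strength check mirroring the utlpwdmg.sql rules shown above.

Added example, not Oracle's or ZTE's code. It applies the two checks the
modified script performs: minimum length 8 (ORA-20002) and at least one
digit, one letter and one punctuation character (ORA-20003). Unlike the
PL/SQL function, which raises on the first failure, it returns every
violation so an operator can see all reasons a candidate was rejected.
"""
import string

MIN_LENGTH = 8                      # value set in the modified utlpwdmg.sql
PUNCTUATION = frozenset(string.punctuation)   # includes '_' as in Ems_1234

ORA_20002 = (-20002, f"Password length less than {MIN_LENGTH}")
ORA_20003 = (-20003, "Password should contain at least one digit, "
                     "one character and one punctuation")


def verify_password(password):
    """Return a list of (ora_code, message) violations; empty means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(ORA_20002)
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_punct = any(c in PUNCTUATION for c in password)
    if not (has_digit and has_alpha and has_punct):
        violations.append(ORA_20003)
    return violations


def is_acceptable(password):
    return not verify_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords used in this chapter.
    for candidate in ("abc1", "Ems_1234"):
        problems = verify_password(candidate)
        status = "accepted" if not problems else "rejected"
        print(f"{candidate!r}: {status}")
        for code, message in problems:
            print(f"  ORA{code}: {message}")
```

Run against abc1 it reports both ORA-20002 and ORA-20003, because a four-character password fails the length check as well as the character-class check.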
2.4 Modifying a Weak Password
Prerequisite
You have the database SYSDBA permission.
Steps
1. Log in to the database and query the default accounts in normal status. It is unnecessary to modify the passwords of expired or locked accounts.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
SQL>select username from dba_users t where t.account_status = 'OPEN' and default_tablespace in ('SYSTEM','SYSAUX','USERS');
2. Run the following command to modify the password of a user that you have queried:
SQL>ALTER USER username IDENTIFIED BY password;
For example, if you want to modify the password of the test account to Ems_1234, run
the following command:
Result
Use the new password to log in to the database:
#su - oracle
$sqlplus /nolog
Feature: Description. Reference.
Firewall: Users can specify filtering rules by using firewall-related commands. By default, the firewall function is enabled on the system. Users can determine the specified settings. For details, refer to 3.1 Customizing Firewall Filtering Rules.
File transfer channel security: The system transfers files by means of SSH and SFTP, instead of conventional plain-text file transfer methods such as Telnet and FTP. By default, system services such as FTP, Telnet, and file sharing are disabled. For details, refer to 3.2 Setting File Transfer Channel Security.
Table of Contents
3.1 Customizing Firewall Filtering Rules 3-1
3.2 Setting File Transfer Channel Security 3-2
3.1 Customizing Firewall Filtering Rules
Prerequisite
The installation package of iptables (a user space tool) is available.
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep iptables
3. If not, run the command to install the package.
# rpm -ivh "iptables software package"
4. Run the command to verify that the software package version is correct.
Example
Run the following command to set the default policy of the INPUT chain to DROP. This means that any packet that does not match any rule in the INPUT chain will be discarded.
# iptables -P INPUT DROP
Run the following commands to accept all TCP and UDP packets. Each rule takes a single protocol, so TCP and UDP are added as two rules, and a rule needs a target (-j ACCEPT) for the packets it matches to be accepted. The negated match "! icmp" excludes ICMP and accepts all other protocols (TCP and UDP in this example).
# iptables -A INPUT -p tcp -j ACCEPT
# iptables -A INPUT -p udp -j ACCEPT
# iptables -A INPUT ! -p icmp -j ACCEPT
When the system is administered over SSH, add the ACCEPT rules before changing the policy to DROP, otherwise the remote session is cut off. Older iptables versions accept the negation written as -p ! icmp.
3.2 Setting File Transfer Channel Security
Prerequisite
The transfer tool installation package related to the current OS version is available.
Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep "tool name"
3. If not, run the command to install the package.
4. Run the command to verify that the software package version is correct.
# rpm -qi "rpm software package"
5. Test the secure file transfer tool.
– End of Steps –
Example
This example uses SSH to show how to use the secure file transfer channel.
[root@root /]# /etc/init.d/sshd restart
Stop sshd: [OK]
Start sshd: [OK]
Feature: Description. Reference.
User security attribute query: User security attributes can be queried in user information details. For details, refer to “4.1.5 Creating a User”.
User identification: Ciphertext is used when a user logs in to the NetNumen U31 and queries user information. For details, refer to “4.1.5 Creating a User”.
Security behavior management: Users can be granted permissions to perform operations on specified functional modules of the NetNumen U31. Unauthorized users are forbidden to perform relevant operations. For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, “4.1.5 Creating a User”, “4.1.13 Setting the User Login Mode”, “4.1.14 Querying Login Users”, “4.1.15 Logging Out a User”, “4.1.16 Modifying Common User Passwords in Batches”, and “4.1.18 Clearing Invalid Accounts”.
Security attribute management: Users that are not granted the security management and user management functions are forbidden to modify security attributes. For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, and “4.1.5 Creating a User”.
Strong password: Strong passwords are supported to prevent password attacks. For details, refer to “4.1.6 Customizing the User Account Rule”.
Permission management: Multiple roles can be set. Different roles have different levels of management permissions. Users can be associated with roles so that user management scope and permissions can be specified and unauthorized operations can be prevented. For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, and “4.1.5 Creating a User”.
Internal control management: The database account and password, and the FTP account and password, of the NetNumen U31 can be set. For details, refer to “4.1.9 Modifying the Password of a Database Account” and “4.1.10 Modifying the Password of an FTP Account”.
Authentication failure processing: After the number of user authentication failures reaches a specified value, the user account will be locked. The maximum number of failures allowed for a user can be set. User authentication information must be recorded in logs. For details, refer to “4.1.7 Viewing Locked Users”.
Concurrent session restriction: The number of sessions that a user can have at a time can be specified. For details, refer to “4.1.12 Restricting Concurrent Sessions”.
Session termination: If a user performs no operation during a specified period after logging in to the system, the system will terminate the session automatically. To perform operations, the user must log in to the system again to establish a new session. For details, refer to “4.1.8 Setting Logout Idle Time”.
Session locking: If a user performs no operation during a specified period (different from the period specified for session termination) after logging in to the system, the system will lock the session automatically. Authorized users can manually lock sessions. For details, refer to “4.1.11 Locking a Client Session”.
Table of Contents
4.1 Security Management 4-3
4.2 Data Transfer Channel Management 4-41
4.1 Security Management
• The management rights of a user are determined by the role sets and roles to which the user belongs.
• A role set is a collection of one or more roles, so the rights of a role set are the collection of the rights of multiple roles.
• The rights of a role are defined by the operation and the resource together.
• An operation set is a set of one or more operation permissions.
4.1.1 Creating a Department
The system provides a root department by default. All newly-created departments are subordinates of the root department.
Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.
2. In the User Management window, right-click a department or root department, and
then select New Sub-department from the shortcut menu. The basic information for
the new department is displayed on the Basic Information tab in the right pane, see
Figure 4-2.
Parameter: Description.
Superior Department: Existing department, that is, the superior department for the selected department. The default superior department is the department selected in Step 2.
4.1.2 Creating an Operation Set
Context
The system has five predefined operation sets. These five default operation sets cannot be modified, and they meet basic permission allocation requirements, so the maintenance personnel can use them directly. If there are other permission allocation requirements, the maintenance personnel can customize an operation set.
Table 4-3 shows the five predefined operation sets.
Administrator Right: Administrator right is the preset operation set with the highest right. Only the administrator has the rights in the administrator right operation set. Therefore, the administrator right cannot be assigned. In the operation set pane, the Administrator Right is always in gray. Only when the Administrator role is selected in the role tree is the Administrator Right operation set available for selection. Administrator right means that you have unrestricted access right to the NetNumen U31 system and the managed network. Double-click the Administrator Right and you can see that it has rights over all the operation codes.
System Maintenance Right: System maintenance right means that you do not have the right to maintain the system security information. Except for this, you have all the rights over the system and the managed network.
Operation Right: Operation right means that you can view the network information and conduct normal configuration modifications, so that you can perform operations such as daily maintenance and failure processing. However, you cannot back up or restore the system. You cannot modify sensitive NE configuration information either, such as the NE account.
View Right: View right means that you can browse the network information. For example, you can conduct operations such as creating reports and querying data. But you cannot modify configurations. This right is used in daily monitoring.
No Right: No right means that you do not have any right over the network information. If a resource is assigned this right, you do not have any operation right over this resource.
Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. In the Role Management window, click a role under Role. The information of the role
is displayed in the right pane, see Figure 4-3.
3. Perform one of the following operations to display the New Operation Set dialog box, see Figure 4-4.
• Click ▼ (Click to maintain operation sets) and select New Operation Set from the shortcut menu.
• Right-click the operation set and then select New Operation Set from the shortcut menu.
4. Set the general information and the operation rights for this operation set.
5. Click OK. The new operation set is displayed in the operation set list.
– End of Steps –
4.1.3 Creating a Role
When the predefined roles cannot meet the system requirements, the maintenance personnel can customize a role. After a role is customized, the maintenance personnel can allocate resources and an operation set to the new role.
Context
Table 4-4 shows predefined roles. These predefined roles cannot be modified.
Table 4-4 Predefined Roles
Administrator Role: Administrator role has unrestricted access right to the NetNumen U31 system and the managed network, including the right to modify core information such as the system account.
Maintenance Role: Maintenance role does not have the right to maintain the system security information. Except for this, you have all the rights over the system and the managed network.
Operator Role: Operator role has the right to view the network information and conduct normal configuration modifications. However, you cannot back up or restore the system. You cannot modify sensitive NE configuration information either.
Supervisor Role: Supervisor role has the right to view the network information. For example, you can conduct operations such as creating reports and querying data. But you cannot modify configurations.
Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. Right-click any node under the Role node in the Role Management window, and then
select New Role from the shortcut menu.
The basic information and rights information for the new role are displayed in the right
pane, see Figure 4-5.
Parameter: Description.
Lock the Role: When a role is locked, users with this role cannot use the rights of this role. At the same time, a user with only this role cannot log in to the system.
Access Rights, Resource Type: Select an option from the Resource Type drop-down list to filter the current physical resource.
Access Rights, Resource Name: Click to find management resources in accordance with the entered resource name.
Access Rights, Operation Set Name: The operation set name of this operation. It defines the operation right of a role. Operators can customize an operation set, or use a default operation set.
b. On the left of the Access Rights area, click a physical resource node.
Note:
If the permission of this node is consistent with that of its parent node or child nodes, you can right-click this node and then select Follow Parent Node's Right or Synchronize Rights of Sub-nodes.
c. On the right of the Access Rights area, select an operation set for the physical
resource node.
d. Repeat Steps a to c until every physical resource is allocated an operation set.
5. Click OK to create a new role.
– End of Steps –
4.1.4 Creating a Role Set
Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. In the Role Management window, right-click a role set, and then select New Role Set
from the shortcut menu.
3. Specify Role Set Name, Role Set Description, and Assigned Roles, see Figure 4-7.
Parameter: Description.
Role Set Name: Enter the role set name in this box. Mandatory, range: 1 to 50 characters.
Lock the Role Set: Once the role set is locked, the associated operation permission is suspended.
Available Roles: Available roles in the system. Select a role and then click the icon to add it to the Assigned Roles area.
Assigned Roles: Names of roles that have been added to this role set.
Note:
If a user is not assigned any role or role set, then the user does not have any right after
logging in to the system.
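The following added Python model (not NetNumen code) implements the rights semantics stated in 4.1.1 through 4.1.4: an operation set per resource for each role, the union of rights over the roles and role sets assigned to a user, and the effect of locking a role or a role set. Role names, resources and operation codes are constructed, and treating a locked role set like a locked role for the login decision is an assumption.

```python
"""Model of the NetNumen U31 rights semantics described in 4.1.1 to 4.1.4.

Added illustration, not NetNumen code. It implements the rules the text
states: a role's rights are an operation set per resource, a role set is
the collection of its roles' rights, a user's rights are the union over
the roles and role sets assigned, a locked role contributes nothing and a
locked role set suspends its permissions, a user whose every role is
locked cannot log in, and a user with no role or role set logs in with no
rights. All names and operation codes below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OperationSet:
    name: str
    operations: frozenset   # operation codes granted on a resource


# Three of the predefined sets from Table 4-3, reduced to sample operation codes.
NO_RIGHT = OperationSet("No Right", frozenset())
VIEW_RIGHT = OperationSet("View Right", frozenset({"query", "create_report"}))
OPERATION_RIGHT = OperationSet("Operation Right",
                               VIEW_RIGHT.operations | {"modify_config"})


@dataclass
class Role:
    name: str
    grants: dict            # resource name -> OperationSet
    locked: bool = False    # "Lock the Role" check box


@dataclass
class RoleSet:
    name: str
    roles: list
    locked: bool = False    # "Lock the Role Set": permissions suspended


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    role_sets: list = field(default_factory=list)


def assigned_roles(user):
    """Every role reachable from the user, directly or through a role set."""
    return list(user.roles) + [r for rs in user.role_sets for r in rs.roles]


def active_roles(user):
    """Roles that currently contribute rights: unlocked, and not in a locked set."""
    active = [r for r in user.roles if not r.locked]
    for rs in user.role_sets:
        if not rs.locked:
            active.extend(r for r in rs.roles if not r.locked)
    return active


def effective_rights(user):
    """resource -> set of operation codes, the union over all active roles."""
    rights = {}
    for role in active_roles(user):
        for resource, opset in role.grants.items():
            rights.setdefault(resource, set()).update(opset.operations)
    return rights


def can_login(user):
    """A user with no role at all logs in (with no rights); a user whose roles
    are all locked cannot log in. Counting roles in a locked role set as
    locked here is an assumption; the text states the rule only for roles."""
    if not assigned_roles(user):
        return True
    return bool(active_roles(user))


def is_permitted(user, resource, operation):
    return operation in effective_rights(user).get(resource, set())
```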
4.1.5 Creating a User
Prerequisite
The user having the user management right logs in to the NetNumen U31 server.
Context
If the user account customization rule is enabled (refer to “4.1.6 Customizing the User Account Rule”), the account and password of a newly created user must satisfy that rule, for example the minimum password length, the maximum password length, and the number of days during which the new password cannot be the same as the last old password; otherwise, a prompt is displayed during the user creation process.
If the password of a user will expire, a prompt will be displayed when the user logs in to
the system, indicating that the password should be modified. If a user account is locked,
an alarm message will be reported in alarm management.
Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.
2. In the user management tree, right-click a node and then select New User from the
shortcut menu.
The basic information, rights, log view range, user department, and the advanced
information for the new user are displayed in the right pane, see Figure 4-8.
The new user belongs to the selected node. For example, when you right-click Root
Department, the new user will belong to the root department.
Parameter Description
User Password: Password for user login. The length of this password can be set in the user account rule, refer to “4.1.6 Customizing the User Account Rule”.
Password Control
  User Must Modify Password Before Next Login: Whether the user must modify the password before the next login. If this check box is selected, the User cannot Modify Password parameter cannot be set.
  User cannot Modify Password: Whether the user can modify the password. If this check box is selected, the User Must Modify Password Before Next Login parameter cannot be set.
  Set Maximum Password Age (days): Maximum time during which the user password is valid. The validity period of a password begins when the password is used. When the maximum validity period set by this parameter expires, you must reset the password.
  Set Minimum Password Age (days): Minimum time during which the user password is valid. The validity period of a password begins when the password is used. The password cannot be modified before the minimum validity period set by this parameter expires.
Account Control
  Disable / Disable Start Time / Auto Disable If Account Is Idle for the Following Period: Whether to disable this user account. You can choose only one of the following ways:
  - Disable: The new user account is disabled immediately.
  - Disable Start Time: The user account will be disabled at the defined start time.
  - Auto Disable If Account Is Idle for the Following Period: The user account will be disabled if nobody logs in to the system with it within the set number of days.
  Set Account Validity Period (days): The validity period of an account begins when the account is created. If the validity period of an account expires, the account becomes invalid and cannot be used to log in to the system.
  Set Account Stop Period (days): The account stopping period begins when the account is suspended. After the account stopping period of an account expires, the account is resumed.
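The account and password parameters above combine into a single "may this account log in" decision. The following is an added example that models that decision; it is not NetNumen U31 code, and it assumes a simple day counter (a constructed epoch) and treats each period as expired on the day its length is reached, since the manual does not state the boundary rule.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class UserAccount:
    created_day: int                          # day the account was created (constructed day count)
    password_set_day: int                     # day the current password was set
    last_login_day: Optional[int]             # None: never logged in
    disabled: bool = False                    # "Disable": disabled immediately
    disable_start_day: Optional[int] = None   # "Disable Start Time"
    idle_disable_days: Optional[int] = None   # "Auto Disable If Account Is Idle for the Following Period"
    validity_days: Optional[int] = None       # "Set Account Validity Period (days)"
    stop_period_days: Optional[int] = None    # "Set Account Stop Period (days)"
    suspended_day: Optional[int] = None       # day the account was suspended, if it was
    max_password_age: Optional[int] = None    # "Set Maximum Password Age (days)"
    min_password_age: Optional[int] = None    # "Set Minimum Password Age (days)"

def account_status(acct: UserAccount, today: int) -> str:
    """Return 'ok' or the first reason the account cannot be used for login.
    A period is treated as expired on the day its length is reached (assumption)."""
    if acct.disabled:
        return "disabled"
    if acct.disable_start_day is not None and today >= acct.disable_start_day:
        return "disabled"                      # disabled at the defined start time
    if acct.idle_disable_days is not None:
        last = acct.created_day if acct.last_login_day is None else acct.last_login_day
        if today - last >= acct.idle_disable_days:
            return "disabled"                  # no login within the set number of days
    if acct.validity_days is not None and today - acct.created_day >= acct.validity_days:
        return "invalid"                       # validity period counts from creation
    if acct.suspended_day is not None and acct.stop_period_days is not None:
        if today - acct.suspended_day < acct.stop_period_days:
            return "suspended"                 # resumed once the stop period has elapsed
    if acct.max_password_age is not None and today - acct.password_set_day >= acct.max_password_age:
        return "password_expired"              # the password must be reset
    return "ok"

def may_change_password(acct: UserAccount, today: int, cannot_modify: bool) -> bool:
    """'User cannot Modify Password' forbids any change; otherwise the minimum
    password age must have elapsed since the password was set."""
    if cannot_modify:
        return False
    if acct.min_password_age is not None and today - acct.password_set_day < acct.min_password_age:
        return False
    return True
```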
3. On the Basic Information tab, set the basic information for the new user.
4. Click the Right tab, and then assign the role(s), role set(s), or both for the user, see
Figure 4-9.
The user has the rights of the assigned role or role set. A role or role set can be shared
by multiple users.
Note:
If no role or role set is configured for the user, you may click Click Here to GO to Role
Management.
5. Click the Log View Range tab, and then select the roles, role sets, or both whose
user logs you want to view, see Figure 4-10.
The user with the permission of the system administrator can view logs of all users.
However, a normal user can view only their own logs and the logs of users related to the
selected roles or role sets.
When the Select All Roles and Role Sets check box is selected, the user can view
logs of all users, including the system administrator.
6. Click the User Department tab, and then select the department that the user belongs
to, see Figure 4-11.
7. Click the Advanced Information tab, and then set the additional user information, the
connect type, the IP range, and the GUI MAC Binding, see Figure 4-12.
Parameter Description
Email: The e-mail address of the new user. The character @ is required in the e-mail address.
Concurrent Logins: Maximum number of users that can log in to the client with the account simultaneously. If this parameter is set to 10, at most 10 users can log in to the client with the account simultaneously.
User Working Time: Click Set or View the Working Time and set the working time during which the user can log in to the system.
Logout Idle Time (minutes): Whether the user is automatically logged off after a period of time during which no operations are performed. If this parameter is enabled, it sets the waiting time before the user is automatically logged off.
Connect Type: Connection types for a newly created user. The user can log in to the server from a client only when GUI is selected.
GUI MAC Binding: Newly created users can log in to the server only from machines with the bound MAC addresses.
8. Click OK.
– End of Steps –
Steps
1. In the main window of the client, select Security > Set User Account Rule.
The Set User Account Rule dialog box is displayed, see Figure 4-13.
2. In the Password Rule tab, set the password policy in accordance with the actual
requirements.
3. Click the Account Rule tab, see Figure 4-14.
Parameter Description
Account Lock Rule
  Never Lock: When this check box is selected, the user is never locked regardless of the number of login failures.
  Lock Permanently: If the number of failed logins of a user reaches the threshold, this user will be locked.
  Lock Temporarily: When the number of failed logins reaches the threshold set by Lock at password error, the user will be locked. After the duration set by the Unlock after parameter, the user will be unlocked.
  Period for password input errors: When the number of wrong passwords entered within this period reaches the threshold, the user will be locked.
  Lock at password error: When the number of wrong passwords exceeds the set threshold, the user will be locked. Range: 2 to 20.
  Unlock after: After the set duration, the locked user will be unlocked. Range: 1 to 72.
  Lock account with IP: If this check box is selected, the system locks the user in accordance with the IP address.
  Do not lock admin: If this check box is selected, the system will never lock the default system administrator (admin).
Account Checking
  Cannot be user accounts deleted in the last (days): If this check box is selected and a value is set (for example, 5), you cannot create a user account with the same name as an account that was deleted within the last 5 days. Range: 1 to 100.
  Notify account expiry in advance of (days): To enable the password expiry notification function, select this check box and enter the number of days (for example, 5). The system then prompts the user at login, starting 5 days before the password expires. Range: 1 to 90.
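The lock rule above is a small state machine: failures are counted within a window, a lock is applied at the threshold, and it is either permanent or lifted after the Unlock after duration. The following is an added example of that logic; it is not NetNumen U31 code. It assumes integer-second timestamps, treats the period and unlock values as seconds because the manual gives their ranges without units, applies the lock when the failure count reaches the threshold as in the worked example in the next section (threshold 3, three wrong passwords), and counts failures per user and IP address only when Lock account with IP is enabled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PERMANENT = -1  # marks a "Lock Permanently" entry in locked_until

@dataclass
class LockRule:
    mode: str                        # "never", "permanent" or "temporary"
    threshold: int = 3               # "Lock at password error", range 2 to 20
    period: int = 600                # "Period for password input errors" (seconds assumed)
    unlock_after: int = 3600         # "Unlock after" (seconds assumed)
    lock_with_ip: bool = False       # "Lock account with IP": one counter per user and IP
    do_not_lock_admin: bool = True   # "Do not lock admin"

@dataclass
class LockoutState:
    failures: Dict[Tuple[str, str], List[int]] = field(default_factory=dict)  # failure times
    locked_until: Dict[Tuple[str, str], int] = field(default_factory=dict)    # expiry or PERMANENT

def _key(rule: LockRule, user: str, ip: str) -> Tuple[str, str]:
    return (user, ip if rule.lock_with_ip else "*")  # "*": all addresses share one counter

def is_locked(rule: LockRule, state: LockoutState, user: str, ip: str, now: int) -> bool:
    k = _key(rule, user, ip)
    until = state.locked_until.get(k)
    if until is None:
        return False
    if until == PERMANENT:
        return True                  # cleared only through User Lock Details > Unlock
    if now >= until:
        del state.locked_until[k]    # temporary lock has elapsed
        return False
    return True

def record_failure(rule: LockRule, state: LockoutState, user: str, ip: str, now: int) -> bool:
    """Record one wrong password; return True if this failure locks the account."""
    if rule.mode == "never" or (rule.do_not_lock_admin and user == "admin"):
        return False
    k = _key(rule, user, ip)
    recent = [t for t in state.failures.get(k, []) if now - t < rule.period] + [now]
    if len(recent) < rule.threshold:
        state.failures[k] = recent
        return False
    state.failures[k] = []           # counter resets once the lock is applied
    state.locked_until[k] = PERMANENT if rule.mode == "permanent" else now + rule.unlock_after
    return True

def admin_unlock(rule: LockRule, state: LockoutState, user: str, ip: str = "*") -> None:
    state.locked_until.pop(_key(rule, user, ip), None)  # Security > User Lock Details > Unlock
```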
Steps
1. In the main window of the client, select Security > Set User Account Rule. The Set
User Account Rule dialog box is displayed.
2. Click the Account Rule tab. Set the account lockout rule, see Figure 4-15.
For example, select Lock Temporarily and set Lock at password error(J) to 3. In
this case, the system will lock a non-admin user when this user tries to log in to the
system but has entered a wrong password for three consecutive times.
3. In the main window of the client, select Security > User Lock Details. The User Lock
Details dialog box is displayed, see Figure 4-16.
4. (Optional) If a user needs to be unlocked, click Unlock and then click OK in the confirm
message box.
5. Click Close to close the User Lock Details dialog box.
– End of Steps –
Steps
1. In the main window of the client, select Security > Set Logout Idle Time.
The Set Logout Idle Time dialog box is displayed, see Figure 4-17.
3. Select the users to be set in All Users, and then click the icon to add them to Selected Users.
4. Click OK.
– End of Steps –
Prerequisite
You have logged in to a NetNumen U31 client as the system administrator.
Steps
1. Double-click the U31 Client icon on the client desktop. The Login dialog box is
displayed.
2. Set User Name, Password, and Server Address. Click OK. The client portal is
displayed, see Figure 4-18.
4. Select Security > Inner Control Management. The Inner Control Management
dialog box is displayed, see Figure 4-20.
5. Right-click the sub-node under the Database node. Select Connect to Database.
The Database Login dialog box is displayed, see Figure 4-21.
6. Enter the password of the SYSTEM user. Click OK. You are logged in to the database.
7. Right-click a database account in the right pane, see Figure 4-20. Select Change
Password. The Modify Database Accounts' Passwords dialog box is displayed,
see Figure 4-22.
Note:
The passwords of UEP3X and CN_RPT database accounts are not modified.
8. Enter the original password in Old Password. Set a new password in New Password.
Enter the new password again in Confirm Password.
– End of Steps –
Prerequisite
You have logged in to a NetNumen U31 client as the system administrator.
Steps
1. Double-click the U31 Client icon on the client desktop. The Login dialog box is
displayed.
2. Set User Name, Password, and Server Address. Click OK. The client portal is
displayed.
3. Click System Maintenance. The System Maintenance window is displayed.
4. Select Security > Inner Control Management. The Inner Control Management
dialog box is displayed.
5. Select the FTP Account node. The FTP accounts are displayed in the right pane, see
Figure 4-23.
7. Enter the original password in Old Password. Set a new password in New Password.
Enter the new password again in Confirm Password.
9. Restart the NetNumen U31 server so that the settings will take effect.
– End of Steps –
Steps
- Manually lock a session.
1. In the main window of the client, select System > Lock Screen. The Select Lock
Type dialog box is displayed, see Figure 4-25.
- If Lock Operation is selected, the user must press Ctrl + U when the user
wants to perform operations on the client. The Unlock login dialog box is then
displayed.
- Automatically lock a session.
1. In the main window of the client, select System > Preferences. The Preferences
dialog box is displayed, see Figure 4-27.
When the period during which a user performs no operations on the client exceeds
the predefined period:
- If Lock Screen is selected, the Unlock dialog box is displayed on the client,
see Figure 4-26.
- If Lock Operation is selected, the user must press Ctrl + U when the user
wants to perform operations on the client. The Unlock login dialog box is then
displayed.
– End of Steps –
Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.
2. From the user management tree, select a user. In the right pane, the user information,
including the basic information, permissions, log view range, user department, and
advanced information, is displayed.
5. Click OK.
– End of Steps –
Result
When the number of simultaneous logins to NetNumen U31 clients with this account
exceeds the value of Concurrent Logins, the account cannot be used for a further login
until one of its sessions is released.
Note:
Only the user with the permission of the system administrator can set the user login mode.
Prerequisite
The user with the permission of the system administrator has logged in to the client.
Steps
1. In the main window of the client, select Security > Set User Login Mode.
The Set User Login Mode dialog box is displayed, see Figure 4-29.
3. Click OK.
– End of Steps –
Steps
1. In the main window of the client, select Security > Login User Management.
The Login User Management dialog box is displayed, see Figure 4-30.
Note:
Only the administrator can forcefully disconnect these users. In addition, the current
session cannot be deleted by the user.
Steps
1. In the main window of the client, select Security > Login User Management. The
Login User Management dialog box is displayed.
2. Click a login user, and then click Force to Log Out (K). The Confirm message box is
displayed.
3. Click OK.
4. Click Close to close the Login User Management dialog box.
– End of Steps –
Steps
1. In the main window of the client, select Security > Batch Modify Common Users'
Passwords. The Batch Modify Common Users' Password dialog box is displayed,
see Figure 4-32.
2. Enter the new password in the New Password and Confirm Password text boxes.
3. Add the matching users to Users to Be Modified.
4. Click OK.
– End of Steps –
The user in the blacklist cannot log in to the NetNumen U31 system.
Note:
Only the user with the role of the system administrator can add a user to the blacklist.
Prerequisite
The user with the role of the system administrator has logged in to the client.
Steps
1. In the main window of the client, select Security > User Blacklist.
2. Select a user to be added to the blacklist, and then click the icon to add the user
to the Users in Blacklist box.
3. Click OK.
– End of Steps –
Note:
Only the user with the role of the system administrator can disable or delete invalid
accounts.
Prerequisite
The user with the role of the system administrator has logged in to the client.
Steps
1. In the main window of the client, select Security > Clean Up Accounts.
To... Do...
Disable the accounts that are idle within N days: i. Click the Disable accounts that are idle in the last 60 day(s) option.
Delete the accounts that are idle within N days: i. Click the Delete accounts that are idle in the last 90 day(s) option. ii. In the Matching Accounts box, select the account to be deleted and then click the icon to add the account to the Deleted Account box.
3. Click OK.
When invalid accounts are cleared successfully, click OK.
– End of Steps –
Steps
Starting the SSH Server on the NetNumen U31 Server
1. Go to the uif directory under the installation directory of the NetNumen U31 server,
and run the runPlugCenter.sh file to start the NetNumen U31 Unified Management
System configuration center.
2. In the left navigation tree, select Common Configuration > Common Property.
3. In the Server area of the right pane, select Global Configuration > Encrypted
Communication Configuration > Whether to start SSH forward service, see
Figure 4-35.
Figure 4-35 Starting the Service for Forwarding Data Through SSH
12. Set User Name, Password, and Server address. Select SSH Port. Enter an SSH
port for forwarding data. By default, the port number is 21140.
13. Click OK. The client accesses the NetNumen U31 server through SSH.
– End of Steps –
NAT
- Network Address Translation
SFTP
- Secure File Transfer Protocol
SSH
- Secure Shell
TCP
- Transmission Control Protocol
UDP
- User Datagram Protocol
VNC
- Virtual Network Computing
ZTE
- Zhongxing Telecommunications Equipment (ZTE Corporation)