Security FAQs: A Deep Dive into openEuler Tools


October is cybersecurity month and openEuler is dedicated to providing a secure, compliant, and resilient platform.

Today, we are excited to share our latest insights on security and compliance at the Open Compliance Summit in Tokyo. Tony Yang, a member of the openEuler Security Committee, discusses how we adopted ISO 18974 for open source security assurance in the panel: Using Case Studies to Inspire: The Value and Process of Sharing Experience with the Community. Stay tuned for the panel recording!

In the meantime, let's explore some FAQs about openEuler's security features. These features, including SecureGuardian, secGear, and secDetector, help you build a dynamic, comprehensive security system and harden security. This ensures that applications based on your OS can maintain information confidentiality, integrity, and availability.

What is SecureGuardian?

SecureGuardian is a Linux security check tool built on openEuler's security baseline. It helps system administrators assess and elevate system security.

Components:

  • Check scripts: Provides individual scripts for each security check which can be easily updated to adapt to new standards or findings.
  • Configuration files: Defines checks and manages exceptions. These files can be tailored to different environments.
  • Execution engine: Coordinates script execution, gathers results, and formats output into detailed analysis and summary reports.
  • User Interfaces: Offers command-line based user interfaces for specifying checks and viewing reports and configuration settings.

Key features:

  • Flexible configuration, allowing you to enable or disable specific check items as needed.
  • Detailed security check reports, including success/failure reports with reasons and solution links.
  • Automatic generation of HTML reports for easy viewing in web browsers.
  • Support for specifying configuration files with command line arguments.
  • Storage of check script execution results in JSON files for generating HTML reports.

By leveraging SecureGuardian, you can significantly strengthen the security of your OS. For more details, dive into its usage instructions on GitHub.
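To make the component split above concrete, here is an added Python sketch (not SecureGuardian's own code) of that design: two check functions, a configuration dictionary that enables or disables each check and carries its solution link, an engine that collects JSON results, and an HTML renderer. The sshd_config text, file modes and solution URL are constructed sample values, so it runs offline.

```python
import json
import html
import stat

# Constructed sample input standing in for the live system (not a real host).
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"
FILE_MODES = {"/etc/shadow": 0o000, "/etc/passwd": 0o644}

# Check scripts: each returns (passed, reason). An absent PermitRootLogin
# line is flagged too, because the baseline wants an explicit "no".
def check_permit_root_login(cfg, modes):
    values = [l.split()[1] for l in cfg.splitlines()
              if l.split()[:1] == ["PermitRootLogin"] and len(l.split()) > 1]
    return bool(values) and all(v == "no" for v in values), "PermitRootLogin must be set to 'no'"

def check_shadow_mode(cfg, modes):
    mode = modes.get("/etc/shadow", 0o777)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0, "/etc/shadow must not be group/world accessible"

CHECKS = {"SSH-01": check_permit_root_login, "FILE-01": check_shadow_mode}

def run_checks(config, cfg=SSHD_CONFIG, modes=FILE_MODES):
    """Execution engine: run each enabled check and collect JSON-ready results."""
    results = []
    for cid, fn in CHECKS.items():
        item = config.get(cid, {})
        if not item.get("enabled", True):
            continue  # the configuration file disabled this check
        passed, reason = fn(cfg, modes)
        results.append({"id": cid, "status": "pass" if passed else "fail",
                        "reason": None if passed else reason,
                        "solution": item.get("solution")})
    return results

def render_html(results):
    """Turn the JSON results into a minimal HTML report table."""
    rows = "".join(
        f"<tr><td>{r['id']}</td><td>{r['status']}</td>"
        f"<td>{html.escape(r['reason'] or '')}</td><td>{html.escape(r['solution'] or '')}</td></tr>"
        for r in results)
    return f"<table><tr><th>ID</th><th>Status</th><th>Reason</th><th>Solution</th></tr>{rows}</table>"

if __name__ == "__main__":
    # Hypothetical configuration; the solution URL is a placeholder.
    config = {"SSH-01": {"enabled": True, "solution": "https://example.invalid/fix/ssh-01"},
              "FILE-01": {"enabled": True}}
    res = run_checks(config)
    print(json.dumps(res, indent=2))  # what would be written to the JSON results file
    print(render_html(res))
```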

I've heard of secScanner but what features exactly does it have?

Glad you asked! secScanner is a robust security scanning tool that offers a variety of functions to enhance system security. It provides security hardening, vulnerability scanning, rootkit detection, and more for operating systems. Through customized parameter configurations, you can tailor security scanning and detection to meet your specific needs. In addition to meeting system baseline security hardening requirements, this tool lets you scan the customized software packages you select for vulnerabilities.

For more information, check its code repository.

How does secPaver help with policy development?

secPaver is an SELinux policy development tool to help you create security policies for applications. It guides you through the entire process, from initial policy design to final deployment.

Policy design: Simplifies policy configuration with a unified file format, shielding underlying security mechanism details to a great extent.

Policy development: Swiftly generates multiple security mechanism policies — no manual compilation needed.

Policy test: Leverages unified operation interfaces to query, load, and unload different security mechanism policies.

Policy release: Exports policy packages with automatically generated policy installation scripts.

To get started, visit our GitHub repository.

I saw CT-OVAL in openEuler's September Bulletin and it says CT-OVAL is primarily used for evaluating the security of CTyunOS. Can I use it in other OSs?

Thanks for following us! Yes, CT-OVAL is a golang-based system security assessment tool that is primarily used for evaluating the security of CTyunOS, a Linux OS developed by eSurfing Cloud. It is now open-sourced on Gitee. You can download it, modify it, and develop a security assessment tool that suits your own OS!

Key features:

  • Converts CVE data from various sources into corresponding OVAL data and stores it in the database.
  • Filters and generates OVAL XML files by platform, time, severity, keywords, and type.
  • Cleans and organizes OVAL-related data elements in the database, classifying and categorizing the unified definitions, objects, tests, states, and other data elements.
  • Enables batch execution of OVAL-defined tests using OpenSCAP, allowing for security assessments based on customized OVAL testing policies and detailed reporting.

For more details, dive into its code repository on Gitee.

I've heard of secGear, but what key features does it offer for confidential computing?

secGear is an exciting unified framework launched by openEuler to streamline the development of confidential computing solutions in cloud environments. As more enterprises move their services to the cloud, safeguarding your data from potential breaches is crucial. Confidential computing utilizes hardware-based trusted execution environments (TEEs) to ensure data confidentiality and integrity.

secGear offers two key features: switchless and secure channel.

  • Switchless minimizes context switches and data copies between the rich execution environment (REE) and TEE by utilizing shared memory, enhancing performance during data interactions.
  • Secure channel encrypts data transfers between the data owner and the TEE, ensuring secure key negotiation and data protection during transit while reducing exposure in REE memory.

secGear safeguards your data throughout the entire cloud computing process!

For more information, check out the code repository.

What is CVE-ease and how does it assist me with vulnerabilities?

CVE-ease is an innovative platform for managing common vulnerabilities and exposures (CVEs). It collects CVE information from multiple security platforms and notifies you through various channels, including email, and popular Chinese messaging applications—WeChat for social media interactions, and DingTalk for enterprise communication and collaboration.

With its capabilities in real-time tracking, information extraction, database management, historical queries, and real-time reporting, CVE-ease helps you quickly understand and address vulnerabilities, enhancing system security and stability. You can access detailed CVE descriptions, impact scopes, and suggested fixes, allowing you to choose appropriate solutions.

What is secDetector, and how does it perform intrusion detection?

Now, let's dive into secDetector! The built-in intrusion detection system in openEuler is designed to identify and respond to real-time threats, helping you catch potential intrusions before they escalate. It enhances operating system security by providing a robust framework for critical information infrastructure, reducing development costs while improving the effectiveness of third-party security tools. secDetector uses ATT&CK attack patterns to identify and block threats in real time, offering adaptable response strategies.

secDetector performs intrusion detection in three operational modes:

  • User-enabled mode: Allows you to generate alarms and manage abnormal events directly.
  • Integrated mode: Collaborates with security awareness services to analyze complex threats, such as APTs, and enables real-time blocking of critical events.
  • Development mode: Empowers security practitioners to build custom intrusion detection capabilities using an extensible framework.

With secDetector, you gain real-time, accurate insights into security threats, enhancing your overall system protection!

For more information, check its code repository.

What is safeguard and how does it enhance security in openEuler?

Let's take a closer look at safeguard! It integrates extended Berkeley Packet Filter (eBPF) and Linux Security Module (LSM) to provide comprehensive security auditing and system protection in openEuler, allowing efficient monitoring and enhancement of kernel capabilities without modifying the kernel source code. Using eBPF, safeguard runs sandboxed programs in kernel space to extend kernel capabilities efficiently. Combined with the LSM framework, it forms a Kernel Runtime Security Instrumentation (KRSI) extension, enabling custom security policies and audit rules to be implemented and enforced at runtime.

Safeguard provides key security features, including:

  • Audit: Records behavior based on configuration settings and generates logs.
  • Control: Secures access to files, processes, and networks.
  • Behavior analysis: Analyzes resource usage and exceptions, strengthening overall system security.

The project is now open-sourced and maintained by openEuler's ebpf SIG.

For more information, visit the code repository.


At openEuler, we truly value security, providing you with a robust set of features to protect your systems. We believe that collaboration and shared knowledge are vital for strengthening security within the open source community. With this in mind, we warmly invite you to join us at the openEuler Summit 2024, taking place on November 15–16 in Beijing. Together, we can explore the future of security in open source. Stay secure, stay informed, and we can't wait to see you there!
