Shulou(Shulou.com)11/24 Report--

Thank CTOnews.com netizens Cainiao N for the clue delivery! CTOnews.com news on December 24, the United letter software recently released the "unified letter UOS server security use guide", unified letter server operating system V20 (referred to as: unified letter Youyue, UMountain. It is a platform-level software used to build an information infrastructure environment, providing full-stack server operating system with rich ecology. UOS V20, a server in the Tongxin UOS family, has done a lot of work in security, providing customers with a reinforced OS security base for their business.

Patch push server OS is a large software system, which contains many software components, which inevitably leads to a variety of problems, defects or security vulnerabilities. In order to ensure the safe and stable operation of the server, Tongxin software will push an update announcement every 21 days, including a series of security updates, defect updates, and so on:

UTSA,Uniontech Security Advisory, the security update announcement

UTBA,Uniontech Bugfix Advisory, that is, defect repair update announcement

Users can connect to the software repository in the server UOS for announcement query, patch repair and other operations. The Update announcement tool provides the following functions:

Query announcement information-list the published announcements, and specify a specific bulletin number to query, including danger, bulletin number, CVE information, BUG information, etc.

Specify CVE updates-specifying a specific CVE in the announcement to update will update all multiple packages that contain that CVE.

Specify bulletin number update-specify a specific bulletin number to update as a whole, and all packages contained in that bulletin number will be updated.

For intranet users, use reposync to synchronize the packets of the DNF remote warehouse to the local directory, make a copy of the remote repository locally, and also receive patch push in the intranet environment.

The published CVE repair information can be searched and viewed in the Universe Security Emergency response Center (USRC).

02 kernel hot patch mechanism kernel hot patch is a technique to repair defects in the kernel or kernel module without restarting the operating system or plugging or unplugging the kernel module. Server UOS provides kernel hot patch mechanism, which can modify functions in kernel or kernel module without restarting operating system and interrupting business, and achieve the purpose of dynamically replacing functions in kernel or kernel module. Examples of usage scenarios are as follows:

When there are security vulnerabilities in the operating system, defect functions or security patches can be made into kernel hot patches into the system. To fix vulnerabilities without business interruption.

In the process of developing the kernel or kernel module, you need to add print information to a function, which can be achieved in the form of kernel hot patch, without the need to recompile the kernel or kernel module, install, restart.

03 system security software UHarden Unified Information system Security Software (abbreviated as UHarden) is a security reinforcement and security configuration tool developed by United Information Software. UniCredit can open security modules such as separation of powers and integrity measurement with one button, and allow users to switch system security levels with one button.

UHarden is designed in accordance with "GB / T 20272-2019 operating system Security Technical requirements" and "GB / T 22239-2019 Network Security level Protection basic requirements". It provides multi-level security reinforcement scheme (low, standard, strict, etc.), the initial default "standard" level, and users can also switch to other system security levels with one click according to their needs. And UHarden adapts to CentOS 7amp 8, which reinforces the security of the business environment with CentOS 7amp 8 as the base under the off-service background to further improve the system security.

04 safe operation environment UOE safe operation environment software (abbreviated as: Universe Youquan, UOE) is a security isolation environment software developed by Uni-trust software. It allows developers to run a Linux environment directly on the Universe server operating system V20, including running command-line tools, components and applications.

UOE is so lightweight that users can easily run dozens of instances and manage them.

05 full-stack Guomanxin software complies with the design requirements of "GM / T 0028-2014 cryptographic module security technical requirements" to design UOS cryptographic module. Unified Information Software provides a full stack of state secret solutions, built-in complete state secret infrastructure, and supports out-of-the-box state secret infrastructure and application development toolkits. These include:

Kernel module signature-call the national secret algorithm to sign the kernel module

IMA Security Mechanism-- using National Secret algorithm to transform IMA signature

Open source software transformation-using the national secret algorithm to transform 9 basic components

Visit the National Secret site-- access the National Secret Certificate site through OpenSSL

Installer modification-installer supports national secret algorithm encryption

06 is the first product in the industry to adopt the latest standard 020272-2019, Information Security Technology, operating system Security Technical requirements (level 4). The unified trust server operating system V20 meets the four levels of equal protection, and realizes the guarantee requirements such as identity authentication, access control, security audit, trust verification and so on.

07 kernel security interface USKI Unified Information Kernel Security Interface (Uniontech Security Kernel Inter- face, abbreviated as: USKI) provides an interface for dynamically constructing third-party security modules in the form of LKM (Loadable Kernel Module). As part of the kernel security mechanism, USKI provides a third-party security module interface, and USKI checks the security of the three-party security module. The successfully registered three-party security module has the same function as the selected security module in the kernel compilation phase.

USKI provides a concise hook registration / logout interface for security developers or users with secure operation and maintenance capabilities. Users only need to call the API to complete registration according to the development specification.

Customers only need to adapt the USKI interface for applications developed based on uos-kernel, regardless of kernel version changes and related kernel-dependent interface API changes. And even if the relevant content changes, customer applications do not need to re-adapt to upgrade. It greatly improves the development efficiency of customers and the application compatibility with UOS. USKI has the following advantages:

High compatibility-based on uos-kernel development, adapting to USKI interface applications, regardless of the subsequent kernel version changes and related kernel-dependent interface API changes.

Easy to expand-support to run multiple security modules at the same time, easy to expand.

Easy to understand-simple interface, easy to understand and use.

Modularization-easy to develop security modules in a modular manner, easy to develop and debug.

Lightweight-low performance overhead, based on LSM Linux security module) implementation, efficient operation.

08 UOS active Security Protection Plan UAPP in order to better promote the development of information technology application innovation network security industry, ensure network security, and improve the level of basic software security protection, the key Laboratory of Network Security Technology and Industrial Development of the Ministry of Software and Industry and Information Technology, together with a number of head security manufacturers in the United Nations, comprehensively released UOS active Security Protection Plan UAPP (UOS Active Protections Program). Create an operating system with the world's highest level of security.

Security application continuous compatibility sub-plan-to develop security interface standards and specifications to help security manufacturers improve the continuous compatibility of security applications.

Security response Subprogram-helps security partners get vulnerability information in advance so that security updates can be provided more quickly.

Computer virus information sharing sub-program-based on the core security capabilities of security partners to improve the protection level of the operating system.

CTOnews.com has learned that the above functions have been implemented on the recently released commercial version of the Unified Information Server operating system V20 (1050u2), in addition to other security improvements, such as support for UEFI security startup, file safe, firewall and antivirus, Rust rewriting basic components, and so on.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.