Overview
SBC SWe instance security policies align with the latest AWS requirements:
- “root” login from “linuxadmin” is disabled
- "linuxadmin" user "sudo" access tightened:
- On AMI Instance start-up the "linuxadmin” user will not be in the “sudo” group
- When any valid licence is installed, the “linuxadmin” user will be given sudo access
Support only SSH Key login for the “admin” user
- No default passwords for all Linux accounts on installation
- The “linuxadmin” and “admin” users permit only key based SSH
- The default "root" user password is removed
- To use EMA or other services which require passwords, the customer must add a user with a user password after installation/upgrade of the SBC has completed
- - After AMI Instance Initiation
- Ensure only default users in sshd_config file
- No unexpected users are configured in the "sudo" group
- Logging in with "ssh" is only available to the "linuxadmin" and "admin" users
- For any unexpected users configured on the system:
- All accounts should be locked/removed from /etc/passwd (using "mod user -l")
- Ensure only white list users are configured in /etc/sudoers.d
The following figure displays the Key entry fields in the AWS Cloud Formation Templates (CFNs) to access the SBC SWe for “linuxadmin” and “admin” users.
Security Configuration Window
Obtaining and Inserting Keys into the New AWS CFTs
Perform the following steps to obtain and insert the keys into the new AWS CFTs for “linuxadmin” and “admin” Users
Generate keys for the SBC SWe
Generate the following keys to to use with the SBC using AWS console EC2 > Network & Security > Key Pairs
- “linuxadmin”
- “admin” users on the SBC (You can create the admin SSH key that is the same or different to the linuxadmin SSH key)
Use the Keys in the CFN
- Field “LinuxAdminSshKey”: use the “linuxadmin” key(pem) obtained above.
- Field "AdminSshKey": enter the Public key string obtained using the following process:
- Transfer the .pem file generated by AWS to a Linux server. Use the following AWS instructions to generate the key pair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
- Run: ssh-keygen -y -f <pem_file>. It will output a Public key string
- Cut/paste the key: “ssh-rsa <key>” into the “AdminSshKey” field
Steps to install initial license on AWS SBC Swe
- Get the Chassis number from the SBC logging in as “admin” to CLI
- ssh -i <admin_pem> admin@<sbc_ip>
- show table system serverStatus
- Extract the SERIAL NUM – eg EC2655E1-AC17-C688-1C3E-72562BB72000
- Acquire license from Ribbon Support Portal / the account team.
- SCP the license file onto the SBC as “linuxadmin” user using port 2024:
- scp -i <pem_file> -P 2024 <license_file.xml> linuxadmin@<aws_ip>:/opt/sonus/external
- As the “admin” user run the CLI “request” command to initially install the license for “linuxadmin” to gain sudoers permissions
- ssh -i <admin_pem> admin@<sbc_ip>
- request system admin <system_name> license loadLicenseFile bundleName b1 fileName <license_file.xml>
sbcDiagnostic.sh
If the SBC fails to start and the “linuxadmin” user does not yet have Sudo permissions we can debug the issue with the Diagnostics tool.
Run the following command as “linuxadmin” user:
sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1
This diagnostics tool:
• Checks "cloud-init", "cps", "lca" and "sbx" services current status
• Report issue, if SBC application is not up
• Dumps limited set of logs for further investigation
Usage: Run the following command as “linuxadmin” user:
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh [0] - Dumps System Information and Status
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1 - Captures logs for investigation
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 2 - Runs System Dump
linuxadmin@vsbc1:~$ sbcDiagnostic -h
usage: sbcDiagnostic.sh 0|1|2
-h : This usage help.
-s : Start SBC.
-t : Stop SBC.
-x : Restart SBC.
-r : Reboot Instance.
sbcDiagnostic.sh [0] - Dumps System Information and Status
sbcDiagnostic.sh 1 - Captures logs for investigation
sbcDiagnostic.sh 2 - Runs System Dump
linuxadmin@vsbc1:~$
The EMS and Platform Manager both require an admin password to login.
To set up an Admin password:
- log in to admin using SSH key.
set oam localAuth user admin passwordLoginSupport enabled
commit