WeOSGeneral Information
Hardening Overview
The hardening practices are provided in two sections;
-
Fundamental Hardening reflects hardening practices that should be considered as mandatory, regardless of implemented design or environment. Fundamental Hardening does not require any external dependencies.
-
Enhanced Hardening reflects hardening practices that provide enhanced security. Generally specific to implemented design, environment or system requirements. Enhanced hardening may rely on external dependencies, which introduces additional requirements for systems outside the device itself.
Security Maintenance
Configuration Context
Throughout the hardening guide, how to get to a given context has
intentionally been left out. Carefully note each context which a
given setting is applicable to. As example, config / system
context must be entered before typing encrypt-secrets password.
example:/config/system/#> encrypt-secrets password
Working with Configuration
WeOS has multiple configurations, stored in persistent storage and an active copy running in memory. Permanent changes to the configuration should be saved or committed to prevent configuration inconsistencies if the device is rebooted or loses power. Configuration changes can be saved on a device with the following command:
Remember "copy run start" to save to flash (NVRAM). example:/#> copy run start
Use an encrypted protocol for backup & restore configurations via remote interfaces, such as HTTPS. Backup/archived configurations, and the backup repository, must be protected from unauthorized access.
Monitor Security Advisories
Stay informed about vulnerabilities and recommended mitigations by subscribing to Westermo security advisories:
Report Vulnerabilities
If you discover a security vulnerability, report it to Westermo PSIRT:
Keep Firmware Updated
Firmware updates and upgrades are released regularly to address security vulnerabilities, and add new security capabilities. It is therefore important to continuously monitor for new releases and apply patches when appropriate, based on operational requirements and risk assessments. When applying a firmware update or upgrade, it is recommended to use an encrypted transfer protocol, such as HTTPS, especially when performing updates via remote interfaces. This ensures the integrity and confidentiality of the update process and helps prevent unauthorized access or tampering during transmission, however this is of higher importance for non-secure-boot-devices.
Removal of Secrets
Clear Secrets
Factory Reset via Web Interface, CLI or Console will clear all secrets described in Factory Reset. Example for performing factory reset can be performed with the following command:
example:/#> factory-reset
Reference: Factory Reset
Purge Secrets
Performing Factory Reset via Bootloader: This operation can only be executed through the Console port. It will purge the configuration partitions, including those where sensitive data such as secrets are stored, including secrets mentioned in Factory Reset. This approach is recommended when the device is taken out of its installed environment.
-
To enter the bootloader menu, press
Ctrl + Cupon boot.’ -
Enter 4andPress Enterwhen the following boot menu is presented:Barebox Boot Menu 1: Primary Partition 2: Secondary Partition 3: Network (BOOTP) 4: Factory Reset 5: System Recovery -
Enter yandPress Enterwhen the following option is presented:Performing a factory reset will erase all configuration data, but will keep the currently installed firmware.
Are you sure that want to erase all configuration data? y/[n]
Important
The prompt is case-sensitive. If the correct character
yis not entered exactly, the purge operation will not be executed. -
The device will now purge the partitions and reboot
Erasing Barebox configuration ................................... [ OK ] Erasing System configuration .................................... [ OK ] Device was successfully factory reset.
The device will now reboot.