General Information

Hardening Overview

The hardening practices are provided in two sections:

  • Fundamental Hardening reflects hardening practices that should be considered as mandatory, regardless of implemented design or environment. Fundamental Hardening does not require any external dependencies.

  • Enhanced Hardening reflects hardening practices that provide enhanced security. These practices are generally specific to the implemented design, environment or system requirements. Enhanced Hardening may rely on external dependencies, which introduces additional requirements for systems outside the device itself.

Security Maintenance

Configuration Context

Throughout the hardening guide, the steps for reaching a given context have intentionally been left out. Carefully note the context to which each setting applies. As an example, the config / system context must be entered before typing encrypt-secrets password.

example:/config/system/#> encrypt-secrets password

Working with Configuration

WeOS keeps multiple configurations: copies stored in persistent storage and an active copy running in memory. Permanent changes to the configuration should be saved or committed to prevent configuration inconsistencies if the device is rebooted or loses power. Configuration changes can be saved on a device with the following command:

Remember "copy run start" to save to flash (NVRAM).
example:/#> copy run start

Use an encrypted protocol, such as HTTPS, to back up and restore configurations via remote interfaces. Backed-up or archived configurations, and the backup repository, must be protected from unauthorized access.

Monitor Security Advisories

Stay informed about vulnerabilities and recommended mitigations by subscribing to Westermo security advisories:

Report Vulnerabilities

If you discover a security vulnerability, report it to Westermo PSIRT:

Keep Firmware Updated

Firmware updates and upgrades are released regularly to address security vulnerabilities and to add new security capabilities. It is therefore important to continuously monitor for new releases and apply patches when appropriate, based on operational requirements and risk assessments. When applying a firmware update or upgrade, it is recommended to use an encrypted transfer protocol, such as HTTPS, especially when performing updates via remote interfaces. This ensures the integrity and confidentiality of the update process and helps prevent unauthorized access or tampering during transmission; it is of higher importance for devices without secure boot.

Removal of Secrets

Clear Secrets

A Factory Reset via the Web Interface, CLI or Console will clear all secrets described in Factory Reset. A factory reset can be performed with the following command:

example:/#> factory-reset

Reference: Factory Reset

Purge Secrets

Performing Factory Reset via Bootloader: This operation can only be executed through the Console port. It purges the configuration partitions, including those where sensitive data such as the secrets mentioned in Factory Reset are stored. This approach is recommended when the device is taken out of its installed environment.

  1. To enter the bootloader menu, press Ctrl + C upon boot.

  2. Enter 4 and press Enter when the following boot menu is presented:

    Barebox Boot Menu
          1: Primary Partition
          2: Secondary Partition
          3: Network (BOOTP)
          4: Factory Reset
          5: System Recovery
    

  3. Enter y and press Enter when the following option is presented:

    Performing a factory reset will erase all configuration data,
    but will keep the currently installed firmware.

    Are you sure that want to erase all configuration data? y/[n]

    Important

    The prompt is case-sensitive. If the correct character y is not entered exactly, the purge operation will not be executed.

  4. The device will now purge the partitions and reboot:

    Erasing Barebox configuration ................................... [ OK ]
    Erasing System configuration .................................... [ OK ]
    Device was successfully factory reset.

    The device will now reboot.
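
An added example, not part of the Westermo guide: a check that a captured console session from the bootloader purge contains the evidence shown in step 4 (both erase lines marked OK plus the success line), which can be kept as a decommissioning record and catches a session where the case-sensitive prompt was not answered with y. The function name, the sample sessions and the assumption that the terminal program logged the session to text are constructed for illustration.

```python
import re

# Status lines printed by the bootloader in step 4 of the procedure above.
REQUIRED_STEPS = ("Erasing Barebox configuration", "Erasing System configuration")
SUCCESS_LINE = "Device was successfully factory reset."
# e.g. "Erasing System configuration ........ [ OK ]"
STEP_RE = re.compile(r"^\s*(Erasing .+? configuration)\s*\.+\s*\[\s*(\w+)\s*\]\s*$")


def verify_purge(console_log: str) -> dict:
    """Return the purge evidence found in a captured console session."""
    lines = console_log.splitlines()
    statuses = {}
    for line in lines:
        m = STEP_RE.match(line)
        if m:
            statuses[m.group(1)] = m.group(2)
    missing = [s for s in REQUIRED_STEPS if s not in statuses]
    failed = [s for s in REQUIRED_STEPS if statuses.get(s, "OK") != "OK"]
    confirmed = any(line.strip() == SUCCESS_LINE for line in lines)
    return {
        "purged": not missing and not failed and confirmed,
        "missing": missing,   # erase steps that never appeared in the log
        "failed": failed,     # erase steps that appeared with a status other than OK
        "confirmed": confirmed,
    }


# Constructed sample: a session matching the output shown in the guide.
GOOD_LOG = """\
Are you sure that want to erase all configuration data? y/[n] y
Erasing Barebox configuration ................................... [ OK ]
Erasing System configuration .................................... [ OK ]
Device was successfully factory reset.

The device will now reboot.
"""

# Constructed sample: the prompt was answered with an upper-case Y, so no
# erase lines follow (what the device prints afterwards is not assumed here).
ABORTED_LOG = """\
Are you sure that want to erase all configuration data? y/[n] Y
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("aborted", ABORTED_LOG)):
        print(name, verify_purge(log))
```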