Extended Security Hardening for

Avaya Aura® for Release 7.1.2

An External White Paper
December 14, 2017
Issue 1.0

Abstract:
All of the Avaya Aura® products do provide a standard level of security hardening. The
commands described in this document invoke an additional set of hardening (hence the name
“Extended”).
This document is designed to provide a basic introduction for the use of OS level CLI commands
that will invoke built in script programs in the Avaya Aura ® server application products for the
purpose of automatically providing the administration steps necessary to conform with the
security requirements of the Operating System STIGs (including Red Hat Enterprise Linux 7).
A summary of these command scripts is provided in this paper.

These enhanced OS-Hardening scripts are available in R7.1.2 for both commercial and
government customers.
a) The Communication Manager’s MUDG (Military Unique Deployment Guide) configuration
is nearly 60 pages in length and describes a series of manual steps which must be
executed with Root account permission. These OS-Hardening scripts provide an
automated means for providing this administration and helping to limit the net amount of
manual administration.
b) These scripts provide the commercial customer with the ability to harden his/her system
to an equivalent level as to what the government customers have historically deployed.
It should be noted that these OS-hardening scripts can be executed from a customer account
level and do not require the OS system to create a root account to support these administrative
steps.

1
Table of Contents
1 Reference Documentation ...................................................................................... 3
2 Document Change History...................................................................................... 3
3 Glossary ..................................................................................................................... 3
3.1 Terminology and Acronyms................................................................................. 3
4 Feature Overview ..................................................................................................... 6
4.1 Considerations Regarding Hardening and Running Security Scans .................... 6
5 Product Feature Support for Avaya Aura R7.1.2 Products ............................... 7
5.1 Communication Manager OS-Hardening Scripts ................................................ 7
5.1.1 setCMAuditd OS-Hardening Script .............................................................. 7
5.1.2 setCMSelinux OS-Hardening Script ............................................................. 7
5.1.3 MUDG_part1 OS-Hardening Script ............................................................. 7
5.1.4 Commands for use with AIDE Operation ..................................................... 8
5.1.5 Commands for use with clamav Anti-Virus Operation ................................ 8
5.1.6 Command for Enabling FIPSMode Operation ............................................. 9
5.2 Session Manager OS-Hardening Scripts ............................................................ 10
5.3 System Manager OS-Hardening Scripts ............................................................ 11
5.3.1 Commands for use with Commercial Grade Hardening ............................. 11
5.3.2 Commands for use with Military Grade Hardening ................................... 12
5.3.3 Optional Settings for Further Security Hardening ...................................... 12
5.4 AVP OS-Hardening Scripts ............................................................................... 13
5.4.1 AVP Host Hardening Script........................................................................ 13
5.4.2 Enable Out-of-Band Management (OOBM) .............................................. 13
5.4.3 Configure Access Control ........................................................................... 13
5.4.4 Configure Remote Logging ........................................................................ 14
5.4.5 AVP Hardening Status Check ..................................................................... 14
5.4.6 Check for Unauthorized Setuid and Setgid Files: ....................................... 14
5.5 Utility Services OS-Hardening Scripts .............................................................. 15
5.5.1 Enable FIPS Mode ...................................................................................... 15
5.5.2 Enable Out-of-BAND Management ........................................................... 15
5.5.3 Local Users Account Management ............................................................. 15
5.5.4 Configure Password Settings ...................................................................... 15
5.5.5 Configure Access Control List.................................................................... 16
5.5.6 Configure Remote Logging ........................................................................ 16
5.5.7 Configure LDAP ......................................................................................... 16
5.5.8 Configure EASG ......................................................................................... 16
5.5.9 Configure Serviceability Agent Certificates ............................................... 16
5.5.10 Configure the Login Banner ....................................................................... 16
5.5.11 Generate the AIDE Report .......................................................................... 16
5.5.12 Generate the Auditd Report ........................................................................ 16
6 Product Feature Support for Avaya Aura Pre-R7.1.2 Products ...................... 17
6.1 CMM R7.0.1 ...................................................................................................... 17

2
 1 Reference Documentation

The following documents provide a detailed description of these security features.

• Avaya Aura® Release 7.1 Military Unique Deployment Guide: This is a PDF book
which contains individual booklets for:
o Communication Manager
o System Manager
o Session Manager
o AVP
o Utility Services
This document is only available to the Avaya Government Solutions customers.

• Red Hat Enterprise Linux 7 Security Technical Implementation Guide, Version 1

• “Military Unique Deployment Guide for Avaya Aura® Communication Manager &
Communication Manager Messaging 7.0.1-TN 1532801”, February, 2017.
• Maintenance Commands for Avaya Aura® Communication Manager, Branch Gateways,
and Servers, Release 7.1.2, Issue 2, December, 2017.
• Administering Avaya Aura® System Manager for Release 7.1.2, December, 2017.

2 Document Change History

EVENT DOCUMENT DATE CHANGE DESCRIPTION

nd
Draft 0.4 issued for 2 review 07 Dec 2017 Stored in 178247
Version 1.0 issued for Posting on 14 Dec 2017
Support site.
Table 1: Document Change History

3 Glossary

3.1 Terminology and Acronyms

TERM MEANING
Advanced Intrusion Detection Environment– This security
AIDE
module creates a database from the regular expression rules
that it finds from the config file(s). Once this database is
initialized it can be used to verify the integrity of the files
going forward.
Avaya Communication Manager – The current name for
CM
the Avaya Call Processing platform used on our call server
platforms.
Federal Information Processing Standard (FIPS) – This is a
FIPS
United States government specification that determines
which Cryptographic algorithms are to be supported, what

3
 TERM MEANING
are the encryption key lengths, and what are the policies
that govern the use of these algorithms.
FIPS 140-2 Level 1 defines the commercial grade
passivation to provide secure protection of the
cryptographic algorithms for a give product module.
• Note that this is what the G430/G450 will support.
Levels 2, 3 and 4 specify tamper evident coating and
overall physical security in terms of not allowing access to
electrical part identification.
Joint Interoperability Test Command (US Government)
JITC
Kernel Virtual Machine
KVM
Lightweight Directory Access Protocol - This protocol
LDAP
defines a standard manner of organizing directory
hierarchies and a standard interface for clients to access
directory servers.
MG Media Gateway – refers to a product that aggregates and
translates between various types of media sources for
example analog, DCP, and IP.
MUDG Military Unique Deployment Guide – refers to a product
configuration guide that is focused on the necessary OS
security administration steps required to provide the
operational governance for this product.
OVA Open Virtualization Appliance
SAR Self-Assessment Report – This is a detailed spreadsheet
that provides a Vendor’s response to the requirements
listed in the US Government’s Security Implementation
Guides. This is the second step in the submission of a
product for JTIC testing.
SDM Solution Deployment Manager – This is a functional
module that resides within System Manager. It provides an
administrative interface in support of OVA installation for
the Avaya Aura ™ server products. The SDM module may
be alternatively provided as a stand-alone client which
resides on a work station.
SELinux Security Enhanced Linux – This is a Linux kernel security
module that provides a mechanism for supporting access
control security policies, including United States
Department of Defense–style mandatory access controls
(MAC).
SM Avaya’s Session Manager – This product is responsible for
routing of SIP traffic in an enterprise network. This product

4
 TERM MEANING
also manages the role of a SIP proxy registrar.
SMGR Avaya’s System Manager – This product is responsible for
serving as a central administrative manager and is a data
base manager for PPM profiles.. This product also serves
as a Certificate Authority and can provide the SCEP server
for automatic certificate signing for SIP & H.323 phones.
STIG Security Technical Implementation Guide – This is a series
of documents which provide implementation guidelines for
how to build a product which is conformant with the
United States DOD’s Unified Capabilities Requirements
(UCR) for various security feature areas.
US Utility Services – This product serves as a general purpose
server, providing DHCP services and an http server for the
Avaya clients.

Table 2: Terms and Acronyms

5
4 Feature Overview
OS-Hardening involves a series of steps to configure OS-Security features in the Linux operating
system. Some of the Avaya Aura products employ the Red Hat Linux R7.x security management
module. Some of the Java-based products employ Bouncy Castle security management. Finally
some of the embedded products (media gateways and endpoints) support home grown security
management. For all of these products, OS-hardening entails providing the configurations as
specified in the RHEL-7 and Java-based Security Technical Implementation Guides (STIG).
A key summary of the configuration is listed below:
• Enablement of Auditd
• Enablement of Security Enhanced Linux (Selinux)
• Enablement of the AIDE intrusion detection software for data bases
• Enablement of the clamav intrusion detection software
• Configuration of the password policy rules
• Limitation of remote access (SSH) policies
• Configuration of privileged user accounts
• Disablement of certain services that operate with little or no security policy
• Configuration of the permissions for the file system.

4.1 Considerations Regarding Hardening and Running Security Scans

Security scan programs provide a very “literal” execution of the requirements contained within a
government defined document, such as a STIG specification. In practice, it is important to note
that a customer or product vender (such as Avaya) may have reasons for operation that deviate
as follows:

Vendor
o A Vendor may have performance concerns about full-time operation of security
packages such as SELinux or AIDE. The vendor may alter the design to make
the subsequent use fo these programs to be optional, with an administrative
mechanism to enable/disable these features.
o The configuration of permissions of the file system may have some special
reason for interaction with other software products (that form a solution) in such a
way that there may be fine differences of read/write/execute from the STIG
recommendations.
o Some products do not have all possible features integrated into the standard
software base. An example of this is LDAP. If a customer desires these features,
there may need to be a loose integration with a third party product.

Customer
o A customer may desire to have a particular set of password policies which
exceed/deviate from the written STIG recommendations.
o A customer may desire to disable/enable a feature such as LDAP.
o A customer may wish to modify authentication procedures to accommodate a
special sign-on need. This may require modification to the solution deployment to
require a CAC reader or a hardened workstation that provides unique admission
to always require access to Avaya Aura®’s System Manager (for example).

In summary, it is difficult to apply a “universal” test vector without first inspecting the specific
vendor product specifications and the customer’s security administration policies. The results of a
security scan may need to be analyzed carefully to take these issues into fair consideration.

6
5 Product Feature Support for Avaya Aura R7.1.2 Products

5.1 Communication Manager OS-Hardening Scripts

The summary of OS_Hardening script commands is listed below:
o It should be noted that these commands can be executed from a customer login account.
 SetCMAUditd
 setCMSelinux
 MUDG_part1
 sudo updateRegistry UseAIDE=enabled
 sudo updateRegistry UseClamav=enabled

The complete description of these commands is contained in the customer document,

“Maintenance Commands for Avaya Aura® Communication Manager, Branch Gateways, and
Servers, Release 7.1.2”.

5.1.1 setCMAuditd OS-Hardening Script

The command for enabling/disabling the system level auding is:
setCMAuditd [ -f ] <enabled|disabled>

o Use this command to enable or disable the operating system level auditing on the CM server.
o Note: Using this command will impact system performance. Initial tests show a performance
impact of 5 %. Run this command when the system’s performance is not fully utilized.

5.1.2 setCMSelinux OS-Hardening Script

The command for enabling/disabling the Security Enhanced Linux feature group is:
setCMSelinux [ -f ] <disabled|permissive|enforcing>

Use this command to change the state of selinux on the CM server.

o Turning on selinux will automatically enable auditd (even if auditd is not explicitly enabled
with the setCMAuditd command.
o When selinux is enabled, you must change state in steps by moving from “disabled” to
“permissive”, then to “enforcing”.
o Note: Using this command will impact system performance. Initial tests show a
performance impact of 5 %. Run this command when the system’s performance is not
fully utilized.

5.1.3 MUDG_part1 OS-Hardening Script

The command for enabling several of the desired individual Red Hat OS settings is:
MUDG_part1
Use this command to configure the system OS security parameters into a “hardened state”. For
government customers this covers several of the manual actions directed by the MUDG
document.
When you run this command, the CM OS will undergo the following changes:
o Removes console.perms and console.perm.d.
o Only allow console access in /etc/securetty. Disable the kdump service for kernel crash
monitoring.
o Configure the password strength and expiration policy.
o Configure the failed login account locking.
o Change ownership of ppp-login shell to root:root.
o Restrict audit tool permissions to privileged users.
o Restrict crontab permissions to root user.
o Remove the unused rasaccess user.
o Configure session time outs to 600 seconds for command line and SMI web interfaces.

7
 o Change default lock time for expired accounts to “immediate”.
o Set the maximum polling time for ntp to 1024 seconds.
o Start ntpd and verify that it is enabled to start at the next boot.
o Constrain modules and options used in web server directories.

5.1.4 Commands for use with AIDE Operation

The following commands are useful with AIDE operation:
1. UseAIDE registry option
Run the following commands as a super-user:
sudo updateRegistry UseAIDE=enabled
sudo setPlatformAttributes

o Use this command to generate a report every night for the modified system files.
o When you run this command, a cron job is set up that will run every night to check
the system state. Additionally, the initial AIDE database is created
o USeAIDE may be configured as “disabled” alternatively.

2. aideCheck command
o Use “aideCheck” to perform a file integrity check manually against the AIDE
database.
o After the command is executed, a report is generated on the terminal.

3. aideDBUpdate command
o NOTE: AIDE must be enabled before running this command as a super-user
o Use this command to update the AIDE database when the following scenarios:
 Patches are installed
 Configurations are updated

5.1.5 Commands for use with clamav Anti-Virus Operation

The following commands are useful with clamav operation:
o The UseClamav registry option
Run the following commands as a super-user:
sudo updateRegistry UseClamav=<newvalue>
sudo setPlatformAttributes

o Where <newvalue> can be one of the following modes:

 enabled–this allows the scan to operate
 disabled –this disables the virus scan.
o This command is a feature specific to the CM Application.
o Use this command to scan the system every night for viruses and malware.
o NOTE: in R7.1.x releases, you must install a service pack with ClamAV RPMs before
ClamAV starts executing. After the SSP is installed with these RPMs, the system is
configured automatically to start the scan every night.
 The Clamav can also be used to update the virus definition files several times a
day.
 If you do not have network connectivity, you must use manual mode to disable
these daily updates.

o ClamavUpdate command
Run the following commands as a super-user:
sudo ClamavUpdate=<newvalue>

o Where <newvalue> can be one of the following modes:

 wget – initial configuration is performed in this mode. When this mode is used,
the probability of successful updates in your network is high.

8
  freshclam – robust and best mode to use.
 Manual – used to disable the daily updates when there is no network connection.
o Use this command to scan the system every night for viruses and malware.

o clamscanDaily command
o When you run this command, a scan is initiated and the results appear after a few
minutes.
o Use clamscanDaily to manually run a virus scan only when:
 clamav is enabled.
 Any 7.1 SSP greater than RHEL7.2ssp001 is installed.

5.1.6 Command for Enabling FIPSMode Operation

The following command is used to place the Linux OS into FIPS mode.
fips_mode enabled
o The Security Administrator can execute this command must belong to the “susers” group.
o The Security Administrator will be prompted for a “y/n” and then the CM server will reboot
automatically
To disable FIPSMode, execute the “fips_mode disabled” command
o The Security Administrator will be prompted for a “y/n” and then the CM server will reboot
automatically

9
5.2 Session Manager OS-Hardening Scripts
In order to provide the correct administration to accommodate STIG OS requirements, run the
following command
setSecurityPolicy

o Select the “Hardened” profile

o A warning will be shown to point out that certain software components will be removed.
Select “yes” to continue.
 Cassandra is not FIPS-compliant in 7.1.2 and will be removed in hardened mode.
Centralized call logs and AADS no longer work after Cassandra has been
removed.
o Note: Once the Hardened profile is applied, it cannot be undone. A redeploy of SM is
required.

10
5.3 System Manager OS-Hardening Scripts
The complete description of these commands is contained in the customer document,
“Administering Avaya Aura® System Manager for Release 7.1.2”.
It should be noted that many of the OS-hardening tasks are already contained in the standard
hardening offer for System Manager.

In order to provide the correct administration to accommodate STIG OS requirements, log in to

the System Manager command line interface and type the following command:
setSecurityProfile enable_commercial_grade

Alternatively, for a government customer, they can seek the more restrictive mode by typing
setSecurityProfile enable_military _grade
With this mode, the user will be prompted to also?
• Enable or disable SELinux
• Enable or disable AIDE

As a summary, the “Commercial grade” applies the following security upgrades:

Modifications for password policy management

Modifications for session management

Sets “FIPS mode”

Modifications for audit management

Additionally, the “Military grade” applies the following security upgrades:

Enhancements for password policy management

Modifications for audit management to include OS-audits

Enablement of SELinux

Enablement of AIDE for file tampering prevention

5.3.1 Commands for use with Commercial Grade Hardening

The following command is helpful for displaying the system configuration with Commercial Grade
hardening:
getSecurityprofile

This would provide a display as follows.

Profile Mode : commercial grade hardened mode enabled

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
FIPS State : FIPS enabled.

11
5.3.2 Commands for use with Military Grade Hardening
The following command is helpful for displaying the system configuration with Military Grade
hardening:
getSecurityprofile

This would provide a display as follows.

Profile Mode : military grade hardened mode enabled

SELinux status: enabled

SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

FIPS State : FIPS enabled.

Audit logging Enabled..
AIDE Tool Enabled..

5.3.3 Optional Settings for Further Security Hardening

The following command options may be invoked as part of the customer’s security environment.
These are all described in the “Administration Guide for Avaya Aura® System Manager for
Release 7.1.2”.

Enable Out-of-Band Management

o This must be enabled for Military customers

The password policies may be strengthened to a degree more restrictvie.

Configure Remote Logging
o This must be enabled for Military customers

Configure LDAP
o This must be enabled for Military customers

Configure EASG
o This must be disabled for Military customers

Change login banner for the given customer’s requirement

12
5.4 AVP OS-Hardening Scripts
The summary of OS_Hardening script commands is listed below:

Configure Host Hardening

Enabled Out-of-Band Management

Configure Access Control

Configure Remote Logging

Status Checks for Unauthorized Setuid and Setgid files

5.4.1 AVP Host Hardening Script

The following command script is used to provide much of the general configuration to satisfy the
vSphere VMware ESXi 6.0 STIG requirements.
/etc/init.d/avaya-harden start

o Reboot is required
o Warning: Hardening cannot be undone. A new re-install is required to undo the
hardening administration.
o These configuration settings include
 SSH settings
 Session settings (including file permissions)
 Web access virtual switch
 Password policy

5.4.2 Enable Out-of-Band Management (OOBM)

The following command script for enabling OOBM is:
/opt/avaya/bin/set_oobm enable

o Provides a physically and logically separate network connection between management

and the user.
o This command script is optional and should only be enabled as part of a solution wide
implementation, i.e. not to be enabled in isolation.
o WARNING: Performing this change will cause access to the AVP host’s management
port to change from vSwitch0 (eth0) to vSwitch2 (eth2).
o Note: This can also be configured as part of the initial installation via the AVP kickstart
file.

5.4.3 Configure Access Control

The following command script for defining remote access for users and network access for
services is:
/etc/init.d/avaya-harden manual_fixes

o This defines the allowed users and the allowed networks that can access the AVP
host remotely.
o WARNING: Access for Avaya Services requires the following network to be allowed,
this should be defined as an allowed network : 192.168.13.0/29.

13
5.4.4 Configure Remote Logging
Use the following command script to enable remote logging:
esxcli system syslog config set --loghost
udp://192.168.13.1,<transport protocol://site specific
syslog server address:port>

o Note: It is very important to ensure that the following setting is not removed as this is
used for AVP alarming functionality: udp://192.168.13.1

5.4.5 AVP Hardening Status Check

The following command script is used to check the hardening status:
/etc/init.d/avaya-harden status

o Check the hardening status for additional requirements applicable to the AVP host that
may require manual updates.
o Update manually if prompted and if applicable.

5.4.6 Check for Unauthorized Setuid and Setgid Files:

The following commands can be used to perform a weekly check for extraneous device, setuid
and setgid files.
 cat /vmfs/volumes/server-local-
disk/jitc/log/devicefiles/result.txt
 cat /vmfs/volumes/server-local-
disk/jitc/log/setuid/result.txt
 cat /vmfs/volumes/server-local-
disk/jitc/log/setgid/result.txt

o The AVP hardening script baselines the devices, setuid and setgid files. It configures a
cron job to perform a weekly check for changes. You can check the results with these
commands:

14
5.5 Utility Services OS-Hardening Scripts
Avaya Aura® Utility Services only supports extended hardening when deployed in one of the
following modes:
• “Services Port Only” mode
• “Hardened Mode Services” Port Only mode
rd
When FIPS mode is enabled on Utility Services, 3 party hosted certificates must be used for the
Serviceability Agent.

The summary of OS_Hardening functions is listed below:

Enable FIPS Mode

Enable Out-of-Band Management

Local Users Account Management

Configure Access Control

Configure Remote Logging

Configure LDAP

Configure EASG

Configure Serviceability Agent Certificates

Generate AIDE Reports (this is only applicable in Hardened Mode Services Port Only
mode).

Generate Auditd Reports (this is only applicable in Hardened Mode Services Port
Only mode).

Change Login Banner (needed when deployed in Hardened Mode to change from
the DoD banner).

5.5.1 Enable FIPS Mode

The following US command script is used to enable FIPS mode:
/opt/util/bin/fips_mode_enable

o This will initiate a US reboot.

5.5.2 Enable Out-of-BAND Management

The following US command script is used to enable OOBM:
sudo /opt/avaya/common_services/ovf_set_oobm OOBM_Enabled

o Warning: Enablement of OOBM must be coordinated with all other Avaya Aura® product
components that form the enterprise solution.

5.5.3 Local Users Account Management

The following US command scripts are used for local user account management:
/opt/util/bin/Add_Local.sh
/opt/util/bin/Chg_Local.sh
/opt/util/bin/Del_Local.sh

5.5.4 Configure Password Settings

The following US command script is used to configure password settings:
/opt/util/bin/Password_Settings.sh

15
5.5.5 Configure Access Control List
The following US command script is used to configure the Access Control List (ACL):
/opt/util/bin/Configure_SSH_ACL.sh

5.5.6 Configure Remote Logging

The following US command scripts are used to configure Remote Logging:
/opt/util/bin/Add_RSYSLOG.sh
/opt/util/bin/Chg_RSYSLOG.sh
/opt/util/bin/Del_RSYSLOG.sh

5.5.7 Configure LDAP

The following US command scripts are used to configure LDAP:
Chg_LDAP.sh
Disable_LDAP.sh
Enable_LDAP.sh
Install_LDAP_Cert.sh

5.5.8 Configure EASG

The following US command scripts are used to configure EASG:
/opt/util/bin/Enable_EASG.sh
/opt/util/bin/Disable_EASG.sh
sudo /opt/util/bin/PermanentEASGRemoval.sh

5.5.9 Configure Serviceability Agent Certificates

rd
The following US command script is used to configure 3 party certificates for the Serviceability
Agent which provides alarming functionality. This is required when FIPS Mode is enabled to
ensure alarming continues to work:
/opt/util/bin/add_spirit_certs

5.5.10 Configure the Login Banner

The following US command script is used to configure the Login Banner:
sudo /opt/avaya/common_os/bin/setLoginBanner.sh

5.5.11 Generate the AIDE Report

The following US command is used to initiate an AIDE check against the baselined AIDE
database and generate a report of any differences found:
sudo /usr/sbin/aide --check

5.5.12 Generate the Auditd Report

The following US command is used to generate an auditd report:
sudo /usr/sbin/ausearch <options>

o Refer to the auditd man page for further details.

16
6 Product Feature Support for Avaya Aura Pre-R7.1.2 Products
There are situations in which an older product may be a component of an enterprise
solution which offers new security features that are not a standard part of that older
product. In order to prescribe a uniform security policy, this will require that each product
be administered in a careful manner to best meet the customer’s security needs. In some
cases, that older product may need to be replaced by a newer software release.

The subsections which follow contain some special guidelines.

6.1 CMM R7.0.1

If a customer has need to deploy a CMM messaging product and is running on R7.0.1, the new
hardening scripts as described in Section 5 that do not apply. Instead, the customer must go to
the R7.0.1 MUDG for CM/CMM and manual deploy the necessary hardening configurations.
Please refer to:
“Military Unique Deployment Guide for Avaya Aura® Communication Manager & Communication
Manager Messaging 7.0.1-TN 1532801”, February, 2017.

Technical Note: The CMM application and the CM application share a common OS security
platform. This is why the OS security configuration steps for the R7.0.1 MUDG apply to both the
CM and CMM products.

17