To protect the Python script from unintended changes, the SR OS supports a new Python script file format: SRPY. SRPY includes a key-based hash (HMAC) of the original script content. When the system loads a script in SRPY format, it computes a hash using the configured key and the script content. The resulting hash is compared to the embedded hash. If they are the same, the script is considered valid. Otherwise, the system aborts with a warning message.
Users can configure protection hmac-sha256 key key within a Python script. When protection is mandated this way, all configured scripts must be in SRPY format.
The system provides a tools command (tools perform python-script protect) to convert a Python script into SRPY format.
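The load-time check described above, as an added example that is not SR OS code: it wraps a script with an HMAC-SHA256 tag and rejects it on load if the content or the key differs. The container layout (MAGIC header, hex tag line), the function names and the sample key and script are assumptions made for illustration; the real SRPY on-disk format is not described here.

```python
import hashlib
import hmac

# Hypothetical container layout for illustration only; the real SRPY
# on-disk format is not described on this page.
MAGIC = b"SRPY-EXAMPLE\n"


class ScriptIntegrityError(Exception):
    """Raised when a script fails the embedded-HMAC check."""


def protect(script: bytes, key: bytes) -> bytes:
    """Prefix the script with an HMAC-SHA256 tag computed under `key`."""
    tag = hmac.new(key, script, hashlib.sha256).hexdigest().encode()
    return MAGIC + tag + b"\n" + script


def load(container: bytes, key: bytes) -> bytes:
    """Return the script body only if its embedded tag verifies."""
    if not container.startswith(MAGIC):
        raise ScriptIntegrityError("not in protected format")
    tag_hex, sep, script = container[len(MAGIC):].partition(b"\n")
    if not sep or len(tag_hex) != 64:
        raise ScriptIntegrityError("malformed header")
    expected = hmac.new(key, script, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag_hex, expected):
        raise ScriptIntegrityError("HMAC mismatch: script rejected")
    return script


def check(container: bytes, key: bytes) -> str:
    """Report the load decision as a short status string."""
    try:
        load(container, key)
        return "valid"
    except ScriptIntegrityError as exc:
        return f"rejected ({exc})"


# Constructed sample inputs (not real keys or scripts).
KEY = b"example-configured-key"
SCRIPT = b"def handler(pkt):\n    return pkt\n"
PROTECTED = protect(SCRIPT, KEY)
TAMPERED = PROTECTED.replace(b"return pkt", b"return None")

if __name__ == "__main__":
    for name, blob in (("original", PROTECTED), ("tampered", TAMPERED), ("plain", SCRIPT)):
        print(name, "->", check(blob, KEY))
```

A script protected under one key is also rejected when loaded with a different key, so rotating the configured key requires re-protecting every script.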
Python scripts are also subject to run-time limits to prevent DoS attacks:
Centralized:
Initial run: 100 ms
Subsequent run: 10 ms
Distributed:
Initial run: 10 ms
Subsequent run: 1 ms