OS Hardening Overview

This chapter describes the purpose and solution of openEuler system hardening.


The OS, as the core of the information system, manages hardware and software resources and is the basis of information system security. Applications must depend on the OS to ensure the integrity, confidentiality, availability, and controllability of information. Without the OS security protection, protective methods against hackers and virus attacks at other layers cannot meet the security requirements.

Therefore, security hardening is essential for an OS. Security hardening helps build a dynamic and complete security system, enhance product security, and improve product competitiveness.


This section describes the openEuler security hardening solution, including the hardening method and items.

Security Hardening Method

You can manually modify security hardening configurations or run commands to harden the system, or use the security hardening tool to modify security hardening items in batches. The openEuler security hardening tool runs as openEuler-security.service. When the system is started for the first time, the system automatically runs the service to execute the default hardening policy, and automatically set the service not to start as the system starts.

You can modify the security.conf file and use the security hardening tool to implement user-defined security hardening.

security hardening impacts

Security hardening on file permissions and account passwords may change user habits, affecting system usability. For details about common hardening items that affect system usability, see Table 1.

Table 1 Security hardening impacts




Configured By Default

Timeout setting on the text-based user interface (TUI)

When the TUI is idle for a long period of time, it automatically exits.


When a user logs in to the system using SSH, the timeout period is determined by the smaller value of the TMOUT field in the /etc/profile file and the ClientAliveInterval field in the /etc/ssh/sshd_config file. You are advised to set this parameter to 300 seconds.

If you do not perform any operation on the TUI for a long time, TUI automatically exits.


Password complexity

The password is a string containing at least eight characters chosen from three or four of the following types: uppercase letters, lowercase letters, digits, and special characters.

All passwords must comply with the complexity requirements.


Password retry limits

If a user fails to enter the correct password for three consecutive times when logging in to the OS, the user account will be locked for 60 seconds.

After the account is locked, the user can log in to the system only after 60 seconds.


Default umask value

The default umask value of all users is set to 077 so that the default permission on files created by users is 600 and the default permission on directories is 700.

Users must modify the permission on specified files or directories as required.


Password validity period

The password validity period can be modified in the /etc/login.defs file and is set to 90 days by default. It can be modified in any time. An expiration notification will be displayed seven days before a password is to expire.

When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.


su permission control

The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

Common users can successfully run the su command only after joining in the wheel group.


Disabling user root from logging in using SSH

Set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to no. In this way, user root cannot directly log in to the system using SSH.

You need to log in to the system as a common user in SSH mode and then switch to user root.


Strong SSH encryption algorithm

The MACs and Ciphers configurations of SSH services support the CTR and SHA2 algorithms and do not support the CBC, MD5, and SHA1 algorithms.

Some early Xshell and PuTTY versions do not support aes128-ctr, aes192-ctr, aes256-ctr, hmac-sha2-256, and hmac-sha2-512 algorithms. Ensure that the latest PuTTY (0.63 or later) and Xshell (5.0 or later) are used.





提交类型 issue

● 错别字或拼写错误;标点符号使用错误;

● 链接错误、空单元格、格式错误;

● 英文中包含中文字符;

● 界面和描述不一致,但不影响操作;

● 表述不通顺,但不影响理解;

● 版本号不匹配:如软件包名称、界面版本号;


● 关键步骤错误或缺失,无法指导用户完成任务;

● 缺少必要的前提条件、注意事项等;

● 图形、表格、文字等晦涩难懂;

● 逻辑不清晰,该分类、分项、分步骤的没有给出;


● 技术原理、功能、规格等描述和软件不一致,存在错误;

● 原理图、架构图等存在错误;

● 命令、命令参数等错误;

● 代码片段错误;

● 命令无法完成对应功能;

● 界面错误,无法指导操作;


● 对重要数据或系统存在风险的操作,缺少安全提示;


● 违反法律法规,涉及政治、领土主权等敏感词;

● 内容侵权;