OS Hardening Overview

This chapter describes the purpose and solution of openEuler system hardening.

security-hardening-purpose

The OS, as the core of the information system, manages hardware and software resources and is the basis of information system security. Applications must depend on the OS to ensure the integrity, confidentiality, availability, and controllability of information. Without the OS security protection, protective methods against hackers and virus attacks at other layers cannot meet the security requirements.

Therefore, security hardening is essential for an OS. Security hardening helps build a dynamic and complete security system, enhance product security, and improve product competitiveness.

security-hardening-solution

This section describes the openEuler security hardening solution, including the hardening method and items.

Security Hardening Method

You can manually modify security hardening configurations or run commands to harden the system, or use the security hardening tool to modify security hardening items in batches. The openEuler security hardening tool runs as openEuler-security.service. When the system is started for the first time, the system automatically runs the service to execute the default hardening policy, and automatically set the service not to start as the system starts.

You can modify the security.conf file and use the security hardening tool to implement user-defined security hardening.

security hardening impacts

Security hardening on file permissions and account passwords may change user habits, affecting system usability. For details about common hardening items that affect system usability, see Table 1.

Table 1 Security hardening impacts

Item

Suggestion

Impact

Configured By Default

Timeout setting on the text-based user interface (TUI)

When the TUI is idle for a long period of time, it automatically exits.

NOTE:

When a user logs in to the system using SSH, the timeout period is determined by the smaller value of the TMOUT field in the /etc/profile file and the ClientAliveInterval field in the /etc/ssh/sshd_config file. You are advised to set this parameter to 300 seconds.

If you do not perform any operation on the TUI for a long time, TUI automatically exits.

No

Password complexity

The password is a string containing at least eight characters chosen from three or four of the following types: uppercase letters, lowercase letters, digits, and special characters.

All passwords must comply with the complexity requirements.

No

Password retry limits

If a user fails to enter the correct password for three consecutive times when logging in to the OS, the user account will be locked for 60 seconds.

After the account is locked, the user can log in to the system only after 60 seconds.

Yes

Default umask value

The default umask value of all users is set to 077 so that the default permission on files created by users is 600 and the default permission on directories is 700.

Users must modify the permission on specified files or directories as required.

Yes

Password validity period

The password validity period can be modified in the /etc/login.defs file and is set to 90 days by default. It can be modified in any time. An expiration notification will be displayed seven days before a password is to expire.

When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

No

su permission control

The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

Common users can successfully run the su command only after joining in the wheel group.

Yes

Disabling user root from logging in using SSH

Set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to no. In this way, user root cannot directly log in to the system using SSH.

You need to log in to the system as a common user in SSH mode and then switch to user root.

No

Strong SSH encryption algorithm

The MACs and Ciphers configurations of SSH services support the CTR and SHA2 algorithms and do not support the CBC, MD5, and SHA1 algorithms.

Some early Xshell and PuTTY versions do not support aes128-ctr, aes192-ctr, aes256-ctr, hmac-sha2-256, and hmac-sha2-512 algorithms. Ensure that the latest PuTTY (0.63 or later) and Xshell (5.0 or later) are used.

Yes

有奖捉虫

“有虫”文档片段

存在的问题

提交类型 issue
有点复杂...
找人问问吧。
PR
小问题,全程线上修改...
一键搞定!
问题类型
规范和低错类

● 错别字或拼写错误;标点符号使用错误;

● 链接错误、空单元格、格式错误;

● 英文中包含中文字符;

● 界面和描述不一致,但不影响操作;

● 表述不通顺,但不影响理解;

● 版本号不匹配:如软件包名称、界面版本号;

易用性

● 关键步骤错误或缺失,无法指导用户完成任务;

● 缺少必要的前提条件、注意事项等;

● 图形、表格、文字等晦涩难懂;

● 逻辑不清晰,该分类、分项、分步骤的没有给出;

正确性

● 技术原理、功能、规格等描述和软件不一致,存在错误;

● 原理图、架构图等存在错误;

● 命令、命令参数等错误;

● 代码片段错误;

● 命令无法完成对应功能;

● 界面错误,无法指导操作;

风险提示

● 对重要数据或系统存在风险的操作,缺少安全提示;

内容合规

● 违反法律法规,涉及政治、领土主权等敏感词;

● 内容侵权;

您对文档的总体满意度

非常不满意
非常满意
创Issue赢奖品
根据您的反馈,会自动生成issue模板。您只需点击按钮,创建issue即可。