LTS

    Innovation Version

      OS Hardening Overview

      This chapter describes the purpose and solution of openEuler system hardening.

      security-hardening-purpose

      The OS, as the core of the information system, manages hardware and software resources and is the basis of information system security. Applications must depend on the OS to ensure the integrity, confidentiality, availability, and controllability of information. Without the OS security protection, protective methods against hackers and virus attacks at other layers cannot meet the security requirements.

      Therefore, security hardening is essential for an OS. Security hardening helps build a dynamic and complete security system, enhance product security, and improve product competitiveness.

      security-hardening-solution

      This section describes the openEuler security hardening solution, including the hardening method and items.

      Security Hardening Method

      You can manually modify security hardening configurations or run commands to harden the system, or use the security hardening tool to modify security hardening items in batches. The openEuler security hardening tool runs as openEuler-security.service. When the system is started for the first time, the system automatically runs the service to execute the default hardening policy, and automatically set the service not to start as the system starts.

      You can modify the security.conf file and use the security hardening tool to implement user-defined security hardening.

      security hardening impacts

      Security hardening on file permissions and account passwords may change user habits, affecting system usability. For details about common hardening items that affect system usability, see Table 1.

      Table 1 Security hardening impacts

      Item

      Suggestion

      Impact

      Configured By Default

      Timeout setting on the text-based user interface (TUI)

      When the TUI is idle for a long period of time, it automatically exits.

      NOTE:

      When a user logs in to the system using SSH, the timeout period is determined by the smaller value of the TMOUT field in the /etc/profile file and the ClientAliveInterval field in the /etc/ssh/sshd_config file. You are advised to set this parameter to 300 seconds.

      If you do not perform any operation on the TUI for a long time, TUI automatically exits.

      No

      Password complexity

      The password is a string containing at least eight characters chosen from three or four of the following types: uppercase letters, lowercase letters, digits, and special characters.

      All passwords must comply with the complexity requirements.

      No

      Password retry limits

      If a user fails to enter the correct password for three consecutive times when logging in to the OS, the user account will be locked for 60 seconds.

      After the account is locked, the user can log in to the system only after 60 seconds.

      Yes

      Default umask value

      The default umask value of all users is set to 077 so that the default permission on files created by users is 600 and the default permission on directories is 700.

      Users must modify the permission on specified files or directories as required.

      Yes

      Password validity period

      The password validity period can be modified in the /etc/login.defs file and is set to 90 days by default. It can be modified in any time. An expiration notification will be displayed seven days before a password is to expire.

      When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

      No

      su permission control

      The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

      Common users can successfully run the su command only after joining in the wheel group.

      Yes

      Disabling user root from logging in using SSH

      Set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to no. In this way, user root cannot directly log in to the system using SSH.

      You need to log in to the system as a common user in SSH mode and then switch to user root.

      No

      Strong SSH encryption algorithm

      The MACs and Ciphers configurations of SSH services support the CTR and SHA2 algorithms and do not support the CBC, MD5, and SHA1 algorithms.

      Some early Xshell and PuTTY versions do not support aes128-ctr, aes192-ctr, aes256-ctr, hmac-sha2-256, and hmac-sha2-512 algorithms. Ensure that the latest PuTTY (0.63 or later) and Xshell (5.0 or later) are used.

      Yes

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份