Long-Term Supported Versions

    Innovation Versions

      Account Passwords

      Shielding System Accounts

      Description

      Accounts excluding user accounts are system accounts. System accounts cannot be used for logins or performing other operations. Therefore, system accounts must be shielded.

      Implementation

      Modify the shell of a system account to /sbin/nologin.

      usermod -L -s /sbin/nologin $systemaccount
      

      NOTE: $systemaccount indicates the system account.

      Restricting Account Permissions on the su Command

      Description

      The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

      Implementation

      Modify the /etc/pam.d/su file as follows:

      auth         required      pam_wheel.so use_uid
      

      Table 1 Configuration item in pam_wheel.so

      Item

      Description

      use_uid

      UID of the current account.

      Setting Password Complexity

      Description

      You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements.

      Implementation

      The password complexity is implemented by the pam_pwquality.so and pam_pwhistory.so modules in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. You can modify the configuration items of the two modules to change the password complexity requirements.

      Example

      This section provides an example for configuring password complexity.

      Password Complexity Requirements

      1. Contains at least eight characters.

      2. Contains at least three types of the following characters:

        • At least one lowercase letter

        • At least one uppercase letter

        • At least one digit

        • At least one space or one of the following special characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?

      3. Cannot be the same as an account name or the account name in reverse order.

      4. Cannot be the last five passwords used.

      Implementation

      Add the following content to the first two lines of the password configuration item in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

      password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0 
      password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
      

      Configuration Item Description

      For details about the configuration items of pam_pwquality.so and pam_pwhistory.so, see Table 2 and Table 3, respectively.

      Table 2 Configuration items in pam_pwquality.so

      Item

      Description

      minlen=8

      A password must contain at least eight characters.

      minclass=3

      A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.

      ucredit=0

      A password contains any number of uppercase letters.

      lcredit=0

      A password contains any number of lowercase letters.

      dcredit=0

      A password contains any number of digits.

      ocredit=0

      A password contains any number of special characters.

      retry=3

      Each time a maximum of three password changes is allowed.

      enforce_for_root

      This configuration is also effective for user root.

      Table 3 Configuration items in pam_pwhistory.so

      Item

      Description

      remember=5

      A password must be different from the last five passwords used.

      enforce_for_root

      This configuration is also effective for user root.

      Setting the Password Validity Period

      Description

      To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire.

      Implementation

      The password validity period is set by modifying the /etc/login.defs file. Table 4 describes the hardening items. All hardening items in the table are in the /etc/login.defs file. You can directly modify the items in the configuration file.

      Table 4 Configuration items in login.defs

      Item

      Description

      Suggestion

      Configured as Suggested

      PASS_MAX_DAYS

      Maximum validity period of a password.

      90

      No

      PASS_MIN_DAYS

      Minimum interval between password changes.

      0

      Yes

      PASS_WARN_AGE

      Number of days before the password expires.

      7

      Yes

      NOTE: The login.defs file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user root. If the /etc/shadow file contains the same items, the /etc/shadow configuration takes precedence over the /etc/login.defs configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

      Setting Password Encryption Algorithms

      Description

      For system security, passwords cannot be stored in plaintext in the system and must be encrypted. The passwords that do not need to be restored must be encrypted using irreversible algorithms. Set the password encryption algorithm to SHA-512. This item has been set by default in openEuler. The preceding settings can effectively prevent password disclosure and ensure password security.

      Implementation

      To set the password encryption algorithm, add the following configuration to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

      password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      

      Table 5 Configuration items in pam_unix.so

      Item

      Description

      sha512

      The SHA-512 algorithm is used for password encryption.

      Locking an Account After Three Login Failures

      Description

      To ensure user system security, you are advised to set the maximum number of failed login attempts (three attempts are recommended) and the automatic unlocking time (300 seconds are recommended) for a locked account.

      If an account is locked, any input is invalid but does not reset the locking countdown timer. Records of the user's invalid inputs are cleared once unlocked. The preceding settings protect passwords from being forcibly cracked and improve system security.

      NOTE: By default, the maximum number of failed login attempts is 3 in openEuler. After an account is locked, the automatic unlock time is 60 seconds.

      Implementation

      The password complexity is set by modifying the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. The maximum number of failed login attempts is set to 3, and the unlocking time after an account is locked is set to 300 seconds. The configuration is as follows:

      auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
      auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
      auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
      

      Table 6 Configuration items in pam_faillock.so

      Item

      Description

      authfail

      Captures account login failure events.

      deny=3

      A user account will be locked after three failed login attempts.

      unlock_time=300

      A locked common user account is automatically unlocked after 300 seconds.

      even_deny_root

      This configuration is also effective for user root.

      Hardening the su Command

      Description

      To enhance system security and prevent the environment variables of the current user from being brought into other environments when you run the su command to switch to another user, this item has been configured by default in openEuler. The PATH variable is always initialized when the su command is used to switch users.

      Implementation

      Modify the /etc/login.defs file. The configuration is as follows:

      ALWAYS_SET_PATH=yes
      

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份