      Authentication and Authorization

      Setting a Warning for Remote Network Access

      Description

      A warning banner is configured and displayed to users who attempt to log in to the system remotely. The banner states that only authorized use is permitted and that activity may be monitored and reported, which deters casual intruders and supports later enforcement against unauthorized access. Because the banner replaces the default login message, the operating system name, kernel release, architecture and other system details are no longer disclosed to an unauthenticated remote user.

      Implementation

      This setting is implemented by editing the /etc/issue.net file. Replace the original content of /etc/issue.net with the following text (openEuler ships this text by default). Note that sshd displays /etc/issue.net only when /etc/ssh/sshd_config contains the directive Banner /etc/issue.net; without it the file is never shown to SSH clients.

      Authorized users only. All activities may be monitored and reported. 
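
      The following script is an added example and not openEuler's own tooling. It writes the banner, checks that the banner file contains none of the getty escape sequences (\r, \m, \s and so on) that expand to kernel release, architecture or host name, and points sshd at the file; the file paths are parameters so the check can be run on a copy before /etc is touched.

```shell
#!/bin/sh
# Added example, not openEuler's own tooling: install the warning banner and
# check that it leaks nothing. File paths are parameters so the check can be
# run on a copy before /etc is touched.

BANNER_TEXT='Authorized users only. All activities may be monitored and reported.'

# Write the banner text (openEuler's default wording) to the given file.
write_banner() {
    file="${1:-/etc/issue.net}"
    printf '%s\n' "$BANNER_TEXT" > "$file"
    chmod 0644 "$file"
}

# Return 0 only if the banner is non-empty and contains none of the getty
# escape sequences that expand to system details: \s system name, \S os-release
# name, \r kernel release, \v kernel version, \m architecture, \n host name,
# \o and \O domain names, \4 and \6 addresses. A banner copied from a stock
# /etc/issue often carries "\S Kernel \r on an \m", which is exactly the
# disclosure this setting is meant to remove.
banner_is_clean() {
    file="$1"
    [ -s "$file" ] || return 1
    ! grep -Eq '\\[sSrvmnoO46]' "$file"
}

# sshd shows /etc/issue.net only when sshd_config names it in a Banner
# directive. Replaces an active Banner line or appends one; a commented-out
# default such as "#Banner none" is left alone and does not count as active.
enable_sshd_banner() {
    conf="${1:-/etc/ssh/sshd_config}"
    if grep -Eq '^[[:space:]]*Banner[[:space:]]' "$conf"; then
        sed -i -E 's|^[[:space:]]*Banner[[:space:]].*|Banner /etc/issue.net|' "$conf"
    else
        printf 'Banner /etc/issue.net\n' >> "$conf"
    fi
}
```

      Typical use as root is write_banner, then banner_is_clean /etc/issue.net, then enable_sshd_banner followed by sshd -t and a reload of sshd. The same banner_is_clean check is worth running against /etc/issue, which the console getty displays.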
      

      Forestalling Unauthorized System Restart by Pressing Ctrl+Alt+Delete

      Description

      By default, pressing Ctrl+Alt+Delete on the console restarts the system. You are advised to disable this function so that an accidental key press, or anyone with physical access to the keyboard, cannot reboot the machine and cause data loss or an outage.

      Implementation

      To disable the feature of restarting the system by pressing Ctrl+Alt+Delete, perform the following steps:

      1. Run the following commands to delete the two ctrl-alt-del.target files:

        rm -f /etc/systemd/system/ctrl-alt-del.target
        rm -f /usr/lib/systemd/system/ctrl-alt-del.target
        
      2. Change #CtrlAltDelBurstAction=reboot-force to CtrlAltDelBurstAction=none in the /etc/systemd/system.conf file.

      3. Run the following command to re-execute systemd so that the change to system.conf takes effect. systemd serializes its state and restarts itself in place; running services are not restarted, but systemd briefly stops processing requests while it re-executes. You must be the root user or a user with sudo permission to perform this operation.

        systemctl daemon-reexec
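
      The following script is an added example, not an openEuler script, that applies the settings above in a form that survives package updates and then verifies them. Deleting /usr/lib/systemd/system/ctrl-alt-del.target is undone by the next update of the systemd package, whereas systemctl mask pins /etc/systemd/system/ctrl-alt-del.target to /dev/null, which the package manager never touches. The .conf editor is generic so it can be reused for other system.conf keys.

```shell
#!/bin/sh
# Added example, not openEuler's own script: disable Ctrl+Alt+Delete in a way
# that survives package updates, and verify the result.

SYSTEM_CONF="${SYSTEM_CONF:-/etc/systemd/system.conf}"

# Set Key=Value in a systemd .conf file: rewrite a commented default
# ("#Key=...") or an existing setting in place, append when the key is absent.
# Idempotent, and unrelated commented defaults are left untouched.
set_conf_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the active (uncommented) value of Key; prints nothing if unset.
get_conf_option() {
    file="$1"; key="$2"
    grep -E "^[[:space:]]*$key=" "$file" | tail -n1 | cut -d= -f2-
}

# Apply: mask the target (so the key combination has nothing to start),
# neutralise the burst action, then re-exec systemd to load system.conf.
disable_ctrl_alt_del() {
    systemctl mask ctrl-alt-del.target
    set_conf_option "$SYSTEM_CONF" CtrlAltDelBurstAction none
    systemctl daemon-reexec
}

# Verify: the target must be masked and the burst action must be none.
# Reports each failing check on stderr and returns 1 if any failed.
ctrl_alt_del_is_disabled() {
    rc=0
    if [ "$(systemctl is-enabled ctrl-alt-del.target 2>/dev/null)" != masked ]; then
        echo "ctrl-alt-del.target is not masked" >&2; rc=1
    fi
    if [ "$(get_conf_option "$SYSTEM_CONF" CtrlAltDelBurstAction)" != none ]; then
        echo "CtrlAltDelBurstAction is not none" >&2; rc=1
    fi
    return $rc
}
```

      Run disable_ctrl_alt_del as root, then ctrl_alt_del_is_disabled to confirm both halves took effect. The burst action matters on its own: even with the target masked, systemd by default forces a reboot when Ctrl+Alt+Delete is pressed more than seven times within two seconds, which is what CtrlAltDelBurstAction=none switches off.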
        

      Setting an Automatic Exit Interval for Shell

      Description

      A logged-in shell that is left unattended can be used by anyone who reaches the terminal, and an idle session is an easy target for hijacking. Therefore, configure the shell to exit automatically after it has been idle for a period.

      Implementation

      At the end of the /etc/profile file, set the TMOUT variable (unit: second) to the idle interval after which the shell exits, as follows. Note that bash applies TMOUT only to interactive shells, and that a user can unset a plain variable; declare TMOUT readonly after setting it if the timeout must not be overridable by the user.

      export TMOUT=300
      

      Setting the Default umask Value for Users to 0077

      Description

      The umask determines the default permission of newly created files and directories by masking bits out of the base permission (666 for files, 777 for directories). A smaller umask value is more permissive: it leaves group users or other users with access they should not have, which is a security risk. Therefore, the default umask value must be set to 0077 for all users, so that new user directories are created with permission 700 and new user files with permission 600. For details about how to convert a umask value to a permission, see umask Values.

      NOTE: By default, the umask value of the openEuler user is set to 0022.

      Implementation

      1. Add umask 0077 to the /etc/bashrc file and all files in the /etc/profile.d/ directory.

        echo "umask 0077" >> $FILE
        

        NOTE: $FILE indicates the file name, for example, echo "umask 0077" >> /etc/bashrc.

      2. Set the owner and group of the /etc/bashrc file and of all files in the /etc/profile.d/ directory to root. These files are executed by every user who logs in, so they must also not be writable by anyone other than root.

        chown root.root $FILE
        

        NOTE: $FILE indicates the file name, for example, chown root.root /etc/bashrc.
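
      The following script is an added example, not openEuler's own, that covers both the TMOUT setting and the umask setting above: it installs the two settings as one root-owned drop-in and audits the login scripts that every user executes. It assumes that /etc/profile.d is sourced by /etc/profile for login shells (openEuler's default layout); the drop-in name 99-hardening.sh is this example's own choice.

```shell
#!/bin/sh
# Added example, not openEuler's own script: install TMOUT and umask 0077 as
# one drop-in and audit the login scripts for a missing umask or loose
# permissions. DROPIN_DIR and 99-hardening.sh are this example's assumptions.

DROPIN_DIR="${DROPIN_DIR:-/etc/profile.d}"
TIMEOUT_SECS="${TIMEOUT_SECS:-300}"

# Append a line only if it is not already present verbatim (idempotent).
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    grep -Fqx -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Install the drop-in. TMOUT is exported and then made readonly: bash honours
# TMOUT only in interactive shells, and without readonly a user can simply run
# "unset TMOUT" and defeat the timeout.
install_shell_hardening() {
    f="$DROPIN_DIR/99-hardening.sh"
    ensure_line "$f" "umask 0077"
    ensure_line "$f" "export TMOUT=$TIMEOUT_SECS"
    ensure_line "$f" "readonly TMOUT"
    chown root:root "$f"
    chmod 0644 "$f"
}

# 0 if the file sets umask 0077 on a line of its own (comments ignored).
file_sets_umask() {
    grep -Eq '^[[:space:]]*umask[[:space:]]+0?077[[:space:]]*$' "$1"
}

# 0 if group or others may write the file. A login script runs as every user
# who logs in, root included, so a writable one is a privilege-escalation
# path; root ownership alone does not rule that out.
file_is_writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Audit the given scripts: each must set umask 0077 and none may be writable
# by group or others. Prints every offender and returns 1 if there was any.
audit_login_scripts() {
    rc=0
    for f in "$@"; do
        file_sets_umask "$f" || { echo "no umask 0077: $f"; rc=1; }
        if file_is_writable_by_others "$f"; then
            echo "writable by group/other: $f"; rc=1
        fi
    done
    return $rc
}
```

      Run install_shell_hardening as root, then audit_login_scripts /etc/bashrc /etc/profile.d/*.sh to see which of the files the procedure names still lack the setting. These files only govern shells; login paths that do not run them (for example cron jobs) take their umask from elsewhere, such as the UMASK setting in /etc/login.defs applied through pam_umask.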

      Setting the GRUB2 Encryption Password

      Description

      GRand Unified Bootloader (GRUB) is a boot loader that can start different operating systems (such as Windows and Linux). GRUB2 is its current major version.

      During startup, the boot parameters can be edited on the GRUB2 screen. To prevent them from being changed at will, protect the GRUB2 screen with a password: the boot parameters can then be edited only after the correct GRUB2 password has been entered.

      NOTE: The default GRUB2 password is openEuler#12. You are advised to change it on first login and to rotate it periodically. If the password leaks, the boot entries can be modified, and the system may fail to start or may start with unintended parameters.

      Implementation

      1. Run the grub2-mkpasswd-pbkdf2 command to generate a password hash.

        NOTE: GRUB2 stores the password as a PBKDF2-HMAC-SHA512 hash (10000 iterations and a random 64-byte salt by default), not as an encrypted password that could be recovered.

        $ grub2-mkpasswd-pbkdf2
        Enter password: 
        Reenter password: 
        PBKDF2 hash of your password is 
        grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08
        

        NOTE: Enter the same password at the Enter password and Reenter password prompts.
        For openEuler#12, grub2-mkpasswd-pbkdf2 produced the hash grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08 shown above. The hash differs on every run because a fresh random salt is used; each such hash is valid for the same password.

      2. Open grub.cfg in a vi editor and insert the following lines at the beginning of the file. Note that grub2-mkconfig regenerates grub.cfg (for example after a kernel update), so check that the lines are still present after any regeneration, or place them in a script under /etc/grub.d/ that is included whenever grub.cfg is rebuilt.

        set superusers="root"
        password_pbkdf2 root grub.pbkdf2.sha512.10000.5A45748D892672FDA02DD3B6F7AE390AC6E6D532A600D4AC477D25C7D087644697D8A0894DFED9D86DC2A27F4E01D925C46417A225FC099C12DBD3D7D49A7425.2BD2F5BF4907DCC389CC5D165DB85CC3E2C94C8F9A30B01DACAA9CD552B731BA1DD3B7CC2C765704D55B8CD962D2AEF19A753CBE9B8464E2B1EB39A3BB4EAB08
        

        NOTE:

        • In different modes, the paths of the grub.cfg file are different: In the UEFI mode of the x86 architecture, the path is /boot/efi/EFI/openEuler/grub.cfg. In the Legacy BIOS mode of the x86 architecture, the path is /boot/grub2/grub.cfg. In the aarch64 architecture, the path is /boot/efi/EFI/openEuler/grub.cfg.
        • The superusers field sets the account name of the GRUB2 superuser.
        • The first parameter following password_pbkdf2 is the GRUB2 account name, and the second parameter is that account's password hash.
        • Once superusers is set, GRUB2 requires the password not only to edit an entry but also to boot any menu entry that does not carry the --unrestricted option. If the system must boot unattended, confirm that the menuentry lines for normal boot in grub.cfg include --unrestricted.
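
      The following script is an added example, not openEuler's own tooling. It generates the hash without an interactive prompt, checks that a hash has the format GRUB2 expects (so a truncated or weakened value is never written), selects the grub.cfg path by firmware mode as the note above lists, and records the two lines in /etc/grub.d/40_custom before regenerating grub.cfg. Using 40_custom is this example's assumption about the standard grub2 script set: its body is copied into grub.cfg on every regeneration, whereas lines typed directly into grub.cfg are lost the next time grub2-mkconfig runs.

```shell
#!/bin/sh
# Added example, not openEuler's own tooling: generate, validate and install a
# GRUB2 PBKDF2 password hash. GRUB_USER and the use of /etc/grub.d/40_custom
# are this example's assumptions.

GRUB_USER="${GRUB_USER:-root}"
CUSTOM_SCRIPT="${CUSTOM_SCRIPT:-/etc/grub.d/40_custom}"

# grub.cfg path for this firmware mode, as listed in the note above. The
# optional argument is the marker directory that exists only on UEFI boots.
grub_cfg_path() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then
        printf '%s\n' /boot/efi/EFI/openEuler/grub.cfg
    else
        printf '%s\n' /boot/grub2/grub.cfg
    fi
}

# Pull the grub.pbkdf2.sha512.* token out of grub2-mkpasswd-pbkdf2's output,
# whether the tool printed it on the "PBKDF2 hash ..." line or on the next.
extract_grub_hash() {
    grep -o 'grub\.pbkdf2\.sha512\.[0-9]*\.[0-9A-Fa-f]*\.[0-9A-Fa-f]*' | head -n1
}

# Accept only the format GRUB2 reads: PBKDF2-HMAC-SHA512, an iteration count,
# then the 64-byte salt and the 64-byte digest as 128 hex digits each. Also
# rejects an iteration count weakened below the tool's default of 10000.
validate_grub_hash() {
    h="$1"
    printf '%s\n' "$h" | grep -Eq \
        '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]{128}\.[0-9A-Fa-f]{128}$' || return 1
    count=$(printf '%s' "$h" | cut -d. -f4)
    [ "$count" -ge 10000 ]
}

# Feed the password to grub2-mkpasswd-pbkdf2 twice (one per prompt) and print
# the hash. Needs the grub2 tools installed; not exercised by the test below.
make_grub_hash() {
    printf '%s\n%s\n' "$1" "$1" | grub2-mkpasswd-pbkdf2 | extract_grub_hash
}

# The two lines the procedure above adds to grub.cfg.
render_grub_password_block() {
    printf 'set superusers="%s"\n' "$1"
    printf 'password_pbkdf2 %s %s\n' "$1" "$2"
}

# Replace any earlier password lines for GRUB_USER in 40_custom, append the
# new ones, and regenerate grub.cfg for this firmware mode. Run as root.
install_grub_password() {
    hash="$1"
    validate_grub_hash "$hash" || { echo "refusing malformed hash" >&2; return 1; }
    sed -i -E "/^set superusers=|^password_pbkdf2 $GRUB_USER /d" "$CUSTOM_SCRIPT"
    render_grub_password_block "$GRUB_USER" "$hash" >> "$CUSTOM_SCRIPT"
    grub2-mkconfig -o "$(grub_cfg_path)"
}
```

      A typical run is h=$(make_grub_hash 'new-password') followed by install_grub_password "$h"; afterwards grep password_pbkdf2 "$(grub_cfg_path)" confirms that the regenerated grub.cfg carries the hash, and a reboot confirms that editing an entry prompts for the password while the normal entry still boots.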

      Setting the Secure Single-user Mode

      Description

      Single-user mode gives a root shell on the console. If the system enters it without requiring the root password, anyone with console access obtains root, which is a high security risk.

      Implementation

      This setting is implemented by editing the /etc/sysconfig/init file: set SINGLE=/sbin/sulogin so that single-user mode runs sulogin, which prompts for the root password before opening a shell. Because sulogin authenticates against the root password, root must have a password set for this protection to hold. On a systemd-based release, also confirm that rescue mode is covered: systemctl cat rescue.service should show an ExecStart that invokes sulogin.

      Disabling Interactive Startup

      Description

      Interactive startup lets a console user choose which services are started during boot, so the user can skip auditd, the firewall, or other security services, which compromises system security. Disable interactive startup to prevent this. It is disabled by default in openEuler.

      Implementation

      This setting is implemented by editing the /etc/sysconfig/init file: set PROMPT=no.
