192 matches found
Ensure That the LD_LIBRARY_PATH Environment Variable Is Correctly Defined
LDLIBRARYPATH is an environmental variable in Linux. When loading a dynamic link library, the program preferentially obtains the library from the path specified by LDLIBRARYPATH. Generally, LDLIBRARYPATH should not be set, because a maliciously set value will make the program link to an incorrect...
Configure Audit Rules for Privilege Escalation Operations
In openEuler, logs of privilege escalation operations using the sudo command are recorded in the /var/log/secure file by default. This file also records other authentication-related security logs. If you want to audit privilege escalation operations using sudo, you are advised to record logs...
Configure Proper MACs Algorithms for the SSH Service
In cryptography, a message authentication code MAC is an authentication mechanism used by communication entities to check message integrity. If the configured algorithms are insecure, security risks increase because weak algorithms have been or are about to be cracked in the industry. The...
Ensure That a User Is Locked After a Specified Number of Login Failures
If a user fails to log in to the system for a specified number of consecutive times, the system locks the user. That is, the user is not allowed to log in to the system for a specified period of time to prevent malicious system password cracking. During the lockout period, any input is considered...
Ensure That a User Has Its Own Home Directory
Each user must have its own home directory for storing user-related data. The owner of the home directory must be the user. If the owner of the home directory is not the user, the user cannot read or write the home directory, or the user data stored in the home directory can be read or tampered...
Do Not Install Insecure SNMP Versions
Simple Network Management Protocol SNMP is a standard protocol designed to manage network nodes in IP networks. This protocol allows the exchange of network management and control data between network elements NEs. If SNMP is installed in scenarios where SNMP is not required, additional system...
Ensure That the umask Value Is Correct
The umask value is the mask for default file or directory permissions. When a file or directory is created, its default permission is set to 777 minus the umask value. For a file, its execute permission is also removed. If the umask value is set improperly, the permission of new files may be too...
Configure the Core Dump Properly
A core dump records the memory status when a program stops abnormally or breaks down. It helps locate faults but may contain sensitive information in the process memory. In some cases, the core dump function needs to be enabled to record problem causes. When enabling the core dump function,...
Do Not Preset known_hosts for the SSH Service
knownhosts stores the public keys of the computers that the host has accessed. After a user successfully logs in to another computer, the public key information is automatically saved in $HOME/.ssh/knownhosts. When the same computer is accessed next time, its public key is verified. If the...
Enable PAM Authentication
Pluggable Authentication Modules PAM on the Linux platform provides a series of open source shared library files .so files. You can flexibly control the authentication process by configuring parameters. After PAM authentication is configured for SSH, the user authentication management module of t...
Configure a Proper SSH Service Authentication Mode
A proper authentication mode helps ensure user and system data security. Typically, the user/password authentication mode is suitable for human-machine users. In non-interactive login scenarios, the public and private keys are suitable for authentication. In high-risk scenarios, only the public a...
Configure Audit Rules for Network Environment
Attackers may change the system domain name and host name to launch attacks, such as host spoofing. It is recommended that the user set the audit of system calls setdomainname and sethostname and the audit of the /etc/hosts file to monitor changes in the system domain name and host name. You can...
Configure Audit Rules for File Access Failures
System calls, such as open, truncate, ftruncate, create and openat, are audited and monitored. If the -EACCES or -EPERM error is returned, you lack the permission to access the files. In this case, audit logs need to be recorded. File access failures due to a lack of proper permissions are common...
Ensure That the Password Validity Is Set Correctly
If a password is not changed for a long time, the password is vulnerable to brute force cracking, which compromises system security. If the password validity period is set too short, the password needs to be changed frequently, increasing management costs. In addition, users may fail to log in...
Configure a Proper Number of Concurrent Sessions Allowed for a Single SSH Connection
SSH allows a client that supports multiplexing to establish multiple sessions based on a network connection. MaxSessions limits the number of concurrent SSH sessions that can be established for each network connection. This prevents system resources from being occupied by a single connection or a...
Do Not Use auditctl to Set auditd Rules
auditd service rules can be configured using either rule files in the /etc/audit/rules.d/ directory applied after server restart or the auditctl command for immediate effect. The permission of the /etc/audit/rules.d/ directory is 750, while that of the auditctl command is 755. Therefore,...
Do Not Enable the DNS Service
The Domain Name System DNS is a hierarchical naming system that maps names to IP addresses of computers, services, and other network resources. Unless a system is the designated DNS server, you are advised to disable its DNS service to reduce the attack surface. SPDX-FileCopyrightText: 2025...
Do Not Start the debug-shell Service
The debug-shell service is used to locate faults that occur during system boot. This service is installed with systemd. The debug-shell service requires no authentication, that is, attackers can access the root shell by simply pressing Ctrl+Alt+F9 during systemd startup when the OS is booting. Th...
Configure the Kernel Parameter ptrace_scope Properly
ptrace is a system call used for process tracing. It provides the capability for a parent process to observe and control child processes. Linux Kernel 3.4 and later versions support completely restricting or disabling the ptrace function. According to the Linux Kernel Yama Documentation, the...
Ensure That auditd Is Enabled
The auditd component is a user-space component of the Linux audit framework, providing the auditctl, ausearch, and aureport programs to audit and view logs. Audit rules are configured using the auditctl program. When getting started, auditctl reads these rules from /etc/audit/audit.rules. The aud...