
177629 matches found

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure Audit Rules for Network Environment

Attackers may change the system domain name and host name to launch attacks, such as host spoofing. It is recommended that the user set the audit of system calls setdomainname and sethostname and the audit of the /etc/hosts file to monitor changes in the system domain name and host name. You can...

AI score: 6.8
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Ensure That the Permissions on Important Files and Directories Are Minimized

According to the principle of least privilege, the minimum access permission must be correctly set for key files or directories in the system, especially those containing sensitive information. Only users with relevant permissions can access these files or directories. If the file or directory...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Configure a Proper Default Zone

The firewalld service allows several independent rule zones to be created on a firewall based on the zone concept. Different interfaces or source addresses can be bound to different zones to implement different control logic. A zone can be configured with many different network interfaces or sour...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure a Proper Number of Concurrent Unauthenticated SSH Connections

Without knowing the password, an attacker can set up a large number of concurrent connections that have not been authenticated to consume system resources. The number of concurrent unauthenticated SSH connections is not configured in openEuler by default. You are advised to configure the upper...

AI score: 6.9
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Ensure That the PATH User Variable Is Strictly Defined

In Linux, the PATH variable defines the path for searching for executable files in the user context of the current user. For example, if a user runs the ls command in any directory, the system searches for the ls command in the directories specified by PATH and executes the command. The PATH...

AI score: 7.4
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Enable PAM Authentication

Pluggable Authentication Modules (PAM) on the Linux platform provides a series of open source shared library files (.so files). You can flexibly control the authentication process by configuring parameters. After PAM authentication is configured for SSH, the user authentication management module of t...

AI score: 7
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Avoid the .forward File in the Home Directory

An email address can be configured in the .forward file. When a user receives an email, the email is automatically forwarded to the email address. If there are no email forwarding scenarios, you are advised to delete the .forward file. If the .forward file exists, emails containing sensitive...

AI score: 6.6
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Enable Reverse Path Filtering

Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to perform reverse path filtering on a received packet and check the validity of its source address. If the Linux kernel queries the routing table in which the source address is included and finds...

AI score: 6.4
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Configure Proper Association Policies for INPUT and OUTPUT of iptables

Although you can configure protocols, IP addresses, and port numbers to add policies for packets entering and leaving a server to the INPUT and OUTPUT chains, it is difficult to configure suitable policies using the sport parameter due to complicated situations. For example, a client accesses the...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Ensure That Partitions That Do Not Require SUID/SGID Bits Are Mounted Using nosuid

After the SUID bit is set for an executable file, the user who executes the file (not the file owner) is temporarily granted the permission of the file owner. For example, common user test executes a program whose permission is 755 and owner is root. In this case, if the SUID bit is not set, only th...

AI score: 7
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure Proper Policies for INPUT of iptables

The INPUT chain is used to filter packets received from external systems. For any service provided for external systems, configure the corresponding INPUT policy and enable the related port so that external clients can access the service through the port. If the policy is not set, all packets tha...

AI score: 7
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Do Not Allow Unused Users

If service-irrelevant users exist in the system, attackers may use them to launch attacks. Only users required by services are retained in the system. Other users used for installation, deployment, commissioning, verification, and fault locating must be deleted. By default, unused users do not...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Do Not Use X11 Forwarding

The X11 forwarding function of SSH allows the GUI program of the remote host to be executed on the local host. If the X11 forwarding function is enabled, the attack surface is expanded and other users on the X11 server may attack the local host. If the function is not required in the service...

AI score: 6.7
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure Audit Rules for Kernel Module Changes

Generally, for deployed services, the loaded kernel modules do not change. Therefore, changes in loaded kernel modules may indicate attacks. You are advised to audit and monitor kernel module changes for future tracing. By default, audit rules for kernel module changes are not configured in...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Receive Remote rsyslog Messages Only on a Specified Log Host

By default, rsyslog does not listen for log messages from a remote system. Log message listening via TCP is performed in a similar way to log message listening via UDP, both requiring rsyslog to load a module, that is, the imtcp.so module and the imudp.so module respectively. The TCP/UDP port to b...

AI score: 7
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Ensure That the Weak Password Dictionary Is Set Correctly

If a user password is weak, it is easy for attackers to guess the password or crack it through dictionary attacks in a short period of time. A weak password dictionary is a collection of passwords that are not strong enough and can be easily cracked through guesses. Weak passwords include default...

AI score: 7
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure the Default Policies of iptables to DROP Properly

Generally, iptables policies can be configured in allowlist or blocklist mode. You are advised to configure iptables policies in allowlist mode. Connections that do not comply with the rules in the allowlist are prohibited. Therefore, you can configure the DROP or REJECT policy for the INPUT,...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Configure the dmesg Access Permission Properly

The permission to access dmesg information is restricted. Unprivileged users cannot view system information. This prevents anyone from obtaining sensitive information and attacking the system. Only processes with the CAP_SYSLOG capability are allowed to access kernel logs. In this way, the least...

AI score: 6.5
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 5 views

Configure Kernel Parameter kptr_restrict Properly

kptr_restrict is used to protect kernel symbol addresses. When the protection level is low, common users can obtain kernel symbol addresses, which attackers can easily exploit. This increases the attack surface and reduces system security. Currently, kptr_restrict can be set to any of the...

AI score: 6.7
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Start the cron Daemon Properly

The cron daemon is used to execute batch processing jobs on the system. Even if the OS does not have user jobs that need to be run, some system jobs need to be run, including important jobs such as security monitoring. The cron daemon is used to execute these jobs. If the cron daemon is not start...

AI score: 7.1
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Enable the haveged Service

The haveged service can generate an unpredictable stream of random numbers in a simple way. These random numbers can fill the system entropy pool, which can solve the problem of low system entropy in some cases. You are advised to enable this service to meet the needs of encryption, decryption, o...

AI score: 6.8
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Do Not Install the NIS Server

Network Information Service (NIS) works in client-server mode. NIS clients running the ypbind daemon obtain information from a server. NIS is inherently insecure and is vulnerable to DoS and buffer overflow attacks. Therefore, do not install the NIS server in the service scenario where NIS is not...

AI score: 7.2
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure Audit Rules for Privilege-Escalated Commands

Users can call privilege-escalated commands (that is, commands with SUID/SGID bits) to obtain the super administrator permissions. This operation is risky and often exploited by attackers. You are advised to audit and monitor privilege-escalated commands for future tracing. By default, audit rules...

AI score: 7.1
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Do Not Enable the Avahi Service

Avahi is a zero-configuration networking implementation, including a system for multicast DNS/DNS-SD service discovery and automatic broadcast. For example, you can connect a server to the network and use Avahi to automatically broadcast network services running on the server for other users to...

AI score: 6.7
Exploits: 0 • References: 1

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Do Not Enable the LDAP Service

Lightweight Directory Access Protocol (LDAP) is a protocol that provides access control and is used to maintain distributed directory information. The LDAP service increases system resource usage and expands the attack surface. If the LDAP service is not required, do not install the LDAP service. T...

AI score: 6.8
Exploits: 0 • References: 1

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure Proper Policies for INPUT of nftables

The INPUT chain is used to filter packets received from external systems. For any service provided for external systems, configure the corresponding INPUT policy and enable the related port so that external clients can access the service through the port. If the policy is not set, all packets tha...

AI score: 7
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Ensure That the GIDs Are Unique

The group IDs (GIDs) in /etc/group must be unique. In the Linux system, user group permissions are determined based on GIDs. If multiple user groups use the same GID, these user groups have the same permissions and can access each other SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptio...

AI score: 7.1
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Configure the iptables Policies for Loopback Properly

The loopback address 127.0.0.0/8 is a special address on a server. It is irrelevant to NICs and is mainly used for the inter-process communication of a local device. Packets with the source address 127.0.0.0/8 from NICs should be discarded. If policies related to the loopback address are improper...

AI score: 6.8
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Avoid the .netrc File in the Home Directory

The .netrc file stores the passwords for logging in to the remote FTP server. If there are no FTP-related scenarios, you are advised to delete the .netrc file. Passwords stored in the .netrc file are in plaintext and can be easily stolen by attackers. As a result, sensitive data on the FTP server...

AI score: 6.8
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 6 views

Do Not Install the LDAP Service

Lightweight Directory Access Protocol (LDAP) is a protocol that provides access control and is used to maintain distributed directory information. The LDAP service increases system resource usage and expands the attack surface. If the LDAP service is not required, do not install the LDAP service. T...

AI score: 6.8
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Configure Proper Policies for OUTPUT of nftables

There are two occasions in which a server sends outgoing packets: 1. The local host process proactively connects to an external server, for example, performing an HTTP access, or sending data to a log server. 2. The local host responds to the external access to the local services. If no policy is...

AI score: 6.7
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Do Not Allow Hidden Executable Files

In Linux, the name of a hidden file starts with a dot (.). Hidden executable files are not allowed in the system. Note that . and .. are not hidden files. They refer to the current directory and upper-level directory, respectively. The .bashrc, .bash_profile, and .bash_logout files are script files us...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Do Not Install Network Sniffing Tools

If network sniffing tools exist in the production environment, attackers may use them for network analysis and attacks. Therefore, in the production environment, do not install network sniffing, packet capturing, or analysis tools, such as tcpdump, Ethereal, and Wireshark. SPDX-FileCopyrightText:...

AI score: 7
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Ensure That Removable Device Partitions Are Mounted Using noexec and nodev

The security of removable devices cannot be ensured completely due to a lot of factors, such as the source, usage, and transportation process. In this sense, removable devices are the main host for viruses. Therefore, removable devices must be mounted using noexec and nodev to improve security an...

AI score: 6.8
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 6 views

Do Not Use auditctl to Set auditd Rules

auditd service rules can be configured using either rule files in the /etc/audit/rules.d/ directory (applied after server restart) or the auditctl command (for immediate effect). The permission of the /etc/audit/rules.d/ directory is 750, while that of the auditctl command is 755. Therefore,...

AI score: 7.2
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure the Remote Log Server

rsyslog can send local logs to a remote log server for unified storage. This facilitates centralized log management and prevents local logs from occupying too much drive space and being tampered with. If remote log storage is not configured, rsyslog logs are stored in local files. As far as the...

AI score: 6.6
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure a Proper SSH Service Authentication Mode

A proper authentication mode helps ensure user and system data security. Typically, the user/password authentication mode is suitable for human-machine users. In non-interactive login scenarios, the public and private keys are suitable for authentication. In high-risk scenarios, only the public a...

AI score: 7.3
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Do Not Install Development and Compilation Tools

Compilation tools in the service environment may be exploited by attackers to edit, tamper with, and perform reverse analysis on key files in the environment. Therefore, in the production environment, do not install compilation, decompilation, binary analysis tools, and compilation environments...

AI score: 6.9
Exploits: 0 • References: 3

OpenVAS
• added 2025/05/07 12:0 a.m. • 2 views

Configure Proper Association Policies for INPUT and OUTPUT of nftables

Although you can configure protocols, IP addresses, and port numbers to add policies for packets entering and leaving a server to the INPUT and OUTPUT chains, it is difficult to configure suitable policies using the sport parameter due to complicated situations. For example, a client accesses the...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 6 views

Disable SysRq

SysRq enables users with physical access to access dangerous system-level commands in a computer. Therefore, it is advised to restrict the usage of the SysRq function. If SysRq is not disabled, you can use the keyboard to trigger SysRq. As a result, commands may be directly sent to the kernel,...

AI score: 6.8
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Record the cron Logs

Generally, cron is used to schedule tasks in Linux. Because cron can be exploited by hackers to load malicious code, all the cron logs need to be recorded to trace system exceptions. Otherwise, the exception information cannot be displayed in logs when there are malicious operations. As a result,...

AI score: 6.6
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure the Core Dump Properly

A core dump records the memory status when a program stops abnormally or breaks down. It helps locate faults but may contain sensitive information in the process memory. In some cases, the core dump function needs to be enabled to record problem causes. When enabling the core dump function,...

AI score: 6.6
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Do Not Enable the DHCP Service

The Dynamic Host Configuration Protocol (DHCP) service provides dynamic allocation of IP addresses to machines. Unless a system is the designated DHCP server, you are advised to disable its DHCP service to reduce the attack surface. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 4 views

Configure Proper SSH Key Exchange Algorithms

Key exchange is a process in which two parties exchange keys to allow the use of an encryption algorithm. A secure key exchange algorithm enables them to securely exchange keys, thereby using encryption algorithms to encrypt messages to be sent and decrypt received messages. Set the SSH key...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure Login Audit Rules

The /var/log/lastlog file is updated when a user successfully logs in to the system. Therefore, user login events can be recorded by auditing and monitoring the file. If login audit is not configured, the administrator cannot trace login events from audit logs. By default, login audit rules are n...

AI score: 6.9
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Configure the Banner Path Correctly

The banner path points to a file which contains the prompt information displayed on the client before a user logs in to the SSH. The content in the file can be configured based on the actual service scenario. If the banner path is not set, no information is displayed by default...

AI score: 6.6
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure the nftables Policies for Loopback Properly

The loopback address 127.0.0.0/8 is a special address on a server. It is irrelevant to NICs and is mainly used for the inter-process communication of a local device. Packets with the source address 127.0.0.0/8 from NICs should be discarded. If policies related to the loopback address are improper...

AI score: 6.8
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 1 view

Configure Audit Rules for SELinux

SELinux is a mandatory access control function component of Linux. It is used to implement fine-grained permission control on processes and files. You are advised to audit configurations of SELinux configuration files and policy files and record modification logs. If SELinux audit is not...

AI score: 6.8
Exploits: 0 • References: 2

OpenVAS
• added 2025/05/07 12:0 a.m. • 5 views

Disable IP Forwarding

If a node does not function as a gateway server, disable the IP forwarding function. Otherwise, attackers can use the node as a router. In the container scenario, if network packets need to be forwarded through the host, IP forwarding is allowed. SPDX-FileCopyrightText: 2025 Greenbone AG Some tex...

AI score: 6.9
Exploits: 0 • References: 4

OpenVAS
• added 2025/05/07 12:0 a.m. • 3 views

Ensure That the Password Complexity Is Set Correctly

Simple passwords, including short passwords and passwords containing only digits or letters, are easy to guess by brute force cracking tools. As such, users are required to set complex passwords. For service scenarios with high security requirements, follow industry best practices. For example,...

AI score: 6.8
Exploits: 0 • References: 4

Total number of security vulnerabilities: 177629