Do Not Install Insecure SNMP Versions
Simple Network Management Protocol (SNMP) is a standard protocol designed to manage network nodes in IP networks. This protocol allows the exchange of network management and control data between network elements (NEs). If SNMP is installed in scenarios where SNMP is not required, additional system...
Enable the Enforcing Mode
SELinux is a built-in security module in Linux distributions. It controls the access from applications to resources in a fine-grained way, thus improving system security. SELinux can run in any of the following modes: 1. enforcing: If the user does not have the permission to access the resource,...
Do Not Install the LDAP Client
Lightweight Directory Access Protocol (LDAP) is a protocol that provides access control and is used to maintain distributed directory information. Running the LDAP service requires additional system resources and expands the attack surface. Therefore, do not install the LDAP client in the service...
Ensure That Common Users Run Privileged Programs Using the sudo Command
The sudo command enables a specified common user to execute certain programs with the root permission. Most system management commands need to be executed by the root user. For the system administrator, properly authorizing other users can reduce the burden of the system administrator. However,...
Ensure That All Groups Exist in /etc/passwd
All user groups in /etc/passwd must exist in the /etc/group file. If the administrator manually modifies the two files, the user groups may be incorrectly set due to human errors. If a user group in /etc/passwd does not exist in /etc/group, risks of user group permission management may occur...
Do Not Allow Files or Directories Without Owners or Owner Groups
Files or directories without owners or owner groups are not allowed in the system. Generally, these files or directories refer to those whose previous owners are deleted. These files are security risks and may cause information leakage, occupy unnecessary drive space and system resources, and...
Ensure That Passwords Are Encrypted Using Strong Hash Algorithms
For system security, passwords cannot be stored in plaintext in the system and must be encrypted. Irreversible cryptographic algorithms must be used in scenarios where passwords do not need to be recovered. If a password is encrypted with a weak algorithm, attackers can increase the computing pow...
Ensure That Warning Banners Contain Proper Information
Warning banners contain warning information added on the system login page. Security warnings are displayed for all users who log in to the system. The security warnings must include information about the organization to which the system belongs, monitoring or records of login behavior, and legal...
Restrict the Number of Historical Command Records
HISTSIZE is an environment variable used to control the size of the command history. Specifically, HISTSIZE defines the number of command entries that can be stored in the command history. By setting the value of HISTSIZE, you can limit or increase the size of the command history, thus controllin...
Ensure That Passwords Do Not Contain User Names
To ensure user security, you must configure passwords that do not contain user names. If a password is the same as the user name or the user name in reverse order, or contains the user name, attackers can guess the password easily. This requirement does not apply to passwords of users whose names...
Ensure That Partitions without Executable Files Are Mounted Using noexec
A data drive only stores data generated during service running. No command is executed in the data drive. Therefore, you can mount the drive or partition using noexec to improve security and reduce the attack surface. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be...
Ensure That GPG Verification Is Configured for the Yum Repositories
Software packages may be tampered with by attackers during network transmission or local storage. If the integrity verification is not performed on the software packages, software tampered with by attackers may be installed. As a result, the server or even the entire network cluster is attacked. ...
Do Not Install Debugging Tools
Debugging scripts and tools in the service environment may be exploited by attackers to launch attacks. Therefore, do not install any debugging tools or files in the production environment. Such tools or files include but are not limited to: code debugging tools, privilege escalation commands, scripts,...
Disable the Source Packet Routing
In a network, source routing allows the sender to specify some or all routes for data packets to pass through the network. In regular routing, routers in the network determine the path based on the destination of the data packets. If a large number of packets are tampered with and pass through th...
Configure a Proper Value for audit_backlog_limit
audit_backlog_limit sets the buffer queue length for audit events awaiting transfer to the audit service. The default value is 64. If the queue is full, audit events are discarded and an alarm log is generated, indicating that the queue is full. If the value is too small, audit events may be lost. ...
Do Not Configure Deprecated Options for the SSH Service
Currently, the SSH service communication protocols are classified into the first generation and the second generation. The configuration options of the SSH service of different versions are incompatible. In addition, the configuration options of some earlier versions are deprecated in the new...
Ensure That Rotation Is Enabled for Audit Logs
max_log_file_action decides the action taken when the size of a log file reaches the upper limit. By default, ROTATE is configured in openEuler, indicating that a new log file is created when the size of a log file reaches the upper limit and the original log file is not deleted. num_logs specifies t...
Configure Audit Rules for Network Environment
Attackers may change the system domain name and host name to launch attacks, such as host spoofing. It is recommended that the user set the audit of system calls setdomainname and sethostname and the audit of the /etc/hosts file to monitor changes in the system domain name and host name. You can...
Ensure That the Permissions on Important Files and Directories Are Minimized
According to the principle of least privilege, the minimum access permission must be correctly set for key files or directories in the system, especially those containing sensitive information. Only users with relevant permissions can access these files or directories. If the file or directory...
Do Not Install the rsync Service
The rsync service can synchronize data between servers or between local drive partitions. However, information leakage risks exist because rsync uses non-encrypted transmission protocols. If the rsync service is enabled and data is transmitted between servers over the network, attackers can...
Configure Proper Policies for OUTPUT of nftables
There are two occasions in which a server sends outgoing packets: 1. The local host process proactively connects to an external server, for example, performing an HTTP access, or sending data to a log server. 2. The local host responds to the external access to the local services. If no policy is...
Do Not Install the X Window System
X Window System (X for short) provides a GUI for users to log in and perform operations in Linux. Generally, servers do not require a GUI. Administrators can configure and modify a server through the CLI. X...
Enable PAM Authentication
Pluggable Authentication Modules (PAM) on the Linux platform provides a series of open source shared library files (.so files). You can flexibly control the authentication process by configuring parameters. After PAM authentication is configured for SSH, the user authentication management module of t...
Configure Audit Rules for Privilege Escalation Operations
In openEuler, logs of privilege escalation operations using the sudo command are recorded in the /var/log/secure file by default. This file also records other authentication-related security logs. If you want to audit privilege escalation operations using sudo, you are advised to record logs...
Avoid the .forward File in the Home Directory
An email address can be configured in the .forward file. When a user receives an email, the email is automatically forwarded to the email address. If there are no email forwarding scenarios, you are advised to delete the .forward file. If the .forward file exists, emails containing sensitive...
Do Not Allow Empty Links
Empty links are redundant files and waste system resources. In addition, if a file is installed or created at the target location of an empty link, the file can be accessed through the link, leading to possible information leakage or tampering. If the file to which the link points has been delete...
Ensure That Removable Device Partitions Are Mounted Using noexec and nodev
The security of removable devices cannot be ensured completely due to many factors, such as the source, usage, and transportation process. In this sense, removable devices are a major carrier of viruses. Therefore, removable devices must be mounted using noexec and nodev to improve security an...
Do Not Enable the NFS Service
The Network File System (NFS) is one of the earliest and most widely used file systems in UNIX environments. It allows a system to mount file systems of other servers over the network. If the system does not share content through NFS, you are advised to disable NFS to reduce the remote attack...
Ensure That the Password Protection Is Configured in Single-User Mode
You can edit the GRUB startup menu and add the s or single command to the Linux startup command line to enter the single-user mode, which is an emergency rescue mode. In this mode, system data can be modified. For example, users can change the password of the root user. In this case, the password...
Configure Proper Policies for INPUT of iptables
The INPUT chain is used to filter packets received from external systems. For any service provided for external systems, configure the corresponding INPUT policy and enable the related port so that external clients can access the service through the port. If the policy is not set, all packets tha...
Configure Proper Policies for OUTPUT of iptables
There are two occasions in which a server sends outgoing packets: 1. The local host process proactively connects to an external server, for example, performing an HTTP access, or sending data to a log server. 2. The local host responds to the external access to the local services. If no policy is...
Ensure That User Group and Password File Permissions Are Correct
In the Linux OS, related information, such as users, passwords, and user groups, is recorded in the configuration files in the /etc directory. Proper permissions must be set for accessing these files. Otherwise, the files may be stolen or tampered with by attackers. The owner and owner group of...
Do Not Allow Unused Users
If service-irrelevant users exist in the system, attackers may use them to launch attacks. Only users required by services are retained in the system. Other users used for installation, deployment, commissioning, verification, and fault locating must be deleted. By default, unused users do not...
Configure a Proper Number of Concurrent Sessions Allowed for a Single SSH Connection
SSH allows a client that supports multiplexing to establish multiple sessions based on a network connection. MaxSessions limits the number of concurrent SSH sessions that can be established for each network connection. This prevents system resources from being occupied by a single connection or a...
Configure Login Audit Rules
The /var/log/lastlog file is updated when a user successfully logs in to the system. Therefore, user login events can be recorded by auditing and monitoring the file. If login audit is not configured, the administrator cannot trace login events from audit logs. By default, login audit rules are n...
Ensure That the Weak Password Dictionary Is Set Correctly
If a user password is weak, it is easy for attackers to guess the password or crack it through dictionary attacks in a short period of time. A weak password dictionary is a collection of passwords that are not strong enough and can be easily cracked through guesses. Weak passwords include default...
Configure the Default Policies of iptables to DROP Properly
Generally, iptables policies can be configured in allowlist or blocklist mode. You are advised to configure iptables policies in allowlist mode. Connections that do not comply with the rules in the allowlist are prohibited. Therefore, you can configure the DROP or REJECT policy for the INPUT,...
Configure the nftables Policies for Loopback Properly
The loopback address 127.0.0.0/8 is a special address on a server. It is irrelevant to NICs and is mainly used for the inter-process communication of a local device. Packets with the source address 127.0.0.0/8 from NICs should be discarded. If policies related to the loopback address are improper...
Configure Audit Rules for File Access Control Permissions
File access permission control is the basic permission management in Linux. Different users can access different files after being authorized. This prevents sensitive information leakage or file data tampering between users and prevents common users from accessing high-permission files or...
Ensure That the Number of Files That Can Be Opened by Users Is Correctly Configured
The number of files that can be opened in Linux is limited. Once the limit is reached by a user, other users can no longer open files. By default, openEuler limits the maximum number of file handles that can be opened by each user to 1024. If the value exceeds 1024, new file handles cannot be...
Configure Audit Rules for SELinux
SELinux is a mandatory access control function component of Linux. It is used to implement fine-grained permission control on processes and files. You are advised to audit configurations of SELinux configuration files and policy files and record modification logs. If SELinux audit is not...
Avoid Using Programs Labeled unconfined_service_t
The purpose of setting the unconfined_service_t label for SELinux is to enable some third-party service processes not configured with SELinux policies to run without restrictions. By default, when systemd runs a third-party application whose label is bin_t or usr_t (generally located in directories su...
Configure the dmesg Access Permission Properly
The permission to access dmesg information is restricted. Unprivileged users cannot view system information. This prevents anyone from obtaining sensitive information and attacking the system. Only processes with the CAP_SYSLOG capability are allowed to access kernel logs. In this way, the least...
Ensure That a User Is Locked After a Specified Number of Login Failures
If a user fails to log in to the system for a specified number of consecutive times, the system locks the user. That is, the user is not allowed to log in to the system for a specified period of time to prevent malicious system password cracking. During the lockout period, any input is considered...
Configure Audit Rules for Privilege-Escalated Commands
Users can call privilege-escalated commands (that is, commands with SUID/SGID bits) to obtain the super administrator permissions. This operation is risky and often exploited by attackers. You are advised to audit and monitor privilege-escalated commands for future tracing. By default, audit rules...
Configure the Default Policies of nftables to DROP Properly
For security purposes, the nftables base chains INPUT, OUTPUT, and FORWARD are similar to those of iptables. You need to configure the DROP policy for all packets, and then add the ACCEPT policy to the base chains to open related services and ports. If the base chains are not configured or the ho...
Do Not Enable the LDAP Service
Lightweight Directory Access Protocol (LDAP) is a protocol that provides access control and is used to maintain distributed directory information. The LDAP service increases system resource usage and expands the attack surface. If the LDAP service is not required, do not install the LDAP service. T...
Configure a Proper SSH Service Authentication Mode
A proper authentication mode helps ensure user and system data security. Typically, the user/password authentication mode is suitable for human-machine users. In non-interactive login scenarios, the public and private keys are suitable for authentication. In high-risk scenarios, only the public a...
Avoid Using Uncommon Network Services
Some protocols are seldom used and their communities develop slowly. Therefore, related security issues cannot be quickly resolved. If these protocols are not disabled, attackers may exploit the protocols or code vulnerabilities to launch attacks. Stream Control Transmission Protocol (SCTP) is used...
Configure Audit Rules for File System Mounting
Generally, for deployed services, the file system mounting does not change. Therefore, any change in the file system mounting may indicate attacks. For file systems with changes in mounting, audit and monitor their mounting conditions for tracing. By default, audit rules for file system mounting...