Do Not Enable the Samba Service
The Samba daemon allows the system administrator to configure the Linux system to share file systems and directories with Windows systems. Samba publishes file systems and directories through the Server Message Block (SMB) protocol. Windows users will be able to mount these directories and file...
Do Not Enable the Avahi Service
Avahi is a zero-configuration networking implementation, including a system for multicast DNS/DNS-SD service discovery and automatic announcement. For example, you can connect a server to the network and use Avahi to automatically announce the network services running on the server for other users to...
Ensure That a Common User Cannot Use pkexec for Privilege Escalation
The pkexec command enables an ordinary user to run a program with the permissions of the superuser or of another user. After authentication succeeds, the user runs the corresponding program with the permissions of the superuser. The pkexec command provides a convenient way for users to change their...
Disable the Function of Forwarding ICMP Redirect Messages
ICMP redirects can be used to send routing information to other hosts. As a host does not itself act as a router, there is no need for it to send ICMP redirect messages. Attackers can use a compromised host to send forged ICMP redirect messages to other hosts, attempting to...
Configure a Correct SSH Service Version
SSH1 contains known issues and is no longer routinely maintained, which poses risks such as information leakage and tampering with command data on the system. The OpenSSH component shipped with openEuler uses the SSH protocol for remote control and file transfer between servers. The SSH1.3,...
Disable the Function of Receiving ICMP Redirect Messages
ICMP redirect messages carry routing information and notify a host of a better path through which to send its packets. This is a method for allowing an external routing device to update a system's routing table. After both net.ipv4.conf.all.accept_redirects and...
Ensure That the umask Value Is Correct
The umask value is the mask for default file and directory permissions. When a directory is created, its default permission is 777 with the umask bits removed; for a file the base is 666, so the execute bits are never granted by default. If the umask value is set improperly, the permissions of new files may be too...
Ensure That a User Has Its Own Home Directory
Each user must have their own home directory for storing user-related data, and the user must own it. If the owner of the home directory is not the user, the user cannot read or write the home directory, or the user data stored in it can be read or tampered...
Discard Forged ICMP Packets and Do Not Record Logs
Setting net.ipv4.icmp_ignore_bogus_error_responses to 1 stops the kernel from logging bogus ICMP error responses (for example, responses to broadcast frames that violate RFC 1122), which prevents useless log entries from filling the file system. Some attackers send ICMP packets that violate RFC 1122 in an attempt to fill the log file system with a lar...
Configure the Kernel Parameter ptrace_scope Properly
ptrace is a system call used for process tracing. It provides the capability for a parent process to observe and control child processes. Linux kernel 3.4 and later can restrict or completely disable ptrace through the Yama security module. According to the Linux kernel Yama documentation, the...
Ensure That Soft and Hard Link Protection Is Correctly Configured
In Linux, a soft or hard link is a file that points to another file, the target: opening the link opens the target. An attacker can therefore, as an ordinary user, plant a soft link that a privileged user or process will follow, causing security issues such as privilege escalation. The sam...
Disable the TCP Forwarding Function of SSH
Setting AllowTcpForwarding to no in sshd_config stops the SSH server from forwarding TCP ports on behalf of connecting clients. TCP port forwarding transmits data between a local host and a remote host through an SSH tunnel. By disabling this function, you restrict the data transmission and access scope of...
Configure Proper Cryptographic Algorithms for the SSH Service
As cryptographic technologies develop and computing capabilities improve, some cryptographic algorithms are no longer suitable for today...
Do Not Install the Print Service
A server running the Common Unix Printing System (CUPS) provides print services to other devices on the network. Running the CUPS service consumes additional system resources and expands the attack surface. Therefore, do not start the CUPS service where it is not required...
Ensure That the Group Names Are Unique
The user group names in /etc/group must be unique. If a group name is duplicated in /etc/group, only the GID of the first entry with that name is effective. If the administrator uses commands such as useradd or groupadd to add users or groups, duplicate group names typically do not...
Ensure That Different Group IDs Are Initially Assigned to Different Users
The initial login groups of different users must be different. If a user needs to access files of another group, add the user to that group explicitly. In most cases, if file and folder permissions are set to 640 and 750 respectively, users in the same group ca...
Disable the System from Responding to ICMP Broadcast Packets
The Internet Control Message Protocol (ICMP) carries query and error packets. You can configure the system not to respond to ICMP broadcast packets to defend against ICMP-based attacks. This parameter determines whether the system responds to ICMP echo and timestamp requests...
Configure sudoers Audit Rules
The sudo command allows ordinary users to perform privileged operations as root, which is highly risky. Even when attackers cannot obtain the root account directly, they can escalate privileges through sudo. You are advised to configure auditing for the /etc/sudoers file and the...
Record System Authentication-related Events in Logs
System authentication-related events must be recorded to help analyze users...
Configure Audit Rules for User Information Changes
Generally, for deployed services, users and user groups do not change. Passwords are changed periodically, but not frequently, because of validity periods. It is recommended that key authentication and authorization data be audited and monitored so that changes can be traced. Performing attac...
Ensure That the Password Protection Is Configured for GRUB
GRUB is the default bootloader on most Linux distributions. The bootloader can set the startup mode of the system. By setting a GRUB password, you can prevent attackers from modifying the GRUB configuration to enter single-user mode. If no GRUB password is set, attackers can easily access the GRUB editing menu...
Configure The ntpd Service Properly
In a cluster, the time on all servers must be accurate and consistent. For example, if server clocks are inconsistent, data generated by different servers may be sorted or compared incorrectly. Even if you run the date command to set every server to the same time, the tim...
Configure Proper Policies for INPUT of nftables
The INPUT chain filters packets received from external systems. For each service offered to external systems, configure the corresponding INPUT policy and open the related port so that external clients can reach the service. If no policy is set, all packets tha...
Ensure That the GIDs Are Unique
The group IDs (GIDs) in /etc/group must be unique. In Linux, group permissions are determined by GID. If multiple groups share the same GID, they have the same permissions and can access each other...
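The four account-database items above (a home directory owned by its user, unique group names, distinct initial GIDs per user, unique GIDs) can be verified with the shell functions below. This is an added example, not a Greenbone or openEuler check. It takes passwd(5)/group(5) formatted files, so it also works on copies collected from other hosts; it assumes GNU stat (with BSD stat as a fallback) and a UID threshold of 1000, which is a convention for separating system accounts from human users, not something the items above state.

```shell
#!/usr/bin/env bash
# Added example: account-database checks for the four items above.
# Functions take passwd(5)/group(5) formatted files (e.g. /etc/passwd and
# /etc/group, or copies pulled from another host).

# dup_group_names GROUPFILE: group names that appear more than once.
dup_group_names() {
  cut -d: -f1 "$1" | sort | uniq -d
}

# dup_gids GROUPFILE: GIDs that appear more than once (groups sharing a GID
# are one group as far as permissions are concerned).
dup_gids() {
  cut -d: -f3 "$1" | sort | uniq -d
}

# shared_primary_gids PASSWDFILE [MIN_UID]: primary GIDs used by more than one
# account with uid >= MIN_UID (default 1000, assumed to skip system accounts).
shared_primary_gids() {
  awk -F: -v min="${2:-1000}" '$3 >= min { print $4 }' "$1" | sort | uniq -d
}

# home_dir_problems PASSWDFILE [MIN_UID]: accounts whose home directory is
# missing or is not owned by the account's uid.
home_dir_problems() {
  awk -F: -v min="${2:-1000}" '$3 >= min { print $1, $3, $6 }' "$1" |
  while read -r user uid home; do
    if [ ! -d "$home" ]; then
      echo "MISSING-HOME $user: $home does not exist"
      continue
    fi
    # GNU stat first, BSD stat as fallback
    owner=$(stat -c %u "$home" 2>/dev/null || stat -f %u "$home")
    [ "$owner" = "$uid" ] || echo "HOME-OWNER $user: $home is owned by uid $owner, not $uid"
  done
}

# check_accounts PASSWDFILE GROUPFILE [MIN_UID]: print every finding and
# return the number of findings (0 = clean; counts above 255 wrap).
check_accounts() {
  pw=$1; gr=$2; min=${3:-1000}
  findings=$(
    dup_group_names "$gr"            | sed 's/^/DUP-GROUP-NAME /'
    dup_gids "$gr"                   | sed 's/^/DUP-GID /'
    shared_primary_gids "$pw" "$min" | sed 's/^/SHARED-PRIMARY-GID /'
    home_dir_problems "$pw" "$min"
  )
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return $(( $(printf '%s\n' "$findings" | wc -l) ))
}
```

Source the file and run `check_accounts /etc/passwd /etc/group` on a live host; the exit status is the number of findings, which makes it easy to wire into a compliance job. Duplicate group names and GIDs are reported separately because they are different defects: a duplicated name silently hides the later entry, while a duplicated GID merges two groups' permissions.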
Configure the iptables Policies for Loopback Properly
The loopback address range 127.0.0.0/8 is special: it is not bound to any NIC and is used mainly for inter-process communication on the local device. Packets arriving on a NIC with a source address in 127.0.0.0/8 should be discarded. If the loopback-related policies are improper...
Avoid the .netrc File in the Home Directory
The .netrc file stores passwords for logging in to remote FTP servers. If there is no FTP use case, you are advised to delete the .netrc file. Passwords stored in .netrc are in plaintext and can easily be stolen by attackers, after which sensitive data on the FTP server...
Configure a Proper Number of Concurrent Unauthenticated SSH Connections
Without knowing a password, an attacker can open a large number of concurrent unauthenticated connections to consume system resources. The limit on concurrent unauthenticated SSH connections is not configured in openEuler by default. You are advised to configure the upper...
Ensure That the Password Validity Is Set Correctly
If a password is not changed for a long time, it becomes more exposed to brute-force cracking, which compromises system security. If the validity period is set too short, the password must be changed frequently, increasing management costs. In addition, users may fail to log in...
Configure Dumping journald Logs for rsyslog
The system uses journald to collect logs. Logs may be stored in volatile or persistent storage, so they may be lost or the drive may fill up. Logs therefore need to be dumped (forwarded) to rsyslog in a timely manner to ensure the security of the logs and of the system...
Do Not Install Network Sniffing Tools
If network sniffing tools exist in the production environment, attackers may use them for network analysis and attacks. Therefore, in the production environment, do not install network sniffing, packet capture, or analysis tools such as tcpdump, Ethereal, and Wireshark...
Disable tcp_timestamps
tcp_timestamps records the time at which TCP segments are sent. It is used for round-trip time measurement (RTTM) and protection against wrapped sequence numbers (PAWS). It is a bidirectional option and takes effect only when enabled on both the client and the server. If this option is enabled, the...
Do Not Use auditctl to Set auditd Rules
auditd rules can be configured either through rule files in /etc/audit/rules.d/, which are loaded when the service starts and therefore persist across reboots, or through the auditctl command, which takes effect immediately but is not persistent. The permission of the /etc/audit/rules.d/ directory is 750, while that of the auditctl command is 755. Therefore,...
Configure TIME_WAIT for TCP
TIME_WAIT is the state in which TCP waits before a closed connection is finally destroyed. If the associated timeout is set to a large value, many closed connections linger and the system becomes easier to exhaust in a DoS attack. You are advised to set this parameter to a value less than or equal to 60...
Ignore All ICMP Requests
Ignoring all ICMP echo requests prevents external systems from using ping to discover the host. Attackers use the reply to a ping to confirm that the host is reachable before probing it further...
Ensure That the LD_LIBRARY_PATH Environment Variable Is Correctly Defined
LD_LIBRARY_PATH is an environment variable in Linux. When loading a shared library, the dynamic loader searches the directories listed in LD_LIBRARY_PATH before the default locations. Generally, LD_LIBRARY_PATH should not be set, because a maliciously set value will make the program link to an incorrect...
Configure a Proper SSH Service Authentication Mode
A proper authentication mode helps ensure user and system data security. Typically, user/password authentication is suitable for human users. In non-interactive login scenarios, public/private key authentication is suitable. In high-risk scenarios, only the public a...
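The SSH items above (protocol version, TCP forwarding, concurrent unauthenticated connections, cryptographic algorithms, authentication mode) all come down to a handful of sshd_config keywords, so one checker covers them. The following is an added example, not the page's or OpenSSH's code. Its assumptions: MaxStartups is the keyword behind the connection limit; the legacy-algorithm set is the one listed in weak_algos (extend it for your own policy); lines use whitespace-separated "Keyword value" syntax; only global settings are evaluated (parsing stops at the first Match block, mirroring sshd's first-value-wins rule); and leaving Ciphers, MACs or KexAlgorithms unpinned is treated as a failure because an audit cannot know which build defaults are in effect.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config for the SSH items above.
# sshd honours the FIRST value it sees for a keyword; so does this parser.

# sshd_get FILE KEYWORD: first global value of KEYWORD (case-insensitive),
# empty if the keyword is not set before the first Match block.
sshd_get() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == kw {
      sub(/^[ \t]*[^ \t]+[ \t]+/, "")
      print; exit
    }' "$1"
}

# weak_algos LIST: members of a comma-separated algorithm list that belong to
# the legacy set assumed here (RC4, 3DES, CBC ciphers, MD5/SHA-1 MACs,
# SHA-1 key exchange). Prints nothing when the list is clean.
weak_algos() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E -i \
    '^(arcfour|3des-cbc|blowfish-cbc|cast128-cbc|aes(128|192|256)-cbc|rijndael-cbc|hmac-md5|hmac-sha1|umac-64|diffie-hellman-group(1|14|-exchange)-sha1)' \
    || true
}

# check_sshd FILE: one PASS/FAIL/INFO line per item; returns the number of
# failures (0 = compliant).
check_sshd() {
  cfg=$1; fails=0

  # SSH-1: older OpenSSH builds still honour "Protocol 1" or "Protocol 2,1"
  v=$(sshd_get "$cfg" Protocol)
  case ",$v," in
    *,1,*) echo "FAIL Protocol permits SSH-1 ($v)"; fails=$((fails + 1)) ;;
    *)     echo "PASS Protocol: SSH-1 not enabled" ;;
  esac

  v=$(sshd_get "$cfg" AllowTcpForwarding | tr 'A-Z' 'a-z')
  if [ "$v" = no ]; then
    echo "PASS AllowTcpForwarding no"
  else
    echo "FAIL AllowTcpForwarding is '${v:-yes (default)}'"; fails=$((fails + 1))
  fi

  # MaxStartups START[:RATE:FULL] bounds unauthenticated connections
  v=$(sshd_get "$cfg" MaxStartups)
  if printf '%s' "$v" | grep -Eq '^[0-9]+(:[0-9]+:[0-9]+)?$'; then
    echo "PASS MaxStartups $v"
  else
    echo "FAIL MaxStartups is '${v:-unset}'; set an explicit limit"; fails=$((fails + 1))
  fi

  for kw in Ciphers MACs KexAlgorithms; do
    v=$(sshd_get "$cfg" "$kw")
    if [ -z "$v" ]; then
      echo "FAIL $kw not pinned; relying on build defaults"; fails=$((fails + 1))
    elif w=$(weak_algos "$v") && [ -n "$w" ]; then
      echo "FAIL $kw includes legacy algorithm(s): $(printf '%s' "$w" | tr '\n' ' ')"; fails=$((fails + 1))
    else
      echo "PASS $kw $v"
    fi
  done

  v=$(sshd_get "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
  if [ "${v:-yes}" = yes ]; then
    echo "PASS PubkeyAuthentication ${v:-yes (default)}"
  else
    echo "FAIL PubkeyAuthentication $v"; fails=$((fails + 1))
  fi
  v=$(sshd_get "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
  echo "INFO PasswordAuthentication ${v:-yes (default)}; set to no where only keys are allowed"

  return "$fails"
}
```

Run it as `check_sshd /etc/ssh/sshd_config`. PasswordAuthentication is reported rather than failed because the item above makes it scenario-dependent: acceptable for human users, to be disabled in high-risk scenarios. Note that `sshd -T` prints the effective configuration after defaults and Match evaluation; feeding its output to check_sshd is the more reliable choice on a live host.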
Configure the Remote Log Server
rsyslog can send local logs to a remote log server for unified storage. This facilitates centralized log management and prevents local logs from consuming too much drive space or being tampered with. If remote log storage is not configured, rsyslog logs are stored in local files. As far as the...
Disable the ARP Proxy
ARP proxying lets the system answer ARP requests on one interface on behalf of hosts reachable through another interface. Disabling it prevents unauthorized information sharing and the leakage of addressing information between connected network segments. Therefore...
Enable Kernel ASLR
Address-space layout randomization (ASLR) places the stack, shared libraries, and program segments at different addresses each time a process starts. As a result, attackers cannot predict the addresses that memory-corruption exploits such as buffer overflows depend on, which makes such attacks unreliable. In the Linux kernel, ASLR is classified into...
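Most of the kernel items above (ICMP redirect sending and receiving, ICMP broadcast and bogus-error handling, ptrace_scope, soft and hard link protection, tcp_timestamps, proxy ARP, ASLR) are sysctl values. The added example below, which is not part of the original page, holds them as a baseline and compares it against either a saved sysctl-style snapshot or the running kernel via /proc/sys. The expected values follow the items above; the sysctl keys are the standard Linux names, and the "key = value" snapshot format (the format of sysctl.conf and of `sysctl -a` output) is an assumption. net.ipv4.icmp_echo_ignore_all is deliberately left out of the baseline because it also blinds legitimate monitoring; add it where policy requires it.

```shell
#!/usr/bin/env bash
# Added example: kernel-parameter baseline for the sysctl items above.
# "key=N" means exactly N; "key>=N" means at least N.
SYSCTL_BASELINE='
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.proxy_arp=0
net.ipv4.tcp_timestamps=0
kernel.yama.ptrace_scope>=1
kernel.randomize_va_space=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
'

# get_sysctl KEY [FILE]: value of KEY from a sysctl.conf-style FILE ("key =
# value" lines; the last assignment wins, as sysctl(8) applies them in order)
# or, without FILE, from the running kernel via /proc/sys. Empty if unknown.
get_sysctl() {
  key=$1; file=${2:-}
  if [ -n "$file" ]; then
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$file" |
      tail -n 1 | sed 's/[[:space:]]*$//'
  else
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
  fi
}

# check_sysctl [FILE]: one PASS/FAIL/MISSING line per baseline entry; returns
# the number of entries that are wrong or absent (0 = compliant).
check_sysctl() {
  file=${1:-}; failures=0
  for spec in $SYSCTL_BASELINE; do
    case $spec in
      *'>='*) key=${spec%%>=*}; want=${spec#*>=}; op=ge ;;
      *)      key=${spec%%=*};  want=${spec#*=};  op=eq ;;
    esac
    have=$(get_sysctl "$key" "$file")
    if [ -z "$have" ]; then
      echo "MISSING $key (want $want)"; failures=$((failures + 1))
    elif { [ "$op" = eq ] && [ "$have" = "$want" ]; } ||
         { [ "$op" = ge ] && [ "$have" -ge "$want" ] 2>/dev/null; }; then
      echo "PASS    $key = $have"
    else
      echo "FAIL    $key = $have (want $want)"; failures=$((failures + 1))
    fi
  done
  return "$failures"
}
```

`check_sysctl` with no argument audits the running kernel; `sysctl -a > snapshot.txt` on a remote host followed by `check_sysctl snapshot.txt` audits it offline. A MISSING entry on a live host usually means the key does not exist in that kernel (for example, kernel.yama.ptrace_scope without the Yama LSM), which is itself worth knowing.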
Enable auditd to Start upon System Startup
Enabling audit at boot ensures that events generated during system startup, before the auditd service itself starts, are still captured by the kernel audit subsystem. If audit is not enabled during system startup, attacks during the startup procedure may go unrecorded. By default, audit is not enabled during...
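The audit items above (sudoers audit rules, audit rules for user information changes, not relying on auditctl, and auditing from boot) can be checked together. The added example below is not Greenbone's or openEuler's code. It assumes that persistent rules live under /etc/audit/rules.d/ as either "-w PATH -p PERM" or "-a always,exit -F path=PATH -F perm=PERM" lines, that audit=1 on the kernel command line is the boot-time setting the last item refers to, that the watched paths listed in AUDIT_WATCHES are the ones the items above call for, and that auditctl applies all four access types when -p is omitted from a -w rule.

```shell
#!/usr/bin/env bash
# Added example: audit-configuration checks for the items above.
# Rules loaded only with auditctl disappear at the next reboot, so the
# checks read the persistent rule files, not the kernel's loaded rule set.

# Paths the items above say must be watched (assumed set).
AUDIT_WATCHES='/etc/sudoers /etc/sudoers.d /etc/passwd /etc/group /etc/shadow /etc/gshadow'

# audit_rules_text RULES: concatenate a directory of *.rules files, or print
# a single rules file.
audit_rules_text() {
  if [ -d "$1" ]; then cat "$1"/*.rules; else cat "$1"; fi
}

# audit_rule_perms RULES PATH: permission filters ("wa", "rwxa", ...) of every
# rule watching PATH, in either the -w or the -a/-F path= form. Prints nothing
# if PATH is unwatched. A -w rule without -p is taken as "rwxa" (assumption:
# that is what auditctl applies when -p is omitted).
audit_rule_perms() {
  audit_rules_text "$1" | awk -v want="$2" '
    BEGIN { sub(/\/$/, "", want) }
    /^[ \t]*#/ || NF == 0 { next }
    {
      path = ""; perm = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-w") path = $(i + 1)
        else if ($i == "-p") perm = $(i + 1)
        else if ($i == "-F" && $(i + 1) ~ /^path=/) path = substr($(i + 1), 6)
        else if ($i == "-F" && $(i + 1) ~ /^perm=/) perm = substr($(i + 1), 6)
      }
      sub(/\/$/, "", path)
      if (path != "" && perm == "") perm = "rwxa"
      if (path == want) print perm
    }'
}

# audit_watch_missing RULES: required paths with no rule whose permission
# filter covers both writes (w) and attribute changes (a).
audit_watch_missing() {
  for p in $AUDIT_WATCHES; do
    covered=0
    for perm in $(audit_rule_perms "$1" "$p"); do
      case $perm in *w*a*|*a*w*) covered=1 ;; esac
    done
    [ "$covered" -eq 1 ] || echo "$p"
  done
}

# audit_rules_example: print a rules file that covers AUDIT_WATCHES, e.g.
#   audit_rules_example > /etc/audit/rules.d/50-identity.rules && augenrules --load
audit_rules_example() {
  for p in $AUDIT_WATCHES; do
    case $p in /etc/sudoers*) k=scope ;; *) k=identity ;; esac
    echo "-w $p -p wa -k $k"
  done
}

# audit_enabled_at_boot [CMDLINE]: true if the kernel command line (default
# /proc/cmdline) contains audit=1.
audit_enabled_at_boot() {
  tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'audit=1'
}
```

On a live host, `audit_watch_missing /etc/audit/rules.d` lists what still needs a rule and `audit_enabled_at_boot` reports the boot setting; after installing a rules file with `augenrules --load`, compare `auditctl -l` against the files so that the loaded set and the persistent set do not drift apart.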
Ubuntu: Security Advisory (USN-7498-1)
The remote host is missing an update for the...
Ubuntu: Security Advisory (USN-7485-1)
The remote host is missing an update for the...
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2025-1407)
The remote host is missing an update for the Huawei EulerOS...
Huawei EulerOS: Security Advisory for krb5 (EulerOS-SA-2025-1423)
The remote host is missing an update for the Huawei EulerOS...
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2025-1408)
The remote host is missing an update for the Huawei EulerOS...
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2025-1439)
The remote host is missing an update for the Huawei EulerOS...
Ubuntu: Security Advisory (USN-7492-2)
The remote host is missing an update for the...
openSUSE Security Advisory (SUSE-SU-2025:1450-1)
The remote host is missing an update for the...
SUSE: Security Advisory (SUSE-SU-2025:1451-1)
The remote host is missing an update for the...
Ubuntu: Security Advisory (USN-7497-1)
The remote host is missing an update for the...