Security Hardening Tools
Overview
HCE 2.0 is a Linux distribution for Huawei Cloud users. By default, security hardening is not performed after the ISO is installed.
security-tool is a Huawei-developed security hardening tool package that meets Huawei's basic security hardening requirements. By default, security-tool is not installed with HCE 2.0. You can install security-tool as required. After security-tool is installed, automatic security hardening is performed when the OS is started for the first time. You can also harden your OS by referring to the Huawei Cloud EulerOS 2.0 Security Configuration Baseline if needed.
For details about security hardening, see the security-tool RPM package. The security hardening items are as follows:
- System services: for example, configuring SSH, deleting postfix.service, and enabling haveged.service
- Kernel parameters: for example, kernel network protocol stack
- Accounts and passwords: for example, PAM parameters
- Authorization and authentication: for example, warning banner and umask
- File permissions: for example, cron configuration
Using security-tool
- Install the security-tool package.
If the package exists in the repo source, run the yum command to install it.
yum install -y security-tool
If no, obtain the security-tool package from the repo source on the Huawei Cloud official website.
- Specify the type of the configuration to be hardened in the /etc/hce_security/hce_enhance_type.conf file.
There are three types of configurations: cybersecurity (graded protection hardening), hwsecurity (cloud service hardening), and general (general hardening). general is recommended. general is used as an example in the following steps.
echo general > /etc/hce_security/hce_enhance_type.conf
- Start the hce-security service.
systemctl start hce-security
Run the systemctl status hce-security command to check the service status. If the status is active(exited), the security hardening is successful.
For details about security hardening logs, see /var/log/hce_security.log.
You can modify the /etc/hce_security/usr-security.conf file to configure security hardening items. The method of modifying the configuration file is as follows:
######################################################################## # # HowTo: # # delete key, and difference caused by blankspace/tab on key is ignored # id@d@file@key # # # modify option: find line started with key, and get the value changed # id@m@file@key[@value] # # # modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line # id@M@file@key@key2[@value2] # # # check existence of commands # id@which@command1 [command2 ...] # # # execute command on the files found # id@find@dir@condition@command # # # any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok # id@command@file1 [file2 ...] # # Notes: # 1. The comment line should start with '#' # 2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any. # 3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed. # ########################################################################If you want to harden the security for more items, refer to Huawei Cloud EulerOS 2.0 Security Configuration Baseline or other Huawei Cloud OS security hardening specifications.
Enabling SELinux affects system performance. SELinux is disabled in HCE by default. To enable SELinux, you need to restart the OS for multiple times. SELinux cannot be enabled in one click. For details about how to enable SELinux, see How Do I Enable SELinux on an ECS Running Huawei Cloud EulerOS?
Differences Between general, hwsecurity, and cybersecurity
Check Item Type |
Check Item |
Check Content |
general |
hwsecurity |
cybersecurity |
default |
Initial configuration |
File system configuration |
Partition key system directories for mounting. |
- |
- |
- |
- |
Ensure that unnecessary file systems are disabled. |
- |
- |
- |
- |
||
Ensure that partitions that do not need to be modified are mounted as read-only. |
- |
- |
- |
- |
||
Ensure that partitions that do not need to be mounted with devices are mounted in nodev mode. |
- |
- |
- |
- |
||
Ensure that partitions without executable files are mounted in noexec mode. |
- |
- |
- |
- |
||
Ensure that partitions that do not require SUID/SGID are mounted in nosuid mode. |
- |
- |
- |
- |
||
Avoid using USB storage. |
〇 |
- |
- |
√ |
||
Software service configuration |
Forbid the installation of the X Window System (X11, or simply X). |
- |
- |
- |
√ |
|
Disable the debug-shell service. |
〇 |
- |
- |
√ |
||
Disable the rsync service. |
〇 |
- |
- |
√ |
||
Disable the avahi service. |
〇 |
〇 |
- |
√ |
||
Disable the SNMP service. |
〇 |
〇 |
- |
√ |
||
Disable the squid service. |
〇 |
〇 |
- |
√ |
||
Avoid enabling the samba service. |
〇 |
〇 |
- |
√ |
||
Disable the FTP service. |
〇 |
〇 |
- |
√ |
||
Disable the TFTP service. |
〇 |
〇 |
- |
√ |
||
Disable the DNS service. |
〇 |
- |
- |
√ |
||
Disable the NFS service. |
〇 |
〇 |
- |
√ |
||
Disable the rpcbind service. |
〇 |
〇 |
〇 |
- |
||
Disable the LDAP service. |
〇 |
〇 |
- |
√ |
||
Disable the DHCP service. |
〇 |
〇 |
- |
√ |
||
Do not install the CUPS software. |
- |
- |
- |
√ |
||
Do not install the NIS software. |
- |
- |
- |
√ |
||
Do not install the Telnet software. |
- |
- |
- |
√ |
||
Do not install the NIS client. |
- |
- |
- |
√ |
||
Do not install the LDAP client. |
- |
- |
- |
√ |
||
Do not install debugging tools. |
- |
- |
- |
√ |
||
Do not install development and compilation tools. |
- |
- |
- |
√ |
||
Do not install network sniffing tools. |
- |
- |
- |
√ |
||
Software upgrade configuration |
Ensure that the GNU Privacy Guard (GPG) public key is configured. |
- |
- |
- |
√ |
|
Ensure that gpgcheck is enabled. |
- |
- |
- |
√ |
||
Ensure that the software repository source is configured. |
- |
- |
- |
√ |
||
File integrity check |
Ensure that the Advanced Intrusion Detection Environment (AIDE) is installed. |
- |
- |
- |
- |
|
Set periodic file integrity check. |
- |
- |
- |
- |
||
Common process hardening |
Ensure that address space layout randomization (ASLR) is enabled. |
〇 |
- |
- |
√ |
|
Ensure that core dumps are correctly configured. |
〇 |
- |
- |
√ |
||
Restrict the number of files that can be opened by users. |
- |
- |
- |
- |
||
Ensure that link file protection is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the dmesg access permission is correctly configured. |
〇 |
〇 |
- |
- |
||
Ensure that access to the kernel symbol address is restricted. |
〇 |
〇 |
- |
√ |
||
Restrict the ptrace for processes. |
- |
- |
- |
- |
||
Do not set the global encryption policy to LEGACY. |
- |
- |
- |
√ |
||
System services |
Time synchronization service |
Configure the ntpd service correctly. |
- |
- |
- |
- |
Configure the chronyd service correctly. |
- |
- |
- |
√ |
||
Cron service |
Ensure that the cron service is running normally. |
〇 |
- |
- |
√ |
|
Ensure that the cron configuration permission is correct. |
〇 |
〇 |
- |
- |
||
Secure Shell (SSH) service |
Ensure that the /etc/ssh/sshd_config permission is correctly configured. |
〇 |
〇 |
- |
√ |
|
Ensure that the permission on the SSH private key file is correctly configured. |
〇 |
〇 |
〇 |
- |
||
Ensure that the permission on the SSH public key file is correctly configured. |
〇 |
〇 |
〇 |
- |
||
Ensure that IgnoreRhosts is enabled. |
〇 |
- |
- |
√ |
||
Configure the authentication blacklist and whitelist correctly. |
- |
- |
- |
- |
||
Ensure that Privileged Access Management (PAM) authentication is enabled for SSH. |
〇 |
- |
- |
√ |
||
Forbid login as user root. |
- |
- |
〇 |
- |
||
Forbid login using an empty password. |
〇 |
- |
- |
√ |
||
Forbid host-based authentication. |
〇 |
- |
- |
√ |
||
Ensure that the warning banner file path is configured. |
〇 |
〇 |
- |
- |
||
Ensure that the SSH log level is correctly configured. |
〇 |
〇 |
- |
√ |
||
Configure the listening IP address of the SSH service. |
- |
- |
- |
- |
||
Configure an appropriate number of concurrent unauthenticated SSH connections. |
〇 |
- |
- |
- |
||
Forbid X11 forwarding. |
〇 |
〇 |
- |
- |
||
Set the value of SSH MaxSessions less than or equal to 10. |
〇 |
- |
- |
√ |
||
Ensure that MaxAuthTries is correctly configured. |
〇 |
- |
- |
- |
||
Forbid PermitUserEnvironment. |
〇 |
- |
- |
√ |
||
Set the value of LoginGraceTime less than or equal to 60 seconds. |
〇 |
〇 |
- |
- |
||
Ensure that the idle timeout is configured. |
〇 |
〇 |
- |
- |
||
Forbid AllowTcpForwarding. |
〇 |
〇 |
- |
- |
||
Ensure that strong SSH key exchange algorithms (KexAlgorithms) are configured. |
〇 |
〇 |
- |
√ |
||
Ensure that strong SSH message authentication codes (MACs) are configured. |
〇 |
〇 |
- |
√ |
||
Ensure that strong SSH Ciphers are configured. |
〇 |
〇 |
- |
√ |
||
Do not configure the options that will be discarded by SSH. |
〇 |
- |
- |
√ |
||
Network services |
Unused network protocols and devices |
Avoid using uncommon network services. |
- |
- |
- |
- |
Avoid using WLANs. |
- |
- |
- |
√ |
||
Network protocol stack in the kernel space |
Disable the system from responding to ICMP broadcast packets. |
〇 |
〇 |
- |
√ |
|
Do not receive ICMP redirect messages. |
〇 |
〇 |
- |
- |
||
Do not forward ICMP redirect messages. |
〇 |
- |
- |
√ |
||
Ignore all ICMP requests. |
- |
- |
- |
- |
||
Ensure that forged ICMP packets are ignored. |
〇 |
- |
- |
√ |
||
Ensure that reverse address filtering is enabled. |
〇 |
〇 |
- |
- |
||
Disable IP forwarding. |
〇 |
〇 |
- |
√ |
||
Disable the option of receiving source route packets. |
〇 |
〇 |
- |
- |
||
Ensure that TCP-SYN cookie protection is enabled. |
〇 |
〇 |
- |
√ |
||
Enable logging to record suspicious network packets. |
〇 |
- |
- |
- |
||
Do not enable tcp_timestamps. |
- |
- |
- |
- |
||
Ensure that TIME_WAIT for TCP is configured. |
〇 |
- |
- |
√ |
||
Ensure that the number of queues in the SYN_RECV state is correctly configured |
- |
- |
- |
- |
||
Do not use the ARP proxy. |
- |
- |
- |
√ |
||
Firewall configuration |
firewalld |
Enable the firewalld service. |
- |
- |
- |
√ |
Ensure that iptables is not enabled. |
- |
- |
- |
√ |
||
Ensure that nftables is not enabled. |
- |
- |
- |
√ |
||
Configure valid default zones. |
- |
- |
- |
- |
||
Ensure that the network interfaces are bound to the correct zones. |
- |
- |
- |
- |
||
Avoid enabling unnecessary services and ports. |
- |
- |
- |
- |
||
iptables |
Enable the iptables service. |
- |
- |
- |
- |
|
Ensure that iptables is not enabled. |
- |
- |
- |
- |
||
Ensure that nftables is not enabled. |
- |
- |
- |
√ |
||
Configure the default rejection policy. |
- |
- |
- |
- |
||
Configure the iptables loopback policy. |
- |
- |
- |
- |
||
Configure the iptables INPUT policy. |
- |
- |
- |
- |
||
Configure the iptables OUTPUT policy. |
- |
- |
- |
- |
||
Configure association policies for the iptables INPUT and OUTPUT. |
- |
- |
- |
- |
||
nftables |
Enable the nftables service. |
- |
- |
- |
- |
|
Ensure that iptables is not enabled. |
- |
- |
- |
√ |
||
Ensure that nftables is not enabled. |
- |
- |
- |
- |
||
Configure the default rejection policy. |
- |
- |
- |
- |
||
Configure the nftables loopback policy. |
- |
- |
- |
- |
||
Configure the nftables INPUT policy. |
- |
- |
- |
- |
||
Configure the nftables OUTPUT policy. |
- |
- |
- |
- |
||
Configure association policies for the nftables INPUT and OUTPUT. |
- |
- |
- |
- |
||
Log auditing |
auditd |
Ensure that auditd is enabled. |
〇 |
- |
- |
√ |
Ensure that auditd can be enabled when the system boots. |
- |
- |
- |
- |
||
Ensure that audit_backlog_limit is correctly configured. |
- |
- |
- |
- |
||
Ensure that the maximum size of a single log file is specified. |
- |
- |
- |
√ |
||
Ensuring that ROTATE is enabled for audit logs. |
- |
- |
- |
- |
||
Ensure that audit logs are not automatically deleted. |
- |
- |
- |
√ |
||
Ensure that disk space thresholds are correctly configured. |
- |
- |
- |
√ |
||
Avoid setting a small rate limit threshold for audit logs. |
- |
- |
- |
√ |
||
Configure the sudoers audit rule. |
- |
〇 |
〇 |
- |
||
Configure a login audit rule. |
- |
- |
- |
√ |
||
Configure a session audit rule. |
- |
- |
- |
√ |
||
Configure an audit rule for time change. |
- |
〇 |
〇 |
- |
||
Configure an SELinux audit rule. |
- |
- |
- |
- |
||
Configure an audit rule for the network environment. |
- |
- |
〇 |
- |
||
Configure an audit rule for file access control permissions. |
- |
- |
- |
- |
||
Configure an audit rule for file access failures. |
- |
- |
- |
- |
||
Configure an audit rule for file deletions. |
- |
- |
- |
- |
||
Configure an audit rule for account information modifications. |
- |
〇 |
〇 |
- |
||
Configure an audit rule for file system mounting. |
- |
- |
- |
- |
||
Configure the audit rule for privilege escalation commands. |
- |
- |
- |
- |
||
Ensure that the audit rule for kernel module changes. |
- |
- |
- |
√ |
||
Configure an audit rule for sudo log file modifications. |
- |
- |
- |
- |
||
rsyslog |
Ensure that the rsyslog service is enabled. |
〇 |
〇 |
〇 |
- |
|
Ensure that system authentication-related events are recorded. |
- |
- |
- |
√ |
||
Ensure that cron logs are recorded. |
〇 |
- |
- |
√ |
||
Configure the log records of each service correctly. |
- |
- |
- |
√ |
||
Configure the default rsyslog file permission correctly. |
〇 |
〇 |
〇 |
- |
||
Configure a rotation policy for rsyslog. |
- |
- |
- |
- |
||
Configure the option of sending logs to a remote log server. |
- |
- |
- |
- |
||
Ensure that remote rsyslog messages are received only on the specified log host. |
- |
- |
- |
- |
||
Ensure that the option of dumping journald logs of the rsyslog service has been configured. |
- |
- |
- |
- |
||
Account and password management |
Account management |
Forbid login capabilities for accounts that are not used for login. |
- |
- |
- |
- |
Forbid unused accounts. |
- |
- |
- |
- |
||
Set the account validity period correctly. |
- |
- |
- |
- |
||
Forbid non-root accounts with UID 0. |
- |
- |
- |
√ |
||
Ensure that the UIDs are unique. |
- |
- |
- |
√ |
||
Ensure that the GIDs are unique. |
- |
- |
- |
√ |
||
Ensure that the account names are unique. |
- |
- |
- |
√ |
||
Ensure that the group names are unique. |
- |
- |
- |
√ |
||
Ensure that all groups exist in /etc/passwd. |
- |
- |
- |
√ |
||
Ensure that an account has its own home directory. |
- |
- |
- |
√ |
||
Ensure that the permissions on the home directory of the account are 750 or stricter. |
- |
- |
- |
√ |
||
Avoid the .forward file in the home directory. |
- |
- |
- |
√ |
||
Avoid the .netrc file in the home directory. |
- |
- |
- |
√ |
||
Ensure that the user PATH variable is strictly defined. |
- |
- |
- |
√ |
||
Password management |
Ensure the password complexity. |
〇 |
〇 |
〇 |
- |
|
Restrict the number of reusing a historical password. |
〇 |
〇 |
〇 |
- |
||
Ensure that passwords do not contain the account character strings. |
- |
- |
- |
√ |
||
Ensure that passwords are encrypted using SHA512. |
〇 |
〇 |
〇 |
- |
||
Ensure that the password expiration time is correctly configured. |
〇 |
〇 |
〇 |
- |
||
Ensure that the password expiration alarm time is correctly configured. |
〇 |
〇 |
- |
√ |
||
Ensure that the password change period is correctly configured. |
〇 |
〇 |
〇 |
- |
||
Ensure that inactive passwords are locked for no more than 30 days. |
〇 |
- |
- |
√ |
||
Ensure that the password protection is configured for GRUB. |
- |
- |
- |
√ |
||
Ensure that password protection is configured in the single-user mode. |
- |
- |
- |
√ |
||
Identity authentication |
Lock an account after a specific number of login failures. |
〇 |
〇 |
〇 |
- |
|
Prevent user root from accessing the system locally. |
- |
- |
- |
- |
||
Ensure that the timeout duration of sessions is correctly configured. |
〇 |
〇 |
〇 |
- |
||
Warning banners |
Ensure that the local login warning banner contains proper information. |
〇 |
〇 |
- |
- |
|
Ensure that the remote login warning banner contains proper information. |
〇 |
〇 |
- |
- |
||
Ensure that the motd file contains proper information. |
〇 |
〇 |
- |
- |
||
Ensure that the /etc/issue permission is correctly configured. |
〇 |
〇 |
- |
√ |
||
Ensure that the /etc/issue.net permission is correctly configured. |
〇 |
〇 |
- |
√ |
||
Ensure that the /etc/motd permission is correctly configured. |
〇 |
〇 |
- |
√ |
||
Access control |
SELinux |
Ensure that the enforce mode is enabled. |
- |
- |
- |
√ |
Ensure that the SELinux policy is correctly configured. |
- |
- |
- |
√ |
||
Avoid the services with the unconfined_service_t label. |
- |
- |
- |
- |
||
Ensure that the SETroubleShoot service is not installed. |
- |
- |
- |
√ |
||
Ensure that the Mount Conversion Service (MCS) is not installed. |
- |
- |
- |
√ |
||
Privileged commands |
Ensure that the su command is restricted. |
〇 |
〇 |
〇 |
- |
|
Ensure that the su command inherits the user's environment variables without escalating privileges. |
〇 |
〇 |
〇 |
- |
||
Ensure that common users run privileged programs using sudo. |
- |
- |
- |
- |
||
Ensure that the sudo log file is configured. |
〇 |
- |
- |
- |
||
Disable the SysRq key. |
- |
〇 |
- |
- |
||
System file permissions |
Ensure that the /etc/passwd permission is correctly configured. |
〇 |
- |
- |
√ |
|
Ensure that the /etc/passwd- permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/passwd permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/shadow- permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/group permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/group- permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/gshadow permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the /etc/gshadow- permission is correctly configured. |
〇 |
- |
- |
√ |
||
Ensure that the sticky bit is set for world-writable directories. |
- |
- |
- |
√ |
||
Forbid files or directories without owners or owning groups. |
- |
- |
- |
√ |
||
Avoid using world-writable files. |
- |
- |
- |
√ |
||
Forbid files with invalid links. |
- |
- |
- |
√ |
||
Forbid executable hidden files. |
- |
- |
- |
√ |
||
Ensure that unnecessary SUID or SGID bits in the file are deleted. |
- |
- |
- |
√ |
||
Ensure that umask is 027 or stricter. |
〇 |
〇 |
〇 |
- |
- The symbol √ indicates that the requirement is met by default.
- The symbol 〇 indicates that the item is executed.
- The symbol - indicates that the item is not executed.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
