eSight V300R009C00 Local HA System Software Installation Guide (SUSE Linux + MySQL + OMMHA) 10

Hardening the SUSE Operating System Manually

Some items in the SUSE Linux operating system cannot be hardened through the SetSuSE tool and must be manually hardened.

Procedure

  1. Run the following commands to stop eSight:

    1. Use the PuTTY tool to log in to the standby eSight server as the ossuser user.
    2. Run the following command to stop the eSight system:

      > cd /opt/ommha/ha/bin

      > ./stop.sh

      The following information indicates that the standby eSight server is stopped successfully:

      stop HA successfully.
    3. Use the PuTTY tool to log in to the active eSight server as the ossuser user.
    4. Run the following command to stop the eSight system:

      > cd /opt/ommha/ha/bin

      > ./stop.sh

      The following information indicates that the active eSight server is stopped successfully:

      stop HA successfully.

  2. Use the PuTTY tool to log in to the active eSight server as the ossuser user.
  3. Switch to the root user.

    > su - root

  4. Delete the user groups created when the operating system is installed.

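    1. Query the user groups that no account uses as its primary group. The command checks only the primary GID in /etc/passwd and filters out the group names listed in the egrep pattern.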

      # awk -F: '{ strCmd = "awk -F: \x27$4=="$3" {print}\x27 /etc/passwd"; strRtn = ""; strCmd | getline strRtn; if (strRtn == "") print $1 }' /etc/group | egrep -v 'sys|dba|dialout|tty|video|sfcb|shadow|wheel'

    2. Determine whether to retain each listed user group. If a user group is not required, run the following command to delete it:

      # groupdel Group name

  5. Check and lock accounts with empty passwords.

    1. Check whether accounts have empty passwords.

      # awk -F: '(!$2) {print}' /etc/shadow 2>/dev/null

    2. If an account with an empty password exists, change the password or lock the account.

      Changing the password:

      # passwd Account name

      Locking the account:

      # passwd -l Account name

      NOTE:

      To unlock the account, run the following command:

      # passwd -u Account name

  6. Modify the login shell of the nobody user.

    # vi /etc/passwd

    1. Press i to enter the editing mode.
    2. Modify nobody:x:65534:65533:nobody:/var/lib/nobody:/sbin/nologin to nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false.
    3. Press Esc to exit the input mode.
    4. Run the :wq command to save and exit the /etc/passwd file.

  7. Optional: Set the validity period of passwords for non-root users.

    By default, the password validity period of the ossuser and oracle users is 9999 days. Using the ossuser user as an example, run the following command to set the validity period of the user's password to 180 days:

    # chage -M 180 ossuser

    You are advised to periodically change user passwords.

    If the validity periods are not modified for the passwords of the ossuser and oracle users before the passwords expire, you must log in to the SUSE operating system as the root user and change the passwords of the ossuser and oracle users.

  8. Use the PuTTY tool to log in to the standby eSight server as the ossuser user. Repeat steps 2 to 7 to harden the SUSE Linux operating system on the standby server.
  9. Run the following commands to start eSight:

    1. Use the PuTTY tool to log in to the active eSight server as the ossuser user.
    2. Run the following command to start the eSight system:

      > cd /opt/ommha/ha/bin

      > ./start.sh

      The following information indicates that the operation is performed successfully:

      start HA successfully.
    3. Use the PuTTY tool to log in to the standby eSight server as the ossuser user.
    4. Run the following command to start the eSight system:

      > cd /opt/ommha/ha/bin

      > ./start.sh

      The following information indicates that the operation is performed successfully:

      start HA successfully.
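
The result of steps 4 to 7 can be confirmed on each server with a read-only check. The script below is an added example, not part of the Huawei guide: the function names and the sample files are constructed for illustration, and 180 days is the example value from step 7.

```shell
#!/bin/sh
# Added example: read-only audit of the items hardened in steps 4 to 7.
# File paths are parameters so the checks can be tried on the sample below first.

# Step 4: groups that no account uses as primary group (same exclusions as the guide).
unused_groups() {  # $1 = passwd file, $2 = group file
    awk -F: 'NR == FNR { primary[$4] = 1; next }
        !($3 in primary) && $1 !~ /sys|dba|dialout|tty|video|sfcb|shadow|wheel/ { print $1 }' "$1" "$2"
}

# Step 5: accounts whose password field in the shadow file is empty.
empty_password_accounts() {  # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Step 6: login shell of an account (field 7 of the passwd file).
login_shell() {  # $1 = passwd file, $2 = account
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Step 7: maximum password age in days (field 5 of the shadow file).
max_password_age() {  # $1 = shadow file, $2 = account
    awk -F: -v u="$2" '$1 == u { print $5 }' "$1"
}

# Print one line per finding; return 1 if anything still needs attention.
audit() {  # $1 = passwd, $2 = group, $3 = shadow, $4 = expected max age (default 180)
    findings=0
    for g in $(unused_groups "$1" "$2"); do echo "unused group: $g"; findings=1; done
    for a in $(empty_password_accounts "$3"); do echo "empty password: $a"; findings=1; done
    [ "$(login_shell "$1" nobody)" = "/bin/false" ] || { echo "nobody shell is not /bin/false"; findings=1; }
    [ "$(max_password_age "$3" ossuser)" = "${4:-180}" ] || { echo "ossuser max age is not ${4:-180}"; findings=1; }
    return "$findings"
}

# Constructed sample files (not from a real server), written to directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nobody:x:65534:65533:nobody:/var/lib/nobody:/sbin/nologin' \
        'ossuser:x:1000:100:oss:/home/ossuser:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'nobody:x:65533:' 'games:x:40:' 'tty:x:5:' > "$1/group"
    printf '%s\n' 'root:$6$constructed:18000:0:99999:7:::' 'nobody:*:18000::::::' \
        'ossuser::18000:0:9999:7:::' > "$1/shadow"
}

# Demo on the sample; on a server run as root: audit /etc/passwd /etc/group /etc/shadow
d=$(mktemp -d) && make_sample "$d"
audit "$d/passwd" "$d/group" "$d/shadow" || echo "findings present"
rm -rf "$d"
```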

Updated: 2019-09-02

Document ID: EDOC1100011856
