No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

eSight V300R009C00 Single-Node System Software Installation Guide (SUSE Linux) 09

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Hardening the SUSE Linux Operating System

Hardening the SUSE Linux Operating System

This topic describes how to harden the security of the SUSE Linux operating system.

Installing SetSuSE

The tool SetSuSE can be used to harden the SuSE Linux operating system. This section describes the detailed procedure of installing SetSuSE.

Prerequisites
Context

SetSuSE is an security hardening tool for the SUSE Linux operating system. The tool supports the following operations to check and improve security of the SUSE Linux operating system.

  • Audit logs.
  • Implement minimum authorization.
  • Add alarm identifiers.
  • Harden built-in services of the system.
  • Adjust the system kernel parameters.
  • Strictly control access to the system.
  • Control read and write operations to the system files.
  • Properly design the disk partitioning before operating system installation.
  • Clear restricted accounts in the system and check password complexity.
Procedure
  1. Log in to the SUSE Linux operating system as user root.

    Right-click on the desktop of the operating system and choose Open Terminal from the shortcut menu

  2. Decompress the SetSuSE software package.

    NOTE:

    Assume that the SetSuSE installation package is stored in /opt/setsuse.

    # cd /opt/setsuse

    # unzip eSight_V300R009C00SPC200_ReinforcementTools_For_SUSE12_SP2.zip

    # tar -xvf SecureCATV200R001C20SetSuSE12.tar.gz

  3. Install SetSuSE.

    # cd /opt/setsuse/SecureCATV200R001C20SetSuSE

    # sh install.sh -p /opt -if /opt/setsuse/ESIGHT_SUSE12.tar

    NOTE:
    • -p /opt: specifies the installation directory of the tool.
    • -if /opt/setsuse/ESIGHT_SUSE12.tar: imports the security hardening policy file.
    Installation in progress, please wait ... 
     
    Importing configuration file successful 
    /opt/setsuse/ESIGHT_SUSE12.tar 
     
    Installation completed successfully 
    Note: 
    SEK installation log file path :  
    < /var/log/SEKInstall.log > 
    SEK installation path :  
    < /opt > 
    SEK tool was run after installation, please refer the application log for details 
    SEK version :     

  4. Delete the installation package and temporary files from the server after the SetSuSE is installed.

    # rm -rf /opt/setsuse

Hardening the SUSE Linux Using the SetSuSE

This section describes methods to perform security hardening on the SUSE Linux operating system.

Prerequisites
Context

When you use the security tool to harden a device, you cannot perform other operations on the device.

Procedure
  1. Run the following commands to start SetSuSE.

    # cd /opt

    # sekgui

  2. Optional: SetSuSE automatically backs up system data when it is started for the first time.

    NOTE:

    If some services on the eSight server are not started, a dialog box may be displayed during the backup process, indicating that data backup fails.

  3. Choose Policy > Execute All Selected from the main menu.

  4. Click Yes in the dialog box that is displayed.

  5. Click Yes in the dialog box that is displayed.

  6. Confirm the hardening result in the dialog box that is displayed.

  7. Restart the operating system to make the policies take effect.

    The following changes occur after policies take effect:

    • The user root can only log in to the operating system locally.
    • The user ossuser can log in to the operating system remotely through SSH.

    If you need to perform operations as the root user during remote login, log in as the ossuser user and switch to the root user.

Hardening the SUSE Operating System Manually

After hardening the SUSE operating system using the SetSuSE, you need to perform manually hardening.

Prerequisites

Ensure that the eSight service is stopped. For details, see Stopping the eSight Service.

Context

The hardening is invalid for existing sessions. After the hardening, quit all the sessions and connect them again.

Procedure
  1. Log in to the server as the ossuser user.
  2. Switch to the root user.

    > su - root

  3. Delete the user groups created when the operating system is installed.

    1. Query the user group of the operating system.

      # awk -F: '{ strCmd = "awk -F: \x27$4=="$3" {print}\x27 /etc/passwd"; strRtn = ""; strCmd | getline strRtn; if (strRtn == "") print $1 }' /etc/group | egrep -v 'sys|dba|dialout|tty|video|sfcb|shadow|wheel'

    2. Determine whether to retain the user group. If the user group is not required, run the following command to delete it:

      # groupdel user name

  4. Check and lock accounts with empty passwords.

    1. Check whether accounts have empty passwords.

      # awk -F: '(!$2) {print}' /etc/shadow 2>/null

    2. If an account with an empty password exists, change the password or lock the account.

      Changing the password:

      # passwd Account name

      Locking an account

      # passwd -l Account name

    NOTE:

    To unlock the account, run the following command:

    # passwd -u Account name

  5. Modify the bash information of the nobody user.

    # vi /etc/passwd

    1. Press i to enter the editing mode.
    2. Modify nobody:x:65534:65533:nobody:/var/lib/nobody:/sbin/nologin to nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false.
    3. Press Esc to exit the input mode.
    4. Run the :wq command to save and exit the /etc/passwd file.

  6. Optional: Set the validity period of passwords for non-root users.

    By default, the validity period of the ossuser and oracle users is 9999 days. Using the ossuser user as an example, run the following command to set the validity period of the user's password to 180 days:

    You are advised to periodically change user passwords.

    After hardening, the root user is forbidden to remotely log in to the SUSE operating system. If the validity periods are not modified for passwords of the ossuser and oracle users before the passwords expire, you cannot log in to the system as the ossuser and oracle user after the passwords expire. In this case, you must log in to the SUSE operating system as a valid user, switch to the root user, and change the passwords of the ossuser and oracle users.

    # chage -M 180 ossuser

Download
Updated: 2019-05-17

Document ID: EDOC1100011860

Views: 92369

Downloads: 138

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next