CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Security Maintenance for the Linux Operating System

The administrator should assign one maintenance account to each maintenance engineer, add maintenance accounts to the maintenance group, assign maintenance rights that correspond to each person's responsibilities, and periodically audit the maintenance personnel information.

Creating a Maintenance Account

Create a maintenance account sysman and add the account to the maintenance group admin.

  1. Log in to the system as the root user.
  2. Create the user group admin.

    groupadd admin

  3. Create an account sysman.

    useradd -g admin -m -d /home/sysman -s /bin/bash sysman

    This command creates a user named sysman who belongs to the admin group. The user's home directory is /home/sysman.
    The parameters are as follows:
    • -g: Designate admin as the group of the maintenance account.
    • -m: Create the designated home directory /home/sysman if the user does not have a home directory. If the user already has one, this parameter has no effect.
    • -d: Specify the home directory for the user.
    • -s: Specify the shell type for the user.
  4. Set a password for the sysman user.

    passwd sysman

    If the following information is displayed, the password is set successfully:

    Changing password for sysman.

Deleting an Account

Delete the temporarily created maintenance account after use.

  1. Log in to the system as the root user.
  2. Delete the sysman user.

    userdel sysman

    no crontab for sysman

    Delete the home directory of the account if required.

    userdel sysman -r

    If the following information is displayed, the user and the associated home directory are deleted successfully:

    no crontab for sysman

Locking an Account

If an account is not in use temporarily, lock the account. Unlock it when necessary.

  1. Log in to the system as the root user.
  2. Lock the sysman user.

    passwd -l sysman

    If the following information is displayed, the user is locked successfully:

    Password changed.

Unlocking an Account

Unlock a maintenance account if you want to use the account again.

  1. Log in to the system as the root user.
  2. Unlock the sysman user.

    passwd -u sysman

    If the following information is displayed, the user is unlocked successfully:

    Password changed.

Changing the Login Password

Change your password periodically to ensure account security. Change the login password every 90 days. Passwords must meet complexity requirements and conform to the password policy for security maintenance.

  1. Log in to the USM-EUA server as the OMUSER user.
  2. Change the login password for a user, for example, euauser.

    su - euauser

    passwd euauser

    Enter a new password for the euauser user. The password must meet complexity requirements.

    If the following information is displayed, enter the New password and the Retype new password:

    Changing password for euauser. 
    Old password:
    New password:
    Reenter new password:

Setting the Password Validity Period

To set the password validity period, perform the following steps:

  1. Log in to the EUA server as the root user.
  2. Set the password validity period of the sysman user to 90 days and set the number of days in advance that the user is notified of password expiration to 7.

    passwd -x 90 -w 7 sysman

    The system displays the following information, indicating that the password validity period is successfully set:

    Password expiry information changed.

Monitoring and Auditing Accounts

Regularly check the validity period of maintenance accounts. Update the password promptly based on requirements. The passwords are updated every 91 days.

  1. Log in to the system as the root user.
  2. Query the password validity period of the accounts.

    • Query the password validity period of all accounts.

      passwd -a -S

      Query result format:

      name status mm/dd/yy min max warn
      The parameters are as follows:
      • status: PS = passworded, LK = locked, NP = no password
      • min: minimum number of days before changing a password
      • max: maximum number of days in keeping a password
      • warn: number of days before expiration when users are requested to change the account password
    • Query the password validity period of the sysman user.

      passwd -S sysman

    If any accounts have no password, set one immediately.
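
The audit step above can be scripted. The following is an added example, not part of the original document: it reads status lines in the query result format shown above (name status mm/dd/yy min max warn) and reports accounts that have no password or that deviate from the 90-day validity and 7-day warning values used in this document. The function names and the sample accounts other than sysman and euauser are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit `passwd -a -S` style lines against the values used
# in this document (validity 90 days, expiration warning 7 days).
# Field layout as given in the document:
#   name status mm/dd/yy min max warn

MAX_DAYS=90   # matches: passwd -x 90
WARN_DAYS=7   # matches: passwd -w 7

# Reads status lines on stdin and prints one "account: finding" line
# for every deviation. Accounts that comply produce no output.
audit_passwd_status() {
    awk -v max="$MAX_DAYS" -v warn="$WARN_DAYS" '
        NF < 6 { next }   # skip blank or malformed lines
        # NP: the account has no password; nothing else to check.
        $2 == "NP" { print $1 ": no password set"; next }
        # max outside 0..MAX_DAYS (for example 99999 or -1) means the
        # password is not forced to change within the required period.
        $5 < 0 || $5 > max {
            print $1 ": max validity " $5 " violates " max "-day limit"
        }
        # warn below WARN_DAYS gives the user too little notice.
        $6 < warn {
            print $1 ": warning period " $6 " below " warn " days"
        }
    '
}

# Constructed sample input for an offline run (not real system output).
sample_status() {
    cat <<'EOF'
root PS 06/01/19 0 99999 7
sysman PS 07/15/19 0 90 7
euauser PS 07/20/19 0 90 3
tempops NP 07/22/19 0 90 7
oldadmin LK 01/10/19 0 99999 7
EOF
}

# Live use, as root:   passwd -a -S | audit_passwd_status
# Offline demo:        sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_status | audit_passwd_status
fi
```

Locked (LK) accounts are still checked, so a non-compliant validity period is caught before the account is unlocked again.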

Updated: 2019-08-07

Document ID: EDOC1100059091
