Automated Configuration Items
This section describes how to use tools to inspect and harden some openEuler configurations. For details on tool installation and usage, see description about baseline inspection capabilities for openEuler security configurations.
Save the /etc/sysctl.conf file before execution.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
In the reference link, the supported items summarized under Point 3 in "Description" part of the "Tools" section are as follows:
1.1.4 Ensure That the Sticky Bit Is Set for Globally Writable Directories
1.1.5 Ensure That the umask Value Is Correctly Configured
1.1.16 Ensure That Soft and Hard Link Protection Is Correctly Configured
1.2.1 Do Not Install the FTP Client
1.2.2 Do Not Install the TFTP Client
1.2.3 Do Not Install the Telnet Client
1.2.4 Do Not Install Insecure SNMP Versions
1.2.5 Do not install Python 2
1.2.6 Ensure That GPG Verification Is Configured for Yum Repositories
1.2.7 Do Not Start the debug-shell Service
1.2.8 Do Not Install the rsync Service
1.2.9 Do Not Install the Avahi Service
1.2.10 Do Not Install the LDAP Service
1.2.11 Do Not Install the Print Service
1.2.12 Do Not Install the NIS Server
1.2.13 Do Not Install the NIS Client
1.2.14 Do Not Install the LDAP Client
2.1.4 Do Not Allow Non-root Accounts With UID 0
2.1.5 Ensure That Correct Permissions Are Set For Account, Group, And Password Files
2.1.6 Ensure That Each Account Has Its Own Home Directory
2.1.7 Ensure That Groups Specified In The /Etc/passwd File Exist
2.2.1 Ensure That the Password Complexity Is Correctly Set
2.2.2 Do Not Use Historical Passwords
2.2.4 Ensure That Passwords Do Not Contain The Account String
2.2.5 Ensure That Passwords Are Encrypted Using Strong Hash Algorithms
2.2.6 Ensure That The Weak Password Dictionary Is Correctly Configured
2.2.7 Ensure That The Password Validity Period Is Correctly Configured
2.2.8 Do Not Allow Login with Empty Passwords
2.2.10 Ensure That Password Protection Is Configured For Single-User Mode
2.3.2 Ensure That The Session Timeout Period Is Correctly Set
2.3.4 Ensure That The Banner Path Is Correctly Configured
2.4.4 Ensure That Use Of The su Command Is Restricted
2.4.7 Ensure That Regular Users Cannot Use Pkexec To Escalate Privileges To Root
2.4.8 Ensure That The su Command Inherits User Environment Variables Without Escalating Privileges
3.3.1 Ensure That The SSH Service Version Is Correctly Configured
3.3.2 Ensure That The SSH Service Authentication Mode Is Correctly Configured
3.3.3 Ensure That The SSH Key Exchange Algorithms Are Correctly Configured
3.3.4 Ensure That The User Authentication Key Algorithm Is Correctly Configured
3.3.5 Enable PAM Authentication
3.3.6 Ensure That MACs Algorithm Is Correctly Configured For The Ssh Service
3.3.7 Ensure That The Cryptographic Algorithm Is Correctly Configured For the SSH Service
3.3.8 Do Not Configure the Encryption Algorithm Overwriting Policy for the SSH Service
3.3.14 Do Not Use X11 Forwarding
3.3.16 Do Not Use PermitUserEnvironment
3.3.20 Do Not Configure Deprecated Options for the SSH Service
3.3.21 Ensure That TCP Forwarding Is Disabled for the SSH Service
3.4.2 Ensure That the cron Daemon Is Enabled
3.4.3 Ensure That at and cron Are Correctly Configured
3.5.1 Ensure That Kernel ASLR is Enabled
3.5.2 Ensure That the dmesg Access Permission Is Correctly Configured
3.5.3 Ensure That the Kernel Parameter kptr_restrict Is Correctly Configured
3.5.4 Ensure That Kernel SMAP Is Enabled
3.5.5 Ensure That Kernel SMEP Is Enabled
3.5.6 Do Not Allow the System to Respond to ICMP Broadcast Packets
3.5.7 Do Not Receive ICMP Redirect Messages
3.5.8 Do Not Forward ICMP Redirect Messages
3.5.10 Ensure That Forged ICMP Packets are Discarded and No Log is Recorded
3.5.11 Ensure That Reverse Path Filtering Is Enabled
3.5.12 Do Not Allow IP Forwarding
3.5.13 Do Not Allow Source Packet Routing
3.5.14 Ensure That TCP-SYN Cookie Protection Is Enabled
3.5.15 Log Spoofing, Source Routing, And Redirect Packets
3.5.16 Avoid Enabling tcp_timestamps
3.5.17 Ensure That TIME_WAIT for TCP is Configured
3.5.18 Configure a Proper SYN_RECV Queue Size
3.5.19 Do Not Use Proxy ARP
3.5.21 Do Not Use SysRq
4.1.1 Ensure That auditd Is Enabled
4.1.2 Ensure That Rotation Is Enabled for Audit Logs
4.1.11 Ensure That the Log Size Limit Is Correctly Configured
4.2.1 Ensure That the rsyslog Service Is Enabled
4.2.2 Ensure That System Authentication Event Logs Are Recorded
4.2.3 Ensure That cron Service Logs Are Recorded
4.2.6 Ensure That journald Log Forwarding to rsyslog is Configured
To establish a remote connection to the openclaw WebSocket inside the cVM of the appliance, you need to use iptables or SSH tunneling. Therefore, configurations in the automated script that disable IP forwarding can be restored using the previously backed up /etc/sysctl.conf.bak file.