Device Security Hardening

Security hardening covers both host hardening and container hardening; its purpose is to reduce the attack surface of the device and of the containers running on it. Apply the following measures according to your actual situation.

  • Disable remote login of the root user.

    Set PermitRootLogin to no in /etc/ssh/sshd_config and restart the sshd service for the change to take effect. Note that sshd uses the first uncommented PermitRootLogin directive it reads and ignores later ones, so make sure no earlier line still sets it to yes or prohibit-password (the default when the directive is absent, which still allows key-based root logins).

  • Use the built-in address space layout randomization (ASLR) function of Linux to enhance the vulnerability attack defense capability.

    Write 2 to /proc/sys/kernel/randomize_va_space (2 randomizes the stack, mmap base, VDSO and heap; 1 leaves the heap unrandomized; 0 disables ASLR). This takes effect immediately but does not survive a reboot. To make it persistent, add kernel.randomize_va_space = 2 to /etc/sysctl.conf or to a file in /etc/sysctl.d/.

  • Use the targetpw option of sudo (Defaults targetpw) so that sudo prompts by default for the password of the target user (normally root) instead of the invoking user's own password. Without it, any user who has been granted a sudo rule can run system commands as root after entering only their own password (or no password at all if the rule carries NOPASSWD). This option is not set by default; you are advised to add it.

    Run the grep -E "^[^#]*Defaults[[:space:]]+(targetpw|rootpw)" /etc/sudoers command to check whether a Defaults targetpw or Defaults rootpw entry exists. If it does not, add Defaults targetpw below the "# Defaults specification" comment in /etc/sudoers. Edit the file with visudo, which checks the syntax before saving; a syntax error in /etc/sudoers locks every user out of sudo.

  • Prevent common users or groups from escalating to root by being allowed to run all commands through sudo.

    Run the cat /etc/sudoers command and look for rules that grant (ALL) ALL or (ALL:ALL) ALL to any user or group other than the root ALL=(ALL:ALL) ALL and root ALL=(ALL) ALL entries. If /etc/sudoers includes the /etc/sudoers.d directory (the common #includedir /etc/sudoers.d line), check the files there as well. For example, if user ALL=(ALL) ALL, %admin ALL=(ALL) ALL, or %sudo ALL=(ALL:ALL) ALL exists, decide based on actual service requirements whether to delete it. A rule of the form user ALL=(ALL) NOPASSWD: ALL is equally unrestricted and should be reviewed in the same way.

  • To generate secure random numbers, ensure that the operating system supports the getrandom system call. It is available since Linux 3.17 and is supported by default on current distributions; the glibc wrapper function getrandom() additionally requires glibc 2.25 or later.
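
The following audit script is an added example for the host-hardening items above; it is not part of the original page or of any product's own tooling. Each check takes the file it inspects as an argument, so it can be run against the live system paths or against constructed test files. The --live flag, the function names, the sample configuration files written by the demo function and the REVIEW output format are all assumptions of this example.

```sh
#!/bin/sh
# Audit of the hardening items above (added example, not the page's own code).
# Every check takes the file to inspect as $1 so it works on the live system
# or on constructed test files. Hypothetical usage: sh audit.sh --live

# 1. Remote root login. sshd honours the FIRST non-comment PermitRootLogin it
#    reads and ignores later duplicates. A missing directive means the default
#    (prohibit-password), which still allows key-based root logins, so absence
#    is reported as a failure. Files pulled in by Include are not followed.
check_permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# 2. ASLR: /proc/sys/kernel/randomize_va_space must read 2 (stack, mmap, VDSO
#    and heap randomised). 1 leaves the heap unrandomised, 0 disables ASLR.
check_aslr() {
    val=$(cat "$1" 2>/dev/null | tr -d '[:space:]')
    [ "$val" = "2" ]
}

# 3. sudo must ask for the target user's (root's) password, not the caller's.
#    Same pattern as the page's check, also accepting the equivalent rootpw.
check_sudo_targetpw() {
    grep -Eq '^[^#]*Defaults[[:space:]]+(targetpw|rootpw)' "$1"
}

# 4. Print every rule granting "(ALL) ALL" or "(ALL:ALL) ALL" to a principal
#    other than root, including NOPASSWD:/SETENV: variants that a visual scan
#    for "(ALL) ALL" would miss. Comments, blank lines and Defaults are skipped.
sudo_unrestricted_rules() {
    awk '
        /^[[:space:]]*(#|$)/              { next }   # comments and blank lines
        $1 ~ /^Defaults/ || $1 == "root"  { next }   # options and the root rule
        /\(ALL(:ALL)?\)[[:space:]]+([A-Z]+:[[:space:]]*)*ALL([[:space:],]|$)/ { print }
    ' "$1"
}

# 5. getrandom(2) exists since Linux 3.17. The glibc wrapper additionally needs
#    glibc >= 2.25, which this kernel-version check does not cover.
#    usage: kernel_at_least "$(uname -r)" MAJOR MINOR
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}     # drop suffixes such as "17-rc1" -> "17"
    if [ "$major" -gt "$2" ]; then return 0; fi
    if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
    return 1
}

# Run a check and print a one-line verdict without aborting under set -e.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

# Audit the real system paths (needs root to read /etc/sudoers).
run_audit() {
    report check_permit_root_login /etc/ssh/sshd_config
    report check_aslr /proc/sys/kernel/randomize_va_space
    report check_sudo_targetpw /etc/sudoers
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$f" ] && sudo_unrestricted_rules "$f" | sed "s|^|REVIEW ($f): |"
    done
    report kernel_at_least "$(uname -r)" 3 17
}

# Offline demonstration on constructed sample files (not real system data).
demo() {
    d=$(mktemp -d)
    printf '# hardened\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '2\n' > "$d/randomize_va_space"
    printf 'Defaults targetpw\nroot ALL=(ALL:ALL) ALL\n%%admin ALL=(ALL) ALL\nbob ALL=(ALL) NOPASSWD: ALL\nalice ALL=(root) /usr/bin/systemctl restart nginx\n' > "$d/sudoers"
    report check_permit_root_login "$d/sshd_config"
    report check_aslr "$d/randomize_va_space"
    report check_sudo_targetpw "$d/sudoers"
    sudo_unrestricted_rules "$d/sudoers" | sed 's/^/REVIEW: /'   # flags %admin and bob
    report kernel_at_least 5.10.0-8-amd64 3 17
    rm -rf "$d"
}

case "${1:-}" in --live) run_audit ;; *) demo ;; esac
```

The sudoers scan deliberately reports rather than deletes: whether %admin or %sudo may keep unrestricted rights is a service decision, as the page says, and any edit should go through visudo so a syntax error cannot lock sudo for everyone.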