Device Security Hardening

  • Disable remote login of the root user.

    Method: set PermitRootLogin in the /etc/ssh/sshd_config file to no.

  • Use the built-in address space layout randomization (ASLR) function of Linux to make the exploitation of memory-safety vulnerabilities harder.

    Method: write 2 to the /proc/sys/kernel/randomize_va_space file.

  • Use the targetpw option of sudo so that, by default, sudo prompts for the password of the target user (root) rather than the password of the invoking user. This prevents a user who has been granted a sudo rule from running system commands as root without entering the root password. The option is not set by default; you are advised to add it.

    Run the cat /etc/sudoers | grep -E "^[^#]*Defaults[[:space:]]+targetpw" command to check whether the Defaults targetpw or Defaults rootpw configuration item exists. If the item does not exist, add it under the # Defaults specification section of the /etc/sudoers file (edit the file with visudo so that a syntax error cannot lock sudo out).

  • Prevent ordinary users or groups from escalating privileges to root through sudo rules that allow all commands.

    Run the cat /etc/sudoers command and check whether the file contains (ALL) ALL or (ALL:ALL) ALL rules for any user or group other than root, that is, rules other than root ALL=(ALL:ALL) ALL and root ALL=(ALL) ALL. If such users or groups exist, decide based on the actual service scenario whether they are required. If they are not required, delete the rules, for example user ALL=(ALL) ALL, %admin ALL=(ALL) ALL, or %sudo ALL=(ALL:ALL) ALL.

  • To generate secure random numbers, ensure that the operating system supports the getrandom system call (supported by default on current kernels).
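The five items above can be audited with one script. The following is an added example, not part of the original hardening guide: each check takes a file path or a version string so it can be pointed at the real /etc/ssh/sshd_config, /proc/sys/kernel/randomize_va_space and /etc/sudoers (or at the output of uname -r), and it is exercised here against constructed sample files so it runs offline. It goes slightly beyond the guide's literal checks in two places: sudo rules carrying the NOPASSWD: tag are also reported, and getrandom support is inferred from the kernel release (the syscall was introduced in Linux 3.17). The function names and the sample contents are this example's own.

```shell
#!/bin/sh
# Added audit helper for the hardening checklist (example code, not taken
# from the original guide). Each check returns 0 when the item is hardened.

# PermitRootLogin: sshd uses the first non-comment occurrence of a keyword,
# so only the first match counts. A missing directive is treated as not
# hardened, because the OpenSSH default is not "no".
ssh_root_login_disabled() {
    value=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
            | head -n 1 | awk '{ print tolower($2) }')
    [ "$value" = "no" ]
}

# ASLR: randomize_va_space must contain 2 (stack, mmap base, VDSO and brk).
aslr_full() {
    [ "$(tr -d '[:space:]' < "$1")" = "2" ]
}

# sudo: either "Defaults targetpw" or "Defaults rootpw" makes sudo ask for
# the target user's / root's password instead of the caller's own.
sudo_targetpw_set() {
    grep -Eq '^[^#]*Defaults[[:space:]]+(targetpw|rootpw)' "$1"
}

# sudo: print every rule that grants "(ALL) ALL" or "(ALL:ALL) ALL" to a
# user or group other than root. The optional NOPASSWD: tag is also caught.
sudo_broad_rules() {
    grep -E '^[^#]*\(ALL(:ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL' "$1" \
        | awk '$1 != "root"'
}

# getrandom(2) exists since Linux 3.17; compare a "uname -r" style string.
kernel_has_getrandom() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 17 ]; }
}

# Run every check, report failures on stderr and echo the failure count.
# Arguments: sshd_config, randomize_va_space, sudoers, kernel release string.
count_failures() {
    fails=0
    ssh_root_login_disabled "$1" || { echo "FAIL: PermitRootLogin is not 'no'" >&2; fails=$((fails + 1)); }
    aslr_full "$2"               || { echo "FAIL: randomize_va_space is not 2" >&2; fails=$((fails + 1)); }
    sudo_targetpw_set "$3"       || { echo "FAIL: Defaults targetpw/rootpw missing" >&2; fails=$((fails + 1)); }
    broad=$(sudo_broad_rules "$3")
    [ -z "$broad" ]              || { printf 'FAIL: broad sudo rules:\n%s\n' "$broad" >&2; fails=$((fails + 1)); }
    kernel_has_getrandom "$4"    || { echo "FAIL: kernel older than 3.17, no getrandom(2)" >&2; fails=$((fails + 1)); }
    echo "$fails"
}

# Constructed sample inputs (not taken from any real host).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

printf 'Port 22\nPermitRootLogin no\n' > "$SAMPLES/sshd_config.hardened"
printf '# PermitRootLogin no\nPermitRootLogin yes\n' > "$SAMPLES/sshd_config.weak"
printf '2\n' > "$SAMPLES/aslr.hardened"
printf '0\n' > "$SAMPLES/aslr.weak"

cat > "$SAMPLES/sudoers.hardened" <<'EOF'
Defaults env_reset
Defaults targetpw
root ALL=(ALL:ALL) ALL
EOF

cat > "$SAMPLES/sudoers.weak" <<'EOF'
Defaults env_reset
# Defaults targetpw
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
EOF

echo "hardened sample failures: $(count_failures "$SAMPLES/sshd_config.hardened" "$SAMPLES/aslr.hardened" "$SAMPLES/sudoers.hardened" 5.10.0)"
echo "weak sample failures:     $(count_failures "$SAMPLES/sshd_config.weak" "$SAMPLES/aslr.weak" "$SAMPLES/sudoers.weak" 3.10.0-1160.el7.x86_64)"
```

To audit a live host, call count_failures /etc/ssh/sshd_config /proc/sys/kernel/randomize_va_space /etc/sudoers "$(uname -r)" as root (sudoers is not world-readable). The script only reads; remediation still follows the methods listed above, and sudoers edits should go through visudo.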