Greenbone Adds New Compliance Profiles for Huawei EulerOS

Greenbone is excited to announce new compliance policies for Huawei’s EulerOS and openEuler. These compliance policies are the result of close collaboration with Huawei to provide OPENVAS SCAN users with authenticated checks for over 200 key security controls. By thoroughly vetting security settings, defenders gain high degree security assurances and visibility into the security posture of their EulerOS infrastructure.

Out of the box, Operating Systems (OS) are configured for ease of use and flexibility. By default, operating systems are set up to handle almost any task without post-install adjustment. Many unnecessary kernel modules and services are enabled, and security settings are relaxed. For maximum security, organizations need to harden the default post-installation settings to keep critical data and operations secure. Compliance testing turns configuration guidance into verifiable controls so teams can audit security at scale. By verifying hardened security configurations, defenders gain high security assurances that their IT assets are resilient against cyber attack.

OPENVAS SCAN allows IT security teams to automate policy‑driven audits across their IT infrastructure. Our platform already includes a library of compliance profiles for CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1][2][3][4] and policies based on national guidance for encryption standards.

Now, we’re expanding our compliance auditing and reporting capabilities with new policy profiles for Huawei’s EulerOS family. These new offerings bring policy checks right into OPENVAS SCAN’s vulnerability management workflow. These security hardening controls apply to EulerOS, OpenEuler, HCE, and EulerOS Virtualization OSs. Once the policy scans have been executed in OPENVAS SCAN, the results can be viewed as a specialized audit report.

Read on to find out more about how these new compliance profiles help IT security teams harden their security posture against cyber attack.

OPENVAS SCAN Now Includes Compliance Profiles for Huawei EulerOS

Greenbone’s new compliance scans for Huawei EulerOS follow our existing policy deployment model. OPENVAS SCAN’s compliance policies are specialized scan configurations composed of targeted Vulnerability Tests (VTs) that evaluate whether hosts meet defined security requirements. The new compliance policies for EulerOS are distributed to OPENVAS SCAN instances via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED.

The new compliance profile curates families of authenticated security checks specially tailored to EulerOS environments. Authenticated auditing ensures that accurate evidence is collected from each scanned endpoint, providing the highest visibility for security attestation. OPENVAS SCAN also offers customized reporting formats, including an executive compliance report suited for management oversight.

To execute an audit, users can configure remote access for authenticated scans,  select a policy, run the policy scan task, and view an evidence‑rich audit report that shows which controls passed, failed, or require further manual investigation. Policies are managed in OPENVAS SCAN’s Compliance Policies area and executed as vulnerability scans with the same level of control as other scan configurations: alerting, reporting, and scheduling to verify continuous compliance.

What Do the New Huawei EulerOS Compliance Policies Cover?

The new Huawei EulerOS profile’s goal is simple: reduce attack surface by verifying secure settings on every host. The policy scan aggregates over 200 of distinct security checks across Linux networking, services and local configuration. The policy tests resemble the CIS Benchmarks, while aligning with Huawei’s platform specifics requirements. The new EulerOS compliance policies can also be adjusted to support each organization’s internal policy needs.

The new EulerOS compliance policies include:

• Service Hardening: Ensures unnecessary or insecure network services (e.g., DNS, NFS, RPC, SNMP, HTTP, Avahi) are disabled or not installed to reduce the system’s attack surface.
• System Configuration and Kernel Security: Validates secure kernel parameters, sysctl settings, ICMP behavior, address space layout randomization (ASLR), and protection mechanisms like dmesg_restrict.
• Authentication and Access Control: Enforces strong password policies, account lockout rules, sudo configurations, and user access restrictions to prevent unauthorized access.
• File and Directory Permissions: Checks critical system files (e.g., /etc/passwd, /etc/shadow, SSH keys) and directories for proper ownership and secure permissions.
• Password Policy Enforcement: Checks for password complexity, minimum length, expiration period, history count, retry limits, and lockout mechanisms to ensure strong authentication hygiene.
• User Account and Privilege Management: Reviews active user accounts for unused, duplicate, or privileged users; ensures direct root login is disabled and only necessary users have shell access.
• Boot and Initialization Security: Validates GRUB configurations, bootloader protections, secure boot settings, and kernel module restrictions.
• Firewall and Network Traffic Control: Ensures proper iptables/nftables/firewalld configurations for INPUT/OUTPUT policies and default zones to limit unauthorized network communication.
• Package and Software Management: Checks for secure package management practices, disallows installation of unnecessary or insecure software, and confirms that package repositories are configured correctly.
• CVE Discovery and Vulnerability Detection: Identifies known vulnerabilities (CVEs) present on the system by checking installed packages against vulnerability feeds. This helps prioritize remediation of exploitable software flaws based on real-world threat data.
• Logging and Auditing: Verifies audit rules for privileged commands, tracks access to sensitive files, configures rsyslog for remote logging, and ensures audit logs are properly stored and managed.

These security checks are implemented as Vulnerability Tests (VTs), grouped into families, and referenced from the EulerOS policy object. OPENVAS SCAN ships with many other platform‑specific VT families—including Huawei EulerOS Local Security Checks—which are enabled inside of the new policies to collect host‑level evidence of CVE exposure in addition to configuration hardening.

Which Huawei EulerOS Distributions are Covered?

Greenbone’s new compliance profiles are designed for the EulerOS ecosystem including distributions for enterprise and cloud deployments. Delivery is simple: the new Huawei EulerOS compliance profiles are provided via OPENVAS COMMUNITY FEED for Greenbone’s OPENVAS SCAN product. Users receive them with routine feed updates similar to other default policies. This ensures your policy content stays up to date without additional maintenance.

Here is a description  of each EulerOS distribution covered in Greenbone’s new compliance profiles and a brief description of the OS-specific security coverage.

EulerOS (Traditional/Enterprise)

Coverage focuses on EulerOS 2.0 service packs published by Huawei. OPENVAS SCAN maps each compliance test to Huawei’s official EulerOS security advisories portal, the EulerOS Security Configuration Baseline, and EulerOS lifecycle information. This includes service packs SP9 and newer.

EulerOS Virtual (VM Editions)

For data centers that rely on EulerOS Virtual for x86_64 and ARM64 architecture, our new compliance profiles recognize EulerOS Virtual versions—including releases 2.9.x, 2.10.x, 2.11.x, 2.12.x, 2.13.x. They also include checks for virtualization‑specific packages and services accordingly (for example, KVM/QEMU components and their hardening/patch levels).

openEuler (Community)

For organizations that standardize on openEuler LTS, Greenbone consumes the CSAF‑formatted advisories published by the openEuler project and aligns compliance checks using OS version awareness. The openEuler lifecycle and downloads page document the available LTS releases and service packs. The compliance profiles support auditing versions 20.03, 22.03, 24.03 based on openEuler Security Configuration Baseline.

Huawei Cloud EulerOS (HCE)

For Huawei Cloud EulerOS (HCE) 2.0 and HCE 3.0 cloud deployments, our new compliance profiles leverage publicly available advisories to validate HCE package baselines and configuration hardening specific to cloud images and managed repositories—recognizing differences such as package managers and repo layout between.

Summary

Greenbone’s new compliance profiles for EulerOS distributions extend OPENVAS SCAN’s capabilities with policy‑driven audits. The policies can be used to attest the hardened security posture of EulerOS, EulerOS Virtual, openEuler and HCE. Delivered through the OPENVAS COMMUNITY FEED, the audits execute authenticated checks to verify secure baselines for a wide scope of attack surface. The profiles are also complemented with detailed technical and executive reporting for stakeholders. These new tools enhance OPENVAS SCAN as a reliable way to harden Huawei-based Linux fleets at enterprise scale.