diff --git a/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend b/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000000000000000000000000000000000000..39563046086395c1f820ab598fc424d6a835e06a
--- /dev/null
+++ b/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
diff --git a/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend b/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000000000000000000000000000000000000..3f363f069ae0d63d3c04f1c6ee6a9a15cc7f51e4
--- /dev/null
+++ b/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+	# to hardend
+	sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}