Add some instructions relate to specific operations.

README.md

@@ -82,36 +82,42 @@ Use the command to set the hardening level to make the corresponding level audit
 ```
 # bash bin/hardening.sh --set-hardening-level <level>
 ```
-
 Global configuration is in ``etc/hardening.cfg``. This file controls the log level
 as well as the backup directory. Whenever a script is instructed to edit a file, it
 will create a timestamped backup in this directory.
 
-### Run aka "Harden your distro"
+### Run aka "Harden your distro (After the hardened, you must perform the "After remediation" section)
 
 To run the checks and apply the fixes, run ``bin/hardening.sh``.
 
-This command has 2 main operation modes:
-- ``--audit``: Audit your system with all enabled and audit mode scripts
-- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
+This command has 2 main operation modes:    
+- ``--audit``: Audit your system with all enabled and audit mode scripts    
+- ``--apply``: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts    
 
-Additionally, ``--audit-all`` can be used to force running all auditing scripts,
-including disabled ones. this will *not* change the system.
+Additionally, ``--audit-all`` can be used to force running all auditing scripts, including disabled ones. this will *not* change the system.  
 
-``--audit-all-enable-passed`` can be used as a quick way to kickstart your
-configuration. It will run all scripts in audit mode. If a script passes,
-it will automatically be enabled for future runs. Do NOT use this option
-if you have already started to customize your configuration.
+``--audit-all-enable-passed`` can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
 
-## After remediation   
+Use the command to harden your OS:
+```
+# bash bin/hardening.sh --apply 
+```
+
+## After remediation (Very important)
 When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following:
 
-1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations.
+1) When applying 9.5(Restrict Access to the su Command), you must use the root account to log in to the OS because ordinary users cannot perform subsequent operations. 
+If you can only use ssh for remote login, you must use the su command when the normal user logs in. Then do the following:
+```
+# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su 
+```
+Temporarily comment out the line containing pam_wheel.so. After you have finished using the su command, please uncomment the line.
 
 2) When applying 7.4.4_hosts_deny.sh, the OS cannot be connected through the ssh service, so you need to set allow access host list on /etc/hosts.allow, example:
 ```
 # echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
 ```
+This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Need to be configured according to your situation. 
 
 3) Set capabilities for usual user, example(user name is test):
 ```
@@ -119,7 +125,7 @@ When exec --apply and set-hardening-level are set to 5 (the highest level), you
 ```
 
 4) Set basic iptables rules 
-Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux firewall rules: 
+Set the corresponding firewall rules according to the applications used. HardenedLinux community for Debian GNU/Linux basic firewall rules: 
 [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/examples/configurations/etc.iptables.rules.v4.sh)
 to do the following:
 ```