Skip to content
Log In

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...
    Group
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...
    Group
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Samba(SMB) Microsoft Windows File Sharing Server

    When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...
    Group
    Show

  • Postfix relayhost

    Specify the host all outbound email should be routed into.
    Value
    Show

  • Postfix Root Mail Alias

    Specify an email address (string) for a root mail alias.
    Value
    Show

  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
    Show

  • Verify No netrc Files Exist

    The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP serv...
    Rule Medium Severity
    Show

  • Maximum login attempts delay

    Maximum time in seconds between fail login attempts before re-prompting.
    Value
    Show

  • Maximum concurrent login sessions

    Maximum number of concurrent sessions by a user
    Value
    Show

  • Account Inactivity Timeout (seconds)

    In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does...
    Value
    Show

  • Randomize the address of the kernel image (KASLR)

    In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is map...
    Rule Medium Severity
    Show

  • Randomize the kernel memory sections

    Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc &amp; vmemmap). This configuration is available from kernel 4.8, but may be available if backported b...
    Rule Medium Severity
    Show

  • Avoid speculative indirect branches in kernel

    Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern supp...
    Rule Medium Severity
    Show

  • SSH session Idle time

    Specify duration of allowed idle time.
    Value
    Show

  • SSH Max authentication attempts

    Specify the maximum number of authentication attempts per connection.
    Value
    Show

  • SSH Max Sessions Count

    Specify the maximum number of open sessions permitted.
    Value
    Show

  • SSH Max Keep Alive Count

    Specify the maximum number of idle message counts before session is terminated.
    Value
    Show

  • Disable SSH Server If Possible

    The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.
    Rule High Severity
    Show

  • Verify Group Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by root group.
    Rule Medium Severity
    Show

  • Verify Group Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

  • SSH RekeyLimit - size

    Specify the size component of the rekey limit.
    Value
    Show

  • SSH RekeyLimit - size

    Specify the size component of the rekey limit.
    Value
    Show

  • SSH Compression Setting

    Specify the compression setting for SSH connections.
    Value
    Show

  • SSH Privilege Separation Setting

    Specify whether and how sshd separates privileges when handling incoming network connections.
    Value
    Show

  • SSH LoginGraceTime setting

    Configure parameters for how long the servers stays connected before the user has successfully logged in
    Value
    Show

  • SSH MaxStartups setting

    Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.
    Value
    Show

  • Endpoint Protection Software

    Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base pla...
    Group
    Show

  • Configure Backups of User Data

    The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source pro...
    Rule Medium Severity
    Show

  • McAfee Endpoint Security Software

    In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.
    Group
    Show

  • McAfee Host-Based Intrusion Detection Software (HBSS)

    McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.
    Group
    Show

  • Install the Host Intrusion Prevention System (HIPS) Module

    Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
    Rule Medium Severity
    Show

  • Set SSH Client Alive Count Max to zero

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...
    Rule Medium Severity
    Show

  • net.ipv6.conf.all.accept_ra

    Accept all router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_redirects

    Toggle ICMP Redirect Acceptance
    Value
    Show

  • net.ipv6.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv6.conf.all.forwarding

    Toggle IPv6 Forwarding
    Value
    Show

  • net.ipv6.conf.default.accept_ra

    Accept default router advertisements by default?
    Value
    Show

  • net.ipv6.conf.default.accept_redirects

    Toggle ICMP Redirect Acceptance By Default
    Value
    Show

  • net.ipv6.conf.default.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv4.conf.default.rp_filter

    Enables source route verification
    Value
    Show

  • net.ipv4.conf.default.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default.
    Value
    Show

  • net.ipv4.conf.default.shared_media

    Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...
    Value
    Show

  • net.ipv4.icmp_echo_ignore_broadcasts

    Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules