Guide to the Secure Configuration of OpenEmbedded
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Disable DHCP Service
The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be disabled with the following command: <pre>$ sudo s...Rule Medium Severity -
DNS Server
Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any ...Group -
Disable DNS Server
DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on OpenEmbedded by default. The remainder of this sect...Group -
Disable named Service
Thenamedservice can be disabled with the following command:$ sudo systemctl mask --now named.service
Rule Medium Severity -
Restrict the Set of Users Allowed to Access FTP
This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only...Group -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...Group -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Disable httpd Service
Thehttpdservice can be disabled with the following command:$ sudo systemctl mask --now httpd.service
Rule Unknown Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...Group -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. OpenEmbedded includes software that enables a system to act as both an LDAP clien...Group -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Disable LDAP Server (slapd)
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.Rule Medium Severity -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Configure System to Forward All Mail through a specific host
Set up a relay host that will act as a gateway for all outbound email. Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>relayhost</code> line appears: <pre>re...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...Group -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules