Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable named Service

    The named service can be disabled with the following command: 
    $ sudo systemctl mask --now named.service
    Rule Medium Severity
    Show

  • Isolate DNS from Other Services

    This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of...
    Group
    Show

  • Run DNS Software in a chroot Jail

    Install the <code>bind-chroot</code> package: <pre>$ sudo yum install bind-chroot</pre> Place a valid named.conf file inside the chroot jail: <pre>...
    Group
    Show

  • Run DNS Software on Dedicated Servers

    Since DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services ...
    Group
    Show

  • Configure Firewalls to Protect the FTP Server

    By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic,...
    Rule Unknown Severity
    Show

  • Restrict the Set of Users Allowed to Access FTP

    This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applic...
    Group
    Show

  • Limit Users Allowed FTP Access if Necessary

    If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this...
    Rule Unknown Severity
    Show

  • Use vsftpd to Provide FTP Service if Necessary

    If your use-case requires FTP service, install and set-up vsftpd to provide it.
    Group
    Show

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Disable httpd Service

    The httpd service can be disabled with the following command: 
    $ sudo systemctl mask --now httpd.service
    Rule Unknown Severity
    Show

  • Disable NGINX if Possible

    If NGINX was installed and activated, but the system does not need to act as a web server, then it should be removed from the system.
    Group
    Show

  • Install Apache if Necessary

    If <code>httpd</code> was not installed and activated, but the system needs to act as a web server, then it should be installed on the system. Foll...
    Group
    Show

  • Confirm Minimal Built-in Modules Installed

    The default <code>httpd</code> installation minimizes the number of modules that are compiled directly into the binary (<code>core prefork http_cor...
    Group
    Show

  • Secure Apache Configuration

    The <code>httpd</code> configuration file is <code>/etc/httpd/conf/httpd.conf</code>. Apply the recommendations in the remainder of this section to...
    Group
    Show

  • HTTPD Log Level

    The setting for LogLevel in /etc/httpd/conf/httpd.conf
    Value
    Show

  • Maximum KeepAlive Requests for HTTPD

    The setting for MaxKeepAliveRequests in httpd.conf
    Value
    Show

  • Run httpd in a chroot Jail if Practical

    Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...
    Group
    Show

  • Restrict File and Directory Access

    Minimize access to critical httpd files and directories.
    Group
    Show

  • Configure PERL Securely

    PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from...
    Group
    Show

  • Configure PHP Securely

    PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when need...
    Group
    Show

  • Directory Restrictions

    The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be...
    Group
    Show

  • Minimize Web Server Loadable Modules

    A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforem...
    Group
    Show

  • httpd Core Modules

    These modules comprise a basic subset of modules that are likely needed for base <code>httpd</code> functionality; ensure they are not commented ou...
    Group
    Show

  • Minimize Modules for HTTP Basic Authentication

    The following modules are necessary if this web server will provide content that will be restricted by a password. <br><br> Authentication can be p...
    Group
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • Postfix Network Interfaces

    The setting for inet_interfaces in /etc/postfix/main.cf
    Value
    Show

  • Minimize Configuration Files Included

    The <code>Include</code> directive directs <code>httpd</code> to load supplementary configuration files from a provided path. The default configura...
    Group
    Show

  • Minimize Various Optional Components

    The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not req...
    Group
    Show

  • Use Appropriate Modules to Improve httpd's Security

    Among the modules available for <code>httpd</code> are several whose use may improve the security of the web server installation. This section reco...
    Group
    Show

  • Deploy mod_security

    The <code>security</code> module provides an application level firewall for <code>httpd</code>. Following its installation with the base ruleset, s...
    Group
    Show

  • Deploy mod_ssl

    Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be conf...
    Group
    Show

  • Restrict Web Server Information Leakage

    The <code>ServerTokens</code> and <code>ServerSignature</code> directives determine how much information the web server discloses about the configu...
    Group
    Show

  • Configure HTTPD-Served Web Content Securely

    Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...
    Group
    Show

  • Web Login Banner Verbiage

    Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters ...
    Value
    Show

  • Use Denial-of-Service Protection Modules

    Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shapin...
    Group
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
    Show

  • Configure Dovecot if Necessary

    If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.
    Group
    Show

  • Support Only the Necessary Protocols

    Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only ...
    Group
    Show

  • Disable Cyrus IMAP

    If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.
    Group
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Disable Dovecot Service

    The dovecot service can be disabled with the following command: 
    $ sudo systemctl mask --now dovecot.service
    Rule Unknown Severity
    Show

  • Kerberos

    The Kerberos protocol is used for authentication across non-secure network. Authentication can happen between various types of principals -- users,...
    Group
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. OpenEmbedded includes software ...
    Group
    Show

  • 389 Directory Server

    389 Directory Server is a popular open-source LDAP server for Linux.
    Group
    Show

  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...
    Group
    Show

  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
    Show

  • Disable LDAP Server (slapd)

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
    Rule Medium Severity
    Show

  • Install and Protect LDAP Certificate Files

    Create the PKI directory for LDAP certificates if it does not already exist: <pre>$ sudo mkdir /etc/pki/tls/ldap $ sudo chown root:root /etc/pki/tl...
    Group
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules