Guide to the Secure Configuration of OpenEmbedded
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify permissions on System Login Banner
To properly set the permissions of/etc/issue
, run the command:$ sudo chmod 0644 /etc/issue
Rule Medium Severity -
Verify permissions on Message of the Day Banner
To properly set the permissions of/etc/motd
, run the command:$ sudo chmod 0644 /etc/motd
Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Password Hashing algorithm
Specify the system default encryption algorithm for encrypting passwords. Defines the value set as ENCRYPT_METHOD in /etc/login.defs.Value -
remember
The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from...Value -
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/...Rule Medium Severity -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
fail_deny
Number of failed login attempts before account lockoutValue -
faillock directory
The directory where the user files with the failure records are keptValue -
fail_interval
Interval for counting failed login attempts before account lockoutValue -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
tally2_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
faildelay_delay
Delay next login attempt after a failed loginValue -
pwhistory_remember
Prevent password re-use using password history lookupValue -
PAM pwhistory remember - control flag
'Specify the control flag required for password remember requirement. If multiple values are allowed write them separated by commas as in "required...Value -
tally2
Number of failed login attemptsValue -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Limit Password Reuse: password-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.