Skip to content

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Set SSH Client Alive Count Max to zero

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...
    Rule Medium Severity
  • Disable PubkeyAuthentication Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms. To disable PubkeyAuthentication authentication, add or co...
    Rule Medium Severity
  • Disable SSH Support for .rhosts Files

    SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> fil...
    Rule Medium Severity
  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under t...
    Group
  • Dectivate firewalld Rules

    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffi...
    Group
  • IPSec Support

    Support for Internet Protocol Security (IPsec) is provided with Libreswan.
    Group
  • net.ipv6.conf.all.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
  • net.ipv6.conf.all.accept_ra

    Accept all router advertisements?
    Value
  • net.ipv6.conf.all.accept_redirects

    Toggle ICMP Redirect Acceptance
    Value
  • net.ipv6.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...
    Value
  • net.ipv6.conf.all.autoconf

    Enable auto configuration on IPv6 interfaces
    Value
  • net.ipv6.conf.all.forwarding

    Toggle IPv6 Forwarding
    Value
  • net.ipv6.conf.all.max_addresses

    Maximum number of autoconfigured IPv6 addresses
    Value
  • net.ipv6.conf.all.router_solicitations

    Accept all router solicitations?
    Value
  • net.ipv6.conf.default.accept_ra_defrtr

    Accept default router in router advertisements?
    Value
  • net.ipv6.conf.default.accept_ra_pinfo

    Accept prefix information in router advertisements?
    Value
  • net.ipv6.conf.default.accept_ra_rtr_pref

    Accept router preference in router advertisements?
    Value
  • net.ipv6.conf.default.accept_ra

    Accept default router advertisements by default?
    Value
  • net.ipv6.conf.default.accept_redirects

    Toggle ICMP Redirect Acceptance By Default
    Value
  • net.ipv6.conf.default.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...
    Value

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules