Guide to the Secure Configuration of OpenEmbedded
Rules, Groups, and Values defined within the XCCDF Benchmark
-
net.ipv6.conf.default.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.default.forwarding
Toggle IPv6 default ForwardingValue -
net.ipv6.conf.default.max_addresses
Maximum number of autoconfigured IPv6 addressesValue -
net.ipv6.conf.default.router_solicitations
Accept all router solicitations by default?Value -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
net.ipv4.conf.default.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure...Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be en...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary loggingValue -
net.ipv4.tcp_invalid_ratelimit
Configure the maximal rate for sending duplicate acknowledgments in response to incoming invalid TCP packets.Value -
net.ipv4.tcp_rfc1337
Enable to enable TCP behavior conformant with RFC 1337Value -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie ProtectionValue -
Disable Accepting Packets Routed Between Local Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net...Rule Medium Severity -
Nftables Base Chain Policies
This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against). Currently ...Value -
Disable SSH Support for Rhosts RSA Authentication
SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. <br><...Rule Medium Severity -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...Rule Medium Severity -
Wireless Networking
Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless net...Group -
Disable Wireless Through Software Configuration
If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following ...Group -
Ensure No World-Writable Files Exist
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific a...Rule Medium Severity -
Verify User Who Owns Backup group File
To properly set the owner of/etc/group-, run the command:$ sudo chown root /etc/group-
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.