Skip to content
Log In

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
    Show

  • kernel.kptr_restrict

    Configure exposition of kernel pointer addresses
    Value
    Show

  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...
    Rule Medium Severity
    Show

  • The Postfix package is installed

    A mail server is required for sending emails. The postfix package can be installed with the following command: 
    $ sudo dnf install postfix
    Rule Medium Severity
    Show

  • SELinux state

    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - SELinux is fully disabled.
    Value
    Show

  • Ensure that /etc/at.deny does not exist

    The file /etc/at.deny should not exist. Use /etc/at.allow instead.
    Rule Medium Severity
    Show

  • Ensure that /etc/cron.deny does not exist

    The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chgrp root /etc/at.al...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chgrp root /etc/c...
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chown root /etc/at.allow </pre> ...
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chown root /etc/cron.allow </...
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/at.allow</code>, run the command: <pre>$ sudo c...
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/cron.allow</code>, run the command: <pre>$ su...
    Rule Medium Severity
    Show

  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated...
    Group
    Show

  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity
    Show

  • Uninstall the nis package

    The support for Yellowpages should not be installed unless it is required.
    Rule Low Severity
    Show

  • Uninstall the ntpdate package

    ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.
    Rule Low Severity
    Show

  • Uninstall the ssl compliant telnet server

    The telnet daemon, even with ssl support, should be uninstalled.
    Rule High Severity
    Show

  • Configure DHCP Server

    If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless...
    Group
    Show

  • Minimize Served Information

    Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information ...
    Rule Unknown Severity
    Show

  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...
    Group
    Show

  • Disable DHCP Service

    The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be disabled with the following command: <pre>$ sudo s...
    Rule Medium Severity
    Show

  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any ...
    Group
    Show

  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on OpenEmbedded by default. The remainder of this sect...
    Group
    Show

  • Disable named Service

    The named service can be disabled with the following command: 
    $ sudo systemctl mask --now named.service
    Rule Medium Severity
    Show

  • Restrict the Set of Users Allowed to Access FTP

    This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only...
    Group
    Show

  • Limit Users Allowed FTP Access if Necessary

    If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...
    Rule Unknown Severity
    Show

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Disable httpd Service

    The httpd service can be disabled with the following command: 
    $ sudo systemctl mask --now httpd.service
    Rule Unknown Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...
    Group
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. OpenEmbedded includes software that enables a system to act as both an LDAP clien...
    Group
    Show

  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
    Show

  • Disable LDAP Server (slapd)

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
    Rule Medium Severity
    Show

  • Configure System to Forward All Mail From Postmaster to The Root Account

    Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...
    Rule Medium Severity
    Show

  • Configure System to Forward All Mail through a specific host

    Set up a relay host that will act as a gateway for all outbound email. Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>relayhost</code> line appears: <pre>re...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
    Group
    Show

  • Disable netfs if Possible

    To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre> If the command did not re...
    Group
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with elevated privileges, and many listen for network connections. I...
    Group
    Show

  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...
    Rule Low Severity
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...
    Group
    Show

  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
    Show

  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash</code> option from the file <code>/etc/exports</co...
    Rule Low Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
    Show

  • Disable Samba if Possible

    Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing fun...
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules