Guide to the Secure Configuration of OpenEmbedded
Rules, Groups, and Values defined within the XCCDF Benchmark
-
pwhistory_remember
Prevent password re-use using password history lookupValue -
PAM pwhistory remember - control flag
'Specify the control flag required for password remember requirement. If multiple values are allowed write them separated by commas as in "required,requisite", for remediations the first value will...Value -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code> PAM module. <br> <br> On systems with n...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...Group -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> <br> By default, Emergency mode is protected by...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled.Value -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre> If a usernam...Rule Medium Severity -
Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user managemen...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
maximum password age
Maximum age of password in daysValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.