Skip to content
Log In

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SNMP Server

    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...
    Group
    Show

  • Disable SNMP Server if Possible

    The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...
    Group
    Show

  • Disable snmpd Service

    The snmpd service can be disabled with the following command: 
    $ sudo systemctl mask --now snmpd.service
    Rule Low Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...
    Rule Medium Severity
    Show

  • Disable Host-Based Authentication

    SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organ...
    Rule Medium Severity
    Show

  • Allow Only SSH Protocol 2

    Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears: <p...
    Rule High Severity
    Show

  • Disable SSH Access via Empty Passwords

    Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for <code>PermitEmptyPasswords<...
    Rule High Severity
    Show

  • Disable GSSAPI Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. <br> The default SSH configuration disallows authentications based on GSSAPI. The appropriate c...
    Rule Medium Severity
    Show

  • Disable Kerberos Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallows authentication validation through Kerberos. The ...
    Rule Medium Severity
    Show

  • Do Not Allow SSH Environment Options

    Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment processing. The appropriate configuration is used if no v...
    Rule Medium Severity
    Show

  • Enable PAM

    UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM...
    Rule Medium Severity
    Show

  • Enable Public Key Authentication

    Enable SSH login with public keys. <br> The default SSH configuration enables authentication based on public keys. The appropriate configuration is used if no value is set for <code>PubkeyAuthentic...
    Rule Medium Severity
    Show

  • Enable Use of Strict Mode Checking

    SSHs <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting login. If world- writable permissions are found, lo...
    Rule Medium Severity
    Show

  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Banner /etc/issue</pre> Another section c...
    Rule Medium Severity
    Show

  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Banner /etc/issue.net</pre> Another sectio...
    Rule Medium Severity
    Show

  • Enable Encrypted X11 Forwarding

    By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's <code>X11Forwarding</code> option is enabled. <br> ...
    Rule High Severity
    Show

  • Limit Users' SSH Access

    By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users and group can access the system via SSH. It is recom...
    Rule Unknown Severity
    Show

  • Ensure SSH LoginGraceTime is configured

    The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated ...
    Rule Medium Severity
    Show

  • Set LogLevel to INFO

    The INFO parameter specifices that record login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value ...
    Rule Low Severity
    Show

  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in <code>/etc/ssh/sshd_config<...
    Rule Medium Severity
    Show

  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures ar...
    Rule Medium Severity
    Show

  • Set SSH MaxSessions limit

    The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <code>/etc/ssh/sshd_config</code> as follows: <pre>Ma...
    Rule Medium Severity
    Show

  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the <code>/...
    Rule Medium Severity
    Show

  • Record Information on the Use of Privileged Commands

    At a minimum, the audit system should collect the execution of privileged commands for all users and root.
    Group
    Show

  • Action for auditd to take when disk is full

    'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|halt", for remediations the first value will be taken'
    Value
    Show

  • Number of Record to Retain Before Flushing to Disk

    The setting for freq in /etc/audit/auditd.conf
    Value
    Show

  • Maximum audit log file size for auditd

    The setting for max_log_file in /etc/audit/auditd.conf
    Value
    Show

  • Verify Permissions on cron.d

    To properly set the permissions of /etc/cron.d, run the command: 
    $ sudo chmod 0700 /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Permissions on cron.daily

    To properly set the permissions of /etc/cron.daily, run the command: 
    $ sudo chmod 0700 /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Permissions on cron.hourly

    To properly set the permissions of /etc/cron.hourly, run the command: 
    $ sudo chmod 0700 /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.monthly

    To properly set the permissions of /etc/cron.monthly, run the command: 
    $ sudo chmod 0700 /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.weekly

    To properly set the permissions of /etc/cron.weekly, run the command: 
    $ sudo chmod 0700 /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Permissions on crontab

    To properly set the permissions of /etc/crontab, run the command: 
    $ sudo chmod 0600 /etc/crontab
    Rule Medium Severity
    Show

  • Ensure rsyncd service is disabled

    The rsyncd service can be disabled with the following command: 
    $ sudo systemctl mask --now rsyncd.service
    Rule Medium Severity
    Show

  • Disable ypserv Service

    The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> service can be disabled with the following command:...
    Rule Medium Severity
    Show

  • Disable Accepting ICMP Redirects for All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To mak...
    Rule Medium Severity
    Show

  • Disable DCCP Support

    The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the <code>dccp</...
    Rule Medium Severity
    Show

  • Disable RDS Support

    The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...
    Rule Low Severity
    Show

  • Disable SCTP Support

    The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection...
    Rule Medium Severity
    Show

  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command: 
    $ sudo chown root /etc/passwd
    Rule Medium Severity
    Show

  • Verify User Who Owns shadow File

    To properly set the owner of /etc/shadow, run the command: 
    $ sudo chown root /etc/shadow
    Rule Medium Severity
    Show

  • Verify Permissions on Backup group File

    To properly set the permissions of /etc/group-, run the command: 
    $ sudo chmod 0644 /etc/group-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup gshadow File

    To properly set the permissions of /etc/gshadow-, run the command: 
    $ sudo chmod 0000 /etc/gshadow-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup passwd File

    To properly set the permissions of /etc/passwd-, run the command: 
    $ sudo chmod 0644 /etc/passwd-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup shadow File

    To properly set the permissions of /etc/shadow-, run the command: 
    $ sudo chmod 0000 /etc/shadow-
    Rule Medium Severity
    Show

  • Verify Permissions on group File

    To properly set the permissions of /etc/group, run the command: 
    $ sudo chmod 0644 /etc/group
    Rule Medium Severity
    Show

  • Verify Permissions on gshadow File

    To properly set the permissions of /etc/gshadow, run the command: 
    $ sudo chmod 0000 /etc/gshadow
    Rule Medium Severity
    Show

  • Verify Permissions on passwd File

    To properly set the permissions of /etc/passwd, run the command: 
    $ sudo chmod 0644 /etc/passwd
    Rule Medium Severity
    Show

  • Verify Permissions on shadow File

    To properly set the permissions of /etc/shadow, run the command: 
    $ sudo chmod 0000 /etc/shadow
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules