Skip to content

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Configure Speculative Store Bypass Mitigation

    Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In...
    Rule Medium Severity
  • Enforce Spectre v2 mitigation

    Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor int...
    Rule High Severity
  • Ensure debug-shell service is not enabled during boot

    systemd's <code>debug-shell</code> service is intended to diagnose systemd related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Verify /boot/grub2/grub.cfg Group Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg User Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pr...
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg Permissions

    File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>,...
    Rule Medium Severity
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • zIPL bootloader configuration

    During the boot process, the bootloader is responsible for starting the execution of the kernel and passing options to it. The default OpenEmbedded...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules