Skip to content

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Specify module signing key to use

    Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and a...
    Rule Medium Severity
  • Sign kernel modules with SHA-512

    This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is availab...
    Rule Medium Severity
  • Enable poison without sanity check

    Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This config...
    Rule Medium Severity
  • Use zero for poisoning instead of debugging value

    Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...
    Rule Medium Severity
  • Remove the kernel mapping in user mode

    This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...
    Rule High Severity
  • Kernel panic oops

    Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was u...
    Rule Medium Severity
  • Kernel panic timeout

    Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeo...
    Rule Medium Severity
  • Disable support for /proc/kkcore

    Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. ...
    Rule Low Severity
  • Use Views to Partition External and Internal Information

    If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit ...
    Group
  • Enable seccomp to safely compute untrusted bytecode

    This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules