Skip to content
Log In

Guide to the Secure Configuration of OpenEmbedded

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify Group Who Owns /var/log Directory

    To properly set the group owner of /var/log, run the command: 
    $ sudo chgrp root /var/log
    Rule Medium Severity
    Show

  • Verify Group Who Owns /var/log/messages File

    To properly set the group owner of /var/log/messages, run the command: 
    $ sudo chgrp root /var/log/messages
    Rule Medium Severity
    Show

  • Verify Group Who Owns /var/log/syslog File

    To properly set the group owner of /var/log/syslog, run the command: 
    $ sudo chgrp adm /var/log/syslog
    Rule Medium Severity
    Show

  • Verify User Who Owns /var/log Directory

    To properly set the owner of /var/log, run the command: 
    $ sudo chown root /var/log
    Rule Medium Severity
    Show

  • Verify User Who Owns /var/log/messages File

    To properly set the owner of /var/log/messages, run the command: 
    $ sudo chown root /var/log/messages
    Rule Medium Severity
    Show

  • Verify User Who Owns /var/log/syslog File

    To properly set the owner of /var/log/syslog, run the command: 
    $ sudo chown syslog /var/log/syslog
    Rule Medium Severity
    Show

  • Verify Permissions on /var/log Directory

    To properly set the permissions of /var/log, run the command: 
    $ sudo chmod 0755 /var/log
    Rule Medium Severity
    Show

  • Verify Permissions on /var/log/messages File

    To properly set the permissions of /var/log/messages, run the command: 
    $ sudo chmod 0640 /var/log/messages
    Rule Medium Severity
    Show

  • Verify Permissions on /var/log/syslog File

    To properly set the permissions of /var/log/syslog, run the command: 
    $ sudo chmod 0640 /var/log/syslog
    Rule Medium Severity
    Show

  • Action for auditd to take when log files reach their maximum size

    The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available: <br>ignore - audit daemon does nothing. <br>syslog - audit daemon will issue a warning to syslog....
    Value
    Show

  • Action for auditd to take when disk space just starts to run low

    The setting for space_left_action in /etc/audit/auditd.conf
    Value
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...
    Rule High Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send t...
    Group
    Show

  • Disable the CUPS Service

    The cups service can be disabled with the following command: 
    $ sudo systemctl mask --now cups.service
    Rule Unknown Severity
    Show

  • Disable Squid

    The squid service can be disabled with the following command: 
    $ sudo systemctl mask --now squid.service
    Rule Unknown Severity
    Show

  • Disable Samba

    The smb service can be disabled with the following command: 
    $ sudo systemctl mask --now smb.service
    Rule Low Severity
    Show

  • SSH is required to be installed

    Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 means that the policy doesn't care if OpenSSH server ...
    Value
    Show

  • Install the OpenSSH Server Package

    The openssh-server package should be installed. The openssh-server package can be installed with the following command: 
    $ sudo dnf install openssh-server
    Rule Medium Severity
    Show

  • Remove the OpenSSH Server Package

    The openssh-server package should be removed. The openssh-server package can be removed with the following command: 
    $ sudo dnf remove openssh-server
    Rule Medium Severity
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command: 
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
    Show

  • Verify that System Executable Have Root Ownership

    <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin</pre> All these directories should be owned by the <code>root</code> user. If any directory <i>DIR</i> in these directories is foun...
    Rule Medium Severity
    Show

  • Verify that Shared Library Directories Have Root Ownership

    System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...
    Rule Medium Severity
    Show

  • Disable Avahi Publishing

    To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[publish]</code> section: <pre>disable-publishing=yes...
    Rule Low Severity
    Show

  • Disable Avahi Server Software

    The avahi-daemon service can be disabled with the following command: 
    $ sudo systemctl mask --now avahi-daemon.service
    Rule Medium Severity
    Show

  • Enable cron Service

    The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system acti...
    Rule Medium Severity
    Show

  • Enable cron Service

    The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system acti...
    Rule Medium Severity
    Show

  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...
    Group
    Show

  • Install AIDE

    The aide package can be installed with the following command: 
    $ sudo dnf install aide
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.d

    To properly set the group owner of /etc/cron.d, run the command: 
    $ sudo chgrp root /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.daily

    To properly set the group owner of /etc/cron.daily, run the command: 
    $ sudo chgrp root /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.hourly

    To properly set the group owner of /etc/cron.hourly, run the command: 
    $ sudo chgrp root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.monthly

    To properly set the group owner of /etc/cron.monthly, run the command: 
    $ sudo chgrp root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.weekly

    To properly set the group owner of /etc/cron.weekly, run the command: 
    $ sudo chgrp root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Group Who Owns Crontab

    To properly set the group owner of /etc/crontab, run the command: 
    $ sudo chgrp root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Owner on cron.d

    To properly set the owner of /etc/cron.d, run the command: 
    $ sudo chown root /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Owner on cron.daily

    To properly set the owner of /etc/cron.daily, run the command: 
    $ sudo chown root /etc/cron.daily
    Rule Medium Severity
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo

    The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making ...
    Rule Medium Severity
    Show

  • Only the VDSM User Can Use sudo NOPASSWD

    The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the <code>vdsm</code> user should have this capability in any s...
    Rule Medium Severity
    Show

  • Configure Periodic Execution of AIDE

    At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root ...
    Rule Medium Severity
    Show

  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...
    Group
    Show

  • Configure GNOME Login Screen

    In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...
    Group
    Show

  • Disable XDMCP in GDM

    XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. <a href="https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity">XDMCP Gnome docs</a>. To dis...
    Rule High Severity
    Show

  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...
    Group
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

    The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...
    Rule Medium Severity
    Show

  • Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

    The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code...
    Rule Medium Severity
    Show

  • Verify Owner on cron.hourly

    To properly set the owner of /etc/cron.hourly, run the command: 
    $ sudo chown root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Explicit arguments in sudo specifications

    All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules