Guide to the Secure Configuration of OpenEmbedded
Rules, Groups, and Values defined within the XCCDF Benchmark
-
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...Group -
Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.Group -
Samba(SMB) Microsoft Windows File Sharing Server
When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...Group -
Postfix relayhost
Specify the host all outbound email should be routed into.Value -
Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.Value -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
Verify No netrc Files Exist
The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP serv...Rule Medium Severity -
Maximum login attempts delay
Maximum time in seconds between fail login attempts before re-prompting.Value -
Maximum concurrent login sessions
Maximum number of concurrent sessions by a userValue -
Account Inactivity Timeout (seconds)
In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does...Value -
Randomize the address of the kernel image (KASLR)
In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is map...Rule Medium Severity -
Randomize the kernel memory sections
Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available from kernel 4.8, but may be available if backported b...Rule Medium Severity -
Avoid speculative indirect branches in kernel
Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern supp...Rule Medium Severity -
SSH session Idle time
Specify duration of allowed idle time.Value -
SSH Max authentication attempts
Specify the maximum number of authentication attempts per connection.Value -
SSH Max Sessions Count
Specify the maximum number of open sessions permitted.Value -
SSH Max Keep Alive Count
Specify the maximum number of idle message counts before session is terminated.Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.