Skip to content
Log In

Sample Security Profile for OpenEmbedded Distros

Rules and Groups employed by this XCCDF Profile

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...
    Group
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

  • Disable vsftpd Service

    The vsftpd service can be disabled with the following command: 
    $ sudo systemctl mask --now vsftpd.service
    Rule Medium Severity
    Show

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Disable httpd Service

    The httpd service can be disabled with the following command: 
    $ sudo systemctl mask --now httpd.service
    Rule Unknown Severity
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...
    Group
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Disable Dovecot Service

    The dovecot service can be disabled with the following command: 
    $ sudo systemctl mask --now dovecot.service
    Rule Unknown Severity
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. OpenEmbedded includes software that enables a system to act as both an LDAP clien...
    Group
    Show

  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
    Show

  • Disable LDAP Server (slapd)

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...
    Group
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
    Group
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with elevated privileges, and many listen for network connections. I...
    Group
    Show

  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...
    Rule Low Severity
    Show

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
    Show

  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...
    Group
    Show

  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service ...
    Rule Unknown Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Ensure rsyncd service is disabled

    The rsyncd service can be disabled with the following command: 
    $ sudo systemctl mask --now rsyncd.service
    Rule Medium Severity
    Show

  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...
    Group
    Show

  • Disable ypserv Service

    The <code>ypserv</code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The <code>ypserv</code> service can be disabled with the following command:...
    Rule Medium Severity
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...
    Rule High Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send t...
    Group
    Show

  • Disable the CUPS Service

    The cups service can be disabled with the following command: 
    $ sudo systemctl mask --now cups.service
    Rule Unknown Severity
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system ac...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Disable Squid

    The squid service can be disabled with the following command: 
    $ sudo systemctl mask --now squid.service
    Rule Unknown Severity
    Show

  • Samba(SMB) Microsoft Windows File Sharing Server

    When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The firs...
    Group
    Show

  • Disable Samba if Possible

    Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing fun...
    Group
    Show

  • Disable Samba

    The smb service can be disabled with the following command: 
    $ sudo systemctl mask --now smb.service
    Rule Low Severity
    Show

  • SNMP Server

    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintex...
    Group
    Show

  • Disable SNMP Server if Possible

    The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled an...
    Group
    Show

  • Disable snmpd Service

    The snmpd service can be disabled with the following command: 
    $ sudo systemctl mask --now snmpd.service
    Rule Low Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command: 
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...
    Rule Medium Severity
    Show

  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...
    Rule Medium Severity
    Show

  • Disable Host-Based Authentication

    SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organ...
    Rule Medium Severity
    Show

  • Allow Only SSH Protocol 2

    Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears: <p...
    Rule High Severity
    Show

  • Disable SSH Access via Empty Passwords

    Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for <code>PermitEmptyPasswords<...
    Rule High Severity
    Show

  • Disable SSH Support for .rhosts Files

    SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br> The default SSH configuration disables su...
    Rule Medium Severity
    Show

  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules