Guide to the Secure Configuration of OpenEmbedded
with profile Basic Profile for Embedded Systems
This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
Evaluation target | qemux86-64 |
---|---|
Benchmark URL | /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_OPENEMBEDDED |
Benchmark version | 0.1.44 |
Profile ID | xccdf_org.ssgproject.content_profile_basic-embedded |
Started at | 2022-02-14T23:14:39+00:00 |
Finished at | 2022-02-14T23:14:40+00:00 |
Performed by | root |
Test system | cpe:/a:redhat:openscap:1.3.4 |
CPE Platforms
- cpe:/o:openembedded:nodistro:0
Addresses
- IPv4 127.0.0.1
- IPv4 192.168.7.4
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:5054:ff:fe12:3404
- MAC 00:00:00:00:00:00
- MAC 52:54:00:12:34:04
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 91.666664 | 100.000000 | 91.67% |
Rule Overview
Title | Severity | Result |
---|---|---|
Guide to the Secure Configuration of OpenEmbedded (1x fail, 2x notchecked) | | |
System Settings (1x fail, 2x notchecked) | | |
Account and Access Control (1x fail, 2x notchecked) | | |
Protect Accounts by Restricting Password-Based Login (1x fail) | | |
Verify Proper Storage and Existence of Password Hashes (1x fail) | | |
Verify All Account Password Hashes are Shadowed | medium | pass |
Verify No netrc Files Exist | medium | fail |
Prevent Login to Accounts With Empty Password | high | pass |
Restrict Root Logins | | |
Verify Only Root Has UID 0 | high | pass |
Secure Session Configuration Files for Login Accounts (2x notchecked) | | |
Ensure that No Dangerous Directories Exist in Root's Path (1x notchecked) | | |
Ensure that Root's Path Does Not Include World or Group-Writable Directories | medium | pass |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories | unknown | notchecked |
Ensure that Users Have Sensible Umask Values (1x notchecked) | | |
Ensure the Default Umask is Set Correctly in /etc/profile | unknown | notchecked |
Ensure the Default Umask is Set Correctly in login.defs | medium | notapplicable |
Ensure the Logon Failure Delay is Set Correctly in login.defs | low | notapplicable |
Ensure that User Home Directories are not Group-Writable or World-Readable | unknown | pass |
Limit the Number of Concurrent Login Sessions Allowed Per User | low | notapplicable |
Result Details
Verify All Account Password Hashes are Shadowed
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_password_all_shadowed:def:1 |
Time | 2022-02-14T23:14:40+00:00 |
Severity | medium |
Identifiers and References | References: 5.5.2, 3.5.10, IA-5(h), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | If any password hashes are stored in |
Rationale | The hashes for all user account passwords should be stored in the file |
OVAL test | password hashes are shadowed (oval:ssg-test_accounts_password_all_shadowed:tst:1) |
Test result | true |
Following items have been found on the system:
Username | Password | User id | Group id | Gcos | Home dir | Login shell | Last login |
---|---|---|---|---|---|---|---|
root | x | 0 | 0 | root | /home/root | /bin/sh | -1 |
daemon | x | 1 | 1 | daemon | /usr/sbin | /bin/sh | -1 |
bin | x | 2 | 2 | bin | /bin | /bin/sh | -1 |
sys | x | 3 | 3 | sys | /dev | /bin/sh | -1 |
sync | x | 4 | 65534 | sync | /bin | /bin/sync | -1 |
games | x | 5 | 60 | games | /usr/games | /bin/sh | -1 |
man | x | 6 | 12 | man | /var/cache/man | /bin/sh | -1 |
lp | x | 7 | 7 | lp | /var/spool/lpd | /bin/sh | -1 |
| x | 8 | 8 | | /var/mail | /bin/sh | -1 |
news | x | 9 | 9 | news | /var/spool/news | /bin/sh | -1 |
uucp | x | 10 | 10 | uucp | /var/spool/uucp | /bin/sh | -1 |
proxy | x | 13 | 13 | proxy | /bin | /bin/sh | -1 |
www-data | x | 33 | 33 | www-data | /home/bc6opv2hor18/public_html | /bin/sh | -1 |
backup | x | 34 | 34 | backup | /var/backups | /bin/sh | -1 |
list | x | 38 | 38 | Mailing List Manager | /var/list | /bin/sh | -1 |
irc | x | 39 | 39 | ircd | /var/run/ircd | /bin/sh | -1 |
gnats | x | 41 | 41 | Gnats Bug-Reporting System (admin) | /var/lib/gnats | /bin/sh | -1 |
messagebus | x | 999 | 999 | | /var/lib/dbus | /bin/false | -1 |
nobody | x | 65534 | 65534 | nobody | /nonexistent | /bin/sh | -1 |
Verify No netrc Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_netrc_files:def:1 |
Time | 2022-02-14T23:14:40+00:00 |
Severity | medium |
Identifiers and References | References: CCI-000196, IA-5(h), AC-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 11, 12, 14, 15, 16, 18, 3, 5 |
Description | The |
Rationale | Unencrypted passwords for remote FTP servers may be stored in |
OVAL test | look for .netrc in /home (oval:ssg-test_no_netrc_files_home:tst:1) |
Test result | true |
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/home/root/.netrc | regular | 0 | 0 | 0 | rw-r--r-- |
Prevent Login to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
Time | 2022-02-14T23:14:40+00:00 |
Severity | high |
Identifiers and References | References: 5.5.2, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-6, IA-5(b), IA-5(c), IA-5(1)(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the |
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
OVAL test | make sure nullok is not used in /etc/pam.d/system-auth (oval:ssg-test_no_empty_passwords:tst:1) |
Test result | true |
No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/pam.d/system-auth | \s*nullok\s* | 1 |
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
Time | 2022-02-14T23:14:40+00:00 |
Severity | high |
Identifiers and References | References: 6.2.5, 3.1.1, 3.1.5, CCI-000366, AC-6, IA-2, IA-2(1), IA-4, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. |
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
OVAL test | test that there are no accounts with UID 0 except root in the /etc/passwd file (oval:ssg-test_accounts_no_uid_except_root:tst:1) |
Test result | true |
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_root_path_dirs_no_write:def:1 |
Time | 2022-02-14T23:14:40+00:00 |
Severity | medium |
Identifiers and References | References: CCI-000366, CM-6(b), PR.IP-1, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9 |
Description | For each element in root's path, run `# ls -ld DIR` and ensure that write permissions are disabled for group and other. |
Rationale | Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code. |
OVAL test | Check if there aren't directories in root's path having write permission set for group or other (oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1) |
Test result | true |
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object
Path | Filename | Filter | Filter |
---|---|---|---|
 | no value | oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 | oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot |
Result | notchecked |
Multi-check rule | no |
Time | 2022-02-14T23:14:40+00:00 |
Severity | unknown |
Identifiers and References | References: CCI-000366, CM-6(b), SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, PR.IP-1 |
Description | Ensure that none of the directories in root's path is equal to a single . character. Examples of empty path elements: PATH=:/bin, PATH=/bin:, PATH=/bin::/sbin. These empty elements have the same effect as a single . character. |
Rationale | Including these entries increases the risk that root could execute code from an untrusted location. |
Ensure the Default Umask is Set Correctly in /etc/profile
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
Result | notchecked |
Multi-check rule | no |
Time | 2022-02-14T23:14:40+00:00 |
Severity | unknown |
Identifiers and References | References: 5.4.4, CCI-000366, SA-8, PR.IP-2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, 18 |
Description | To ensure the default umask controlled by umask 077 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
Result | notapplicable |
Multi-check rule | no |
Time | 2022-02-14T23:14:40+00:00 |
Severity | medium |
Identifiers and References | References: CCI-000366, CM-6(b), SA-8, PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, 11, 18, 3, 9 |
Description | To ensure the default umask controlled by UMASK 077 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. |
Ensure the Logon Failure Delay is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay |
Result | notapplicable |
Multi-check rule | no |
Time | 2022-02-14T23:14:40+00:00 |
Severity | low |
Identifiers and References | References: CCI-000366, AC-7(b), CM-6(b), PR.IP-1, SRG-OS-000480-GPOS-00226, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9 |
Description | To ensure the logon failure delay controlled by FAIL_DELAY 4 |
Rationale | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. |
Limit the Number of Concurrent Login Sessions Allowed Per User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
Result | notapplicable |
Multi-check rule | no |
Time | 2022-02-14T23:14:40+00:00 |
Severity | low |
Identifiers and References | References: 5.5.2.2, CCI-000054, AC-10, PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080, SR 3.1, SR 3.8, 4.3.3.4, DSS01.05, DSS05.02, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, 14, 15, 18, 9 |
Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in `* hard maxlogins 1` |
Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. |