Guide to the Secure Configuration of OpenEmbedded

with profile Basic Profile for Embedded Systems
This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.
This guide presents a catalog of security-relevant configuration settings for OpenEmbedded. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: qemux86-64
Benchmark URL: /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_OPENEMBEDDED
Benchmark version: 0.1.44
Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
Started at: 2022-02-14T23:14:39+00:00
Finished at: 2022-02-14T23:14:40+00:00
Performed by: root
Test system: cpe:/a:redhat:openscap:1.3.4

CPE Platforms

  • cpe:/o:openembedded:nodistro:0

Addresses

  • IPv4  127.0.0.1
  • IPv4  192.168.7.4
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:5054:ff:fe12:3404
  • MAC  00:00:00:00:00:00
  • MAC  52:54:00:12:34:04

Compliance and Scoring

The target system did not satisfy the conditions of 1 rule. Please review the rule results and consider applying remediation.

Rule results

5 passed
1 failed
2 other

Severity of failed rules

0 other
0 low
1 medium
0 high

Score

Scoring system: urn:xccdf:scoring:default
Score: 91.666664
Maximum: 100.000000
Percent: 91.67%

Rule Overview

Title (severity): result

Guide to the Secure Configuration of OpenEmbedded: 1x fail, 2x notchecked
  System Settings: 1x fail, 2x notchecked
    Account and Access Control: 1x fail, 2x notchecked
      Protect Accounts by Restricting Password-Based Login: 1x fail
        Verify Proper Storage and Existence of Password Hashes: 1x fail
          Verify All Account Password Hashes are Shadowed (medium): pass
          Verify No netrc Files Exist (medium): fail
          Prevent Login to Accounts With Empty Password (high): pass
      Restrict Root Logins
        Verify Only Root Has UID 0 (high): pass
      Secure Session Configuration Files for Login Accounts: 2x notchecked
        Ensure that No Dangerous Directories Exist in Root's Path: 1x notchecked
          Ensure that Root's Path Does Not Include World or Group-Writable Directories (medium): pass
          Ensure that Root's Path Does Not Include Relative Paths or Null Directories (unknown): notchecked
        Ensure that Users Have Sensible Umask Values: 1x notchecked
          Ensure the Default Umask is Set Correctly in /etc/profile (unknown): notchecked
        Ensure the Logon Failure Delay is Set Correctly in login.defs (low): notapplicable
        Ensure that User Home Directories are not Group-Writable or World-Readable (unknown): pass

Result Details

Verify All Account Password Hashes are Shadowed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_password_all_shadowed:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: medium
Identifiers and References

References:  5.5.2, 3.5.10, IA-5(h), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5

Description

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

OVAL test results details

Test: password hashes are shadowed
Test ID: oval:ssg-test_accounts_password_all_shadowed:tst:1
Result: true

The following items have been found on the system:

Username   | Password | User id | Group id | Gcos                               | Home dir                          | Login shell | Last login
root       | x        | 0       | 0        | root                               | /home/root                        | /bin/sh     | -1
daemon     | x        | 1       | 1        | daemon                             | /usr/sbin                         | /bin/sh     | -1
bin        | x        | 2       | 2        | bin                                | /bin                              | /bin/sh     | -1
sys        | x        | 3       | 3        | sys                                | /dev                              | /bin/sh     | -1
sync       | x        | 4       | 65534    | sync                               | /bin                              | /bin/sync   | -1
games      | x        | 5       | 60       | games                              | /usr/games                        | /bin/sh     | -1
man        | x        | 6       | 12       | man                                | /var/cache/man                    | /bin/sh     | -1
lp         | x        | 7       | 7        | lp                                 | /var/spool/lpd                    | /bin/sh     | -1
mail       | x        | 8       | 8        | mail                               | /var/mail                         | /bin/sh     | -1
news       | x        | 9       | 9        | news                               | /var/spool/news                   | /bin/sh     | -1
uucp       | x        | 10      | 10       | uucp                               | /var/spool/uucp                   | /bin/sh     | -1
proxy      | x        | 13      | 13       | proxy                              | /bin                              | /bin/sh     | -1
www-data   | x        | 33      | 33       | www-data                           | /home/bc6opv2hor18/public_html    | /bin/sh     | -1
backup     | x        | 34      | 34       | backup                             | /var/backups                      | /bin/sh     | -1
list       | x        | 38      | 38       | Mailing List Manager               | /var/list                         | /bin/sh     | -1
irc        | x        | 39      | 39       | ircd                               | /var/run/ircd                     | /bin/sh     | -1
gnats      | x        | 41      | 41       | Gnats Bug-Reporting System (admin) | /var/lib/gnats                    | /bin/sh     | -1
messagebus | x        | 999     | 999      |                                    | /var/lib/dbus                     | /bin/false  | -1
nobody     | x        | 65534   | 65534    | nobody                             | /nonexistent                      | /bin/sh     | -1

Verify No netrc Files Exist

Rule ID: xccdf_org.ssgproject.content_rule_no_netrc_files
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_netrc_files:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: medium
Identifiers and References

References:  CCI-000196, IA-5(h), AC-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 11, 12, 14, 15, 16, 18, 3, 5

Description

The .netrc files contain login information used to log in automatically to FTP servers and reside in the user's home directory. These files may contain unencrypted passwords for remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.

Rationale

Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts.

OVAL test results details

Test: look for .netrc in /home
Test ID: oval:ssg-test_no_netrc_files_home:tst:1
Result: true

The following items have been found on the system:

Path              | Type    | UID | GID | Size (B) | Permissions
/home/root/.netrc | regular | 0   | 0   | 0        | rw-r--r--

Prevent Login to Accounts With Empty Password

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_empty_passwords:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: high
Identifiers and References

References:  5.5.2, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-6, IA-5(b), IA-5(c), IA-5(1)(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL test results details

Test: make sure nullok is not used in /etc/pam.d/system-auth
Test ID: oval:ssg-test_no_empty_passwords:tst:1
Result: true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: \s*nullok\s*
Instance: 1

Verify Only Root Has UID 0

Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_no_uid_except_zero:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: high
Identifiers and References

References:  6.2.5, 3.1.1, 3.1.5, CCI-000366, AC-6, IA-2, IA-2(1), IA-4, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications, the UID should be changed to one greater than 0 but less than 1000. Otherwise, assign a UID greater than 1000 that has not already been assigned.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL test results details

Test: test that there are no accounts with UID 0 except root in the /etc/passwd file
Test ID: oval:ssg-test_accounts_no_uid_except_root:tst:1
Result: true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Filepath: /etc/passwd
Pattern: ^(?!root:)[^:]*:[^:]*:0
Instance: 1

Ensure that Root's Path Does Not Include World or Group-Writable Directories

Rule ID: xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_root_path_dirs_no_write:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: medium
Identifiers and References

References:  CCI-000366, CM-6(b), PR.IP-1, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9

Description

For each element in root's path, run:

    # ls -ld DIR

and ensure that write permissions are disabled for group and other.

Rationale

Such entries increase the risk that root could execute code provided by unprivileged users, including potentially malicious code.

OVAL test results details

Test: check that there are no directories in root's path with write permission set for group or other
Test ID: oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1
Result: true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object
Path:
  /usr/local/bin
  /usr/bin
  /bin
  /usr/local/sbin
  /usr/sbin
  /sbin
Filename: no value
Filter: oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1
Filter: oval:ssg-state_accounts_root_path_dirs_symlink:ste:1

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Rule ID: xccdf_org.ssgproject.content_rule_root_path_no_dot
Result: notchecked
Multi-check rule: no
Time: 2022-02-14T23:14:40+00:00
Severity: unknown
Identifiers and References

References:  CCI-000366, CM-6(b), SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, PR.IP-1

Description

Ensure that none of the directories in root's path is equal to a single . character, and that the path contains no entries that lead to relative path traversal, such as .. or a path that does not begin with the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples:

    PATH=:/bin
    PATH=/bin:
    PATH=/bin::/sbin

These empty elements have the same effect as a single . character.

Rationale

Including these entries increases the risk that root could execute code from an untrusted location.

Evaluation messages
info: No candidate or applicable check found.

Ensure the Default Umask is Set Correctly in /etc/profile

Rule ID: xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result: notchecked
Multi-check rule: no
Time: 2022-02-14T23:14:40+00:00
Severity: unknown
Identifiers and References

References:  5.4.4, CCI-000366, SA-8, PR.IP-2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, 18

Description

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

    umask 077

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Evaluation messages
info: No candidate or applicable check found.

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule ID: xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result: notapplicable
Multi-check rule: no
Time: 2022-02-14T23:14:40+00:00
Severity: low
Identifiers and References

References:  CCI-000366, AC-7(b), CM-6(b), PR.IP-1, SRG-OS-000480-GPOS-00226, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

    FAIL_DELAY 4

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.


Ensure that User Home Directories are not Group-Writable or World-Readable

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_home_dirs
Result: pass
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_permissions_home_dirs:def:1
Time: 2022-02-14T23:14:40+00:00
Severity: unknown
Identifiers and References

References:  CCI-000225, AC-6(7), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

For each human user of the system, view the permissions of the user's home directory:

    # ls -ld /home/USER

Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:

    # chmod g-w /home/USER
    # chmod o-rwx /home/USER

Rationale

User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group-shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as that would disclose file names to other users. If a subset of users needs read access to one another's home directories, this can be provided using groups or ACLs.

Warnings
warning: This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.

OVAL test results details

Test: home directories
Test ID: oval:ssg-test_file_permissions_home_dirs:tst:1
Result: false

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_home_dirs:obj:1 of type file_object
Behaviors: no value
Path: /home
Filename: no value
Filter: oval:ssg-state_home_dirs_home_itself:ste:1
Filter: oval:ssg-state_home_dirs_wrong_perm:ste:1

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.