Hardening/FreeBSD

From Segfault

Password hashing

In FreeBSD the hash algorithm for new passwords is chosen by passwd_format in /etc/login.conf[1], next to the other per-class settings shown below (sha512 is the default; blf selects bcrypt). After editing the file, rebuild the login database with cap_mkdb /etc/login.conf. The setting only applies to passwords set from then on; hashes already in /etc/master.passwd keep their old format until the password is changed.

default:\
       :passwd_format=sha512:\
       :copyright=/etc/COPYRIGHT:\
       :welcome=/etc/motd:\
       :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
       :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
       :nologin=/var/run/nologin:\
       :cputime=unlimited:\
       :datasize=unlimited:\
       :stacksize=unlimited:\
       :memorylocked=64K:\
       :memoryuse=unlimited:\
       :filesize=unlimited:\
       :coredumpsize=unlimited:\
       :openfiles=unlimited:\
       :maxproc=unlimited:\
       :sbsize=unlimited:\
       :vmemoryuse=unlimited:\
       :swapuse=unlimited:\
       :pseudoterminals=unlimited:\
       :priority=0:\
       :ignoretime@:\
       :umask=022:
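Because passwd_format only affects passwords set after the change, a practitioner wants to know which accounts still carry an old hash. The script below is an added example, not part of the original page: it classifies the hash prefix of each entry in a master.passwd-style file and lists every account that is not on sha512. The file it reads is a constructed sample with dummy hashes; on a real system run it as root against /etc/master.passwd.

```shell
#!/bin/sh
# Added example, not from the original page: find accounts whose stored hash
# is not in the format login.conf now asks for. Changing passwd_format only
# affects passwords set from then on, so old hashes linger until each user
# changes their password. Run as root against /etc/master.passwd; the file
# built below is a constructed sample with dummy hashes.
set -eu

# Print the hash type of one master.passwd password field.
# crypt(3) prefixes: $6$ sha512, $5$ sha256, $2a$/$2b$ blowfish (bcrypt),
# $1$ md5; a bare 13-character string is traditional DES.
hash_type() {
    case "$1" in
        '$6$'*)                 echo sha512 ;;
        '$5$'*)                 echo sha256 ;;
        '$2a$'*|'$2b$'*)        echo blowfish ;;
        '$1$'*)                 echo md5 ;;
        '*'|'*LOCKED*'*|'!'*)   echo locked ;;   # no login possible / pw lock
        '')                     echo empty ;;    # passwordless account
        *)  if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Print "user type" for every account in file $1 whose hash is not sha512.
# master.passwd fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
audit_passwd_file() {
    while IFS=: read -r name passwd _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        t=$(hash_type "$passwd")
        [ "$t" = sha512 ] && continue
        printf '%s %s\n' "$name" "$t"
    done < "$1"
}

# Constructed sample file (hashes are truncated dummies, not real hashes).
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/passwd-audit.XXXXXX")
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored
root:$6$saltsalt$truncated:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$saltsalt$truncated:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$10$truncated:1002:1002::0:0:Bob:/home/bob:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
svc:*LOCKED*$6$saltsalt$truncated:1003:1003::0:0:Service:/nonexistent:/usr/sbin/nologin
legacy:abJnggxhB/yWI:1004:1004::0:0:Legacy:/home/legacy:/bin/sh
EOF

audit_passwd_file "$SAMPLE"
```

Locked accounts show up as well so that the list is a complete inventory; an account with a DES or MD5 hash is the one to force a password change on, since no amount of login.conf editing rehashes it.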

tmpfs

Mounting /tmp and other scratch directories on a memory-backed filesystem with nosuid and noexec[2] helps against payloads dropped into and run from a world-writable directory (noexec blocks direct execution only; a file handed to an interpreter still runs). FreeBSD's mount(8) has no nodev option, since device nodes are only honoured on devfs, so nosuid and noexec are the two that apply.

In FreeBSD, this can be done via entries in /etc/rc.conf. These knobs use mdmfs(8), which builds a UFS on a swap-backed md(4) device rather than tmpfs(5); -o takes the same comma-separated list as mount(8), so nosuid can be added next to noexec:

tmpmfs="YES"
tmpsize="64m"
tmpmfs_flags="-S -o noexec"                   # Do not enable soft-updates on mdmfs; enable noexec

Or, doing this manually. Whatever is in /tmp is discarded, so do this while nothing has files open there (single-user mode is the safe place):

echo "md    /tmp    mfs    rw,-s64m,noexec    0 0" >> /etc/fstab
mv /tmp /tmp2 && mkdir -m1777 /tmp && mount /tmp && rm -rf /tmp2

Afterwards the output of mount(8) should show the new flags:

$ mount | grep /tmp
/dev/md0 on /tmp (ufs, local, noexec, soft-updates)
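Reading the mount(8) output by eye is fine once; a check that can run from cron or a hardening test is better. The script below is an added example, not part of the original page: it parses mount(8) lines for a given mount point and option, and probes whether noexec is really enforced by trying to run a script from the directory. The mount output it parses offline is a constructed sample built around the /tmp line shown above; check_mount and exec_blocked run against the live system and need no root.

```shell
#!/bin/sh
# Added example, not from the original page: verify that /tmp actually carries
# the mount options set above, by parsing mount(8) output, and that noexec is
# enforced, by trying to run a script from the directory. The sample mount
# output is constructed from the line shown on the page.
set -eu

# Return 0 if the mount(8) line for mount point $1 (read on stdin) lists
# option $2.  mount prints: "<dev> on <mountpoint> (<fstype>, <opt>, ...)".
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $3 == mp {
            s = $0; sub(/^[^(]*\(/, "", s); sub(/\)$/, "", s)
            n = split(s, a, /, */)
            for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Live check: report every option in $2.. that mount point $1 lacks.
check_mount() {
    mp=$1; shift; rc=0
    for o in "$@"; do
        mount | mount_has_opt "$mp" "$o" || { echo "$mp: missing $o" >&2; rc=1; }
    done
    return $rc
}

# Live check: return 0 if executing a file under directory $1 is refused,
# which is what noexec should produce ("Permission denied").
exec_blocked() {
    f=$(mktemp "$1/noexec-probe.XXXXXX")
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    if "$f" 2>/dev/null; then rm -f "$f"; return 1; fi
    rm -f "$f"
    return 0
}

# Constructed sample of mount(8) output, with the /tmp line from the page.
SAMPLE='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/md0 on /tmp (ufs, local, noexec, soft-updates)'

printf '%s\n' "$SAMPLE" | mount_has_opt /tmp noexec && echo "/tmp: noexec set"
printf '%s\n' "$SAMPLE" | mount_has_opt /tmp nosuid || echo "/tmp: nosuid not set"
```

On the host itself, `check_mount /tmp noexec nosuid && exec_blocked /tmp` is the one-liner to put in a post-boot test; the second half matters because a mount option that is set but not enforced (a stale mount, a different filesystem layered over the directory) is exactly the kind of thing the flag list alone hides.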

Per-user /tmp

TBD

Encrypted disks

Initialize the GELI device. The key has two parts that are both needed to attach the provider: a 64-byte random key file, itself encrypted with GnuPG and kept off the encrypted disk, and a passphrase. -a HMAC/SHA256 turns on per-sector data authentication (it detects tampering with the ciphertext, at a cost in usable space and CPU), and -s 4096 raises the decrypted provider's sector size, which lowers the per-sector overhead:

$ DEV=ada0p4
$ dd if=/dev/random bs=64 count=1 | gpg --cipher-algo aes --symmetric --armor > key-$DEV.asc                                 # GnuPG 1.x
$ F=$(mktemp); dd if=/dev/random of=$F bs=64 count=1 && gpg --cipher-algo aes --symmetric --armor --output key-$DEV.asc $F   # GnuPG 2.x

$ gpg --decrypt key-$DEV.asc | geli init -a HMAC/SHA256 -s 4096 -K - /dev/$DEV
gpg: AES encrypted data
Enter passphrase: XXX                                            # To decrypt the GPG key
gpg: encrypted with 1 passphrase
Enter new passphrase: XXX                                        # To add a passphrase to the GELI device
Reenter new passphrase: XXX

geli init ends with a note about where it wrote the metadata backup (the output here was captured on a test memory disk, md1, hence the name; for ada0p4 the file is /var/backups/ada0p4.eli) and how to restore it:

       # geli restore /var/backups/md1.eli /dev/md1

Copy that file and key-$DEV.asc somewhere other than the encrypted disk: without the metadata sector, the key file and the passphrase the data cannot be recovered.

Attach and format the newly initialized disk:

gpg --decrypt key-$DEV.asc | geli attach -k - /dev/$DEV
newfs /dev/$DEV.eli                                              # This will create a new filesystem!
mount -t ufs /dev/$DEV.eli /data

Dump the metadata and check that -a and -s took effect (aalgo and sectorsize; again captured on md1):

$ geli dump $DEV | head -11
Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x10
     ealgo: AES-XTS
    keylen: 128
     aalgo: HMAC/SHA256
  provsize: 104857600
sectorsize: 4096
      keys: 0x01
iterations: 173531

Unmount and detach:

umount /data
geli detach $DEV.eli
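The geli dump step above is where a practitioner confirms the provider was initialized the way they intended before newfs writes a filesystem onto it. The script below is an added example, not part of the original page or of geli: it reads geli dump output and refuses unless the cipher is AES-XTS, the key length is at least 128 bits, data authentication is on and the sector size is the expected one. The first dump it checks is the one shown above; the second is a constructed guess at a provider initialized without -a or -s (no aalgo line, 512-byte sectors) and is an assumption, not captured output.

```shell
#!/bin/sh
# Added example, not from the original page: before putting a filesystem on a
# freshly initialised GELI provider, read back its metadata with "geli dump"
# and refuse to continue unless it matches the intended policy (AES-XTS,
# key length >= 128, data authentication on, expected sector size).
# Live use: geli dump "$DEV" | geli_check_policy 4096 && newfs /dev/"$DEV".eli
set -eu

# Print the value of one "name: value" field from geli dump text on stdin.
geli_field() {
    awk -F': *' -v k="$1" '$1 ~ "^ *"k"$" { print $2; exit }'
}

# Return 0 if the dump on stdin meets the policy; print each violation otherwise.
# $1 is the expected sector size (default 4096, matching "geli init -s 4096").
geli_check_policy() {
    want_sector=${1:-4096}
    dump=$(cat)
    rc=0
    ealgo=$(printf '%s\n' "$dump" | geli_field ealgo)
    keylen=$(printf '%s\n' "$dump" | geli_field keylen)
    aalgo=$(printf '%s\n' "$dump" | geli_field aalgo)
    sector=$(printf '%s\n' "$dump" | geli_field sectorsize)
    [ "$ealgo" = "AES-XTS" ]       || { echo "ealgo is '$ealgo', want AES-XTS"; rc=1; }
    [ "${keylen:-0}" -ge 128 ]     || { echo "keylen is '$keylen', want >= 128"; rc=1; }
    [ -n "$aalgo" ]                || { echo "no aalgo: data authentication is off"; rc=1; }
    [ "$sector" = "$want_sector" ] || { echo "sectorsize is '$sector', want $want_sector"; rc=1; }
    return $rc
}

# The dump shown on the page for the provider initialised above.
GOOD_DUMP='Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x10
     ealgo: AES-XTS
    keylen: 128
     aalgo: HMAC/SHA256
  provsize: 104857600
sectorsize: 4096
      keys: 0x01
iterations: 173531'

# Constructed (an assumption, not captured output): a provider initialised
# without -a and -s, so no aalgo line and the default 512-byte sector size.
PLAIN_DUMP='Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x00
     ealgo: AES-XTS
    keylen: 128
  provsize: 104857600
sectorsize: 512
      keys: 0x01
iterations: 173531'

printf '%s\n' "$GOOD_DUMP"  | geli_check_policy 4096 && echo "policy OK, safe to newfs"
printf '%s\n' "$PLAIN_DUMP" | geli_check_policy 4096 || echo "policy violated, do not newfs"
```

The check is deliberately placed between geli init and newfs: a provider that was initialized with the wrong options is cheap to destroy and redo at that point, and expensive once data is on it.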

References