Hardening/FreeBSD
Per-user
Password hashing
In FreeBSD this is configured in /etc/login.conf [1], among other settings:
default:\
:passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=64K:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
:openfiles=unlimited:\
:maxproc=unlimited:\
:sbsize=unlimited:\
:vmemoryuse=unlimited:\
:swapuse=unlimited:\
:pseudoterminals=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:
tmpfs
Moving temporary filesystems to tmpfs and mounting them nosuid,nodev,noexec [2] also helps mitigate the execution of arbitrary programs dropped into world-writable temporary directories. In FreeBSD, this can be done via entries in /etc/rc.conf:
tmpmfs="YES"
tmpsize="64m"
tmpmfs_flags="-S -o noexec" # Disable soft updates, enable noexec
Or, doing this manually:
$ grep mfs /etc/fstab
md /tmp mfs rw,noexec,-s256m 0 0
$ mv /tmp /tmp2 && mkdir -m1777 /tmp && mount /tmp && rm -rf /tmp2
Per-user /tmp
TBD
Encrypted disks
Initialize the GELI device:
$ DEV=ada0p4
$ dd if=/dev/random bs=64 count=1 | gpg --cipher-algo aes --symmetric --armor > key-$DEV.asc   # GnuPG 1.x
$ F=$(mktemp); dd if=/dev/random of=$F bs=64 count=1 && gpg --cipher-algo aes --symmetric --armor --output key-$DEV.asc $F   # GnuPG 2.x
$ gpg --decrypt key-$DEV.asc | geli init -a HMAC/SHA256 -s 4096 -K - /dev/$DEV
gpg: AES encrypted data
Enter passphrase: XXX            # To decrypt the GPG key
gpg: encrypted with 1 passphrase
Enter new passphrase: XXX        # To add a passphrase to the GELI device
Reenter new passphrase: XXX
Metadata backup can be found in /var/backups/md1.eli and can be restored with the following command:
# geli restore /var/backups/md1.eli /dev/md1
Attach and format the newly initialized disk:
gpg --decrypt key-$DEV.asc | geli attach -k - /dev/$DEV
newfs /dev/$DEV.eli              # This will create a new filesystem!
mount -t ufs /dev/$DEV.eli /data
Dump metadata:
$ geli dump $DEV | head -11
Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x10
     ealgo: AES-XTS
    keylen: 128
     aalgo: HMAC/SHA256
  provsize: 104857600
sectorsize: 4096
      keys: 0x01
iterations: 173531
Detach:
umount /data
geli detach $DEV.eli
sysctl
During installation, a few hardening options[3] can be set. These can be tweaked later on via sysctl:
security.bsd.see_other_uids = 0             # hide_uids
security.bsd.see_other_gids = 0             # hide_gids
security.bsd.see_jail_proc = 0              # hide_jail
security.bsd.unprivileged_read_msgbuf = 0   # read_msgbuf
security.jail.param.allow.read_msgbuf = 0
security.bsd.unprivileged_proc_debug = 0    # proc_debug
kern.randompid = 1                          # random_pid
See more security related parameters with:
sysctl security
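Added example, not from the original page: a POSIX sh check that compares sysctl(8) output against the hardening values listed above and reports each deviation, so the settings can be verified after installation or from a periodic job. The sample sysctl output is constructed; on a real host pipe in `sysctl security.bsd kern.randompid` instead.

```shell
#!/bin/sh
# Added example (not from the page): verify the hardening sysctls listed above.

# Host-level oid=value pairs from the list above. security.jail.param.allow.read_msgbuf
# is a jail parameter descriptor rather than a host tunable, so it is not checked here.
EXPECTED='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1'

# check_hardening: reads sysctl(8)-style "oid: value" lines on stdin, prints one
# MISMATCH/MISSING line per deviation, and returns 0 only when every oid matches.
check_hardening() {
    actual=$(cat)
    problems=0
    for entry in $EXPECTED; do
        oid=${entry%%=*}
        want=${entry#*=}
        # exact string match on the "oid:" field, so dots in oids are not regex wildcards
        got=$(printf '%s\n' "$actual" | awk -v k="$oid:" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $oid (expected $want)"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $oid expected=$want actual=$got"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample of sysctl output from a partially hardened host
# (one value wrong, one oid absent, randompid still off).
SAMPLE_SYSCTL='security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0
security.bsd.see_jail_proc: 0
security.bsd.unprivileged_read_msgbuf: 0
kern.randompid: 0'

# On a real host: sysctl security.bsd kern.randompid | check_hardening
printf '%s\n' "$SAMPLE_SYSCTL" | check_hardening || echo "hardening check: deviations found"
```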
Even more settings -- TBD!
disable_syslogd
disable_sendmail
secure_console
disable_ddtrace