Hardening/FreeBSD

From Segfault

Password hashing

In FreeBSD the password hash algorithm is set with passwd_format in /etc/login.conf[1], alongside the other login class settings (run cap_mkdb /etc/login.conf after editing; existing hashes are only upgraded when a user next changes their password):

default:\
       :passwd_format=sha512:\
       :copyright=/etc/COPYRIGHT:\
       :welcome=/etc/motd:\
       :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
       :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
       :nologin=/var/run/nologin:\
       :cputime=unlimited:\
       :datasize=unlimited:\
       :stacksize=unlimited:\
       :memorylocked=64K:\
       :memoryuse=unlimited:\
       :filesize=unlimited:\
       :coredumpsize=unlimited:\
       :openfiles=unlimited:\
       :maxproc=unlimited:\
       :sbsize=unlimited:\
       :vmemoryuse=unlimited:\
       :swapuse=unlimited:\
       :pseudoterminals=unlimited:\
       :priority=0:\
       :ignoretime@:\
       :umask=022:

tmpfs

Moving temporary filesystems to tmpfs and mounting them nosuid,nodev,noexec[2] also limits what can be executed from files dropped there.

In FreeBSD, this can be done via entries in /etc/rc.conf:

tmpmfs="YES"
tmpsize="64m"
tmpmfs_flags="-S -o noexec"                                           # Disable soft updates, enable noexec

Or, doing this manually:

$ grep mfs /etc/fstab
md          /tmp               mfs       rw,noexec,-s256m       0 0

$ mv /tmp /tmp2 && mkdir -m1777 /tmp && mount /tmp && rm -rf /tmp2

Per-user /tmp

TBD

Encrypted disks

Initialize the GELI device:

$ DEV=ada0p4
$ dd if=/dev/random bs=64 count=1 | gpg --cipher-algo aes --symmetric --armor > key-$DEV.asc                                 # GnuPG 1.x
$ F=$(mktemp); dd if=/dev/random of=$F bs=64 count=1 && gpg --cipher-algo aes --symmetric --armor --output key-$DEV.asc $F && rm -P $F   # GnuPG 2.x; remove the plaintext key file afterwards

$ gpg --decrypt key-$DEV.asc | geli init -a HMAC/SHA256 -s 4096 -K - /dev/$DEV
gpg: AES encrypted data
Enter passphrase: XXX                                            # To decrypt the GPG key
gpg: encrypted with 1 passphrase
Enter new passphrase: XXX                                        # To add a passphrase to the GELI device
Reenter new passphrase: XXX

geli init reports where it saved a backup of the metadata (in this example output the device is md1); it can be restored with the following command:

       # geli restore /var/backups/md1.eli /dev/md1

Attach and format the newly initialized disk:

gpg --decrypt key-$DEV.asc | geli attach -k - /dev/$DEV
newfs /dev/$DEV.eli                                              # This will create a new filesystem!
mount -t ufs /dev/$DEV.eli /data

Dump metadata:

$ geli dump $DEV | head -11
Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x10
     ealgo: AES-XTS
    keylen: 128
     aalgo: HMAC/SHA256
  provsize: 104857600
sectorsize: 4096
      keys: 0x01
iterations: 173531

Detach:

umount /data
geli detach $DEV.eli

sysctl

During installation, bsdinstall offers a few hardening options[3]. The settings they control can also be changed later via sysctl (put them in /etc/sysctl.conf to make them persistent):

security.bsd.see_other_uids = 0                                            # hide_uids
security.bsd.see_other_gids = 0                                            # hide_gids
security.bsd.see_jail_proc  = 0                                            # hide_jail
security.bsd.unprivileged_read_msgbuf = 0                                  # read_msgbuf
security.jail.param.allow.read_msgbuf = 0
security.bsd.unprivileged_proc_debug  = 0                                  # proc_debug
kern.randompid              = 1                                            # random_pid

List further security-related parameters with:

sysctl security
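As an added example (not from this page), a small POSIX sh audit helper that checks a host against the tmpfs and sysctl sections above: it compares sysctl output with the expected values listed and verifies that the /tmp entry in `mount -p` output carries the required mount options. The sample sysctl and mount lines are constructed, and the function names are my own.

```sh
# Added audit helper, not from the wiki page. Assumes sysctl lines as
# "name: value" (sysctl output) or "name=value" (sysctl.conf), and mount
# lines in `mount -p` layout: device mountpoint fstype options dump pass.
# Expected values, from the sysctl list on this page ("name value").
HARDENING_SYSCTLS='security.bsd.see_other_uids 0
security.bsd.see_other_gids 0
security.bsd.see_jail_proc 0
security.bsd.unprivileged_read_msgbuf 0
security.bsd.unprivileged_proc_debug 0
kern.randompid 1'
# Read sysctl lines on stdin; print each expected setting that is unset or
# differs from the value above. Returns 1 on findings.
check_sysctls() {
    input=$(cat); rc=0
    while read -r name want; do
        got=$(printf '%s\n' "$input" | awk -F'[:=]' -v n="$name" \
            '{ k=$1; v=$2; gsub(/^ +| +$/,"",k); gsub(/^ +| +$/,"",v); if (k==n) print v }')
        [ "$got" = "$want" ] || { echo "$name: got ${got:-<unset>}, want $want"; rc=1; }
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return $rc
}

# Read `mount -p` lines on stdin; print each required option (arguments)
# that the /tmp entry lacks. Returns 1 if any is missing or /tmp is absent.
check_tmp_opts() {
    opts=$(awk '$2 == "/tmp" { print $4; exit }'); rc=0
    [ -n "$opts" ] || { echo "/tmp: not mounted"; return 1; }
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "/tmp: missing $want (have $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output (not from a real host): two sysctls left at their
# permissive defaults, two not reported at all, and a /tmp without nosuid.
SAMPLE_SYSCTL='security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 1
security.bsd.unprivileged_proc_debug: 1
kern.randompid: 1'
SAMPLE_MOUNT='/dev/ada0p2 / ufs rw 1 1
/dev/md0 /tmp ufs rw,noexec 0 0'
# Demo on the samples; on a live host: sysctl -a | check_sysctls
printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctls || :
printf '%s\n' "$SAMPLE_MOUNT" | check_tmp_opts noexec nosuid || :
```

On a real system run `mount -p | check_tmp_opts noexec nosuid` after the tmpfs steps above; a non-zero exit means at least one finding was printed.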

Further installer hardening options, not yet covered here (TBD):

disable_syslogd
disable_sendmail
secure_console
disable_ddtrace

References