I am preparing to do a clean install of 10.1-RELEASE on a new system using root-on-ZFS. I have played with this a bit with some of the release candidates.
As part of my standard lockdown, I would previously specify sizes for /tmp and /var/tmp and set them to noexec and nosuid (https://forums.freebsd.org/threads/correct-way-of-securing-tmp-and-var-tmp-in-freebsd.30864/).
In the ZFS world, I need to set the properties of the ZFS mount appropriately, such as:
Code:
# zfs set exec=off zroot/tmp
# zfs set setuid=off zroot/tmp
# zfs set exec=off zroot/var/tmp
# zfs set setuid=off zroot/var/tmp
In order to prevent disk space exhaustion from someone filling /tmp, I assume that I then need to set quotas (https://forums.freebsd.org/threads/zfs-limit-available-space-in.26218/). Say a maximum of 512M each.
Code:
# zfs set quota=512M zroot/tmp
# zfs set quota=512M zroot/var/tmp
So, a few questions:
- I see references to an older nodev option which is also present in other BSDs, but it seems that since the introduction of devfs it is no longer applicable in FreeBSD. Do I need to consider any equivalents in ZFS options?
- Are there any other ZFS options that I really should be setting for a secure ZFS layout?
- Does anyone have any good pointers to ZFS layouts and recommended quota sizes for a production server that will not be compiling from source?
- Are there any caveats when applying noexec to ZFS tmp directories?
Nick
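A check for the settings proposed in the post above, added here as an example and not part of the original post: a POSIX sh function that reads `zfs get -Hp -o name,property,value` output and flags any dataset where exec or setuid is still on, or where the quota is missing or above 512M. The names `audit_tmp_props` and `sample_output` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks the exec/setuid/quota settings proposed in the post.
# Expects on stdin the tab-separated output of (run on the live system):
#   zfs get -Hp -o name,property,value exec,setuid,quota zroot/tmp zroot/var/tmp
# -H drops the header line, -p prints the quota as a byte count.

MAX_QUOTA=$((512 * 1024 * 1024))   # 512M, the per-dataset limit from the post

# Prints PASS/FAIL lines; returns 0 only if every dataset seen is compliant.
audit_tmp_props() {
    awk -F '\t' -v max="$MAX_QUOTA" '
        NF == 3 { seen[$1] = 1; val[$1, $2] = $3; n++ }
        END {
            if (n == 0) { print "FAIL no datasets in input"; exit 1 }
            bad = 0
            for (ds in seen) {
                f = 0
                if (val[ds, "exec"] != "off")   { print "FAIL " ds ": exec=" val[ds, "exec"]; f = 1 }
                if (val[ds, "setuid"] != "off") { print "FAIL " ds ": setuid=" val[ds, "setuid"]; f = 1 }
                q = val[ds, "quota"]
                # An unset quota shows as 0 (or "none" without -p); both are rejected.
                if (q !~ /^[0-9]+$/ || q + 0 == 0) { print "FAIL " ds ": quota unset or not in bytes"; f = 1 }
                else if (q + 0 > max) { print "FAIL " ds ": quota " q " exceeds " max; f = 1 }
                if (!f) print "PASS " ds
                bad = bad || f
            }
            exit bad
        }'
}

# Constructed sample, not real output: zroot/var/tmp still allows exec and has no quota.
sample_output() {
    printf 'zroot/tmp\texec\toff\n'
    printf 'zroot/tmp\tsetuid\toff\n'
    printf 'zroot/tmp\tquota\t536870912\n'
    printf 'zroot/var/tmp\texec\ton\n'
    printf 'zroot/var/tmp\tsetuid\toff\n'
    printf 'zroot/var/tmp\tquota\t0\n'
}

sample_output | audit_tmp_props || echo "hardening incomplete"
```

The non-zero exit status makes the function usable from a periodic job or a post-install script, where a later `zfs set` or a recreated dataset would otherwise silently undo the lockdown.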