FreeBSD hardening guide

[kavitakr]

Hi
I see FreeBSD is not supported

Unsupported CIS Benchmarks

These CIS Benchmarks are no longer being reviewed and updated by our consensus communities, but you are still welcome to download them. AIX v1.0.1 – Version 1.0.1 – 2005 Apache Web Server 2.2.0 – Version 2.2.0 – November 2008 Apple iPhone OS 2.2.1 – Version 1.1.0 – March 2009 Check Point...

www.cisecurity.org

Is there any alternative documentation?

Regards
Kavitha

 

[SirDice]

You can start with security(7). There's also an old thread that's still useful: https://forums.freebsd.org/threads/unofficial-freebsd-security-checklist-links-resources.4108/

 

[gpw928]

The FreeBSD fork, HardenedBSD, might be a good starting point for those who are really serious about security. It's the platform used by OPNsense.

 

[1MachineElf]

Hi Kavitha. There are some minimal hardening configurations that are available from the FreeBSD Installer. Please have a look at the 2.8.4. Enabling Hardening Security Options section of the FreeBSD Handbook. There are only 10, but these could serve as a starting point for a custom security checklist.

 

[loveydovey]

The FreeBSD fork, HardenedBSD, might be a good starting point for those who are really serious about security. It's the platform used by OPNsense.

Does it make sense to talk about hardening FreeBSD towards HardenedBSD level, SirDice ? If I remember correctly, there has not been a hole in FreeBSD for years, and there were only a couple overall, and they weren't even deadly? So hardening more is more of an extra assurance? (I'm talking about security that doesn't stem from user/sysdamin oversight).

 

[SirDice]

Does it make sense to talk about hardening FreeBSD towards HardenedBSD level, SirDice ?

Plenty of things from HardenedBSD have been implemented in FreeBSD itself. If it makes sense, and doesn't break everything. There's a lot of "cross-pollination" between all the various BSDs out there.

About | HardenedBSD

hardenedbsd.org

The project started with Address Space Layout Randomization (ASLR) as an initial focal point and is now implementing further exploit mitigation techniques.

ASLR has been implemented in FreeBSD since then.

Making sure you're not a bot!

 

[cracauer@]

Does it make sense to talk about hardening FreeBSD towards HardenedBSD level, SirDice ? If I remember correctly, there has not been a hole in FreeBSD for years, and there were only a couple overall, and they weren't even deadly? So hardening more is more of an extra assurance? (I'm talking about security that doesn't stem from user/sysdamin oversight).

Hardening is not just about plugging holes.

It is also about mitigations that come into effect when there is a hole, to limit what an attacker can do with that hole.