My FreeBSD hardening script

A few comments. First, given the debate above, I read your license. I stopped when it said "You may not adapt ... the software logic...". Note that the word "software" I quoted here is not capitalized, so I don't even know whether that sentence applies to software in the common legal definition, or in your particular definition. If I take what you write in that sentence literally, I am not allowed to look at your software, notice that it contains a good idea, and then implement that idea (without using any piece of code) elsewhere. This requirement is inane.

But it immediately leads to a much larger scope of the license comment. FOSS licenses are a super complex part of IP law. There have been lots of lawsuits over them; I've sat in meetings with 3 or 4 lawyers discussing their details as part of my job, and I had a colleague fired for not reading a license before using software. Your license clearly has not been gone over by a set of lawyers. It is contradictory, unclear, and messy. I would be insane to use any software encumbered by this license, unless I first have my team of lawyers clarify whether the license is a stumbling block. And for a small script that sets a few variables in setup files (which I can set myself in 15 minutes of work), that level of effort is not a good investment. If your software was the greatest thing ever (like a program which solves the question whether P=NP, or a new operating system that today operates over 90% of all servers in the world), investigating a new license might be feasible. For your purposes, you just need to use a well-established license. Several others above proposed 2-clause BSD or LGPL2, pick something and get on with life.

Next comment: Above you write a few things about the use of software, including whether aliens (in the sense of martians!) can use your software, how it interacts with artificial intelligence, and your fear that free software can be corporatized. Those comments indicate that you are not thinking clearly, and do not understand very much about the real world. For example, IBM buying RedHat does not mean that software that's under the GPL suddenly becomes "gated": You can still download the Linux kernel and the GNU software from their respective web hosts, and as far as we know, the recent restrictions RedHat has put in place do not violate the GPL at all. You seem to be a religious zealot with scant connection to reality, both in terms of your paranoia about aliens and AI, and your nonchalant license.

Along the same lines, it upsets me that you casually insult so many experienced and knowledgeable people. You start that documentation with "FreeBSD officially defaults to Permanently Insecure Mode", with the last three words highlighted. That sentence is intended to be misunderstood; it is a slap in the face of the project, just to get some attention.

Finally, the task itself. You say that your software "hardens" FreeBSD. What does that even mean? It sets lots of variables, which all do various levels of protection. What kind of FreeBSD installation is it intended for: desktop, network server, storage server, embedded? What limitations does it have? All computer security is a tradeoff (usually between convenience and security), what are you trading off? What requirements is your software addressing? What services (client or server) does it impede? You need way more documentation, and that doesn't mean a long list of variables, but of their effects, and the cause for changing them.

In summary, I'm not touching your software with a 10-foot pole. If some space aliens want to use it, that's their choice.
 
Finally, the task itself.

I'll start here, concurring with all you've said above. I've provided my adjective for the licence, and am similarly unimpressed by disrespect shown to our security team - though the OP seems to have just arrived and is unlikely to know, beyond browsing and misquoting security(7)

You say that your software "hardens" FreeBSD. What does that even mean? It sets lots of variables, which all do various levels of protection. What kind of FreeBSD installation is it intended for: desktop, network server, storage server, embedded? What limitations does it have? All computer security is a tradeoff (usually between convenience and security), what are you trading off? What requirements is your software addressing? What services (client or server) does it impede? You need way more documentation, and that doesn't mean a long list of variables, but of their effects, and the cause for changing them.

Exactly. What concerns me is that it seems to be aimed at new, perhaps naive users of FreeBSD, who - as seen recently - may be impressed by promises of "more secure" without necessary knowledge of limitations and consequences of such settings, as you point out.

A major case in point is setting kern.securelevel above 0, as even bsdconfig's hardening options have had people surprised to be then unable to do common admin tasks - especially on laptops or desktops neither serving external clients nor even other users.

Hopefully the OP will take the time to become more familiar with FreeBSD security culture and norms for different circumstances before the next draft, maybe seeking advice from the security team?
 
It's very cool to see someone trying their hand at making hardening FreeBSD easier, especially for people who are new to it, and I have to say that you've definitely put a lot of effort on it as well, which I really appreciate.
However, like most of the others on this thread, I very much agree with the licensing issues, as the restrictions the license you've used on it practically make your scripts proprietary - which is a bummer considering that this would have had the potential to become widely used had it been licensed using a license such as the previously mentioned 2BSD license.

...also, to be all paranoid about AI-generated code, but to use an AI-generated image for the logo, ironic, isn't it?
 
ralphbsz Your argument is a complete non-sequitur. It's a Non-Commercial license. FreeBSD users do not have Lawyers and I went to great pains to empower people, regular people, people power, excluding all else, so that obviously obviates Lawyers! If you were referencing my quip about FreeBSD using my License, well then, that's what Lawyers are for, negotiating and amending Licenses. However, you did catch a grammar error in the capitalization of "software" so thanks for helping me there.

smithi You are verging on personal insults so let me illuminate you. I'm an award winning Security Professional with decades of experience in securing almost every single OS going back to the start of the internet who had an advanced and unique Government Security Clearance from multiple agencies that is still under NDA that you can view on my LinkedIn. I did get feedback from the very **top** of the FreeBSD team, that's why it works so well! I hope you realize that your false accusations harm your own reputation and not mine for anyone who can think critically.

Vanilla Pudding Thanks for the compliment for my efforts, that makes this whole thread worthwhile. I've gotten feedback on my script before I posted here and I've seen that comment a couple times and here my way I'm coming at it is not as simple as you think. In my mind, and many minds in the field of AI, is we are going to lose control of it. The use of an AI image while denying AI execution is a cognitive perspective reinforcement, or pattern alignment precedence, if you will.

In essence, I'm putting AI in its place. It is here to serve me and not the other way around. In fact, that is one of the main goals of the License that I would like people to come away with. We all saw that GitHub Co-Pilot used the famous Fast inverse square root https://news.ycombinator.com/item?id=27710287 and that type of AI hoovering up all code on the Internet, using for itself all the unprotected code WE write, is something I feel that needs to be addressed. Thank you for the opportunity to express that.

---

To end, I would like potential users to take a step back from some of these obsequious and irrelevant comments and realize that I've given you software that works very well in helping *you* drive FreeBSD, at no cost. I provided you with a tool and reserved some space for myself, and people, you and I. If anything else, this thread has proved to me that I've absolutely made the correct decision with my License. There has been no critically reasoned argument put forth, only regurgitation and straw-man tactics.

To all young software developers I urge you not to relent to peer pressure and to find out what motivates and drives you, in your heart, in finding your own path that does not sacrifice your own ethics and vision. That is the only way to grow your conscience. Even if you get the same treatment I got, in the end, you will yourself be progressed a person even if at the end you realized you made a mistake, especially then. Mistakes are experience's best teacher. Have the courage to take a stand for what you think is right against mob mentality. I hope my case has been illustrative!
 
It will not remove duplicates in your existing confs although it will change them to the same value that is set in settings.ini. I might include that functionality later, thanks for that. I don't think there is any harm from duplicates AFAIK.

It definitely appends new values to the confs as most security values are not present and must be present for the script to fulfill its goal.


I just got two errors that stopped the script

Error: "YES" not allowed in pf_flags=""

Error: "YES" not allowed in jail_sysvipc_allowed=”YES”

why is it messing with values not defined in settings.ini?

When I comment out the offending lines:

Code:
Traceback (most recent call last):
  File "/usr/home/jamie/Downloads/harden-freebsd-2.0.2/./harden-freebsd.py", line 358, in <module>
    SetOpts("STARTUP")
  File "/usr/home/jamie/Downloads/harden-freebsd-2.0.2/./harden-freebsd.py", line 314, in __init__
    conf_runner.setConf()
  File "/usr/home/jamie/Downloads/harden-freebsd-2.0.2/./harden-freebsd.py", line 169, in setConf
    lines = file_content.readlines()
  File "/usr/local/lib/python3.9/encodings/ascii.py", line 26, in decode
    return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 1453: ordinal not in range(128)
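Added example (not part of the thread and not code from harden-freebsd.py): byte 0xe2 is the first byte of the UTF-8 encoding of a typographic quote such as the ” in the reported jail_sysvipc_allowed line, and a file read under an ASCII locale stops there. The sketch below reproduces that failure on a constructed sample, reports where the non-ASCII characters sit, and decodes with an explicit codec; the sample content and all function names are assumptions.

```python
# Added example; SAMPLE_CONF is constructed and the function names are hypothetical.
SAMPLE_CONF = (
    'pf_enable="YES"\n'
    'pf_flags=""\n'
    'jail_sysvipc_allowed=\u201dYES\u201d\n'  # typographic quotes, as in the report
).encode("utf-8")


def ascii_decode_failure(data: bytes):
    """Reproduce the crash: return (offset, byte) where ASCII decoding stops."""
    try:
        data.decode("ascii")
    except UnicodeDecodeError as exc:
        return exc.start, data[exc.start]
    return None


def find_non_ascii(data: bytes):
    """List (line, column, byte_offset, char) for every non-ASCII character."""
    findings = []
    offset = 0
    for line_no, raw in enumerate(data.splitlines(keepends=True), start=1):
        # surrogateescape maps each undecodable byte to one placeholder character
        text = raw.decode("utf-8", errors="surrogateescape")
        pos = offset
        for col, ch in enumerate(text, start=1):
            if ord(ch) > 127:
                findings.append((line_no, col, pos, ch))
            pos += len(ch.encode("utf-8", errors="surrogateescape"))
        offset += len(raw)
    return findings


def read_conf_lines(data: bytes):
    """Decode with an explicit codec so the result does not depend on the locale."""
    return data.decode("utf-8", errors="surrogateescape").splitlines()


if __name__ == "__main__":
    print("ASCII decode stops at:", ascii_decode_failure(SAMPLE_CONF))
    for line_no, col, pos, ch in find_non_ascii(SAMPLE_CONF):
        print(f"line {line_no} col {col} byte {pos}: U+{ord(ch):04X}")
```

Running the same scan over the real configuration file before the script touches it shows which line carries the character at the byte position named in the traceback.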
 
I disagree with security.
If you don't have "root" privileges you can't modify files without the proper "permissions" even if they don't have "schg"
If you have gained root privileges you can simply do a "chflags -R noschg" and so all security is lost.
I consider it a false feeling of security.
One exception could be 'securelevel 1' : Secure mode - the system immutable and system append-only flags may not be turned off;
 
I can't imagine removal of chflags.

Contributed software includes pjdfstest – a test suite that helps exercise POSIX system calls – <https://github.com/freebsd/freebsd-src/tree/main/contrib/pjdfstest#readme>, <https://github.com/freebsd/freebsd-src/tree/main/contrib/pjdfstest/tests/chflags> asomers@ <https://github.com/freebsd/freebsd-src/blob/main/contrib/pjdfstest/AUTHORS> (pjd = Pawel Jakub Dawidek).

And so on;

Code:
% rg --sort path --count chflags /usr/src
/usr/src/Makefile.inc1:9
/usr/src/ObsoleteFiles.inc:1
/usr/src/bin/Makefile:1
/usr/src/bin/chflags/Makefile:1
/usr/src/bin/chflags/chflags.1:2
/usr/src/bin/chflags/chflags.c:3
/usr/src/bin/chflags/tests/Makefile:1
/usr/src/bin/chflags/tests/chflags_test.sh:10
/usr/src/bin/chmod/chmod.1:1
/usr/src/bin/chmod/tests/chmod_test.sh:2
/usr/src/bin/cp/utils.c:5
/usr/src/bin/ln/symlink.7:6
/usr/src/bin/ls/ls.1:3
/usr/src/bin/ls/tests/ls_tests.sh:2
/usr/src/bin/mv/mv.c:2
/usr/src/bin/pax/pax.1:3
/usr/src/bin/rm/rm.1:1
/usr/src/bin/rm/rm.c:3
/usr/src/contrib/bmake/install-sh:4
/usr/src/contrib/bmake/mk/install-sh:4
/usr/src/contrib/capsicum-test/capability-fd.cc:4
/usr/src/contrib/capsicum-test/capmode.cc:2
/usr/src/contrib/kyua/admin/build-bintray-dist.sh:4
/usr/src/contrib/kyua/admin/travis-build.sh:4
/usr/src/contrib/less/edit.c:14
/usr/src/contrib/libarchive/libarchive/archive_entry.c:1
/usr/src/contrib/libarchive/libarchive/archive_read_disk.3:1
/usr/src/contrib/libarchive/libarchive/archive_write_disk.3:1
/usr/src/contrib/libarchive/libarchive/archive_write_disk_posix.c:10
/usr/src/contrib/libarchive/libarchive/archive_write_set_format_shar.c:1
/usr/src/contrib/libarchive/libarchive/test/main.c:2
/usr/src/contrib/libarchive/tar/test/test_option_fflags.c:1
/usr/src/contrib/libarchive/test_utils/test_main.c:2
/usr/src/contrib/llvm-project/compiler-rt/include/sanitizer/netbsd_syscall_hooks.h:18
/usr/src/contrib/llvm-project/compiler-rt/lib/dfsan/libc_ubuntu1404_abilist.txt:2
/usr/src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_syscalls_netbsd.inc:6
/usr/src/contrib/lutok/admin/travis-build.sh:3
/usr/src/contrib/lutok/admin/travis-install-deps.sh:4
/usr/src/contrib/mtree/compare.c:2
/usr/src/contrib/mtree/mtree.8:2
/usr/src/contrib/mtree/verify.c:1
/usr/src/contrib/netbsd-tests/bin/cp/t_cp.sh:2
/usr/src/contrib/netbsd-tests/fs/tmpfs/t_remove.sh:2
/usr/src/contrib/netbsd-tests/fs/vfs/t_unpriv.c:8
/usr/src/contrib/netbsd-tests/lib/libc/sys/t_stat.c:8
/usr/src/contrib/openbsm/NEWS:1
/usr/src/contrib/openbsm/etc/audit_event:6
/usr/src/contrib/pjdfstest/configure.ac:8
/usr/src/contrib/pjdfstest/pjdfstest.c:16
/usr/src/contrib/pjdfstest/tests/chflags/00.t:25
/usr/src/contrib/pjdfstest/tests/chflags/01.t:4
/usr/src/contrib/pjdfstest/tests/chflags/02.t:9
/usr/src/contrib/pjdfstest/tests/chflags/03.t:9
/usr/src/contrib/pjdfstest/tests/chflags/04.t:5
/usr/src/contrib/pjdfstest/tests/chflags/05.t:8
/usr/src/contrib/pjdfstest/tests/chflags/06.t:5
/usr/src/contrib/pjdfstest/tests/chflags/07.t:7
/usr/src/contrib/pjdfstest/tests/chflags/08.t:11
/usr/src/contrib/pjdfstest/tests/chflags/09.t:16
/usr/src/contrib/pjdfstest/tests/chflags/10.t:7
/usr/src/contrib/pjdfstest/tests/chflags/11.t:11
/usr/src/contrib/pjdfstest/tests/chflags/12.t:13
/usr/src/contrib/pjdfstest/tests/chflags/13.t:5
/usr/src/contrib/pjdfstest/tests/chmod/08.t:15
/usr/src/contrib/pjdfstest/tests/chown/08.t:15
/usr/src/contrib/pjdfstest/tests/ftruncate/08.t:13
/usr/src/contrib/pjdfstest/tests/link/12.t:13
/usr/src/contrib/pjdfstest/tests/link/13.t:13
/usr/src/contrib/pjdfstest/tests/misc.sh:2
/usr/src/contrib/pjdfstest/tests/mkdir/08.t:13
/usr/src/contrib/pjdfstest/tests/mkfifo/10.t:13
/usr/src/contrib/pjdfstest/tests/mknod/09.t:13
/usr/src/contrib/pjdfstest/tests/open/09.t:13
/usr/src/contrib/pjdfstest/tests/open/10.t:9
/usr/src/contrib/pjdfstest/tests/open/11.t:5
/usr/src/contrib/pjdfstest/tests/open/13.t:1
/usr/src/contrib/pjdfstest/tests/rename/06.t:5
/usr/src/contrib/pjdfstest/tests/rename/07.t:5
/usr/src/contrib/pjdfstest/tests/rename/08.t:5
/usr/src/contrib/pjdfstest/tests/rmdir/09.t:13
/usr/src/contrib/pjdfstest/tests/rmdir/10.t:13
/usr/src/contrib/pjdfstest/tests/symlink/09.t:13
/usr/src/contrib/pjdfstest/tests/truncate/08.t:13
/usr/src/contrib/pjdfstest/tests/unlink/09.t:13
/usr/src/contrib/pjdfstest/tests/unlink/10.t:13
/usr/src/crypto/heimdal/lib/hx509/ChangeLog:1
/usr/src/crypto/heimdal/lib/hx509/ks_p11.c:2
/usr/src/crypto/openssl/apps/lib/s_cb.c:2
/usr/src/etc/mtree/BSD.tests.dist:2
/usr/src/include/protocols/dumprestore.h:1
/usr/src/lib/libc/gen/strtofflags.3:4
/usr/src/lib/libc/include/namespace.h:1
/usr/src/lib/libc/include/un-namespace.h:1
/usr/src/lib/libc/sys/Makefile.inc:4
/usr/src/lib/libc/sys/Symbol.map:10
/usr/src/lib/libc/sys/chflags.2:23
/usr/src/lib/libc/sys/chmod.2:2
/usr/src/lib/libc/sys/chown.2:2
/usr/src/lib/libc/sys/fhlink.2:1
/usr/src/lib/libc/sys/link.2:2
/usr/src/lib/libc/sys/mkdir.2:2
/usr/src/lib/libc/sys/mkfifo.2:2
/usr/src/lib/libc/sys/open.2:1
/usr/src/lib/libc/sys/rename.2:2
/usr/src/lib/libc/sys/rmdir.2:1
/usr/src/lib/libc/sys/stat.2:2
/usr/src/lib/libc/sys/symlink.2:2
/usr/src/lib/libc/sys/truncate.2:2
/usr/src/lib/libc/sys/unlink.2:2
/usr/src/lib/libc/sys/utimensat.2:2
/usr/src/lib/libc/sys/utimes.2:2
/usr/src/lib/libsysdecode/sysdecode_mask.3:2
/usr/src/libexec/rc/rc:2
/usr/src/libexec/rc/rc.d/random:1
/usr/src/libexec/rtld-elf/Makefile:1
/usr/src/libexec/save-entropy/save-entropy.sh:1
/usr/src/release/Makefile:1
/usr/src/release/scripts/mm-mtree.sh:1
/usr/src/rescue/rescue/Makefile:1
/usr/src/sbin/dump/dump.8:1
/usr/src/sbin/fsdb/fsdb.8:1
/usr/src/sbin/fsdb/fsdb.c:1
/usr/src/sbin/restore/dirs.c:1
/usr/src/sbin/restore/restore.h:1
/usr/src/sbin/restore/tape.c:4
/usr/src/sbin/restore/utilities.c:2
/usr/src/share/doc/smm/01.setup/3.t:3
/usr/src/share/doc/smm/01.setup/spell.ok:1
/usr/src/share/man/man4/rights.4:4
/usr/src/share/man/man7/security.7:3
/usr/src/share/mk/bsd.lib.mk:1
/usr/src/share/mk/local.dirdeps.mk:1
/usr/src/share/mk/suite.test.mk:1
/usr/src/sys/compat/freebsd32/freebsd32_syscall.h:4
/usr/src/sys/compat/freebsd32/freebsd32_syscalls.c:4
/usr/src/sys/compat/freebsd32/freebsd32_sysent.c:4
/usr/src/sys/compat/freebsd32/freebsd32_systrace_args.c:16
/usr/src/sys/conf/kern.post.mk:3
/usr/src/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_ctldir.c:1
/usr/src/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c:4
/usr/src/sys/contrib/openzfs/tests/zfs-tests/cmd/dosmode_readonly_write.c:2
/usr/src/sys/contrib/openzfs/tests/zfs-tests/cmd/linux_dos_attributes/read_dos_attributes.c:1
/usr/src/sys/contrib/openzfs/tests/zfs-tests/cmd/linux_dos_attributes/write_dos_attributes.c:2
/usr/src/sys/contrib/openzfs/tests/zfs-tests/include/commands.cfg:1
/usr/src/sys/contrib/openzfs/tests/zfs-tests/tests/functional/acl/off/dosmode.ksh:1
/usr/src/sys/contrib/openzfs/tests/zfs-tests/tests/functional/chattr/chattr_001_pos.ksh:6
/usr/src/sys/dev/hyperv/vmbus/vmbus_chan.c:1
/usr/src/sys/dev/hyperv/vmbus/vmbus_reg.h:1
/usr/src/sys/fs/ext2fs/ext2_dinode.h:1
/usr/src/sys/fs/ext2fs/inode.h:1
/usr/src/sys/fs/fdescfs/fdesc_vnops.c:1
/usr/src/sys/fs/nfsclient/nfs_clrpcops.c:2
/usr/src/sys/fs/tmpfs/tmpfs.h:1
/usr/src/sys/fs/tmpfs/tmpfs_subr.c:3
/usr/src/sys/fs/tmpfs/tmpfs_vnops.c:1
/usr/src/sys/kern/init_sysent.c:4
/usr/src/sys/kern/kern_jail.c:3
/usr/src/sys/kern/subr_capability.c:3
/usr/src/sys/kern/syscalls.c:4
/usr/src/sys/kern/syscalls.master:4
/usr/src/sys/kern/systrace_args.c:16
/usr/src/sys/kern/vfs_syscalls.c:17
/usr/src/sys/sys/caprights.h:1
/usr/src/sys/sys/capsicum.h:2
/usr/src/sys/sys/priv.h:1
/usr/src/sys/sys/stat.h:4
/usr/src/sys/sys/syscall.h:4
/usr/src/sys/sys/syscall.mk:4
/usr/src/sys/sys/sysproto.h:12
/usr/src/sys/ufs/ufs/dinode.h:2
/usr/src/sys/ufs/ufs/inode.h:1
/usr/src/targets/pseudo/tests/Makefile.depend:2
/usr/src/targets/pseudo/userland/Makefile.depend:1
/usr/src/tests/sys/audit/file-attribute-modify.c:62
/usr/src/tests/sys/file/path_test.c:4
/usr/src/tests/sys/fs/tarfs/mktar.c:1
/usr/src/tests/sys/pjdfstest/config.h:4
/usr/src/tests/sys/pjdfstest/tests/Makefile:1
/usr/src/tools/build/beinstall.sh:1
/usr/src/tools/build/cross-build/fake_chflags/Makefile:1
/usr/src/tools/build/cross-build/fake_chflags/chflags:3
/usr/src/tools/regression/priv/Makefile:1
/usr/src/tools/regression/priv/main.c:12
/usr/src/tools/regression/priv/main.h:10
/usr/src/tools/regression/priv/priv_vfs_chflags.c:45
/usr/src/tools/regression/security/cap_test/cap_test_capabilities.c:6
/usr/src/tools/regression/security/cap_test/cap_test_capmode.c:2
/usr/src/tools/regression/security/open_to_operation/open_to_operation.c:6
/usr/src/tools/regression/tmpfs/t_remove:2
/usr/src/tools/test/stress2/misc/devfd.sh:1
/usr/src/tools/test/stress2/misc/ldt2.sh:1
/usr/src/tools/test/stress2/misc/suj7.sh:1
/usr/src/tools/test/stress2/misc/syzkaller69.sh:1
/usr/src/tools/tools/build_option_survey/option_survey.sh:1
/usr/src/tools/tools/nanobsd/defaults.sh:4
/usr/src/tools/tools/nanobsd/dhcpd/common:1
/usr/src/tools/tools/sysbuild/sysbuild.sh:1
/usr/src/usr.bin/chpass/Makefile:1
/usr/src/usr.bin/compress/compress.c:2
/usr/src/usr.bin/du/du.1:1
/usr/src/usr.bin/find/find.1:2
/usr/src/usr.bin/find/function.c:1
/usr/src/usr.bin/fortune/datfiles/freebsd-tips:1
/usr/src/usr.bin/gzip/gzip.c:2
/usr/src/usr.bin/kdump/kdump.c:6
/usr/src/usr.bin/login/login.c:3
/usr/src/usr.bin/login/login_fbtab.c:2
/usr/src/usr.bin/passwd/Makefile:1
/usr/src/usr.bin/tip/tip/Makefile:1
/usr/src/usr.bin/truss/syscalls.c:4
/usr/src/usr.bin/xinstall/install.1:3
/usr/src/usr.bin/xinstall/xinstall.c:13
/usr/src/usr.sbin/chown/tests/chown_test.sh:2
/usr/src/usr.sbin/etcupdate/etcupdate.sh:2
/usr/src/usr.sbin/freebsd-update/freebsd-update.sh:2
/usr/src/usr.sbin/fstyp/hammer2_disk.h:1
/usr/src/usr.sbin/fstyp/hammer_disk.h:1
/usr/src/usr.sbin/jail/config.c:1
/usr/src/usr.sbin/jail/jail.8:2
/usr/src/usr.sbin/jail/jail.c:1
/usr/src/usr.sbin/mergemaster/mergemaster.sh:1
/usr/src/usr.sbin/newsyslog/newsyslog.c:6
/usr/src/usr.sbin/nmtree/mtree.5:1
/usr/src/usr.sbin/pw/cpdir.c:2
%
 
Perhaps someone has already mentioned it, but setting the default encryption method for user passwords to blowfish is less secure than using SHA256 or SHA512. The tutorials you probably referenced (as I have too) are outdated. The best system has an immutable filesystem, offers nothing extra (binaries) and is ready to use. From my experience, the best way to reproduce this is through a jail that has its filesystem ready to build your custom world and such. Once you have an immutable filesystem you can keep track of it with mtree.
We can increase the bcrypt rounds in the future. An increase in the rounds will double the time to hash the password.
Not sure how to specify the number of rounds in FreeBSD. By default, FreeBSD uses 04 rounds, which can be much more insecure than using SHA256 or SHA512. But a note: SHA is not designed for password hashing, but bcrypt is.
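Added example (not part of the thread): the work factor discussed above is stored in the hash string itself, so existing password fields can be audited for scheme and cost. This sketch parses modular-crypt prefixes for bcrypt and SHA-crypt; the sample hashes are constructed filler, the function names are hypothetical, and the minimum cost passed to `below_cost` is the caller's own policy choice.

```python
import re

# Constructed hash fields: salts and digests are filler, not real hashes.
SAMPLE_HASHES = {
    "alice": "$2b$04$" + "a" * 53,
    "bob": "$2b$12$" + "b" * 53,
    "carol": "$6$rounds=100000$saltsalt$" + "c" * 86,
    "dave": "$6$saltsalt$" + "d" * 86,
    "locked": "*LOCKED*",
}

# SHA-crypt uses 5000 rounds when the hash carries no rounds= field.
SHA_CRYPT_DEFAULT_ROUNDS = 5000

BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$")
SHA_CRYPT_RE = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?")


def classify(hash_field):
    """Return (scheme, bcrypt_cost, iterations) for one password hash field."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        # The two-digit field is a log2 cost: 04 means 2**4 iterations.
        return ("bcrypt", cost, 2 ** cost)
    m = SHA_CRYPT_RE.match(hash_field)
    if m:
        name = "sha256-crypt" if m.group(1) == "5" else "sha512-crypt"
        rounds = int(m.group(2)) if m.group(2) else SHA_CRYPT_DEFAULT_ROUNDS
        return (name, None, rounds)
    return ("unrecognised", None, None)


def work_ratio(old_cost, new_cost):
    """Each +1 in bcrypt cost doubles the hashing work."""
    return 2 ** (new_cost - old_cost)


def below_cost(hashes, min_cost):
    """Accounts whose bcrypt cost is under the caller's chosen minimum."""
    flagged = []
    for user, field in hashes.items():
        scheme, cost, _ = classify(field)
        if scheme == "bcrypt" and cost < min_cost:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, field in SAMPLE_HASHES.items():
        print(user, classify(field))
    print("04 -> 12 multiplies work by", work_ratio(4, 12))
```

Iteration counts are only comparable within one scheme; a bcrypt iteration and a SHA-crypt round are different units of work.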
 