FreeBSD 11 new installer options

gkontos

Daemon

Reaction score: 488
Messages: 2,160

I installed today FreeBSD 11.0-RELEASE. (I know it is not officially announced but you can download it)
I noticed some new features in the installer. First you have the option to install the system with debug on:

image.png


The suggested partition schema was MBR and not GPT. At least in a 20GB VMWARE disk.
And finally some additional system security hardening options:

image.png


Impressive! Anyone knows what sysctl values those system security options affect?

Some are very obvious...
 

protocelt

Daemon

Reaction score: 414
Messages: 1,253

  • Hide processes running as other users = security.bsd.see_other_uids
  • Hide processes running as other groups = security.bsd.see_other_gids
  • Disable reading kernel message buffer for unprivileged users = security.bsd.unprivileged_read_msgbuf
  • Disable process debugging facilities for unprivileged users = security.bsd.unprivileged_proc_debug
  • Randomize the PID of newly created processes = kern.randompid
  • Insert stack guard page ahead of the growable segments = security.bsd.stack_guard_page
For reference: https://reviews.freebsd.org/D6826
 
OP
gkontos

gkontos

Daemon

Reaction score: 488
Messages: 2,160

Excellent, I need to find some time to test bhyve. Then, maybe I can get rid of all my Linux KVM servers!
 

cj572

New Member


Messages: 2

Hi,
I am still new to FreeBSD and I question about how to set the hardening. I want make my FreeBSD 11 as secure as possible. I Thank You for your time. CJ
 

xtaz

Well-Known Member

Reaction score: 146
Messages: 476

If you haven't already set the options in the installer like in the screenshot above then edit /etc/sysctl.conf and add the following lines, and change the 1234 for a better random number of your choice.

Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1234
security.bsd.stack_guard_page=1

They will only become active after a reboot. To make them active straight away simply run them on the command line using the sysctl command, like sysctl security.bsd.see_other_uids=0
 
D

Deleted member 48958

Guest


Here is where it is possible to view all available options:
/usr/src/usr.sbin/bsdinstall/scripts/hardening

Here is all 12-CURRENT hardening options:
Hide processes running as other users - add security.bsd.see_other_uids=0 to /etc/sysctl.conf
Hide processes running as other groups - add security.bsd.see_other_gids=0 to /etc/sysctl.conf
Hide processes running in jails - add security.bsd.see_jail_proc=0 to /etc/sysctl.conf
Disable reading kernel message buffer for unprivileged users - add security.bsd.unprivileged_read_msgbuf=0 to /etc/sysctl.conf
Disable process debugging facilities for unprivileged users - add security.bsd.unprivileged_proc_debug=0 to /etc/sysctl.conf
Randomize the PID of newly created processes - add kern.randompid=1 to /etc/sysctl.conf
Clean the /tmp filesystem on system startup - add clear_tmp_enable="YES" to /etc/rc.conf
Disable opening Syslogd network socket (disables remote logging) - add syslogd_flags="-ss" to /etc/rc.conf
Disable Sendmail service - add sendmail_enable="NONE" to /etc/rc.conf
Enable console password prompt (ask root password in single user mode) - replace
Code:
console none                            unknown off [b]secure[/b]
with
Code:
console none                            unknown off [b]insecure[/b]
in /etc/ttys.
 
Top