FreeBSD 11 Security Settings when Installing

C

chrismfz

Hello there.
When I install FreeBSD 11 there is a step for various security / hardening settings about kernel mainly.

Is there a way to run this somehow from console ?

I can't find it and I was curious how to run it onto systems that are already installed without them or in systems that had been upgraded from 10.x

ps. I am talking about
  • New 'System Hardening' menu in bsdinstall with several security features to be enabled per user's choice (r302897)
which is part of bsdinstall.
 
I've long removed bsdinstall from my systems, but to my knowledge you can simply start it yourself as well. Check /sbin or /usr/sbin. Or the manualpage of course.
 
As far I know those options are sysctl(8) options. If I record correctly:

Code: 
security.bsd.see_other_gids
security.bsd.see_other_uids
security.bsd.unprivileged_read_msgbuf
security.bsd.unprivileged_proc_debug
security.bsd.stack_guard_page
 
There's one to disable sendmail as well, which I assume, (and yeah, I know what that implies) just saves someone the work of adding the 3 or 4 sendmail lines to /etc/rc.conf

Code: 
sendmail_enable="NO" 
sendmail_submit_enable="NO" 
sendmail_outbound_enable="NO" 
sendmail_msp_queue_enable="NO"

I haven't checked if that is what that one option does, but it seems logical.
[FONT=Consolas][/FONT]
 
You can find the actual script here:
/usr/src/usr.sbin/bsdinstall/scripts/hardening

To run it use this:
Code: 
cd /usr/src/usr.sbin/bsdinstall/scripts
./hardening

++edit++
I do notice just running the script does not change any settings though.
 
scottro said:
There's one to disable sendmail as well, which I assume, (and yeah, I know what that implies) just saves someone the work of adding the 3 or 4 sendmail lines to /etc/rc.conf
Click to expand...
I know it's a little offtopic but Sendmail isn't enabled by default anymore, so you can leave the first line out. There is however another option which is also enabled by default. This is what I use:

Code: 
sendmail_cert_create="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
Based on the settings in /etc/defaults/rc.conf instead of the documentation which sometimes also implies that Sendmail is enabled by default (it no longer is).

The main reason I'm commenting though: in case someone does want to disable Sendmail based on this then also don't forget about /etc/periodic.conf:

Code: 
daily_clean_hoststat_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_queuerun_enable="NO"
daily_submit_queuerun="NO"

Phishfry said:
You can find the actual script here:
/usr/src/usr.sbin/bsdinstall/scripts/hardening
Click to expand...
Keep in mind though that this requires the sourcecode to be installed, and not everyone has that.
 
Not only that -bsdinstaller uses a chroot envirnoment. So hence the script does not work on a running system.

Here they are translated:
Code: 
echo security.bsd.see_other_uids=0 >> /etc/sysctl.conf
echo security.bsd.see_other_gids=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_read_msgbuf=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_proc_debug=0 >> /etc/sysctl.conf
echo kern.randompid=$(jot -r 1 9999) >> /etc/sysctl.conf
echo security.bsd.stack_guard_page=1 >> /etc/sysctl.conf
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
echo 'syslogd_flags="-ss"' >> /etc/rc.conf
echo 'sendmail_enable="NONE"' >> /etc/rc.conf
 
Phishfry said:
Not only that -bsdinstaller uses a chroot envirnoment. So hence the script does not work on a running system.

Here they are translated:
Code: 
echo security.bsd.see_other_uids=0 >> /etc/sysctl.conf
echo security.bsd.see_other_gids=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_read_msgbuf=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_proc_debug=0 >> /etc/sysctl.conf
echo kern.randompid=$(jot -r 1 9999) >> /etc/sysctl.conf
echo security.bsd.stack_guard_page=1 >> /etc/sysctl.conf
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
echo 'syslogd_flags="-ss"' >> /etc/rc.conf
echo 'sendmail_enable="NONE"' >> /etc/rc.conf
Click to expand...

Thank you!

Indeed it worked. Made the very simple ps aux as a user to check if ,
sysctl security.bsd.see_other_uids
sysctl security.bsd.see_other_gids
works or not.

Code: 
chris@devbox ~$ ps aux
USER  PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
chris 979  0.0  0.0 13848 3308  0  S    15:21   0:00.00 -su (bash)
chris 981  0.0  0.0 21164 2584  0  R+   15:21   0:00.00 ps aux

Seems they work. Thanks again.
 
Related to Sendmail but not the original question, you can fully disable Sendmail with one rc.conf line:
Code: 
sendmail_enable="NONE"

It does look like they've forgotten to disable the cert_create option with this setting, although that's only a one-time function that creates an ssl certificate.
 
You must log in or register to reply here.
Back
Top