Solved Install what optional components when paranoid?

Toolforger


Hi all,

I am setting up a system with paranoid, minimize-attack-surface requirements.
What optional components should I install?

I see:

base-dbg (off by default)
kernel-dbg (on by default, no idea what good that might do to me)
lib32-dbg (off by default)
lib32 (on by default, not sure I need it, I'm going to use ZFS, iocage, and Python 3 - can I add components later?)
ports (off by default, I'll need the above three, is installing ports worth it?)
tests (off by default, I believe I don't need it but I really have no idea what kind of tests run and whether I want them)

Any feedback appreciated!
 

JAW


Turn them all off (they can be fetched/unpacked later if needed), although I'm not convinced this will really minimize attack surface, rather just save some disk space. Probably more important is what services you have running and leave open (besides all the usual good security practices, e.g. minimal permissions, strong passwords, etc.)

https://www.freebsd.org/doc/handbook/security-intro.html
 

_martin


Packages with "dbg" mean debug symbols. You don't need them for normal operation. lib32 are libraries to support 32-bit binaries. If you are in doubt don't use them, you can add them later.
You don't need ports per se either, you can use binary (prebuilt) packages.

I recommend reading the FreeBSD handbook - it's a great place to start getting familiar with FreeBSD.
 
Toolforger


Heh. I did read the BSD handbook.
I just didn't see the paragraph explaining what the consequences of leaving these components out are.
Nor did I see a paragraph explaining why the defaults are the way they are - I would need to know them to decide whether they're relevant for my use case or not.

I agree that the optional components probably don't have much of an impact on the attack surface.
OTOH debug symbols can help an attacker determine kernel addresses that might help them find code snippets that they can abuse. If that makes the attacker's life slightly more miserable without affecting my life, then why not do it?
 

Sevendogsbsd


Services running and ports open on your firewall are, in my opinion, more important. Since you asked this question, I assume you have a separate hardware firewall? If this is a workstation, attackers are not going to bother with you. If a server, that depends entirely on what you are serving.
 

shkhln


> OTOH debug symbols can help an attacker determine kernel addresses that might help them find code snippets that they can abuse.

No idea what you are talking about, right? The attacker will probe the environment, get a fully automated exploit matching the kernel version and run it; they aren't going to debug it on the spot. Although even that is far-fetched — applications are what you should be concerned with.
 
Toolforger


Yes, it's going to be a server, and sure, I'm going to shut down on services (not even sshd, since the thing will be the "main rescue console for the entire LAN").
It's just that I had that menu popping up during installation and didn't know what the consequences of deselecting everything are.
I know that not having debug symbols is merely a minor annoyance for an attacker. But every annoyance can help slow them down, which is an (oh so very slight) advantage.

Re the kernel version: You're right, I came up with that approach after the fact.
Still, even if I don't know what good something might be for an attacker, if I don't need it I won't provide it.
And if I find an actual use I'll install it anyway, not a big deal either.

Well, back to the original question: I see I don't need those optional components unless I find that I'll need them anyway, in which case I can install them.
Which is as good an answer as it can get, I guess - unless somebody objects?
 

wolffnx


> Hi all,
>
> I am setting up a system with paranoid, minimize-attack-surface requirements.
> What optional components should I install?
>
> I see:
>
> base-dbg (off by default)
> kernel-dbg (on by default, no idea what good that might do to me)
> lib32-dbg (off by default)
> lib32 (on by default, not sure I need it, I'm going to use ZFS, iocage, and Python 3 - can I add components later?)
> ports (off by default, I'll need the above three, is installing ports worth it?)
> tests (off by default, I believe I don't need it but I really have no idea what kind of tests run and whether I want them)
>
> Any feedback appreciated!

Only talking about the installer, the most important option is "secure console" (I think that is the name).
Without this anyone can boot in single mode without being asked for the root password.
Of course you can disable the boot menu, but if they boot with a FreeBSD installer cant mount (UFS) or import (ZFS) the pool and modify that... besides that can access unencrypted volumes or partitions.
It's a long talk chat, like security,
but in the installer, for me that is the most important option.
 

_martin


Basically what shkhln said. Debug symbols ease the debugging; it doesn't mean you can't prep the exploit. You could use security.bsd.unprivileged_proc_debug=0 on your system to make things harder (not impossible).
But then, I can install the same version of FreeBSD in my VM and prep for the attack without you knowing (for the sake of conversation I'm considering a bug in FreeBSD, not one coming from ports/application). Also FreeBSD doesn't have ASLR which sweetens the attack once the vector is found.

But for your situation default options are good enough. And it practically doesn't matter if you select all or none above (really).
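
Added example, not written by any poster in this thread: a small audit script for the three things discussed above, namely which optional sets ended up on disk, whether the console entry in /etc/ttys is marked "insecure" (wolffnx's "secure console" installer option), and whether sysctl.conf sets security.bsd.unprivileged_proc_debug=0. The function names are made up for this example, and the per-set directories are assumed to be the usual install locations.

```shell
#!/bin/sh
# Added example: audit the installer choices discussed in this thread.
# The directory per set is an assumed default install location; ROOT lets you
# point the checks at a mounted image or a jail instead of the live system.

# Print the optional sets that appear to be present under ROOT.
installed_sets() {
    root=$1; found=""
    for entry in base-dbg:/usr/lib/debug/bin kernel-dbg:/usr/lib/debug/boot/kernel \
                 lib32-dbg:/usr/lib/debug/usr/lib32 lib32:/usr/lib32 \
                 ports:/usr/ports tests:/usr/tests; do
        if [ -d "$root${entry#*:}" ]; then found="$found ${entry%%:*}"; fi
    done
    echo "${found# }"
}

# Succeed if the console line of a ttys file is marked "insecure", which makes
# single-user mode ask for the root password. Comments are stripped first.
console_requires_password() {
    awk '{ sub(/#.*/, "") }
         $1 == "console" { for (i = 2; i <= NF; i++) if ($i == "insecure") ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed if a sysctl.conf sets security.bsd.unprivileged_proc_debug to 0
# (the last assignment in the file wins).
proc_debug_disabled() {
    awk -F= '{ sub(/#.*/, ""); gsub(/[ \t]/, "") }
             $1 == "security.bsd.unprivileged_proc_debug" { val = $2 }
             END { exit ((val == "0") ? 0 : 1) }' "$1"
}

# Human-readable summary for one root directory ("" means the live system).
report() {
    r=$1
    echo "optional sets present: $(installed_sets "$r")"
    if [ -r "$r/etc/ttys" ] && console_requires_password "$r/etc/ttys"; then
        echo "console: root password required in single-user mode"
    else
        echo "console: marked secure, or /etc/ttys unreadable"
    fi
    if [ -r "$r/etc/sysctl.conf" ] && proc_debug_disabled "$r/etc/sysctl.conf"; then
        echo "unprivileged_proc_debug: set to 0"
    else
        echo "unprivileged_proc_debug: not set to 0 in sysctl.conf"
    fi
}

if [ "${1:-}" = "report" ]; then report "${2:-}"; fi
```

Run it as `sh audit.sh report` on the installed system, or pass a mount point as the second argument to inspect an image.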
 
Toolforger


Hey, this thread isn't about how to best harden a system.
I'm just after what those knobs I found here mean. If they make a difference or not.
Seems like they are pretty tiny speedbumps, but since they won't slow *me* down, I still believe I should make use of them. Can't hurt, may help, and all that.
 