System Hardening Options Post-Install?

The System Hardening Options presented at install time - if one wished to keep these disabled at install time and then selectively enable them after installing, what is the method for doing so?

I am doing a FreeBSD 12 install and was hoping to see instructions on how to do that in the 2.8.4. Enabling Hardening Security Options section of the handbook, but it's not described there.

Maybe the functions used by this portion of the installer would give a clue of how to perform these changes. Can someone please direct me on where in the FreeBSD 12 code base these can be found?
 
I think this is most of them, if you select them all.

Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1

And then in rc.conf:

Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
 
syslogd_flags="-ss"
I also use -vv

Code:
syslogd_flags="-ss -vv"

My reasoning for that is that I want to see the logger facility and priority (-vv). I suppose that really isn't needed once you have syslogd properly setup, but for debugging, it is helpful to know if messages are going to the right place.

I keep it after the fact because it is nice for tracking things down.

Additionally, I enable ASLR:
Code:
kern.elf64.aslr.enable=1
kern.elf32.aslr.enable=1
 
I also believe system hardening requires good auditing. BSM is a great product; though not as thorough as Solaris's implementation, it's a tool ALL system administrators should learn to use. Likewise MAC, but I'm not a real fan of it and prefer RBAC (again a Solaris implementation), which is not available on FreeBSD.
 
Be careful when you use ASLR; the last time I installed 13-RELEASE, I ran into issues with ntpd. You might have to use proccontrol to selectively exclude executables from ASLR for them to work. I believe this applies to 12 as well.

In practice, you simply run into unexpected core dumps. If that happens, try disabling ASLR.

Since you mentioned targeting 12, I'll save you any further comments about W^X.
 
Or /usr/libexec/bsdinstall/hardening if you didn't install the source component.


The file shows these options that I wish to additionally enable in /etc/sysctl.conf. The syntax is different from what I find in the file below. What do I need to say in /etc/sysctl.conf to reflect the hardening settings 7, 9 and 10 below? Also in /etc/rc.conf?


Code:
"disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} 
        "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
        "10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \
        fi
        if [ "$feature" = "disable_syslogd" ]; then
                echo 'syslogd_flags="-ss"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
        fi
        if [ "$feature" = "secure_console" ]; then
                sed "s/unknown  off secure/unknown      off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
        fi
        if [ "$feature" = "disable_ddtrace" ]; then
                echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening
        fi

Thank you.
 
options that I wish to additionally enable in /etc/sysctl.conf
The thing is: those options aren't set there.

echo 'syslogd_flags="-ss"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
--> add syslogd_flags="-ss" to /etc/rc.conf

sed "s/unknown off secure/unknown off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
--> in /etc/ttys, in the following section, change secure to insecure:
Code:
# name  getty                           type    status          comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off             insecure

echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening
--> add security.bsd.allow_destructive_dtrace=0 to /boot/loader.conf

For the complete list, see https://forums.freebsd.org/threads/have-you-used-hardenedbsd-did-you-like-it.80187/#post-509491
 
Thank you. I have done all that, and checked if what is given in the complete list that you have linked are set.

:)
 
Or /usr/libexec/bsdinstall/hardening if you didn't install the source component.
Yep, bsdinstall sources and executables are all identical.

You can safely run just hardening. Due to BSDINSTALL_TMPETC being unset, whatever you select conveniently winds up in
Code:
/sysctl.conf.hardening
/loader.conf.hardening
/rc.conf.hardening and
/ttys.hardening
since full bsdinstall would normally chroot into the new system to finish installing such conf files.
 
How do I run hardening ?

Thanks.
 
As root, should be as easy as typing in:

/usr/libexec/bsdinstall/hardening

Thank you.

Options menu popped up, I chose everything and said OK, and the root prompt immediately returned a blank line. This, as I understand, is to be taken to mean that the settings took effect.
 
I think so. I would run the following command as root:
find / -name "*.hardening" -print

That should give a list of files; then you would need to copy/merge to existing files.
A file sysctl.conf.hardening you want to merge into /etc/sysctl.conf,
then repeat for other "hardening" files.
 
Thank you.

find / -name "*.hardening" -print

shows:

/usr/libexec/bsdinstall/hardening
/ttys.hardening
/sysctl.conf.hardening
/rc.conf.hardening

Would I have to issue the commands:

merge /sysctl.conf.hardening /etc/sysctl.conf
and likewise for every file to /etc/?
 
I don't know exactly what commands one would run, but my method would be an editor with the files side by side and hand-merging the diffs. Basically:
emacs /ttys.hardening /etc/ttys
emacs /sysctl.conf.hardening /etc/sysctl.conf
emacs /rc.conf.hardening /etc/rc.conf

But that's because I'm a bit OCD sometimes and want to know exactly what a change is.
You could also probably do stuff with diff to see what's changed.
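The "run hardening, find the *.hardening files, merge them by hand" procedure from the last few posts, as an added sh script that is not from the thread or from bsdinstall itself. It assumes the fragment paths shown above (/sysctl.conf.hardening, /loader.conf.hardening, /rc.conf.hardening, /ttys.hardening) and the usual targets /etc/sysctl.conf, /boot/loader.conf, /etc/rc.conf and /etc/ttys; it only appends settings the target does not already define, so it is safe to re-run.

```shell
#!/bin/sh
# Added example, not code from the thread: after running
# /usr/libexec/bsdinstall/hardening, merge the fragments it leaves in /
# (paths as shown in the thread) into the live config files, appending only
# the key=value lines the target does not already define.

# merge_conf FRAGMENT TARGET: append missing settings, print how many were added.
# A key the target already sets (with any value) is left alone and reported.
merge_conf() {
    frag=$1; target=$2; added=0
    [ -f "$frag" ] || { echo "no fragment: $frag" >&2; return 1; }
    touch "$target"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac       # skip blanks and comments
        key=${line%%=*}
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')  # escape dots for grep
        if grep -q "^[[:space:]]*${pat}=" "$target"; then
            cur=$(grep "^[[:space:]]*${pat}=" "$target" | tail -n 1)
            [ "$cur" = "$line" ] ||
                echo "note: $target has '$cur', fragment wants '$line'" >&2
            continue
        fi
        printf '%s\n' "$line" >> "$target"
        added=$((added + 1))
    done < "$frag"
    echo "$added"
}

# secure_console TTYS: what the installer's sed does for "secure_console":
# mark the console "insecure" so init asks for the root password in
# single-user mode. Idempotent; other ttys lines are untouched.
secure_console() {
    awk '$1 == "console" && $NF == "secure" { sub(/secure[[:space:]]*$/, "insecure") }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

apply_all() {
    merge_conf /sysctl.conf.hardening /etc/sysctl.conf
    merge_conf /loader.conf.hardening /boot/loader.conf   # takes effect at next boot
    merge_conf /rc.conf.hardening     /etc/rc.conf
    [ -f /ttys.hardening ] && secure_console /etc/ttys
    service sysctl reload                                # sysctl.conf applies now
}

if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Run it as root with --apply; the "note:" lines on stderr are the keys you still have to reconcile by hand, exactly the cases diff showed above.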
 
emacs didn't work
diff returned an empty line for ttys, the next two commands show some difference. Will fix that.

Thank you.
 
Might be more instructive just looking at the sh(1) code in /usr/libexec/bsdinstall/hardening to see what it generates for each selected option, without worrying about the details around the dialog screen.

Sometimes manually adding lines to conf files allows an opportunity to add comments for later reference.

Regarding your original question, adding those lines initially commented out may accomplish that?
 
Thank you smithi. My capacity to read and understand man pages such as sh(1) is extremely, extremely limited. I run ls and doas and the rest I copy and paste.

emacs /sysctl.conf.hardening /etc/sysctl.conf

shows

2,3d9
< security.bsd.see_other_gids=0
< security.bsd.see_jail_proc=0
5a12,16
> vfs.zfs.min_auto_ashift=12
> kern.ipc.shm_allow_removed=1
> kern.evdev.rcpt_mask=6
> security.bsd.see_other_gids=0
> security.bsd.see_jail_proc=0
6a18

diff /rc.conf.hardening /etc/rc.conf

shows


1d0
< clear_tmp_enable="YES"
3a3,29
> sendmail_submint_enable="NONE"
> sendmail_outbound_enable="NONE"
> sendmail_msp_queue_enable="NONE"
> hostname="BSD"
> keymap="us.kbd"
> ifconfig_re0="DHCP"
> ifconfig_re0_ipv6="inet6 accept_rtadv"
> defaultroute_delay="0" # Don't wait for a default route in the foreground
> moused_enable="YES"
> moused_port="/dev/psm0"
> moused_type="auto"
> moused_enable="YES"
> ntpd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> zfs_enable="YES"
> dbus_enable="YES"
> kdm5_enable="YES"
> kld_list="amdgpu"
> nginx_enable="NO"
> sddm_enable="yes"
> clear_tmp_enable="YES"
> syslogd_flags="-ss"
> pf_enable="yes"
> pflog_enable="yes"
> pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> pflog_flags="" # additional flags for pflogd startu

Do I have to copy what is missing in one file, everything, from another AND vice versa? i.e., should both the / and /etc files have exactly the same contents?

Also pf status shows:

service pf status
Status: Enabled for 0 days 00:57:13 Debug: Urgent

How do I make pf auto-start on boot, every time?

Thank you
 
It should be noted that some hardening should be disabled for some applications, e.g.:
Code:
#Firefox bug
kern.elf64.aslr.pie_enable=0
kern.elf64.aslr.enable=0
#For monitoring & dovecot
security.bsd.see_other_uids=1
security.bsd.see_other_gids=1
security.bsd.see_jail_proc=1
#For dovecot
security.bsd.hardlink_check_uid=0
security.bsd.hardlink_check_gid=0
#For something
security.bsd.unprivileged_mlock=1
 
It would be nice if bsdconfig had a hardening feature, since it seems to mimic bsdinstall.

I ran bsdconfig hardening now. There is a security setting option which allows the root to choose three different levels of security. Also there is a Startup menu, which allows you to view the hardening options set, and modify it. Worked well.
 
Ideally it would come up under bsdconfig hardening command.
Because bsdinstall hardening is a relatively recent addition, I am not surprised bsdconfig has not caught up yet.

I use bsdconfig timezone a lot. I like the ability to run individual components instead of crawling through the menu.
 