System Hardening

Is there a FULL cheat sheet for rc.conf, sysctl.conf, etc.? I would like to review all the things I might need. Thanks <3

Edit: Thank you guys so much for the useful replies and if anyone would like to add more ideas let me know! <3
 
I am not aware of such a cheat sheet.
However, install lynis
Code:
#pkg install -y lynis
Then run
Code:
#lynis audit system -Q
That should give you a starting point for sysctl.conf and others
 
Yes, Lynis is a great tool, but it doesn't tell you a whole lot. Like yes, it tells you one like security.bsd.hardlink_check_gid=1, but are there other security.bsd ones?
 
Good question. For security I find some info here, some info there, use a package like lynis. Centralized info I did not find.
sysctl.conf depends largely on your personal usage. So there is nothing general.
 
Here are some hardening tunables for /boot/loader.conf, /etc/rc.conf, /etc/sysctl.conf and /etc/ttys.

man security(7) has instructions on how to secure (harden) the system.

Or go direct to HardenedBSD, "a security-enhanced fork of FreeBSD. The HardenedBSD Project is implementing many exploit mitigation and security technologies on top of FreeBSD."

Here is the wiki:
 
We can make this thread the start for a wiki page. My contribution:
  • traditionally the staff group is used for developers & such, and these have reason to see a full process list. Thus I have mac_seeotheruids(4) in sysctl.conf(5):
    Code:
    # randomize PIDs instead of allocating them sequentially
    kern.randompid=1
    # not needed here: mac_seeotheruids below handles process visibility instead
    #security.bsd.see_other_uids=0
    # hide processes running inside jails from the host's unprivileged users
    security.bsd.see_jail_proc=0
    # see also rc.conf kld_load="${kld_load} mac_seeotheruids". id staff=20
    # gid 20 (staff) is exempt and may still see other users' processes
    security.mac.seeotheruids.specificgid=20
    security.mac.seeotheruids.specificgid_enabled=1
    # require a larger entropy pool before Fortuna is considered seeded
    kern.random.fortuna.minpoolsize=512
  • You may want to reflect on whether your security needs justify using a file system firewall (ugidfw(8), mac_bsdextended(4)) or any of the other MAC policies (local doc).
  • Fixing CPU bugs is mandatory: install sysutils/cpupdate & sysutils/devcpu-data
  • Enable the predefined ipfw firewall: sysrc firewall_enable=YES; sysrc firewall_type=workstation
  • Does s/o have a good comparison of the available IDS in ports?
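A tunable written to sysctl.conf only matters if the running kernel actually carries it: the security.mac.seeotheruids.* keys above do nothing unless mac_seeotheruids is loaded, and lynis will not point that out. The following POSIX sh script is an added example (not from any poster in this thread) that diffs the fragment above against sysctl -e style output and reports OK, DRIFT or MISSING per key; the live output here is a constructed sample for an unhardened host.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf hardening fragment against live values.

# The fragment from the post above, verbatim (comment lines are skipped).
WANTED='kern.randompid=1
#security.bsd.see_other_uids=0
security.bsd.see_jail_proc=0
# see also rc.conf kld_load="${kld_load} mac_seeotheruids". id staff=20
security.mac.seeotheruids.specificgid=20
security.mac.seeotheruids.specificgid_enabled=1
kern.random.fortuna.minpoolsize=512'

# Constructed sample of what `sysctl -e <key>` would print on an unhardened
# box with mac_seeotheruids NOT loaded (so those two keys are absent).
# On a real FreeBSD host build this with:  sysctl -e kern.randompid ...
LIVE='kern.randompid=0
security.bsd.see_jail_proc=0
kern.random.fortuna.minpoolsize=64'

# check_drift WANTED LIVE: one line per wanted key, unindented key=value input.
check_drift() {
    wanted=$1 live=$2
    printf '%s\n' "$wanted" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        key=${line%%=*}
        want=${line#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')  # literal dots in the regex
        have=$(printf '%s\n' "$live" | sed -n "s/^$esc=//p")
        if [ -z "$have" ]; then
            printf 'MISSING %s (tunable absent; kernel module not loaded?)\n' "$key"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT %s want=%s live=%s\n' "$key" "$want" "$have"
        else
            printf 'OK %s\n' "$key"
        fi
    done
}

# hardening_ok WANTED LIVE: succeeds only when nothing drifted or is missing.
hardening_ok() {
    ! check_drift "$1" "$2" | grep -q -E '^(DRIFT|MISSING)'
}

check_drift "$WANTED" "$LIVE"
```

Pipe real `sysctl -e` output in place of LIVE and run hardening_ok from a periodic(8) job to catch a tunable that was reverted or a module that silently failed to load.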
 
I only need the base install, my custom program, and internet :) So do you have any ideas for that configuration?
 
What's the attack surface? To mitigate access to the ME & any OOB management, you need an external packet filter. Check the base like said above (+ freebsd-update IDS) & enable the workstation firewall, if needed configure it to allow access to your program. With the additions found throughout this thread you have a pretty good basic host security. Choose a strong password & change it regularly.
 
I will be making a firewall in hardware as well, etc. I will take it to the extreme and I will even strip FreeBSD down to the point where it is almost impossible to use for any other use than it was intended, which is pentesting using my program. Though I will have multiple firewalls and I couldn't get Tor to work with pf. If you know a firewall for Tor please let me know, and not just pf; ipfw and all the built-in firewalls would be appreciated <3 Sorry for asking a lot.
 
Then you already know about nanobsd(8) & picobsd(8). What do you mean with "a firewall for tor(1)"? Traditionally, you have an external packet filter (single, extra phys. system solely for that purpose) & application gateway in a DMZ which you can set up as a collection of jailed proxies (SOCKS, HTTP, DNS, NTP, ...). There's a security/torsocks & net/tsocks to socksify any application. Nowadays you need to inspect the data streams, which is a topic of its own. So you want to pentest another host or network, and your program is doing that? Then why do you want to harden that system?
 
During a pentest it is also good for the blue team to attack back at the red team in certain cases, trying to deanonymize the users such as the FBI did with JavaScript once. I can't use the pkg system for reasons, so is there a way to do something like proxychains or torsocks without actually having the program, perhaps a .sh? Also I'm a grey hat "exploiter", so when I say pentest I don't always do good. Sorry if you are disappointed.
 
No, not at all. tsocks(1) is a shell script. It might serve as a start for your purpose. But since you can't use packages, I'll assume you don't have root privileges & you need to download some library into your $HOME to be available for your script. Where we have a topic that was forgotten, not explicitly mentioned until now: mount(8) options. If the place where you can install your library or script has noexec mount options, you're out if you can't find any suitable substitute on the machine. Still not sure if this is valuable input for you.
Browse /usr/ports/security. Have to leave, bye & good luck.
 
Simple really. Remove everything in rc.conf and don't allow users. System hardening completed. ;)
 
To make a computer really secure, switch it off, remove all cables and physically destroy all storage devices, and bury it 5 feet deep in concrete. And even then I wouldn’t be 100 % sure …
 
Deather So did you find s/th? What is your route? Just curious, as I guess you're doing this pentesting in a professional environment (you wrote about two teams), and then you ought to have some good background on security & network, but maybe just lacking experience in FreeBSD.
 
That won't prevent anyone from circumventing them if they have local access to the machine.
Obviously you can e.g. reset the (most) machine & boot from external media, but how would you circumvent the password/key to access encrypted data? Especially if it's two tokens, i.e. a key on a thumb drive or smartcard plus a password or fingerprint via sensor? Then there are these One-Time-Passwords.
 
There are 400-500 people with source commit bit (the list is in the Developers handbook). How do you know that none of them was ever approached by a government agency, offering money for a backdoor?
 