FreeBSD 11 new installer options

[gkontos]

I installed today FreeBSD 11.0-RELEASE. (I know it is not officially announced but you can download it)
I noticed some new features in the installer. First you have the option to install the system with debug on:

The suggested partition schema was MBR and not GPT. At least in a 20GB VMWARE disk.
And finally some additional system security hardening options:

Impressive! Anyone knows what sysctl values those system security options affect?

Some are very obvious...

 

[protocelt]

• Hide processes running as other users = security.bsd.see_other_uids
  
• Hide processes running as other groups = security.bsd.see_other_gids
  
• Disable reading kernel message buffer for unprivileged users = security.bsd.unprivileged_read_msgbuf
  
• Disable process debugging facilities for unprivileged users = security.bsd.unprivileged_proc_debug
  
• Randomize the PID of newly created processes = kern.randompid
  
• Insert stack guard page ahead of the growable segments = security.bsd.stack_guard_page

For reference: https://reviews.freebsd.org/D6826

 

[gkontos]

Excellent, I need to find some time to test bhyve. Then, maybe I can get rid of all my Linux KVM servers!

 

[cj572]

Hi,
I am still new to FreeBSD and I question about how to set the hardening. I want make my FreeBSD 11 as secure as possible. I Thank You for your time. CJ

 

[xtaz]

If you haven't already set the options in the installer like in the screenshot above then edit /etc/sysctl.conf and add the following lines, and change the 1234 for a better random number of your choice.

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1234
security.bsd.stack_guard_page=1

They will only become active after a reboot. To make them active straight away simply run them on the command line using the sysctl command, like sysctl security.bsd.see_other_uids=0

 

[SirDice]

This thread is a bit older but it should still apply: Thread 4108

 

[cj572]

Thank You for all info, I will use this info to setup my FreeBSD 11 system.
CJ

 

[Deleted member 48958]

Here is where it is possible to view all available options:
/usr/src/usr.sbin/bsdinstall/scripts/hardening

Here is all 12-CURRENT hardening options:
Hide processes running as other users - add security.bsd.see_other_uids=0 to /etc/sysctl.conf
Hide processes running as other groups - add security.bsd.see_other_gids=0 to /etc/sysctl.conf
Hide processes running in jails - add security.bsd.see_jail_proc=0 to /etc/sysctl.conf
Disable reading kernel message buffer for unprivileged users - add security.bsd.unprivileged_read_msgbuf=0 to /etc/sysctl.conf
Disable process debugging facilities for unprivileged users - add security.bsd.unprivileged_proc_debug=0 to /etc/sysctl.conf
Randomize the PID of newly created processes - add kern.randompid=1 to /etc/sysctl.conf
Clean the /tmp filesystem on system startup - add clear_tmp_enable="YES" to /etc/rc.conf
Disable opening Syslogd network socket (disables remote logging) - add syslogd_flags="-ss" to /etc/rc.conf
Disable Sendmail service - add sendmail_enable="NONE" to /etc/rc.conf
Enable console password prompt (ask root password in single user mode) - replace

console none                            unknown off [b]secure[/b]

with

console none                            unknown off [b]insecure[/b]

in /etc/ttys.