Solved How to enable the System Hardening options that are offered during the install process post install ?

[john_rambo]

I made a mistake and didn't enable these options while installing. I don't want to reinstall unless absolutely necessary. Is there a way I can enable these options now ? I mean after the installation is over ?

 

[SirDice]

They're all just sysctl(8) you can set in /etc/sysctl.conf.

 

[john_rambo]

They're all just sysctl(8) you can set in /etc/sysctl.conf.

Is there a official page where the I can find the list ? I tried searching but didn't find any such list.

 

[zirias@]

They're not all sysctls, e.g. clearing /tmp is handled by an init script and the rc.conf variable clear_tmp_enable.

Some of these settings are documented in security(7).

I wouldn't call it a mistake not to enable them. They have consequences. You should always make an informed decision about these things.

 

[SirDice]

Use the source, Luke...

hardening « scripts « bsdinstall « usr.sbin - src - FreeBSD source tree

cgit.freebsd.org

 

[john_rambo]

Zirias SirDice
I am using FreeBSD purely as a desktop OS. PF is enabled and set to deny all incoming. No listening services.
Q1) Should I add any hardening settings to /etc/sysctl.conf ?
Q2) If yes, then exactly which ones ?

Note : This is a desktop so this machine is stationary but still I have used full disk encryption. I am insterested only in network security.

 

[SirDice]

A1) Yes, no, maybe. Depends, do you understand their implications?
A2) See answer #1

 

[john_rambo]

Use the source, Luke...

hardening « scripts « bsdinstall « usr.sbin - src - FreeBSD source tree

cgit.freebsd.org

This is all new to me. That link you posted is that a shell script ? That's huge amount of tweaks.
I am supposed to save that page and give it a .sh extension and the run it like this as root ?

#./abcd.sh

Suppose after implementing all those tweaks I later realize that its interfering with my work and want to undo all those tweaks how do I do that ?

 

[SirDice]

This is all new to me. That link you posted is that a shell script ? That's huge amount of tweaks.

It's not, it's the source code of the screen you were looking at.

I am supposed to save that page and give it a .sh extension and the run it like this as root ?

No, you're supposed to look at what each option does exactly.

 

[zirias@]

tl;dr: If you don't understand what an option is doing, don't enable it!

Again, you can learn a few things from security(7) if you're interested. Most of these options change things making it harder for an attacker to do e.g. local privilege escalations (but can break "valid" usecases as well).

I am insterested only in network security.

The only options directly related to network services are those for syslog and sendmail. With some sane packet filtering (firewall) in place, there's not really a reason to worry about them.

 

[john_rambo]

The only options directly related to network services are those for syslog and sendmail. With some sane packet filtering (firewall) in place, there's not really a reason to worry about them.

In that case I see no reason to add any tweaks. Thanks.