System Hardening Options Post-Install?

[Sivan!]

Ideally it would come up under bsdconfig hardening command.
Because bsdinstall hardening is a relatively recent addition I am not suprised bsdconfig has not caught up yet.

I use bsdconfig timezone alot. I like the ability to run individual components instead of crawling thru the menu.

Yes, bsdconfig hardening doesn't work like bsdconfig timezone. It would be cool to make it work, with built in warning against each setting.

 

[smithi]

Thank you smithi. My capacity to read and understand man pages such as sh(1) is extremely, extremely limited. I run ls and doas and the rest I copy and paste.

Well, virtually all of the main system scripts are written in sh, so you will find that reading and studying this language essential to successful mastery of FreeBSD at any level.

That said, bsd{install.config} are pretty extreme in pushing sh(1) to its limits, and I should not have suggested it as an example; I'm still struggling to make sense of the broken bsdconfig packages code on 12.3-R dvd1.

Sorry to be frank, but copying stuff because 'hardening' sounds cool may be worse than leaving it alone in some cases, unless or until you know more or less precisely what each of those settings accomplishes.

I gather that your system is not likely a server, open to the world with multiple unrelated users? Perhaps making sure your firewall is tight is your best bet for online security?

Do I have to copy what is missing in one file, everything, from another AND vice versa? i.e, should both the / and /etc files have exactly the same contents?

No, the files dropped in / are just extra bits to add to the appropriate files. Best delete or move them afterwards.

Your diffs here and elsewhere show your rc.conf and ttys at least already included many of those options.

How do I make pf auto-start on boot, everytime?

Sorry, I can't help with pf, having used ipfw since 1998.

Cheers

 

[Sivan!]

smithi No, my system is not a server, it is a personal computer at the moment.

Phishfry After bsdconfig hardening the computer continued to work, but after a while I stopped network with service netif stop Later when I tried to restart network, dhcp or something else did not work, I was offline. When I shut down, there were a screen full of error messages that I could not note down, but after I rebooted the computer, network is fine after reboot, dmesg -a gives the following :

Starting dhclient.
ums0 on uhub2
...
DHCPOFFER from 192.168.1.1
unknown dhcp option value 0x7d
DHCPOFFER from 192.168.1.1
DHCPOFFER already seen.
DHCPREQUEST on re0 to 255.255.255.255 port xx
DHCPACK from 192.168.1.1
unknown dhcp option value 0x7d
bound to 192.168.1.x -- renewal in 43200 seconds.
Autoloading module: uhid.ko
Autoloading module: ums.ko
Autoloading module: usbhid.ko
Starting ums0 moused.
Starting pflog.
pflog0: promiscuous mode enabled
2022-05-14T19:15:36.608166+05:30 BSD pflogd 3777 - - [priv]: msg PRIV_OPEN_LOG received
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Enabling pf.
Updating motd:.
Creating and/or trimming log files.
Clearing /tmp.
Updating /var/run/os-release done.
Starting syslogd.
May 14 19:15:36 BSD kernel: Successfully added WC MTRR for [0xe0000000-0xefffffff]: 0;
No core dumps found.
Mounting late filesystems:.
Starting dbus.
Starting default mousedmtime.
Starting cron.
Raising kernel security level:
kern.securelevel: -1 -> 3
Starting sddm.
Starting background file system checks in 60 seconds.

Sat May 14 19:15:36 IST 2022
May 14 19:18:38 BSD dbus-daemon[45443]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.13" (uid=1001 pid=71399 comm="") interface="org.freedesktop.ConsoleKit.Manager" member="CanSuspendThenHibernate" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=59782 comm="")
May 14 19:19:21 BSD login[59364]: in prompt_tty(): caught signal 3
May 14 19:19:21 BSD login[59364]: pam_authenticate(): Conversation failure
May 14 19:24:18 BSD login[59364]: 1 LOGIN FAILURE ON ttyv8
May 14 19:26:00 BSD login[15030]: in prompt_tty(): caught oused: unable to open /dev/psm0: No such file or directory
.
Security policy loaded: MAC/ntpd (mac_ntpd)
Starting ntpd.
Configuring vt: keymap blanksignal 3
May 14 19:26:00 BSD login[15030]: pam_authenticate(): Conversation failure

 

[Alain De Vos]

ntpd might have a problem with aslr/pie/stack_gap.
To be certain something like:

kern.elf64.aslr.stack_gap=0    # ntp,firefox
kern.elf64.aslr.pie_enable=0
kern.elf64.aslr.enable=0

 

[Sivan!]

ntpd might have a problem with aslr/pie/stack_gap.
To be certain something like:

kern.elf64.aslr.stack_gap=0    # ntp,firefox
kern.elf64.aslr.pie_enable=0
kern.elf64.aslr.enable=0

Thank you. What is the file that I have to edit ?

 

[Alain De Vos]

/etc/sysctl.conf

 

[Sivan!]

/etc/sysctl.conf

Thank you. Added the kern elf64 code.

 

[getopt]

ntpd might have a problem with aslr/pie/stack_gap.

This means you may not be affected. Before disabling security features (ASLR) make sure there is a good and confirmed reason for doing so.

Look in your logfiles for ntpd related lines like

Cannot set RLIMIT_MEMLOCK: Operation not permitted

These were found on 32-bit archs.

 

[Sivan!]

This means you may not be affected. Before disabling security features (ASLR) make sure there is a good and confirmed reason for doing so.

Look in your logfiles for ntpd related lines like

Cannot set RLIMIT_MEMLOCK: Operation not permitted

These were found on 32-bit archs.

I didn't know that the kern.elf setting disabled security features. In the message above I was reporting an network restart issue, which was resolved after a reboot. This is what dmesg -a shows that is related to ntpd

Security policy loaded: MAC/ntpd (mac_ntpd)
Starting ntpd.
Configuring vt: keymap blanktime.
Starting cron.
Raising kernel security level:
kern.securelevel: -1 -> 3
Starting sddm.

After that there were some errors related to dbus and tty and there was a pam authenticate conversion failure, a log in failure on tty8 but none appears related to (whatever is) ntpd. The computer restarted with network without any problem.

I also checked with and without the kern.elf 0 lines, I could stop and restart netif without issues, so there was no difference between having and not having those lines in sysctl.

 

[Alain De Vos]

There was a bug, but it might be partially/fully fixed,

253208 – ntpd: fails to start with PIE

bugs.freebsd.org

 

[Sivan!]

There was a bug, but it might be partially/fully fixed,

253208 – ntpd: fails to start with PIE

bugs.freebsd.org

Thank you. The bug fix says:

If one builds FreeBSD with:
WITH_BIND_NOW=yes
WITH_PIE=yes

# I didn't build FreeBSD with BIND.

pkg info -x bind

pkg: No package(s) matching bind

$ pgrep -lf named

# returned a blank line

[ The bug fix page also says: ... and if one ]
and sets sysctls:
kern.elf64.aslr.enable=1
kern.elf64.aslr.honor_sbrk=0
kern.elf64.aslr.pie_enable=1
kern.elf64.allow_wx=0
security.bsd.stack_guard_page=1

I didn't have these settings related to kern.

The problem might have been due to some other strange issue, in any case it is resolved. (However, in the konsole as I was trying to type the above commands, the keyboard did not send "e" and "b" I had to type it somewhere else, copy and paste the character. This happened just now). Keyboard works fine elsewhere, but the last time in konsole it accepted

a cd fg ijklmnopqrstuvwxyz1234567890

 

[SWIFTYLIFT]

Have I missed the posts in this thread debating Mandatory Access Controls (MAC)? Surely there’s few things that are a matter of preference to share.?

It’s a hardening thread after all.

Chapter 18. Mandatory Access Control

This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms

docs.freebsd.org

 

[SWIFTYLIFT]

I ran bsdconfig now. There is a security setting option which allows the root to choose three different levels of security. Also there is a Startup menu, which allows you to view the hardening options set, and modify it. Worked well.

Someone correct me if I’m wrong but is this giving kern secure level options? If so be aware at level 3 log rotation is a factor and need to keep an eye on.

 

[SWIFTYLIFT]

Have I missed the posts in this thread debating Mandatory Access Controls (MAC)? Surely there’s few things that are a matter of preference to share.?

It’s a hardening thread after all.

Chapter 18. Mandatory Access Control

This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms

docs.freebsd.org

Didn’t see markj (but think he intentionally snuck it by us

 

[smithi]

Sivan, after saying:

> No, my system is not a server, it is a personal computer at the moment.

you then posted a dmesg segment showing raising securelevel(7) to 3.

Assuming you would not have taken such a drastic step without being fully aware of its consequences, could you please explain your rationale for doing this?

 

[Sivan!]

Sivan, after saying:

> No, my system is not a server, it is a personal computer at the moment.

you then posted a dmesg segment showing raising securelevel(7) to 3.

Assuming you would not have taken such a drastic step without being fully aware of its consequences, could you please explain your rationale for doing this?

I didn't go by securelevel(7) but I ran bsdconfig hardening , the console interface that popped up showed secure level3 as maximum, which included network security. This corresponds to:

Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

Rationale for Level3: This high level of security does not seem to affect the functionality of my computer, network works fine, I can send and receive gmail, watch a youtube video or connect to zoom, which is just about all that I do in my computer.

However, there are some strange issues, such as some of the keys not working in plasma console; A moment ago I tried the bsdconfig hardening as root again, it didn't work the same way it worked two days ago.

bsdconfig hardening

awk: can't open file /usr/libexec/bsdconfig/*/INDEX.C.UTF-8
source line number 4
awk: can't open file /usr/local/libexec/bsdconfig/*/INDEX.C.UTF-8
source line number 4
awk: can't open file /usr/local/libexec/bsdconfig/*/INDEX
source line number 4
bsdconfig: hardening: not found

# found it at /usr/libexec/bsdinstall/hardening

Update: Of the strange problems that I am experiencing, one is the problem of some keys not working in konsole. I restarted the computer, launched the konsole which opened with the errors:

bash: /usr/local/share/bash-completion/bash_completion.sh: No such file or directory
readline: ~/.inputrc: line 1: HISTSIZE=1000: no key sequence terminator
readline: ~/.inputrc: line 8: HISTSIZE=10000: no key sequence terminator

It is possible that the keyboard error relates to wrong settings in the wrong files about the bash history length.

Another update: I looked at ~/.inputrc the file was corrupt. I cleaned it up, rebooted the computer and konsole works fine:

abcdefghijklmnopqrstuvwxyz01234567890

P.S. I missed the posts by SWIFTYLIFT above, will read the links and respond.

 

[Sivan!]

Someone correct me if I’m wrong but is this giving kern secure level options? If so be aware at level 3 log rotation is a factor and need to keep an eye on.

I didn't go by securelevel(7) but I ran bsdconfig hardening , the console interface that popped up showed secure level3 as maximum, which included network security. This corresponds to:

Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

This high level of security does not seem to affect the functionality of my computer, network works fine, I can send and receive gmail, watch a youtube video or connect to zoom, which is just about all that I do in my computer.

Mandatory Access Control settings instructions that you have shared above are too complicated for me to experiment.

Thank you.

 

[Sivan!]

Someone correct me if I’m wrong but is this giving kern secure level options? If so be aware at level 3 log rotation is a factor and need to keep an eye on.

The command was not bsdconfig as I mistyped in a previous post, but bsdconfig hardening which presented security level options.

 

[SWIFTYLIFT]

Not sure if the scripts you’re using do this but:

Make use of some sshd_config options that aren’t in the example config file,

I’ve found creating a group and including users you want to allow: (I think it’s AllowGroups )

the two sshd binary replacements I’ve found floating around each (like any root kit) have some mechanism to circumvent the not permitting root - I’m not saying this would always hold true but it’s a simple entry to restrict ssh to a group and these are examples of it being a good practice.

There are a couple more little tweaks but need to look at these scripts and see what’s being done (feel pretty sure they don’t create a group populate it and modify the config).

About to dig into the issues you just posted -

Regarding the too complicated: that’s why a community like this exists - pretty sure there’s not much that couldn’t be figured out - an awful lot of expertise who are happy to help (subtle tnx to SirDice and sidetone )

 

[Sivan!]

I don't know exactly what commands one would run, but my method would be editor with the files side by side and hand merge the diffs. Basically:

emacs /ttys.hardening /etc/ttys
emacs /sysctl.conf.hardening /etc/sysctl.conf
emacs /rc.conf.hardening /etc/rc.conf

I still see several lines of mismatch when I run
diff /ttys.hardening /etc/ttys
diff /sysctl.conf.hardening /etc/sysctl.conf
diff /rc.conf.hardening /etc/rc.conf

Do I have to manually copy the contents from one file to another to make one file match its corresponding file?

Thank you.