FreeBSD Post-Install Hardening
Latest revision as of 19:42, 6 February 2012
UNDER CONSTRUCTION: The document is currently being modified!
Now that you have a solid baseline FreeBSD installation, let's move on to configuring and hardening your system. In this article I will cover setting up ports, installing some base software, setting up a user environment, and fixing some basic security concerns. The test system I will use for this and all following articles is the one from the FreeBSD Installation article. I will not be using a ZFS-based test system, merely because using ZFS inside of VirtualBox is a bit redundant.
Again, for this and all my other articles I assume you have a basic understanding of the shell and of the computer in general (see also: Category:FreeBSD). Assuming you have the FreeBSD machine installed, booted up and logged in as root, let us begin.
Compiler Settings
Both files live in /etc/. The primary purpose of make.conf is to control the compilation of the FreeBSD sources, documentation, and ported applications, whereas the only purpose of src.conf is to control the compilation of the FreeBSD source code (see the FreeBSD Forums thread "Anyone use /etc/make.conf ?", http://forums.freebsd.org/showthread.php?t=3416#4). Note that changing these files is completely optional. However, after years of using FreeBSD myself I have found that these few settings simplify and speed up a lot of things on the system, mainly if you are someone who compiles everything from source. If you are not this type of person you can skip this section, though I would still recommend looking it over at the very least. Some things will still be applicable; jails, for example, need special attention in src.conf.
make.conf
I will go through this file piece by piece, as it is a fairly large file and pasting it all at once would be a bit daunting. I will explain each section in sufficient detail as I go along. Please note that I am assuming you have at least a basic knowledge of editing files in vi(1), as this is the default editor on FreeBSD. If you do not feel comfortable using vi(1), you can always use the cat(1) method of creating files that was used in the installation articles (example shown below).
cat >> /etc/make.conf << _EOF_
<file contents>
_EOF_
Let's begin with the CVSup and SVN configuration.
PORTSSUPFILE= /root/ports-supfile
SUP= /usr/bin/csup
SUP_UPDATE= YES
SUPFLAGS= -L 2
SVN_UPDATE= YES
These options enable make update inside /usr/ports/ to update the ports tree. SUP_UPDATE turns the option on, while SUP and SUPFLAGS control which CVSup program to use and what arguments to pass to it. PORTSSUPFILE needs to be set to the location of the ports supfile you copied earlier from the installed examples. Finally, SVN_UPDATE enables make update inside /usr/src/ for updating your source tree.
## KERNEL/WORLD
CPUTYPE?= native
CFLAGS= -O3 -pipe -funroll-loops -fno-strict-aliasing
COPTFLAGS= -O2 -pipe -funroll-loops -fno-strict-aliasing
INSTALL_NODEBUG= YES
KERNCONF= GENERIC
.if ${.CURDIR:M*/usr/src/*} || ${.CURDIR:M*/usr/obj/*}
MAKEOPTS+= -j8
.endif
For ports and buildworld alike, CFLAGS passes settings to the compiler when compiling C code. -O3 uses the largest number of practical optimizations (level 3), but in doing so it sacrifices binary size for speed. -pipe causes code to be piped between processes during compilation rather than written to temporary files, which has obvious I/O advantages. -funroll-loops causes loops with a known number of iterations to be unrolled into faster straight-line code. The COPTFLAGS option passes settings when compiling the kernel specifically; it drops down to optimization level 2 because level 3 is known to break kernels (note: -O is the only level that is officially supported). All the other settings passed are the same as those used with CFLAGS.
## DOCUMENTATION
DOC_LANG= en_US.ISO8859-1
This is used to make sure all of the documentation that is compiled on the system is in the correct language/encoding.
## PERFORMANCE
BUILD_OPTIMIZED= YES
BUILD_STATIC= YES
NO_PROFILE= YES
OPTIMIZED_CFLAGS= YES
WITH_CPUFLAGS= YES
WITH_MMX= YES
WITH_OPTIMIZED_CFLAGS= YES
WITH_SSE= YES
WITH_THREADS= YES
WITHOUT_DEBUG= YES
This is a set of default ports knobs that will decrease compilation time, yet have no effect on how ports operate and function. Most of these have to do with enabling CPU-related settings.
WITHOUT_X11= YES
This setting can optionally be added to the list above if you are building a server that will not be running Xorg.
## PORTS
.if !empty(.CURDIR:M*/usr/ports/*)
WRKDIRPREFIX= ${PORTSDIR}/obj
NOPORTDATA= YES
NOPORTDOCS= YES
#NOPORTEXAMPLES= YES
FORCE_MAKE_JOBS= YES
MAKE_JOBS_NUMBER= 8
#UNSAFE_PORTS= this/port
#UNSAFE_PORTS+= that/port
# Only the port whose directory matches an UNSAFE_PORTS entry gets
# DISABLE_MAKE_JOBS; without the inner .if the loop would set it for every port.
.for port in ${UNSAFE_PORTS}
.if ${.CURDIR:M*/${port}}
DISABLE_MAKE_JOBS= YES
.endif
.endfor

WITH_ACPI= YES
WITH_LINUX= YES
WITHOUT_GSSAPI= YES
WITHOUT_IPV6= YES
WITHOUT_JAVA= YES
WITHOUT_KERBEROS= YES
WITHOUT_NAS= YES
WITHOUT_NLS= YES
# Xorg
WITH_ASPELL= YES
WITH_GTK2= YES
WITH_IMLIB2= YES
WITH_MPLAYER= YES
WITH_NVIDIA_GL= YES
WITH_UTF8= YES
WITH_XFT= YES
WITHOUT_ARTS= YES
WITHOUT_ESOUND= YES
WITHOUT_GCONF= YES
WITHOUT_GNOME= YES
WITHOUT_GNOMEVFS= YES
WITHOUT_GNOMEVFS2= YES
WITHOUT_GSTREAMER= YES
WITHOUT_GTK1= YES
WITHOUT_GTKSPELL= YES
WITHOUT_HAL= YES
WITHOUT_ISPELL= YES
WITHOUT_KDE= YES
WITHOUT_NAUTILUS= YES
WITHOUT_QT= YES
WITHOUT_XINE= YES
WITHOUT_XMMS= YES
.endif
These are all wrapped in an if statement so that they apply only to ports. To start, setting WRKDIRPREFIX changes the working directory ports are extracted and compiled in. NOPORTDATA, NOPORTDOCS, and NOPORTEXAMPLES are the three settings that turn off the installation of additional data and examples in /usr/local/share and of documentation in /usr/local/doc. FORCE_MAKE_JOBS turns on multi-job (parallel) compiling of ports, while MAKE_JOBS_NUMBER controls how many jobs run in parallel; typically you will want to set this to double the number of CPU cores you have. Directly below that, commented out, is the example of how to add ports that do not build with parallel jobs to the UNSAFE_PORTS list; the for statement then sets DISABLE_MAKE_JOBS for exactly those ports, so parallel building stays on for everything else. Finally I have a list of typical ports knobs I use on all of my systems (these are completely optional, and the Xorg ones can easily be left out on servers).
## USER
.if !empty(.CURDIR:M*/usr/ports/*)
WITH_OPENSSH_CHROOT= YES
WITHOUT_HUGE_STACK_SIZE= YES
WITHOUT_PERL_64BITINT= YES
PERL_MALLOC= YES
.endif

BROWSER= firefox
WITH_BROWSER= firefox
OVERRIDE_LINUX_BASE_PORT= f10
OVERRIDE_LINUX_NONBASE_PORTS= f10
PYTHON_VERSION= 2.7
PYTHON_DEFAULT_VERSION= python2.7
Lastly we have the user ports knobs; this is where you should add your own custom ports knobs (either per port or for the whole ports tree). Next I have set my default web browser to firefox, the Linux emulator port default to f10, and Python to version 2.7.
src.conf
/etc/src.conf contains settings that apply when building the FreeBSD source tree; similar to ports knobs, these settings affect what does or does not get built from the source tree. It is a good idea to read the src.conf(5) manual page, as configuring this file is very system specific. The options below are fairly generic, but you should review each and every one to make sure your system is not different in some way that makes you need a given option.
WITH_BIND_LIBS= YES
WITH_EXAMPLES= YES
WITHOUT_ATM= YES
WITHOUT_CALENDAR= YES
#WITHOUT_CLANG= YES
WITHOUT_GCOV= YES
#WITHOUT_GDB= YES
WITHOUT_HTML= YES
WITHOUT_I4B= YES
WITHOUT_IPFILTER= YES
WITHOUT_IPX= YES
WITHOUT_IPX_SUPPORT= YES
WITHOUT_NCP= YES
WITHOUT_NLS= YES
WITHOUT_NLS_CATALOGS= YES
WITHOUT_PROFILE= YES
WITHOUT_RCMDS= YES
WITHOUT_SHAREDOCS= YES

## SERVICES
WITHOUT_BIND_DNSSEC= YES
WITHOUT_BIND_ETC= YES
WITHOUT_BIND_MTREE= YES
WITHOUT_BIND_NAMED= YES
WITHOUT_GSSAPI= YES
WITHOUT_KERBEROS= YES
WITHOUT_OPENSSH= YES
WITHOUT_SENDMAIL= YES

## HARDWARE
WITHOUT_BLUETOOTH= YES
WITHOUT_LPR= YES
WITHOUT_WIRELESS= YES

## ZFS
#LOADER_ZFS_SUPPORT= YES
WITHOUT_CDDL= YES
A couple of things to keep in mind. If you are running ZFS you need to comment out WITHOUT_CDDL and uncomment LOADER_ZFS_SUPPORT. If you use a wireless network card instead of a wired one, and/or Bluetooth, comment out WITHOUT_WIRELESS and/or WITHOUT_BLUETOOTH. Otherwise review these and make sure they do not conflict with your system or with what you are trying to do with it.
Ports Tree
The FreeBSD Ports and Packages Collection (ports) offers a simple way for users and administrators to install applications. As there are a few basic system applications we will need to install, let's get ports up to date. To do so we will use csup(1) and an example supfile left from installation.
mkdir ~/csup/
cp /usr/share/examples/cvsup/ports-supfile ~/csup/
csup -L 2 -h cvsup10.us.freebsd.org ~/csup/ports-supfile
This will take a moment or two depending on the speed of your internet connection and the CVSup server you chose (the mirror list is in the Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS). Once the ports collection is installed, the next step is to set up some ports, kernel and world build options.
Essential Ports
Now it is time to build some ports to assist us in hardening our system. First, obviously, you should install your text editor of choice; personally I like GNU nano, but you can use whatever you like. Sudo (su "do") allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. Subversion (or svn) is a software versioning and revision control system distributed under the Apache license; it will be used to keep the source tree up to date.
cd /usr/ports/editors/nano ; make install clean
cd /usr/ports/security/sudo ; make install clean BATCH="YES"
cd /usr/ports/devel/subversion ; make install clean BATCH="YES"
You will notice while compiling the dependencies of devel/subversion that databases/sqlite3 does not build with FORCE_MAKE_JOBS set in your /etc/make.conf. Go back and add this port to the UNSAFE_PORTS list so that it is not built with parallel jobs.
vi /etc/make.conf
UNSAFE_PORTS= databases/sqlite3
After that, try to compile devel/subversion again; this time it will get past the errors about FORCE_MAKE_JOBS. Take note of this technique, as you will have to do this every time you run into a port with this issue. It is a small price to pay to compile the majority of your ports significantly faster.
cd /usr/ports/devel/subversion ; make clean install clean BATCH="YES"
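The UNSAFE_PORTS edit above is something you will repeat for every port that fails under FORCE_MAKE_JOBS, so here is an added shell helper (not from the original article) that records a port in a make.conf idempotently and can list or test what is already recorded. It assumes the make.conf uses the UNSAFE_PORTS= / UNSAFE_PORTS+= idiom shown in this article, takes the file path as a parameter so it can be tried on a copy, and rejects anything that is not a plain category/port path so that nothing unexpected ends up in a file that make(1) evaluates.

```shell
#!/bin/sh
# Added example, not from the original article: maintain the UNSAFE_PORTS
# list in a make.conf that uses the UNSAFE_PORTS= / UNSAFE_PORTS+= idiom.
# The file path is a parameter so the helper can be exercised on a copy.

# is_unsafe_port <make.conf> <category/port>
# True when an uncommented UNSAFE_PORTS line already names the port.
is_unsafe_port() {
    awk -v want="$2" '
        /^[ \t]*UNSAFE_PORTS[ \t]*[+]?=/ {
            sub(/#.*/, "")                                  # drop trailing comment
            sub(/^[ \t]*UNSAFE_PORTS[ \t]*[+]?=[ \t]*/, "") # keep only the value
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# list_unsafe_ports <make.conf>
# Prints every port currently listed, one per line, in file order.
list_unsafe_ports() {
    awk '
        /^[ \t]*UNSAFE_PORTS[ \t]*[+]?=/ {
            sub(/#.*/, "")
            sub(/^[ \t]*UNSAFE_PORTS[ \t]*[+]?=[ \t]*/, "")
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") print f[i]
        }
    ' "$1"
}

# mark_unsafe_port <make.conf> <category/port>
# Appends "UNSAFE_PORTS+= category/port" unless the port is already listed.
# Returns 0 when the file lists the port afterwards, 1 on bad input.
mark_unsafe_port() {
    conf=$1
    port=$2
    [ -n "$conf" ] && [ -n "$port" ] || return 1
    [ -f "$conf" ] || : > "$conf"
    # A port origin is always category/name; refuse anything else, and refuse
    # characters that could be misread by make(1) or smuggle in extra lines.
    case "$port" in
        */*) ;;
        *) return 1 ;;
    esac
    case "$port" in
        *[!A-Za-z0-9_./+-]*) return 1 ;;
    esac
    if is_unsafe_port "$conf" "$port"; then
        return 0            # already there: nothing to do, keep the file unchanged
    fi
    printf 'UNSAFE_PORTS+= %s\n' "$port" >> "$conf"
}

# Usage on a live system (as root): mark_unsafe_port /etc/make.conf databases/sqlite3
```

Because the helper uses UNSAFE_PORTS+=, it composes with an existing UNSAFE_PORTS= line such as the one added for databases/sqlite3 above, and running it twice for the same port leaves the file untouched.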
(Temp) Creation Notes
03. Install the default editor, sudo and subversion.
bsd# cd /usr/ports/editors/nano; make install clean;
bsd# cd /usr/ports/security/sudo; make install clean;
bsd# cd /usr/ports/devel/subversion; make install clean;
bsd# setenv EDITOR nano
04. Change the way passwords are stored to blowfish, fetch login.conf, run the database
rebuilder, then reset the root password.
bsd# cd /etc
bsd# fetch http://privatebox.org/bsd/etc/auth.conf
bsd# fetch http://privatebox.org/bsd/etc/login.conf
bsd# cap_mkdb /etc/login.conf
bsd# passwd
To double check that these changes work, open /etc/master.passwd and make sure the root password hash starts with "$2a".
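Step 04 asks you to eyeball /etc/master.passwd for a "$2a" root hash. The following shell function is an added example, not part of the original notes, that performs the same check for every account in a master.passwd-style file and reports any that still carry a non-Blowfish hash or have an empty password field. The sample file it writes is constructed; its hash strings are placeholders with the right prefix, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original article: audit a master.passwd-style
# file for accounts whose password field is not a Blowfish ($2a$) hash.
# Run as root against /etc/master.passwd after switching passwd_format to blf
# and resetting passwords; the sample below is constructed for a dry run.

# audit_passwd_hashes <master.passwd>
# Prints "login<TAB>reason" for each account needing attention:
#   empty    - password field is empty (no password at all)
#   not-blf  - hashed with something other than Blowfish
# Locked entries ("*", "*LOCKED*...", "!...") carry no hash and are skipped.
# Exit status is 1 when anything was reported, 0 when the file is clean.
audit_passwd_hashes() {
    awk -F: '
        /^[ \t]*#/ { next }                   # comment line
        NF < 2     { next }                   # blank or malformed line
        {
            login = $1; hash = $2
            if (hash == "") { print login "\tempty"; bad++; next }
            if (hash ~ /^[*]/ || hash ~ /^!/) next
            if (hash !~ /^[$]2a[$]/) { print login "\tnot-blf"; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_master_passwd <path>
# Writes a constructed sample (not a real password file). The hash strings
# are placeholders shaped like real ones: "$2a$" for Blowfish, "$1$" for MD5.
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
# constructed sample master.passwd
root:$2a$08$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
k:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER:1001:1001::0:0:Shell user:/home/k:/bin/tcsh
guest::1002:1002::0:0:No password set:/home/guest:/bin/sh
EOF
}

# Usage on a live system (as root): audit_passwd_hashes /etc/master.passwd
```

On the constructed sample the function flags k (still an MD5 "$1$" hash, so that user's password was not reset after the login.conf change) and guest (empty field), and ignores the starred system accounts.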
05. Clean out the default user files directory
bsd# cd /usr/share/skel/; rm dot.rhosts;
bsd# fetch http://privatebox.org/bsd/home/dot.cshrc
bsd# fetch http://privatebox.org/bsd/home/dot.login
bsd# fetch http://privatebox.org/bsd/home/dot.login_conf
bsd# fetch http://privatebox.org/bsd/home/dot.mail_aliases
bsd# fetch http://privatebox.org/bsd/home/dot.profile
bsd# cp dot.cshrc ~/.cshrc; cp dot.login ~/.login; cp dot.login_conf ~/.login_conf;
bsd# cp dot.mail_aliases ~/.mail_aliases; cp dot.profile ~/.profile;
bsd# cd; rm .k5login;
bsd# touch /etc/COPYRIGHT
bsd# chmod g+rwx /usr/src /usr/obj
06. Add a users group, then modify the default adduser settings, remove the toor user
account and add yourself a shell user that you will now always ssh from (instead of root).
bsd# pw groupadd users
bsd# adduser -C
Uid (Leave empty for default):
Login group []: users
Enter additional groups []:
Login class [default]: users
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/]:
Home directory permissions (Leave empty for default): 0700
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Lock out the account after creation? [no]:
Pass Type  : yes
Class      : users
Groups     : users
Home       : /home/
Home Mode  : 0700
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
Re-edit the default configuration? (yes/no): no
Goodbye!
bsd# pw userdel toor
bsd# adduser
Username   : k
Password   : *****
Full Name  : *****
Uid        : 420
Class      : root
Groups     : wheel
Home       : /home/k
Home Mode  : 0700
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (k) to the user database.
Add another user? (yes/no): no
Goodbye!
07. Update the doc and source tree from SVN, then copy over the kernel configuration
file and then check it into the RCS.
bsd# cd /usr/src/
bsd# svn checkout svn://svn.freebsd.org/base/stable/8 /usr/src
bsd# cd /usr/src/sys/i386/conf
(This would be /usr/src/sys/amd64/conf on an amd64 system)
bsd# fetch http://privatebox.org/bsd/home/HUB
bsd# ci -u HUB
08. Time to upgrade FreeBSD to its most current version, we will benchmark also.
bsd# cd /usr/src
bsd# buildworld
This step will take ~30m-1h.
bsd# buildkernel
bsd# sudo make installkernel
bsd# sudo reboot
This is the hope-and-pray-that-you-did-everything-right stage... When the box comes back up, log in via ssh and su to root. Then start the mergemaster preparation, then finally installworld, and run mergemaster again (rule of thumb for running mergemaster: if you RCS'd it, don't overwrite it). Then reboot the machine yet again.
bsd# cd /usr/src
bsd# mmp
bsd# sudo make installworld
bsd# mm
bsd# sudo reboot
09. Install openssh_portable to replace standard ssh, then replace the sshd_config file
and restart sshd
bsd# cd /usr/ports/security/openssh-portable; sudo make install clean;
bsd# cd /etc/ssh
bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_config
bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_banner
bsd# sudo /usr/local/etc/rc.d/openssh onestart
NOTE: At this point make sure you can log in over ssh; if you cannot, review the steps and retrace what you did.
10. SSH back into the box and su to root. Then, retrieve all new modified system
files into your /etc folder. Then check them all into the RCS.
bsd# cd /etc
bsd# fetch http://privatebox.org/bsd/etc/rc.conf
bsd# fetch http://privatebox.org/bsd/etc/crontab
bsd# fetch http://privatebox.org/bsd/etc/hosts
bsd# fetch http://privatebox.org/bsd/etc/hosts.allow
bsd# fetch http://privatebox.org/bsd/etc/newsyslog.conf
bsd# fetch http://privatebox.org/bsd/etc/periodic.conf
bsd# fetch http://privatebox.org/bsd/etc/sysctl.conf
bsd# fetch http://privatebox.org/bsd/etc/syslog.conf
11. Install portupgrade/portaudit and audit already installed ports.
bsd# cd /usr/ports/ports-mgmt/portaudit
bsd# sudo make install clean
bsd# cd ../portupgrade && sudo make install clean
bsd# cd ../pkg_cutleaves && sudo make install clean
bsd# sudo portaudit -Fda
12. Make /tmp the only temp.
bsd# mv /var/tmp/* /tmp; rm -rf /var/tmp; ln -s /tmp /var/tmp
(NOTE: If you receive the message "Operation not permitted" on any of the files when you try to move or remove them, you need to "chflags noschg <file/dir>" first.)
13. Restrict access to crontab to root and your shell user account only. Then
set proper permissions on the file. Then enable accounting.
bsd# echo 'root' > /var/cron/allow; echo 'k' >> /var/cron/allow;
bsd# chmod 0600 /var/cron/allow
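To confirm the allow-list from step 13 is actually in effect, here is an added shell check (not from the original notes) that verifies a cron allow file names exactly the expected accounts and is readable by root only (mode 0600). The file path and user names are parameters; for the setup in this article they would be /var/cron/allow with root and k.

```shell
#!/bin/sh
# Added example, not from the original article: verify a cron allow file.
# check_cron_allow <allow-file> <user>...
# Prints one line per problem found and returns 1 if there were any; returns 0
# when the file exists, is mode 0600, and lists exactly the given users.
check_cron_allow() {
    file=$1; shift
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file (cron falls back to its default policy without it)"
        return 1
    fi
    # Portable mode check: first 10 columns of ls -l, e.g. "-rw-------".
    # Column 11 (ACL "+" or similar markers) is deliberately not compared.
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "mode: $file is $mode, want -rw-------"; rc=1; }
    # Every name in the file must be one of the expected users ...
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        ok=0
        for want in "$@"; do
            [ "$name" = "$want" ] && ok=1
        done
        [ $ok -eq 1 ] || { echo "unexpected: $name"; rc=1; }
    done < "$file"
    # ... and every expected user must appear in the file (whole-line match).
    for want in "$@"; do
        grep -qx "$want" "$file" || { echo "absent: $want"; rc=1; }
    done
    return $rc
}

# Usage on a live system (as root): check_cron_allow /var/cron/allow root k
```

Any output at all means the allow-list drifted from what step 13 set up, which is worth folding into a periodic check alongside the permissions script from step 14.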
14. Run the secure_me.sh file to set proper permissions to all system files.
bsd# cd; mkdir scripts; cd scripts;
bsd# fetch http://privatebox.org/bsd/other/secure_me.sh; chmod +x secure_me.sh;
bsd# ./secure_me.sh