FreeBSD - Security Hardening Operating System

security-hardening Security Hardening Operating Systems

What is ACL? 

Access Control List (ACL) provides an additional, flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. 

An Access-Control List (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. 

e.g. If a file object has an ACL that contains, this would give Greg permission to read and write the file and Sarah to only read it.


Requirements 

FreeBSD Requirements

          • sudo: 1.8.31
          • gettext-runtime: 0.20.1
          • indexinfo: 0.3.1

Install Requirements 

Install FreeBSD requirements 

Security Harding Operating Systems

We will cover FreeBSD in this article which explains requirements, howto install and how to implement the changes for security hardening. 


Hiding Processes from Other Users & Groups 

 Add the following lines to your sysctl.conf file.

These lines will hide processes as other users and groups.

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0 

Basically what this does, it hides all processes that doesn't belong to the current logged in user.  When you attempt to show everyone's processes it will only show the current logged in user which is you.


Disabling Reading Kernel Buffers 

Add the lines to sysctl.conf 

security.bsd.unprivileged_read_msgbuf=0
 

When inserted in the sysctl.conf, the user can no longer see kernel buffer messages.  Please see example of the error message you'll receive when this option is disabled for users.

dmesg: sysctl kern.msgbuf: Operation not permitted

Disabling Process Debugging Facilities 

security.bsd.unprivileged_proc_debug=0 

 The above by disabling debugging disables the ability to see debug messages.

kernel.dmesg_restrict = 1 

 Prandomizing PID's of Newly Created Processes 

 Edit the /etc/sysctl.conf

 Adding below line to sysctl.conf

kern.randompid=1 

Setting the sysctl kern.randompid to 1 is no longer a no-op, but rather sets it to a random value between 100 and 1123 inclusive.  kern.randompid introduces some randomization in which PID is chosen for the next process, instead of just bumping by 1.


Hide Processes Running in Jails

Edit the sysctl.conf and add the following line below. 

security.bsd.see_jail_proc=0
 

 Hide running running processes match jails in FreeBSD.


Cleaning /tmp Filesystem on Startup 

 Output:

clear_tmp_enable: NO -> YES

Disable Opening Syslogd Network Socket 

Type the following command to disable syslogd network socket for remote logging.

syslogd_flags: -s -> -ss

Disabling Sendmail Services 

Disabling the Sendmail service.

sendmail_enable: NO -> NONE

Applying sysctl Settings 

Type below to apply our settings or reboot the machine.

 Showing Details of Changes in sysctl

Output: 

security.bsd.see_other_gids: 0

Show all default and modifications to sysctl by typing below.

 Sorry output is to large for the article.


Font size: +
Report Print

By accepting you will be accessing a service provided by a third-party external to https://www.klokur.com/