Australia's Leading Computer Emergency Response Team

UNIX and Linux Security Checklist v3.0 Notes - FreeBSD
Date: 13 February 2007
Original URL: http://www.auscert.org.au/render.html?cid=1937&it=5820

OS Specific footnotes - FreeBSD
General

An important resource is the Security chapter of the FreeBSD Handbook http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html and the manual page for security(7).

D.1.1 Locate services and remove or disable

On FreeBSD systems, instead of using netstat to identify network services, the best command to use is sockstat -l -46 (lower-case L, for listening sockets).
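The listing that sockstat -l -46 produces is easy to read by eye on a small host, but on a server with many daemons it helps to reduce it to "which program owns which externally reachable port". The following is an added example, not code from the checklist or from FreeBSD: it parses a constructed sample of sockstat -l -46 output (the column layout is the real one, the hosts and PIDs are made up) and separates sockets bound to loopback from those reachable over the network.

```python
"""Parse `sockstat -l -46` output and list the externally reachable services.

Added example: SAMPLE_SOCKSTAT is constructed to look like a typical FreeBSD
`sockstat -l -46` listing; it is not taken from the original page.
"""

# Constructed sample output: header line plus five listening sockets.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp6   *:22                  *:*
root     sshd       612   4  tcp4   *:22                  *:*
root     sendmail   640   3  tcp4   127.0.0.1:25          *:*
bind     named      580   20 udp4   192.0.2.10:53         *:*
root     syslogd    520   6  udp6   *:514                 *:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_sockstat(text):
    """Return one dict per listening socket in a `sockstat -l` listing.

    Columns are whitespace separated. LOCAL ADDRESS is the sixth field and has
    the form host:port, where host may be '*' (any address) or an IPv6 address
    that itself contains colons, so the port is split off from the right.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # skip the header and blank lines
        user, command, pid, fd, proto, local = fields[:6]
        host, port = local.rsplit(":", 1)
        entries.append({
            "user": user, "command": command, "pid": int(pid),
            "proto": proto, "host": host, "port": int(port),
        })
    return entries


def exposed_services(entries):
    """Sockets reachable from other hosts: bound to '*' or a non-loopback address.

    De-duplicated on (command, proto, port) so a daemon with several file
    descriptors on the same port is reported once per protocol family.
    """
    seen = set()
    exposed = []
    for entry in entries:
        if entry["host"] in LOOPBACK:
            continue
        key = (entry["command"], entry["proto"], entry["port"])
        if key not in seen:
            seen.add(key)
            exposed.append(entry)
    return exposed


def summarize(text):
    """Map 'proto/port' to the owning command for every exposed socket."""
    return {f"{e['proto']}/{e['port']}": e["command"]
            for e in exposed_services(parse_sockstat(text))}


if __name__ == "__main__":
    # On a real host: summarize(subprocess.check_output(["sockstat", "-l", "-46"], text=True))
    for key, command in sorted(summarize(SAMPLE_SOCKSTAT).items()):
        print(f"{key:12} {command}")
```

Anything the summary lists that is not a service the host is meant to offer is a candidate for removal or for binding to loopback only; the sendmail socket on 127.0.0.1:25 in the sample is deliberately left out of the report because it is not reachable from the network.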

E. Secure Base OS

The Titan hardening scripts also support FreeBSD. These are available at http://www.trouble.org/titan/

securelevels:
On FreeBSD the "securelevel" sysctl setting (configured with the kern_securelevel_enable and kern_securelevel parameters in /etc/rc.conf) can be given four distinct values to enforce kernel security restrictions. Once the system has booted, the securelevel cannot be lowered.

If the securelevel is raised, direct access to memory, kernel modules and raw storage devices can be denied, and other security relevant settings can be frozen to prevent changes by all users including root. See the manual page for init(8) for a full description. Note that a local X server will not work under a raised securelevel unless it has already been started at boot time before the level was raised.

E.1 Physical, console and boot security

Edit the file /etc/ttys and mark the console as "insecure". This configures the boot loader to ask for a password when booting into single-user mode.

E.2.5 User session controls

/etc/login.conf
This file allows the system administrator to configure various session controls flexibly for different classes of user. These include resource limits on CPU, memory, file use and network connections; login policy such as restricting logins to certain times of the day or to particular source IP addresses/terminals; and per-user accounting of time spent logged on.

In the login.conf file, a name followed by an "@" symbol means to set that boolean to false.

Where appropriate, new user classes can be created to enable finer control. After a class of users is defined in login.conf, users can be put into the class using the command pw usermod <user> -L <class>. Users that are not given a specific class are in the 'default' class.

/etc/login.access
On FreeBSD this file can be used to control which specific terminals or IP addresses users can log in from. Consider using this file to globally disallow direct remote login to privileged accounts. For example:
-:wheel:ALL EXCEPT LOCAL

The settings in this file will also be checked by FreeBSD's pam_login_access.so module.
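The rule -:wheel:ALL EXCEPT LOCAL reads naturally, but the exact semantics (first matching rule wins, LOCAL means any origin without a dot, no match means permit) are worth checking before relying on the file. The following is an added example, not FreeBSD's own code: an independent re-implementation of the documented login.access matching rules, run against a constructed rule file (the page's rule plus one more) and constructed group memberships, so the effect of a policy can be tested before it is installed.

```python
"""Evaluate /etc/login.access rules as login(1) and pam_login_access(8) apply them.

Added example: an independent re-implementation of the documented matching
rules, not FreeBSD's code. The rule file and group data are constructed.
"""
import re

# Constructed login.access: the checklist's rule plus a second rule so the
# first-match behaviour and domain-suffix matching are both visible.
SAMPLE_LOGIN_ACCESS = """\
# Deny members of wheel unless they come from a local terminal.
-:wheel:ALL EXCEPT LOCAL
# Refuse the shared 'guest' login from anywhere in example.net.
-:guest:.example.net
"""

# Constructed group membership, standing in for what getgrnam(3) would report.
GROUPS = {"alice": {"wheel", "staff"}, "bob": {"users"}, "guest": {"users"}}


def parse_login_access(text):
    """Return (permission, users, origins) triples, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # blank, comment or malformed line
        rules.append(tuple(p.strip() for p in parts))
    return rules


def _match_list(field, matcher):
    """Apply a users or origins list, honouring the 'ALL EXCEPT' form."""
    tokens = [t for t in re.split(r"[,\s]+", field) if t]
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    return (any(matcher(t) for t in included)
            and not any(matcher(t) for t in excluded))


def _user_matches(token, user, groups):
    """A token names ALL, a login name, or a group the user belongs to."""
    return token == "ALL" or token == user or token in groups


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":          # any origin without a '.', e.g. a tty name
        return "." not in origin
    if token.startswith("."):     # domain suffix such as .example.net
        return origin.endswith(token)
    if token.endswith("."):       # network prefix such as 192.0.2.
        return origin.startswith(token)
    return origin == token        # exact host name, address or tty


def login_permitted(rules, user, groups, origin):
    """The first rule whose users and origins both match decides; no match permits."""
    for permission, users, origins in rules:
        if (_match_list(users, lambda t: _user_matches(t, user, groups))
                and _match_list(origins, lambda t: _origin_matches(t, origin))):
            return permission == "+"
    return True


def check(user, origin, text=SAMPLE_LOGIN_ACCESS):
    """Convenience wrapper over the constructed rule file and group table."""
    return login_permitted(parse_login_access(text), user,
                           GROUPS.get(user, set()), origin)


if __name__ == "__main__":
    for user, origin in [("alice", "ttyv0"), ("alice", "203.0.113.5"),
                         ("bob", "203.0.113.5"), ("guest", "host.example.net")]:
        verdict = "permit" if check(user, origin) else "deny"
        print(f"{user:6} from {origin:17} -> {verdict}")
```

Because an unmatched login is permitted, a deny-only file like the sample above restricts exactly the cases it names and nothing else; a site that wants a default-deny policy adds a final -:ALL:ALL after the permit rules it needs.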

E.4.2 Filesystem attributes

On FreeBSD the chflags(1) command is used to set attributes including immutable, append-only and undeletable.

When using flags such as system immutable (schg), consider also running at a securelevel greater than 0 so that the flag cannot simply be turned off without a reboot (see E. above). This control needs to be weighed against the inconvenience when reconfiguring the system.

F.1.3 Other confinement mechanisms

FreeBSD has the jail(8) feature, which provides a more complete and configurable isolation mechanism than chroot.

  • Consider using separate FreeBSD jails to protect different server processes from one another.
  • When using jails, it is best to set the system security level to 1 or 2 (see "securelevel" in E. above).
  • Use different root passwords for the jail and the main system.

H.1.1 Identify host firewall software

FreeBSD comes as standard with three alternative host firewall systems: ipfw, pf and ipf.

  • ipfw is the native firewall system on FreeBSD.
  • pf is the flexible host firewall system ported from OpenBSD.
  • ipf (IP Filter) is also available, and supports many UNIX variants, allowing common rulesets to be used on different systems.

By default, none of these are enabled. For further detail on configuring them see Chapter 26 of the FreeBSD Handbook, at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html.

H.1.3 Weak end system

On FreeBSD systems with more than one network interface, the weak end system issue is addressed by setting the sysctl net.inet.ip.check_interface=1.

H.3 Network stack hardening/sysctls

  • FreeBSD has SYN cookies turned on by default (sysctl net.inet.tcp.syncookies=1).
  • To help mitigate denial of service, set kern.ipc.somaxconn=1024 to increase the listen queue size from the default of 128.
  • If ipfw is in use, also set the following to increase the size of its dynamic rule state table:
    net.inet.ip.fw.dyn_syn_lifetime=5 (default 20)
    net.inet.ip.fw.dyn_max=16384 (default 4096)
    net.inet.ip.fw.dyn_buckets=2048 (default 256)
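The securelevel setting in E., the check_interface sysctl in H.1.3 and the values listed in H.3 are all boot-time configuration, so a build or audit step can verify them from /etc/rc.conf and /etc/sysctl.conf before a host goes into service. The following is an added example, not part of the checklist or of FreeBSD: it reads constructed copies of the two files, compares each sysctl against the recommendation above (using the default quoted in the text when a value is not set; the check_interface default of 0 is FreeBSD's default, not from the page) and reports what is still weak. The dyn_* values are ipfw sysctls and only matter on hosts that use ipfw.

```python
"""Audit /etc/sysctl.conf and /etc/rc.conf against the hardening values above.

Added example: the check table, helper names and sample files are constructed;
they are not from the checklist or from FreeBSD. Recommended values and the
quoted defaults come from sections E, H.1.3 and H.3; the check_interface
default of 0 is FreeBSD's own default.
"""

# Constructed /etc/sysctl.conf: some settings applied, one weaker than
# recommended (somaxconn), two left at their defaults.
SAMPLE_SYSCTL_CONF = """\
# Network stack hardening
net.inet.tcp.syncookies=1
kern.ipc.somaxconn=512
net.inet.ip.fw.dyn_syn_lifetime=5   # shorter lifetime for half-open SYN state
net.inet.ip.fw.dyn_max=16384
"""

# Constructed /etc/rc.conf raising the securelevel at boot (see E. above).
SAMPLE_RC_CONF = """\
hostname="bsdhost.example.org"
firewall_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
"""

# (sysctl name, comparison, recommended value, default when the file is silent)
SYSCTL_CHECKS = [
    ("net.inet.tcp.syncookies", "==", 1, 1),
    ("net.inet.ip.check_interface", "==", 1, 0),
    ("kern.ipc.somaxconn", ">=", 1024, 128),
    ("net.inet.ip.fw.dyn_syn_lifetime", "<=", 5, 20),
    ("net.inet.ip.fw.dyn_max", ">=", 16384, 4096),
    ("net.inet.ip.fw.dyn_buckets", ">=", 2048, 256),
]

_COMPARE = {"==": lambda a, b: a == b,
            ">=": lambda a, b: a >= b,
            "<=": lambda a, b: a <= b}


def parse_kv(text):
    """Parse name=value lines (sysctl.conf or rc.conf), dropping comments and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        settings[name] = value.strip('"')
    return settings


def audit_sysctl(text):
    """Return {name: (status, effective_value)} with status 'ok', 'weak' or 'default'.

    'weak' means the file sets a value that fails the comparison; 'default'
    means the file is silent and the stock default fails it.
    """
    configured = parse_kv(text)
    report = {}
    for name, op, wanted, default in SYSCTL_CHECKS:
        if name in configured:
            value = int(configured[name])
            status = "ok" if _COMPARE[op](value, wanted) else "weak"
        else:
            value = default
            status = "ok" if _COMPARE[op](value, wanted) else "default"
        report[name] = (status, value)
    return report


def audit_securelevel(text):
    """True when rc.conf enables the securelevel and sets it to 1 or higher."""
    rc = parse_kv(text)
    enabled = rc.get("kern_securelevel_enable", "NO").upper() == "YES"
    return enabled and int(rc.get("kern_securelevel", "-1")) >= 1


def findings(sysctl_text, rc_text):
    """Everything that is not at the recommended setting, as printable lines."""
    out = [f"{name}: {status} (effective {value})"
           for name, (status, value) in audit_sysctl(sysctl_text).items()
           if status != "ok"]
    if not audit_securelevel(rc_text):
        out.append("kern_securelevel: not raised at boot")
    return out


if __name__ == "__main__":
    # On a real host read the two files; the running values are `sysctl -n <name>`.
    for line in findings(SAMPLE_SYSCTL_CONF, SAMPLE_RC_CONF):
        print(line)
```

The audit only describes what the files will apply at the next boot; the running kernel is checked with sysctl -n for each name, and the two should agree once the host has been rebooted after the change.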