# Security Hardening Options



## Phishfry (Aug 14, 2016)

I like the look of the new security features of the `bsdinstaller` on FreeBSD 11-RC1.
I am using clear tmp at startup.

Looking good. Keep up the great work.


----------



## Phishfry (Aug 15, 2016)

The new FreeBSD 11 `bsdinstaller` clock and calendar features are nice too.
Especially useful on platforms without an RTC.


----------



## shepherdAZ (Aug 15, 2016)

It's great to see hardening options appear in the installer, but it is a shame that they are all off by default. I have been creating some post-install scripts based on this work.


----------



## shepherdAZ (Aug 15, 2016)

gpatrick said:


> I would say following STIGs from the Defense Information Systems Agency is probably the best advice to use for securing a computer.



It is a shame that DISA do not provide a STIG for FreeBSD, as their docs for other OSes are quite good. The Center for Internet Security FreeBSD Benchmark is dated 2005 and relates to FreeBSD 4.10; some of it is still useful. The last decent books (here and here) on the topic were also 2005/7.

Apart from some misc hardening scripts on various websites, there isn't much recent guidance for FreeBSD. The Design and Implementation of the FreeBSD Operating System talks about things like Capsicum/MAC, but doesn't go into day-to-day security topics. Colin Percival (ex-FreeBSD Security Officer) mentioned on Twitter earlier this year that he might be writing a new article on FreeBSD security, but I haven't seen anything yet.


----------

