# System Hardening Options Post-Install?



## 1MachineElf (May 18, 2020)

The System Hardening Options presented at install time - if one wished to keep these disabled at install time and then selectively enable them after installing, what is the method for doing so?

I am doing a FreeBSD 12 install and was hoping to see instructions on how to do that in the 2.8.4. Enabling Hardening Security Options section of the handbook, but it's not described there.

Maybe the functions used by this portion of the installer would give a clue of how to perform these changes. Can someone please direct me to where in the FreeBSD 12 code base these can be found?


----------



## SirDice (May 18, 2020)

1MachineElf said:


> if one wished to keep these disabled at install time and then selectively enable them after installing, what is the method for doing so?


Edit /etc/sysctl.conf, that's where most (if not all) of them end up.


----------



## eldaemon (May 20, 2020)

I think this is most of them, if you select them all.


```
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
```

And then in rc.conf:


```
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
```
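The list above tells you what to write into /etc/sysctl.conf, but not whether the kernel is actually running with those values. The script below is an added example, not part of eldaemon's post and not part of bsdinstall: it takes the six settings in sysctl.conf form and compares each one against what sysctl(8) reports for the running kernel, printing a line per key and exiting with the number of mismatches. The variable `HARDENING_SYSCTLS` and the functions `get_sysctl` and `audit_sysctls` are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit the running kernel against the hardening sysctls.
# Run as:  sh audit-hardening.sh --check
# Exit status of audit_sysctls is the number of mismatching keys (0 = all match).

# The six values eldaemon listed, in the same key=value form as /etc/sysctl.conf.
HARDENING_SYSCTLS='
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
'

# Read one live value. Prints <unset> when the kernel has no such key
# (for example a key that only exists in a newer release).
get_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo '<unset>'
}

# audit_sysctls <key=value list>
# Skips blank and comment lines, compares every other line against the
# live value and returns the number of mismatches (at most 255).
audit_sysctls() {
    mismatches=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key=${line%%=*}
        want=${line#*=}
        have=$(get_sysctl "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK        %s=%s\n' "$key" "$have"
        else
            printf 'MISMATCH  %s: expected %s, kernel has %s\n' "$key" "$want" "$have"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$1
EOF
    return "$mismatches"
}

case "${1:-}" in
    --check) audit_sysctls "$HARDENING_SYSCTLS" ;;
esac
```

Run it right after editing /etc/sysctl.conf and again after `service sysctl restart` (or a reboot): the first run shows which lines have not been applied yet. The DTrace setting the installer writes to /boot/loader.conf is a boot-time tunable, so a mismatch there before the next reboot is expected rather than a sign that the file is wrong.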


----------



## Phishfry (May 20, 2020)

The actual script is here:
/usr/src/usr.sbin/bsdinstall/scripts/hardening


----------



## memreflect (May 20, 2020)

Or /usr/libexec/bsdinstall/hardening if you didn't install the source component.


----------



## tOsYZYny (Mar 26, 2022)

eldaemon said:


> syslogd_flags="-ss"


I also use -vv


```
syslogd_flags="-ss -vv"
```

My reasoning for that is that I want to see the logger facility and priority (-vv).  I suppose that really isn't needed once you have syslogd properly setup, but for debugging, it is helpful to know if messages are going to the right place.

I keep it after the fact because it is nice for tracking things down.

Additionally, I enable ASLR:

```
kern.elf64.aslr.enable=1
kern.elf32.aslr.enable=1
```


----------



## mark_j (Mar 27, 2022)

I also believe system hardening requires good auditing. BSM is a great product; though not as thorough as Solaris's implementation, it's a tool *ALL* system administrators should learn to use. Likewise MAC, but I'm not a real fan of it and prefer RBAC (again a Solaris implementation), which is not available on FreeBSD.


----------



## cmoerz (Mar 27, 2022)

Be careful when you use ASLR: the last time I installed 13-RELEASE, I ran into issues with `ntpd`. You might have to use `proccontrol` to selectively exclude executables from ASLR for them to work. I believe this applies to 12 as well.

In practice, you simply run into unexpected core dumps. If that happens, try disabling ASLR.

Since you mentioned targeting 12, I'll save you any further comments about W^X.


----------



## Sivan! (May 5, 2022)

memreflect said:


> Or /usr/libexec/bsdinstall/hardening if you didn't install the source component.




The file shows these options that I wish to additionally enable in /etc/sysctl.conf. The syntax is different from what I find in the file below.  What do I need to say in /etc/sysctl.conf to reflect the hardening settings 7, 9 and 10 below? Also in /etc/rc.conf?



```
"disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-off} 
        "9 secure_console" "Enable console password prompt" ${secure_console:-off} \
        "10 disable_ddtrace" "Disallow DTrace destructive-mode" ${disable_ddtrace:-off} \
        fi
        if [ "$feature" = "disable_syslogd" ]; then
                echo 'syslogd_flags="-ss"' >> $BSDINSTALL_TMPETC/rc.conf.hardening
        fi
        if [ "$feature" = "secure_console" ]; then
                sed "s/unknown  off secure/unknown      off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
        fi
        if [ "$feature" = "disable_ddtrace" ]; then
                echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening
        fi
```

Thank you.


----------



## bsduck (May 5, 2022)

Sivan! said:


> options that I wish to additionally enable in `/etc/sysctl.conf`


The thing is: those options aren't set there.



> echo 'syslogd_flags="-ss"' >> $BSDINSTALL_TMPETC/rc.conf.hardening


--> add `syslogd_flags="-ss"` to /etc/rc.conf



> sed "s/unknown  off secure/unknown      off insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening


--> in /etc/ttys, in the following section, change `secure` to `insecure`:

```
# name  getty                           type    status          comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off             insecure
```



> echo 'security.bsd.allow_destructive_dtrace=0' >> $BSDINSTALL_TMPBOOT/loader.conf.hardening


--> add `security.bsd.allow_destructive_dtrace=0` to /boot/loader.conf

For the complete list, see https://forums.freebsd.org/threads/have-you-used-hardenedbsd-did-you-like-it.80187/#post-509491


----------



## Sivan! (May 5, 2022)

bsduck said:


> The thing is: those options aren't set there.
> 
> 
> --> add `syslogd_flags="-ss"` to /etc/rc.conf
> ...



Thank you.  I have done all that, and checked if what is given in the complete list that you have linked are set.


----------



## smithi (May 10, 2022)

memreflect said:


> Or /usr/libexec/bsdinstall/hardening if you didn't install the source component.


Yep, bsdinstall sources and executables are all identical.

You can safely run just `hardening`. Due to BSDINSTALL_TMPETC being unset, whatever you select conveniently winds up in

```
/sysctl.conf.hardening
/loader.conf.hardening
/rc.conf.hardening and
/ttys.hardening
```

since full bsdinstall would normally chroot into the new system to finish installing such conf files.


----------



## Sivan! (May 10, 2022)

smithi said:


> Yep, bsdinstall sources and executables are all identical.
> 
> You can safely run just `hardening`. Due to BSDINSTALL_TMPETC being unset, whatever you select conveniently winds up in
> 
> ...



How do I run `hardening` ?

Thanks.


----------



## mer (May 10, 2022)

Sivan! said:


> How do I run `hardening` ?


As root, it should be as easy as typing in:

```
/usr/libexec/bsdinstall/hardening
```


----------



## Sivan! (May 10, 2022)

mer said:


> As root, should be as easy as typing in:
> 
> /usr/libexec/bsdinstall/hardening



Thank you.

The options menu popped up, I chose everything and said OK, and the root prompt immediately returned a blank line.  This, as I understand it, is to be taken to mean that the settings took effect.


----------



## mer (May 10, 2022)

I think so.  I would run the following command as root:

```
find / -name "*.hardening" -print
```

That should give a list of files, then you would need to copy/merge to existing files.
A file sysctl.conf.hardening you want to merge into /etc/sysctl.conf,
then repeat for the other "hardening" files.


----------



## Sivan! (May 10, 2022)

mer said:


> I think so.  I would run the following command as root:
> find / -name "*.hardening" -print
> 
> That should give a list of files, then you would need to copy/merge to existing files.
> ...


Thank you.

`find / -name "*.hardening" -print`

shows:

```
/usr/libexec/bsdinstall/hardening
/ttys.hardening
/sysctl.conf.hardening
/rc.conf.hardening
```

Would I have to issue the commands:

`merge /sysctl.conf.hardening /etc/sysctl.conf`

and likewise for every file to `/etc/`?


----------



## mer (May 10, 2022)

I don't know exactly what commands one would run, but my method would be an editor with the files side by side and hand-merging the diffs.  Basically:

```
emacs /ttys.hardening /etc/ttys
emacs /sysctl.conf.hardening /etc/sysctl.conf
emacs /rc.conf.hardening /etc/rc.conf
```

But that's because I'm a bit OCD sometimes and want to know exactly what a change is.
You could also probably do stuff with diff to see what's changed.
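Hand-merging works, but it is easy to end up with the same key twice, and then whichever assignment comes later in the file is the one that takes effect, which is confusing to audit months later. The script below is an added example, not from mer's post and not part of bsdinstall: `merge_conf` takes a fragment such as /sysctl.conf.hardening or /rc.conf.hardening and a live file such as /etc/sysctl.conf, rewrites each key that is already present in place (keeping the old line as a comment so the change is visible), comments out any later duplicate of that key, and appends the keys that were missing, so running it a second time changes nothing. The function name and the sample files in the test are constructed for this example. It is deliberately not for /ttys.hardening, which (as bsduck explained above) is a full copy of /etc/ttys with the console line changed rather than a list of settings; compare that one with `diff`.

```shell
#!/bin/sh
# Added example: merge a bsdinstall *.hardening fragment into a live conf file.
# Usage:  merge_conf /sysctl.conf.hardening /etc/sysctl.conf
#         merge_conf /rc.conf.hardening   /etc/rc.conf
# Keys already present are rewritten in place; missing keys are appended in
# the fragment's order; comments and unrelated lines pass through unchanged.
merge_conf() {
    frag=$1
    target=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/hardening.XXXXXX") || return 1
    awk -F= '
        # Trim surrounding whitespace from a key.
        function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }

        # First file: the fragment. Remember the full line for each key.
        FILENAME == ARGV[1] {
            if ($0 ~ /^[[:space:]]*#/ || $0 ~ /^[[:space:]]*$/) next
            key = trim($1)
            if (!(key in want)) order[++n] = key
            want[key] = $0
            next
        }

        # Second file: the live config.
        {
            key = trim($1)
            if (key in seen) {
                # A second assignment of a key we already rewrote would win
                # over the hardened value, so neutralise it visibly.
                print "#" $0 "   # duplicate key, superseded by hardening merge"
                next
            }
            if (key in want) {
                if ($0 != want[key]) print "#" $0 "   # replaced by hardening merge"
                print want[key]
                delete want[key]
                seen[key] = 1
                next
            }
            print
        }

        # Keys the live file never had: append them in fragment order.
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in want) print want[order[i]]
        }
    ' "$frag" "$target" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode so the /etc file keeps its owner and mode.
    cat "$tmp" > "$target"
    rm -f "$tmp"
}
```

After merging, the fragments in / have served their purpose and can be deleted; keep a copy of the original /etc files (or a ZFS snapshot) before the first run so the change can be reverted.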


----------



## Sivan! (May 10, 2022)

mer said:


> I don't know exactly what commands one would run, but my method would be editor with the files side by side and hand merge the diffs.  Basically:
> emacs /ttys.hardening /etc/ttys
> emacs /sysctl.conf.hardening /etc/sysctl.conf
> emacs /rc.conf.hardening /etc/rc.conf
> ...



`emacs` didn't work
`diff` returned an empty line for ttys, the next two commands show some difference. Will fix that.

Thank you.


----------



## smithi (May 12, 2022)

Sivan! said:


> `emacs` didn't work
> `diff` returned an empty line for ttys, the next two commands show some difference. Will fix that.
> 
> Thank you.


Might be more instructive just looking at the sh(1) code in /usr/libexec/bsdinstall/hardening to see what it generates for each selected option, without worrying about the details around the dialog screen.

Sometimes manually adding lines to conf files allows an opportunity to add comments for later reference.

Regarding your original question, adding those lines initially commented out may accomplish that?


----------



## Sivan! (May 12, 2022)

smithi said:


> Might be more instructive just looking at the sh(1) code in /usr/libexec/bsdinstall/hardening to see what it generates for each selected option, without worrying about the details around the dialog screen.
> 
> Sometimes manually adding lines to conf files allows an opportunity to add comments for later reference.
> 
> Regarding your original question, adding those lines initially commented out may accomplish that?



Thank you smithi.  My capacity to read and understand man pages such as sh(1) is extremely, extremely limited. I run  `ls` and `doas` and the rest I copy and paste.

emacs `diff /sysctl.conf.hardening /etc/sysctl.conf`

shows



> 2,3d9
> < security.bsd.see_other_gids=0
> < security.bsd.see_jail_proc=0
> 5a12,16
> ...



`diff /rc.conf.hardening /etc/rc.conf`

shows




> 1d0
> < clear_tmp_enable="YES"
> 3a3,29
> > sendmail_submint_enable="NONE"
> ...



Do I have to copy what is missing in one file, everything, from another AND vice versa? i.e, should both the / and /etc files have exactly the same contents?

Also pf status shows:



> service pf status
> Status: Enabled for 0 days 00:57:13           Debug: Urgent



How do I make pf auto-start on boot, everytime?

Thank you


----------



## Alain De Vos (May 12, 2022)

It should be noted that some hardening should be disabled for some applications eg

```
#Firefox bug
kern.elf64.aslr.pie_enable=0
kern.elf64.aslr.enable=0
#For monitoring & dovecot
security.bsd.see_other_uids=1
security.bsd.see_other_gids=1
security.bsd.see_jail_proc=1
#For dovecot
security.bsd.hardlink_check_uid=0
security.bsd.hardlink_check_gid=0
#For something
security.bsd.unprivileged_mlock=1
```


----------



## Phishfry (May 12, 2022)

It would be nice if `bsdconfig` had a hardening feature since it seems to mimic `bsdinstall`.


----------



## Sivan! (May 12, 2022)

Phishfry said:


> I would be nice if `bsdconfig` had a hardening feature since it seems to mimic `bsdinstall`.



I ran `bsdconfig hardening` now. There is a security setting option which allows the root to choose three different levels of security. Also there is a Startup menu, which allows you to view the hardening options set, and modify it. Worked well.


----------



## Phishfry (May 12, 2022)

Ideally it would come up under the `bsdconfig hardening` command.
Because bsdinstall hardening is a relatively recent addition I am not surprised bsdconfig has not caught up yet.

I use `bsdconfig timezone` a lot. I like the ability to run individual components instead of crawling through the menu.


----------



## Sivan! (May 12, 2022)

Phishfry said:


> Ideally it would come up under `bsdconfig hardening` command.
> Because bsdinstall hardening is a relatively recent addition I am not suprised bsdconfig has not caught up yet.
> 
> I use `bsdconfig timezone` alot. I like the ability to run individual components instead of crawling thru the menu.



Yes, `bsdconfig hardening` doesn't work like `bsdconfig timezone`. It would be cool to make it work, with built in warning against each setting.


----------



## smithi (May 13, 2022)

Sivan! said:


> Thank you smithi.  My capacity to read and understand man pages such as sh(1) is extremely, extremely limited. I run  `ls` and `doas` and the rest I copy and paste.



Well, virtually all of the main system scripts are written in `sh`, so you will find reading and studying this language essential to successful mastery of FreeBSD at any level.

That said, bsd{install,config} are pretty extreme in pushing sh(1) to its limits, and I should not have suggested it as an example; I'm still struggling to make sense of the *broken* bsdconfig packages code on 12.3-R dvd1.

Sorry to be frank, but copying stuff because 'hardening' sounds cool may be worse than leaving it alone in some cases, unless or until you know more or less precisely what each of those settings accomplishes.

I gather that your system is not likely a server, open to the world with multiple unrelated users?  Perhaps making sure your firewall is tight is your best bet for online security?



Sivan! said:


> Do I have to copy what is missing in one file, everything, from another AND vice versa? i.e, should both the / and /etc files have exactly the same contents?



No, the files dropped in / are just extra bits to add to the appropriate files. Best delete or move them afterwards.

Your diffs here and elsewhere show your rc.conf and ttys at least already included many of those options.



Sivan! said:


> How do I make pf auto-start on boot, everytime?



Sorry, I can't help with pf, having used ipfw since 1998.

Cheers


----------



## Sivan! (May 14, 2022)

smithi: No, my system is not a server, it is a personal computer at the moment.

Phishfry: After `bsdconfig hardening` the computer continued to work, but after a while I stopped the network with `service netif stop`. Later, when I tried to restart the network, dhcp or something else did not work and I was offline. When I shut down, there was a screen full of error messages that I could not note down, but after I rebooted the computer, *network is fine after reboot*. `dmesg -a` gives the following:



> Starting dhclient.
> ums0 on uhub2
> ...
> DHCPOFFER from 192.168.1.1
> ...


----------



## Alain De Vos (May 14, 2022)

ntpd might have a problem with aslr/pie/stack_gap.
To be certain something like:

```
kern.elf64.aslr.stack_gap=0    # ntp,firefox
kern.elf64.aslr.pie_enable=0
kern.elf64.aslr.enable=0
```


----------



## Sivan! (May 14, 2022)

Alain De Vos said:


> ntpd might have a problem with aslr/pie/stack_gap.
> To be certain something like:
> 
> ```
> ...



Thank you. What is the file that I have to edit ?


----------



## Alain De Vos (May 14, 2022)

```
/etc/sysctl.conf
```


----------



## Sivan! (May 14, 2022)

Alain De Vos said:


> ```
> /etc/sysctl.conf
> ```



Thank you. Added the kern elf64 code.


----------



## getopt (May 14, 2022)

Alain De Vos said:


> ntpd *might* have a problem with aslr/pie/stack_gap.


This means you may *not* be affected. Before disabling security features (ASLR) make sure there is a good and confirmed reason for doing so.

Look in your logfiles for ntpd related lines like

```
Cannot set RLIMIT_MEMLOCK: Operation not permitted
```

These were found on 32-bit archs.


----------



## Sivan! (May 14, 2022)

getopt said:


> This means you may *not* be affected. Before disabling security features (ASLR) make sure there is a good and confirmed reason for doing so.
> 
> Look in your logfiles for ntpd related lines like
> 
> ...



I didn't know that the kern.elf setting disabled security features. In the message above I was reporting a network restart issue, which was resolved after a reboot.  This is what `dmesg -a` shows that is related to ntpd:



> Security policy loaded: MAC/ntpd (mac_ntpd)
> Starting ntpd.
> Configuring vt: keymap blanktime.
> Starting cron.
> ...



After that there were some errors related to dbus and tty and there was a pam authenticate conversion failure, a log in failure on tty8  but none appears related to (whatever is) ntpd. The computer restarted with network without any problem.

I also checked with and without the kern.elf 0 lines, I could stop and restart netif without issues, so there was no difference between having and not having those lines in sysctl.


----------



## Alain De Vos (May 14, 2022)

There was a bug, but it might be partially/fully fixed: bugs.freebsd.org bug 253208 – "ntpd: fails to start with PIE".


----------



## Sivan! (May 14, 2022)

Alain De Vos said:


> There was a bug, but it might be partially/fully fixed,
> 
> 
> 
> ...



Thank you.  The bug fix says:


> If one builds FreeBSD with:
> WITH_BIND_NOW=yes
> WITH_PIE=yes



I didn't build FreeBSD with BIND.

`pkg info -x bind`

> pkg: No package(s) matching bind

`pgrep -lf named`

> (returned a blank line)



> [ The bug fix page also says:  ... and if one ]
> and sets sysctls:
> kern.elf64.aslr.enable=1
> kern.elf64.aslr.honor_sbrk=0
> ...



I didn't have these settings related to kern.

The problem might have been due to some other strange issue, in any case it is resolved.  (However, in the konsole as I was trying to type the above commands, the keyboard did not send "e" and "b" I had to type it somewhere else, copy and paste the character. This happened just now). Keyboard works fine elsewhere, but the last time in konsole it accepted 



> a    cd   fg   ijklmnopqrstuvwxyz1234567890


----------



## SWIFTYLIFT (May 14, 2022)

Have I missed the posts in this thread debating Mandatory Access Controls (MAC)?  Surely there are a few things that are a matter of preference to share?

It’s a hardening thread after all.

docs.freebsd.org, Chapter 17. Mandatory Access Control: "This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms."


----------



## SWIFTYLIFT (May 14, 2022)

Sivan! said:


> I ran `bsdconfig` now. There is a security setting option which allows the root to choose three different levels of security. Also there is a Startup menu, which allows you to view the hardening options set, and modify it. Worked well.


Someone correct me if I’m wrong but is this giving kern secure level options?  If so be aware at level 3 log rotation is a factor and need to keep an eye on.


----------



## SWIFTYLIFT (May 14, 2022)

SWIFTYLIFT said:


> Have I missed the posts in this thread debating Mandatory Access Controls (MAC)?  Surely there’s few things that are a matter of preference to share.?
> 
> It’s a hardening thread after all.
> 
> ...


Didn’t see mark_j (but I think he intentionally snuck it by us).


----------



## smithi (May 14, 2022)

Sivan, after saying:

> No, my system is not a server, it is a personal computer at the moment.

you then posted a dmesg segment showing raising securelevel(7) to 3.

Assuming you would not have taken such a drastic step without being fully aware of its consequences, could you please explain your rationale for doing this?


----------



## Sivan! (May 15, 2022)

smithi said:


> Sivan, after saying:
> 
> > No, my system is not a server, it is a personal computer at the moment.
> 
> ...



I didn't go by securelevel(7) but I ran `bsdconfig hardening`; the console interface that popped up showed secure level 3 as the maximum, which included network security. This corresponds to:



> Network secure mode - same as highly    secure mode, plus IP packet
> filter rules    (see ipfw(8), ipfirewall(4) and    pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.



Rationale for Level3:  This high level of security does not seem to affect the functionality of my computer, network works fine, I can send and receive gmail, watch a youtube video or connect to zoom, which is just about all that I do in my computer.

However, there are some strange issues, such as some of the keys not working in the plasma console.  A moment ago I tried `bsdconfig hardening` as root again, and it didn't work the same way it worked two days ago.

`bsdconfig hardening`



> awk: can't open file /usr/libexec/bsdconfig/*/INDEX.C.UTF-8
> source line number 4
> awk: can't open file /usr/local/libexec/bsdconfig/*/INDEX.C.UTF-8
> source line number 4
> ...



Found it at `/usr/libexec/bsdinstall/hardening`.

Update: Of the strange problems that I am experiencing, one is the problem of some keys not  working in konsole.  I restarted the computer, launched the konsole which opened with the errors:


> bash: /usr/local/share/bash-completion/bash_completion.sh: No such file or directory
> readline: ~/.inputrc: line 1: HISTSIZE=1000: no key sequence terminator
> readline: ~/.inputrc: line 8: HISTSIZE=10000: no key sequence terminator



It is possible that the keyboard error relates to wrong settings in the wrong files about the bash history length.

Another update:   I looked at ~/.inputrc the file was corrupt. *I cleaned it up, rebooted the computer and konsole works fine*:



> abcdefghijklmnopqrstuvwxyz01234567890



P.S.  I missed the posts by SWIFTYLIFT above, will read the links and respond.


----------



## Sivan! (May 15, 2022)

SWIFTYLIFT said:


> Someone correct me if I’m wrong but is this giving kern secure level options?  If so be aware at level 3 log rotation is a factor and need to keep an eye on.



I didn't go by securelevel(7) but I ran bsdconfig hardening , the console interface that popped up showed secure level3 as maximum, which included network security. This corresponds to:



> Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.



This high level of security does not seem to affect the functionality of my computer, network works fine, I can send and receive gmail, watch a youtube video or connect to zoom, which is just about all that I do in my computer.

Mandatory Access Control settings instructions that you have shared above are too complicated for me to experiment.

Thank you.


----------



## Sivan! (May 15, 2022)

SWIFTYLIFT said:


> Someone correct me if I’m wrong but is this giving kern secure level options?  If so be aware at level 3 log rotation is a factor and need to keep an eye on.


The command was not `bsdconfig` as I mistyped in a previous post, but `bsdconfig hardening` which presented security level options.


----------



## SWIFTYLIFT (May 15, 2022)

Not sure if the scripts you’re using do this but:

Make use of *some sshd_config options that aren’t in the example config file*,

I’ve found creating a group and including the users you want to allow works (I think it’s *AllowGroups*).

The two sshd binary replacements I’ve found floating around each (like any rootkit) have some mechanism to circumvent the "not permitting root" setting. I’m not saying this would always hold true, but it’s a simple entry to restrict ssh to a group, and these are examples of it being a good practice.

There are a couple more little tweaks but need to look at these scripts and see what’s being done (feel pretty sure they don’t create a group populate it and modify the config).

About to dig into the issues you just posted -

Regarding the too complicated: that’s why a community like this exists - pretty sure there’s not much that couldn’t be figured out - an awful lot of expertise who are happy to help (subtle tnx to SirDice and sidetone  )


----------



## Sivan! (Jul 6, 2022)

mer said:


> I don't know exactly what commands one would run, but my method would be editor with the files side by side and hand merge the diffs.  Basically:
> 
> emacs /ttys.hardening /etc/ttys
> emacs /sysctl.conf.hardening /etc/sysctl.conf
> emacs /rc.conf.hardening /etc/rc.conf



I still see several lines of mismatch when I run

```
diff /ttys.hardening /etc/ttys
diff /sysctl.conf.hardening /etc/sysctl.conf
diff /rc.conf.hardening /etc/rc.conf
```

Do I have to manually copy the contents from one file to another to make one file match its corresponding file?

Thank you.


----------

