# FreeBSD 11 Security Settings when Installing



## chrismfz (Feb 4, 2017)

Hello there.
When I install FreeBSD 11 there is a step for various security / hardening settings about kernel mainly.

Is there a way to run this somehow from console ? 

I can't find it and I was curious how to run it onto systems that are already installed without them or in systems that had been upgraded from 10.x

ps. I am talking about 

New 'System Hardening' menu in bsdinstall with several security features to be enabled per user's choice (r302897)

which is part of bsdinstall.


----------



## ShelLuser (Feb 4, 2017)

I've long removed bsdinstall from my systems, but to my knowledge you can simply start it yourself as well. Check /sbin or /usr/sbin. Or the manualpage of course.


----------



## rigoletto@ (Feb 4, 2017)

As far I know those options are sysctl(8) options. If I record correctly:


```
security.bsd.see_other_gids
security.bsd.see_other_uids
security.bsd.unprivileged_read_msgbuf
security.bsd.unprivileged_proc_debug
security.bsd.stack_guard_page
```


----------



## scottro (Feb 5, 2017)

There's one to disable sendmail as well, which I assume, (and yeah, I know what that implies) just saves someone the work of adding the 3 or 4 sendmail lines to /etc/rc.conf


```
sendmail_enable="NO" 
sendmail_submit_enable="NO" 
sendmail_outbound_enable="NO" 
sendmail_msp_queue_enable="NO"
```

I haven't checked if that is what that one option does, but it seems logical. 
[FONT=Consolas][/FONT]


----------



## Phishfry (Feb 5, 2017)

You can find the actual script here:
/usr/src/usr.sbin/bsdinstall/scripts/hardening

To run it use this:

```
cd /usr/src/usr.sbin/bsdinstall/scripts
./hardening
```

++edit++
I do notice just running the script does not change any settings though.


----------



## ShelLuser (Feb 5, 2017)

scottro said:


> There's one to disable sendmail as well, which I assume, (and yeah, I know what that implies) just saves someone the work of adding the 3 or 4 sendmail lines to /etc/rc.conf


I know it's a little offtopic but Sendmail isn't enabled by default anymore, so you can leave the first line out. There is however another option which is also enabled by default. This is what I use:


```
sendmail_cert_create="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
```
Based on the settings in /etc/defaults/rc.conf instead of the documentation which sometimes also implies that Sendmail is enabled by default (it no longer is).

The main reason I'm commenting though: in case someone does want to disable Sendmail based on this then also don't forget about /etc/periodic.conf:


```
daily_clean_hoststat_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_queuerun_enable="NO"
daily_submit_queuerun="NO"
```



Phishfry said:


> You can find the actual script here:
> /usr/src/usr.sbin/bsdinstall/scripts/hardening


Keep in mind though that this requires the sourcecode to be installed, and not everyone has that.


----------



## Phishfry (Feb 5, 2017)

Not only that -bsdinstaller uses a chroot envirnoment. So hence the script does not work on a running system.

Here they are translated:

```
echo security.bsd.see_other_uids=0 >> /etc/sysctl.conf
echo security.bsd.see_other_gids=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_read_msgbuf=0 >> /etc/sysctl.conf
echo security.bsd.unprivileged_proc_debug=0 >> /etc/sysctl.conf
echo kern.randompid=$(jot -r 1 9999) >> /etc/sysctl.conf
echo security.bsd.stack_guard_page=1 >> /etc/sysctl.conf
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
echo 'syslogd_flags="-ss"' >> /etc/rc.conf
echo 'sendmail_enable="NONE"' >> /etc/rc.conf
```


----------



## rigoletto@ (Feb 5, 2017)

If you wanna go deeper, you can take a look on here, specially on *"The /etc/sysctl.conf"* topic.


----------



## chrismfz (Feb 6, 2017)

Phishfry said:


> Not only that -bsdinstaller uses a chroot envirnoment. So hence the script does not work on a running system.
> 
> Here they are translated:
> 
> ...



Thank you! 

Indeed it worked. Made the very simple ps aux as a user to check if , 
sysctl security.bsd.see_other_uids
sysctl security.bsd.see_other_gids
works or not.


```
chris@devbox ~$ ps aux
USER  PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
chris 979  0.0  0.0 13848 3308  0  S    15:21   0:00.00 -su (bash)
chris 981  0.0  0.0 21164 2584  0  R+   15:21   0:00.00 ps aux
```

Seems they work. Thanks again.


----------



## usdmatt (Feb 6, 2017)

Related to Sendmail but not the original question, you can fully disable Sendmail with one rc.conf line:

```
sendmail_enable="NONE"
```

It does look like they've forgotten to disable the cert_create option with this setting, although that's only a one-time function that creates an ssl certificate.


----------

