25th June 2008
pickupsticks

Help from CIS. Great tool that I cannot believe was not brought up here; much of what it checks for has been brought up, though. It scans your system and gives you results and a score, and there is also a guide which shows how to "fix" what it calls problems.
http://www.cisecurity.org/bench_freebsd.html

Here is an example of results. The "non-standard SUID program" it complains of is because of the schg flag set by /usr/ports/security/lockdown. Did anyone mention it? Very useful.

MACY# egrep "^Negative" ./cis-ruler-log.20080624-20.00.56.59258
Negative: 1.1 System appears not to have been patched within the last month.
Negative: 1.2 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.3 host based firewall is NOT enabled.
Negative: 3.2 Password not required for single user console.
Negative: 4.2 No secure level > 0 (sysctl.conf kern.securelevel="-1")
Negative: 5.2 No System Accounting enabled (rc.conf accounting_enable="NO")
Negative: 5.4 /var/log/Xorg.0.log should not be world readable.
Negative: 5.4 /var/log/Xorg.0.log.old should not be world readable.
Negative: 6.1 /etc/fstab does NOT mount cdroms nosuid.
Negative: 7.1 weak authentication not deactivated in /etc/pam.d/rsh.
Negative: 7.3 File /etc/hosts.equiv exists, is non-zero size, isn't linked to /dev/null, and doesn't contain only the - character.
Negative: 7.7 X11 is listening on TCP port 6000.
Negative: 8.3 User joe does not have a maximum password life. (91 days or less recommended).
Negative: 8.4 Default /etc/adduser.conf file not found.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block group-read/write/execute.
Negative: 6.5 Non-standard SUID program /usr/bin/ypchfn
Negative: 6.5 Non-standard SUID program /usr/sbin/authpf
Negative: 6.5 Non-standard SUID program /usr/bin/chfn
Negative: 6.5 Non-standard SUID program /usr/bin/ypchsh
Negative: 6.5 Non-standard SUID program /usr/bin/lprm
Negative: 6.5 Non-standard SUID program /usr/bin/chpass
Negative: 6.5 Non-standard SUID program /usr/bin/ypchpass
Negative: 6.5 Non-standard SUID program /usr/bin/lpr
Negative: 6.5 Non-standard SUID program /usr/bin/chsh
Negative: 6.5 Non-standard SUID program /usr/bin/rsh
Negative: 6.5 Non-standard SUID program /usr/bin/lpq
Negative: 6.5 Non-standard SGID program /usr/sbin/authpf
Negative: 6.5 Non-standard SGID program /usr/bin/lpr
Negative: 6.5 Non-standard SGID program /usr/bin/lprm
Negative: 6.5 Non-standard SGID program /usr/bin/lpq

MACY# egrep "^Positive" ./cis-ruler-log.20080624-20.00.56.59258
Positive: 2.1 inetd/xinetd is not listening on any of the miscellaneous ports checked in this item.
Positive: 2.2 telnet is deactivated.
Positive: 2.3 ftp is deactivated.
Positive: 2.4 rsh, rcp and rlogin are deactivated.
Positive: 2.5 tftp is deactivated.
Positive: 2.6 finger is deactivated.
Positive: 2.7 Kerberos v4 or v5 services are not enabled.
Positive: 3.1 All Serial login prompts are disabled.
Positive: 3.3 Good umask in all rc files.
Positive: 3.4 syslogd has the -s switch and is thus not listening to the network.
Positive: 3.5 Mail daemon is not listening on TCP 25.
Positive: 3.6 DNS named daemon is not listening on port 53.
Positive: 3.7 No RPC services enabled.
Positive: 3.8 No NFS servers enabled.
Positive: 3.9 No NFS client enabled.
Positive: 3.10 No non-privileged NFS ports allowed.
Positive: 3.11 No non-privileged mount requests allowed.
Positive: 3.12 No NIS server enabled.
Positive: 3.13 No NIS client enabled.
Positive: 3.14 No Printer daemon is enabled.
Positive: 4.1 No Core dumps enabled.
Positive: 4.3 No Users see unowned processes.
Positive: 4.4 No Users see processes in other groups.
Positive: 5.1 syslog captures daemon.debug messages.
Positive: 5.3 Logging of packets received on closed ports.
Positive: 5.5 /etc/newsyslog.conf log file permissions are correct.
Positive: 6.2 password and group files have right permissions and owners.
Positive: 6.6 No user's home directory is world or group writable.
Positive: 7.2 All .rhosts files are readable only by their owner.
Positive: 7.4 at/cron is restricted to authorized users.
Positive: 7.5 'Authorized use only' message in /etc/motd.
Positive: 7.6 X Wrapper package is NOT installed.
Positive: 8.1 All system accounts are locked/deleted
Positive: 8.2 All users have passwords
Positive: 8.5 User 'toor' has been removed.
Positive: 8.6 Only one UID 0 account AND it is named root.
Positive: 8.7 No group or world-writable dotfiles in user home directories!
Positive: 8.9 User shells default to mesg n, blocking talk/write.
Positive: 6.3 No world-writable directories without sticky bit.
Positive: 6.4 No non-standard world-writable files.
Positive: 6.7 No unowned files found.
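The ruler log shown above follows a simple "Positive|Negative: item message" shape, and reviewing it by hand gets tedious once accepted exceptions (like the lockdown-related SUID hits) pile up. The following is an added example, not the poster's code and not part of the CIS tool: a small Python parser over a constructed sample of such lines that computes a pass ratio (a plain fraction, not the tool's own scoring formula), counts negatives per benchmark section, and separates operator-accepted findings from actionable ones; the `accepted` substrings are an assumed convention.

```python
import re
from collections import Counter

# Constructed sample in the "Result: item message" shape shown in the post;
# these are not the poster's actual log lines.
SAMPLE_LOG = """\
Negative: 1.3 host based firewall is NOT enabled.
Negative: 4.2 No secure level > 0 (sysctl.conf kern.securelevel="-1")
Negative: 6.5 Non-standard SUID program /usr/bin/chfn
Negative: 6.5 Non-standard SUID program /usr/bin/chsh
Negative: 6.5 Non-standard SGID program /usr/bin/lpr
Positive: 2.2 telnet is deactivated.
Positive: 6.2 password and group files have right permissions and owners.
Positive: 8.6 Only one UID 0 account AND it is named root.
"""

LINE_RE = re.compile(r"^(Positive|Negative):\s+(\d+\.\d+)\s+(.*)$")

def parse_log(text):
    """Return (result, item, message) tuples; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append((m.group(1), m.group(2), m.group(3).strip()))
    return findings

def score(findings):
    """Fraction of checks that passed (0..1). This is a plain pass ratio, not the tool's score."""
    counts = Counter(result for result, _, _ in findings)
    total = counts["Positive"] + counts["Negative"]
    return counts["Positive"] / total if total else 0.0

def by_section(findings):
    """Count negatives per benchmark section, i.e. the digit before the dot in the item number."""
    return Counter(item.split(".")[0] for result, item, _ in findings if result == "Negative")

def triage(findings, accepted=()):
    """Split into positives, actionable negatives and accepted negatives.

    `accepted` (assumed convention) holds message substrings, e.g. binary paths, that the
    operator has reviewed and explained, such as SUID hits caused only by the schg flag.
    """
    positives, actionable, accepted_neg = [], [], []
    for result, item, msg in findings:
        if result == "Positive":
            positives.append((item, msg))
        elif any(token in msg for token in accepted):
            accepted_neg.append((item, msg))
        else:
            actionable.append((item, msg))
    return positives, actionable, accepted_neg

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    pos, act, acc = triage(found, accepted=("/usr/bin/chfn", "/usr/bin/chsh"))
    print(f"pass ratio {score(found):.2f}; actionable {len(act)}; accepted {len(acc)}")
    for item, msg in act:
        print(item, msg)
```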