I had some time today and wrote up a guide on the topic of password enforcement to get things started (I hope that's ok). Please feel free to add on any information, as requested in the closing section of the guide.
__________________
Kill your t.v.
Help from CIS. Great tool that I cannot believe was not brought up here; much of what it checks for has been brought up, though. It scans your system and gives you results and a score, and there is also a guide which shows how to "fix" what it calls problems.
http://www.cisecurity.org/bench_freebsd.html

Here is an example of results. The "non-standard suid program" it complains of is because of the schg flag set by /usr/ports/security/lockdown (did anyone mention it? Very useful).

Code:
MACY# egrep "^Negative" ./cis-ruler-log.20080624-20.00.56.59258
Negative: 1.1 System appears not to have been patched within the last month.
Negative: 1.2 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.3 host based firewall is NOT enabled.
Negative: 3.2 Password not required for single user console.
Negative: 4.2 No secure level > 0 (sysctl.conf kern.securelevel="-1")
Negative: 5.2 No System Accounting enabled (rc.conf accounting_enable="NO")
Negative: 5.4 /var/log/Xorg.0.log should not be world readable.
Negative: 5.4 /var/log/Xorg.0.log.old should not be world readable.
Negative: 6.1 /etc/fstab does NOT mount cdroms nosuid.
Negative: 7.1 weak authentication not deactivated in /etc/pam.d/rsh.
Negative: 7.3 File /etc/hosts.equiv exists, is non-zero size, isn't linked to /dev/null, and doesn't contain only the - character.
Negative: 7.7 X11 is listening on TCP port 6000.
Negative: 8.3 User joe does not have a maximum password life. (91 days or less recommended).
Negative: 8.4 Default /etc/adduser.conf file not found.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block group-read/write/execute.
Negative: 6.5 Non-standard SUID program /usr/bin/ypchfn
Negative: 6.5 Non-standard SUID program /usr/sbin/authpf
Negative: 6.5 Non-standard SUID program /usr/bin/chfn
Negative: 6.5 Non-standard SUID program /usr/bin/ypchsh
Negative: 6.5 Non-standard SUID program /usr/bin/lprm
Negative: 6.5 Non-standard SUID program /usr/bin/chpass
Negative: 6.5 Non-standard SUID program /usr/bin/ypchpass
Negative: 6.5 Non-standard SUID program /usr/bin/lpr
Negative: 6.5 Non-standard SUID program /usr/bin/chsh
Negative: 6.5 Non-standard SUID program /usr/bin/rsh
Negative: 6.5 Non-standard SUID program /usr/bin/lpq
Negative: 6.5 Non-standard SGID program /usr/sbin/authpf
Negative: 6.5 Non-standard SGID program /usr/bin/lpr
Negative: 6.5 Non-standard SGID program /usr/bin/lprm
Negative: 6.5 Non-standard SGID program /usr/bin/lpq

MACY# egrep "^Positive" ./cis-ruler-log.20080624-20.00.56.59258
Positive: 2.1 inetd/xinetd is not listening on any of the miscellaneous ports checked in this item.
Positive: 2.2 telnet is deactivated.
Positive: 2.3 ftp is deactivated.
Positive: 2.4 rsh, rcp and rlogin are deactivated.
Positive: 2.5 tftp is deactivated.
Positive: 2.6 finger is deactivated.
Positive: 2.7 Kerberos v4 or v5 services are not enabled.
Positive: 3.1 All Serial login prompts are disabled.
Positive: 3.3 Good umask in all rc files.
Positive: 3.4 syslogd has the -s switch and is thus not listening to the network.
Positive: 3.5 Mail daemon is not listening on TCP 25.
Positive: 3.6 DNS named daemon is not listening on port 53.
Positive: 3.7 No RPC services enabled.
Positive: 3.8 No NFS servers enabled.
Positive: 3.9 No NFS client enabled.
Positive: 3.10 No non-privileged NFS ports allowed.
Positive: 3.11 No non-privileged mount requests allowed.
Positive: 3.12 No NIS server enabled.
Positive: 3.13 No NIS client enabled.
Positive: 3.14 No Printer daemon is enabled.
Positive: 4.1 No Core dumps enabled.
Positive: 4.3 No Users see unowned processes.
Positive: 4.4 No Users see processes in other groups.
Positive: 5.1 syslog captures daemon.debug messages.
Positive: 5.3 Logging of packets received on closed ports.
Positive: 5.5 /etc/newsyslog.conf log file permissions are correct.
Positive: 6.2 password and group files have right permissions and owners.
Positive: 6.6 No user's home directory is world or group writable.
Positive: 7.2 All .rhosts files are readable only by their owner.
Positive: 7.4 at/cron is restricted to authorized users.
Positive: 7.5 'Authorized use only' message in /etc/motd.
Positive: 7.6 X Wrapper package is NOT installed.
Positive: 8.1 All system accounts are locked/deleted
Positive: 8.2 All users have passwords
Positive: 8.5 User 'toor' has been removed.
Positive: 8.6 Only one UID 0 account AND it is named root.
Positive: 8.7 No group or world-writable dotfiles in user home directories!
Positive: 8.9 User shells default to mesg n, blocking talk/write.
Positive: 6.3 No world-writable directories without sticky bit.
Positive: 6.4 No non-standard world-writable files.
Positive: 6.7 No unowned files found.
Hmm... this CIS thing seems interesting, but fails on a few points. It mentions me not having "-s" in my syslogd flags. I do have that. In fact, I have a lot more than that. Maybe that's why it's failing.
All in all, a fairly good way for a sysadmin to get a "grasp" of a few things. He can safely ignore something that he knows otherwise (like the example above, or "named running on port 53").
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
I don't want to sound negative, but I've also run the CIS tool on my box before, and the fact that it hasn't been updated in a while really shows and is quite annoying.
Lots of false warnings hide the real problems, so you have to manually check everything... For example:

Code:
Negative: 1.2 ssh_config must have 'Protocol 2' underneath Host *.

That's why I also never bothered to install security/lockdown: the last port update is from 19 Apr 2007; in fact, that's still the same version 2.0.0 that was released 24 Jun 2005! It could be that it still works properly on FreeBSD 6.3/7.0, but I have my doubts... Anyway, I did discover, fix and learn about a lot of problems thanks to the CIS script, so I would still recommend it to everyone! Just take it with a grain of salt.

Last edited by hopla; 25th June 2008 at 07:40 AM. Reason: typo
Don't forget to add the following lines to /etc/sysctl.conf:

Code:
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_get_quota=0
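Settings like these drift: a later sysctl.conf edit, a package, or a rebuilt kernel can silently undo them, and the CIS script above only checks the few it knows about. The following POSIX sh script is an added example (not from this thread or from CIS) that compares a desired set of sysctl values, the four lines above plus kern.coredump=0 mentioned later in the thread, against the running values and reports any that are missing or differ. The `sample_current` function is constructed data standing in for `sysctl -a` output so the check can be exercised offline; both the `name: value` form that FreeBSD's sysctl prints and the `name=value` form used in sysctl.conf are accepted.

```shell
#!/bin/sh
# Added example: audit FreeBSD sysctl hardening values for drift.
# Not part of the thread or of the CIS benchmark script.

# Desired settings, one "name=value" per line (the four from the post above
# plus kern.coredump=0 from later in the thread).
desired_settings() {
    cat <<'EOF'
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_get_quota=0
kern.coredump=0
EOF
}

# Constructed stand-in for `sysctl -a` output on a partially hardened host:
# one value wrong, one key absent, core dumps still enabled.
sample_current() {
    cat <<'EOF'
security.bsd.hardlink_check_gid: 1
security.bsd.hardlink_check_uid: 0
security.bsd.unprivileged_read_msgbuf: 0
kern.coredump: 1
EOF
}

# audit_sysctl CURRENT
# Reads desired "name=value" lines on stdin; CURRENT is the text of the
# running values ("name: value" or "name=value" per line). Prints one
# OK/DRIFT/MISSING line per setting; returns 1 if anything is not as desired.
audit_sysctl() {
    current="$1"
    rc=0
    while IFS='=' read -r name want; do
        [ -z "$name" ] && continue
        # Exact key match on the first field, split on ':' or '=' plus spaces,
        # so a dotted name never matches a longer or similar key.
        have=$(printf '%s\n' "$current" \
            | awk -F '[:=][[:space:]]*' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$name" "$want"
            rc=1
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT    %s is %s (want %s)\n' "$name" "$have" "$want"
            rc=1
        else
            printf 'OK       %s=%s\n' "$name" "$want"
        fi
    done
    return $rc
}

# Run with --live to audit this host; otherwise audit the constructed sample.
case "${1:-}" in
    --live) desired_settings | audit_sysctl "$(sysctl -a 2>/dev/null)" \
                || echo "hardening drift detected" ;;
    *)      desired_settings | audit_sysctl "$(sample_current)" \
                || echo "hardening drift detected (constructed sample)" ;;
esac
```

Against the constructed sample the script reports two OK lines, two DRIFT lines (hardlink_check_uid and kern.coredump) and one MISSING line (unprivileged_get_quota), and exits non-zero, which makes it usable from cron or a config-management check. Values set only in /etc/sysctl.conf but never loaded still show as DRIFT, because the audit reads the kernel's current values rather than the file.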
You don't need one of those if you just set your password to password. It's easy to remember.
Oh, thank you so much, I had forgotten my password. I had written it down, but I spilled my beer and the ink on the sticky-note on the bottom side of my keyboard ran!
Quote:
thanks.
There are several ways to disable that functionality in FreeBSD:
You can disable them via:
Note: It's probably better to leave them enabled and, perhaps, debug the problem and send it upstream... but we don't live in a perfect world.

Last edited by BSDfan666; 10th August 2008 at 03:39 AM.
Quote:
# echo 'kern.coredump=0' >> /etc/sysctl.conf
__________________
Kill your t.v.
Quote:
/usr/ports/net/stone> cat pkg-descr
Stone is a TCP/IP packet repeater in the application layer. It repeats TCP and UDP packets from inside to outside of a firewall, or from outside to inside.

Stone has following features:

1. Simple. Stone's source code is only 3000 lines long (written in C language), so you can minimize the risk of security holes.
2. Stone supports SSL. Using OpenSSL (http://www.openssl.org/), stone can encrypt/decrypt packets.
3. Stone is a http proxy. Stone can also be a tiny http proxy.
4. POP -> APOP conversion. With stone and a mailer that does not support APOP, you can access to an APOP server.

WWW: http://www.gcd.org/sengoku/stone/