Harden FreeBSD
FreeBSD officially defaults to Permanently Insecure Mode. This script duplicates all the hardening settings applied by /usr/libexec/bsdinstall/hardening and adds many more. Any directive can be set and re-set through a customizable settings.ini, which makes administration, tuning, and jail management easier. All existing entries in all confs remain untouched unless they are modified in the settings file.
This script is also aimed at new users of FreeBSD, so that they can apply years of security contributions from the entire BSD community, across every area of the system, in seconds.
Each security setting was researched, assessed, and chosen as part of a set of mitigations that maximizes threat reduction while minimizing restrictions on system capability and availability.
For a more comprehensive, truly "hardened" solution with more security than this repo covers, one that involves kernel modifications, I refer you to HardenedBSD.
Main Features
- Makes backups of `rc.conf`, `sysctl.conf`, `login.conf`, and `loader.conf` on first run
- Disables the Sendmail service, but it can still be run by command and abused.
  - Recommended:
    - `rm -rf /usr/libexec/sendmail /usr/libexec/dma` OR `chmod -R 000 sendmail dma`
    - `pkg install opensmtpd`
- Sets passwords to Blowfish encryption, which is better than SHA512 for this purpose
- Sets passwords to expire at 120 days
- Removes `other` write permissions from key system files and folders
- Allows only root for `cron` and `at`
- Primitive flag verification catches simple errors
- Modularizable within other tools
- Automate any shell command
- System logging to `/var/log/messages` and script logging to `/var/log/harden-freebsd.log`
- Pretty prints color output of script execution to console while running
- Sets umask to 027
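The promise that existing conf entries stay untouched rests on set-or-replace editing of each directive, the same mechanism needed to turn the Sendmail knobs off in `rc.conf`. The following is an added example, not the repository's own code: a POSIX sh function that sets or replaces one `key="value"` line in an rc.conf-style file, leaves every other line as it is, and takes a one-time backup before the first change. The `.orig` backup suffix, the function names, and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example (not the repository's own code): idempotent set-or-replace of a
# key="value" directive in an rc.conf-style file. The ".orig" backup suffix and
# the function names are assumptions of this example.
set -eu

# set_directive FILE KEY VALUE
# Replaces an existing KEY=... line in place, or appends KEY="VALUE" if absent.
set_directive() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    # one-time backup, taken only before the first change to this file
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        # literal prefix match on "KEY=" so regex characters in KEY are not an issue
        awk -v k="$key" -v v="$value" \
            'index($0, k "=") == 1 { print k "=\"" v "\""; next } { print }' \
            "$file" > "$tmp"
        cat "$tmp" > "$file"   # rewrite through the original inode, keeps mode/owner
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY -> prints the value (quotes stripped)
get_directive() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Demo on a constructed file, not a real system conf
demo_dir=$(mktemp -d)
printf 'hostname="example.test"\nsendmail_enable="YES"\n' > "$demo_dir/rc.conf"
for knob in sendmail_enable sendmail_submit_enable \
            sendmail_outbound_enable sendmail_msp_queue_enable; do
    set_directive "$demo_dir/rc.conf" "$knob" NO
done
cat "$demo_dir/rc.conf"
```

Running the same settings twice leaves the file unchanged, and `rc.conf.orig` still holds the pre-hardening `sendmail_enable="YES"` line.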