Difference between revisions of "Security"
From GhostBSD Wiki
(→How to harden your system) |
(→How to harden your system) |
||
Line 32: | Line 32: | ||
Also using [https://www.clamav.net/ clamav] help to raise the score. | Also using [https://www.clamav.net/ clamav] help to raise the score. | ||
+ | |||
+ | ==How could keep those change - How setting security== | ||
+ | |||
+ | Append /etc/sysctl.conf with these entries: | ||
+ | |||
+ | hw.kbd.keymap_restrict_change=4 | ||
+ | kern.sugid_coredump=0 | ||
+ | net.inet.icmp.bmcastecho=0 | ||
+ | net.inet.icmp.drop_redirect=1 | ||
+ | net.inet.ip.accept_sourceroute=0 | ||
+ | net.inet.ip.check_interface=1 | ||
+ | net.inet.ip.forwarding=0 | ||
+ | net.inet.ip.process_options=0 | ||
+ | net.inet.ip.random_id=1 | ||
+ | net.inet.ip.redirect=0 | ||
+ | net.inet.ip.sourceroute=0 | ||
+ | net.inet.tcp.always_keepalive=0 | ||
+ | net.inet.tcp.blackhole=2 | ||
+ | net.inet.tcp.drop_synfin=1 | ||
+ | net.inet.tcp.icmp_may_rst=0 | ||
+ | net.inet.tcp.nolocaltimewait=1 | ||
+ | net.inet.tcp.path_mtu_discovery=0 | ||
+ | net.inet.udp.blackhole=1 | ||
+ | net.inet6.icmp6.rediraccept=0 | ||
+ | net.inet6.ip6.forwarding=0 | ||
+ | net.inet6.ip6.fw.enable=1 | ||
+ | net.inet6.ip6.redirect=0 | ||
+ | # The settings below will change the user experience | ||
+ | security.bsd.hardlink_check_gid=1 | ||
+ | security.bsd.hardlink_check_uid=1 | ||
+ | security.bsd.see_other_gids=0 | ||
+ | security.bsd.see_other_uids=0 | ||
+ | security.bsd.stack_guard_page=1 | ||
+ | security.bsd.unprivileged_proc_debug=0 | ||
+ | security.bsd.unprivileged_read_msgbuf=0 | ||
==Additional Information== | ==Additional Information== |
Revision as of 09:18, 8 November 2020
Welcome to the Security |
This page is in maintenance! Please do not change this page without to contact the author or use Discussion! |
Contents
Introduction
On this page we will collect information to harden your system.
How to harden your system
It is easy to get GhostBSD to get a score of 70. Install rkhunter and change 4 settings.
You can make additional changes to improve the score. Feel free to test to see what is comfortable for you.
If we simply set the network related values, we will not affect the user experience.
These changes plus adding one pkg (rkhunter) will provide a score of...
For those that want to keep those changes after reboot, just add them to /etc/sysctl.conf.
Also using clamav help to raise the score.
How could keep those change - How setting security
Append /etc/sysctl.conf with these entries:
hw.kbd.keymap_restrict_change=4 kern.sugid_coredump=0 net.inet.icmp.bmcastecho=0 net.inet.icmp.drop_redirect=1 net.inet.ip.accept_sourceroute=0 net.inet.ip.check_interface=1 net.inet.ip.forwarding=0 net.inet.ip.process_options=0 net.inet.ip.random_id=1 net.inet.ip.redirect=0 net.inet.ip.sourceroute=0 net.inet.tcp.always_keepalive=0 net.inet.tcp.blackhole=2 net.inet.tcp.drop_synfin=1 net.inet.tcp.icmp_may_rst=0 net.inet.tcp.nolocaltimewait=1 net.inet.tcp.path_mtu_discovery=0 net.inet.udp.blackhole=1 net.inet6.icmp6.rediraccept=0 net.inet6.ip6.forwarding=0 net.inet6.ip6.fw.enable=1 net.inet6.ip6.redirect=0 # The settings below will change the user experience security.bsd.hardlink_check_gid=1 security.bsd.hardlink_check_uid=1 security.bsd.see_other_gids=0 security.bsd.see_other_uids=0 security.bsd.stack_guard_page=1 security.bsd.unprivileged_proc_debug=0 security.bsd.unprivileged_read_msgbuf=0
Additional Information
Back to the GhostBSD Wiki |