Difference between revisions of "Security"

From GhostBSD Wiki
Jump to: navigation, search
m (Introduction)
m (How to harden your system)
Line 24: Line 24:
 
==How to harden your system==
 
==How to harden your system==
  
It is easy to get GhostBSD to get a score of 70. Install [http://rkhunter.sourceforge.net/ rkhunter] and change 4 settings.
+
To have GhostBSD score a 70 on the audit. Install [http://rkhunter.sourceforge.net/ rkhunter] and change 4 settings.
  
 
[[File:Photo 2020-11-08 12-40-56.jpg|400px]]
 
[[File:Photo 2020-11-08 12-40-56.jpg|400px]]

Revision as of 09:39, 8 November 2020

Welcome to theIcon Disti GhostBSD.png Security


Introduction

On this page we will collect information to harden your system.

To check your security you can use Lynis security scan.

Firstly, install lynis. sudo pkg install lynis

Secondly, conduct an audit sudo lynis audit system

Hardening your system to receive a better Hardened Index score is trivial.

How to harden your system

To have GhostBSD score a 70 on the audit. Install rkhunter and change 4 settings.

Photo 2020-11-08 12-40-56.jpg

You can make additional changes to improve the score. Feel free to test to see what is comfortable for you.

Photo 2020-11-08 12-44-00.jpg


If we simply set the network related values, we will not affect the user experience.

Photo 2020-11-08 12-57-52.jpg

These changes plus adding one pkg (rkhunter) will provide a score of...

Photo 2020-11-08 13-13-23.jpg

For those that want to keep those changes after reboot, just add them to /etc/sysctl.conf.

Also using clamav help to raise the score.

How could keep those change - How setting security

Append /etc/sysctl.conf with these entries: 

   hw.kbd.keymap_restrict_change=4
   kern.sugid_coredump=0
   net.inet.icmp.bmcastecho=0
   net.inet.icmp.drop_redirect=1
   net.inet.ip.accept_sourceroute=0
   net.inet.ip.check_interface=1
   net.inet.ip.forwarding=0
   net.inet.ip.process_options=0
   net.inet.ip.random_id=1
   net.inet.ip.redirect=0
   net.inet.ip.sourceroute=0
   net.inet.tcp.always_keepalive=0
   net.inet.tcp.blackhole=2
   net.inet.tcp.drop_synfin=1
   net.inet.tcp.icmp_may_rst=0
   net.inet.tcp.nolocaltimewait=1
   net.inet.tcp.path_mtu_discovery=0
   net.inet.udp.blackhole=1
   net.inet6.icmp6.rediraccept=0
   net.inet6.ip6.forwarding=0
   net.inet6.ip6.fw.enable=1
   net.inet6.ip6.redirect=0
   # The settings below will change the user experience
   security.bsd.hardlink_check_gid=1
   security.bsd.hardlink_check_uid=1
   security.bsd.see_other_gids=0
   security.bsd.see_other_uids=0
   security.bsd.stack_guard_page=1
   security.bsd.unprivileged_proc_debug=0
   security.bsd.unprivileged_read_msgbuf=0

Additional Information


Back to the Icon Disti GhostBSD.pngGhostBSD Wiki
Retrieved from "http://wiki.ghostbsd.org/index.php?title=Security&oldid=7024"