Editing Security

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 4: Line 4:
 
|}
 
|}
  
 +
{|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000;text-align:left;padding: 10px"
 +
|-
 +
! scope="col" style="width: 100px;"|'''App/Package'''
 +
! scope="col" style="width: 350px;"|'''Abstract'''
 +
! scope="col" style="width: 250px;"|'''Addition or Link'''
 +
|-
 +
|xxx
 +
|xxx
 +
|xxx
 +
|-
 +
!colspan="3"|
 +
|-
 +
!colspan="3"|'''If you don't find a package you are looking for yet, it is recommended to search the ''' [[File:Icon FreeBSD.png|50px|link=https://www.freebsd.org/ports/categories-grouped.html]]'''Ports Collection.'''
 +
|-
 +
!colspan="3"|
 +
|-
 +
!colspan="3"|'''Back to the''' [[image:Icon Disti GhostBSD.png|50px|link=Applications]]'''Applications'''
  
==Introduction==
 
On this page we will collect information to harden your system.
 
 
To check your security you can use [https://opensource.com/article/20/5/linux-security-lynis Lynis security scan].
 
 
'''Firstly''', install [https://svnweb.freebsd.org/ports/head/security/lynis/pkg-descr?revision=HEAD lynis]:<br/>
 
 
<code>sudo pkg install lynis</code>
 
 
 
'''Secondly''', conduct an audit:<br/>
 
 
<code>sudo lynis audit system</code>
 
 
 
Hardening your system to receive a better Hardened Index score is trivial.
 
 
==How to harden your system==
 
 
To have GhostBSD score a 70 on the audit. Install [http://rkhunter.sourceforge.net/ rkhunter] and change 4 settings.
 
 
[[File:Photo 2020-11-08 12-40-56.jpg|400px]]
 
 
You can make additional changes to improve the score. Feel free to test to see what is comfortable for you.
 
 
[[File:Photo 2020-11-08 12-44-00.jpg|400px]]
 
 
 
If we simply set the network related values, we will not affect the user experience.
 
 
[[File:Photo 2020-11-08 12-57-52.jpg|400px]]
 
 
These changes plus adding one pkg (rkhunter) will provide a score of 77.
 
 
 
However, it is possible to attain a score of 82 by enabling several additional security.bsd settings.
 
 
[[File:Photo 2020-11-08 13-13-23.jpg|400px]]
 
 
For those that want to have these changes be persistent after reboot, add them to '''/etc/sysctl.conf'''.
 
 
Also, if you do not want to use rkhunter, it is possible to replace it with [https://www.clamav.net/ clamav].
 
Both rkhunter and clamav help to raise the hardened index score.
 
 
==How could keep those change - How setting security==
 
 
Append /etc/sysctl.conf with these entries:
 
 
    hw.kbd.keymap_restrict_change=4
 
    kern.sugid_coredump=0
 
    net.inet.icmp.bmcastecho=0
 
    net.inet.icmp.drop_redirect=1
 
    net.inet.ip.accept_sourceroute=0
 
    net.inet.ip.check_interface=1
 
    net.inet.ip.forwarding=0
 
    net.inet.ip.process_options=0
 
    net.inet.ip.random_id=1
 
    net.inet.ip.redirect=0
 
    net.inet.ip.sourceroute=0
 
    net.inet.tcp.always_keepalive=0
 
    net.inet.tcp.blackhole=2
 
    net.inet.tcp.drop_synfin=1
 
    net.inet.tcp.icmp_may_rst=0
 
    net.inet.tcp.nolocaltimewait=1
 
    net.inet.tcp.path_mtu_discovery=0
 
    net.inet.udp.blackhole=1
 
    net.inet6.icmp6.rediraccept=0
 
    net.inet6.ip6.forwarding=0
 
    net.inet6.ip6.fw.enable=1
 
    net.inet6.ip6.redirect=0
 
    # The settings below will change the user experience
 
    security.bsd.hardlink_check_gid=1
 
    security.bsd.hardlink_check_uid=1
 
    security.bsd.see_other_gids=0
 
    security.bsd.see_other_uids=0
 
    security.bsd.stack_guard_page=1
 
    security.bsd.unprivileged_proc_debug=0
 
    security.bsd.unprivileged_read_msgbuf=0
 
 
==Additional Information==
 
 
* [https://www.freebsd.org/ports/security.html FreeBSD ports]
 
* [https://www.freebsd.org/doc/handbook/security.html FreeBSD Handbook: Security]
 
 
 
 
{|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000;text-align:center;padding: 10px"
 
|'''Back to the''' [[image:Icon Disti GhostBSD.png|50px|link=GhostBSD Wiki]]'''GhostBSD Wiki'''
 
 
|}
 
|}
  
  
 
[[Category:Station]]
 
[[Category:Station]]

Please note that all contributions to GhostBSD Wiki are considered to be released under the Creative Commons Attribution (see GhostBSD Wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel | Editing help (opens in new window)
Retrieved from "http://wiki.ghostbsd.org/index.php/Security"