Just a general query...
FreeBSD recommends some general system hardening setups and I wondered if they suited Ghost.
For rc.conf:
Ghost by default has this hardening option set:
These controls should be enabled [=1] unless there's a good reason not to do so:
security.bsd.see_other_uids=0
Hide processes running as other users
security.bsd.see_other_gids=0
Hide processes running as other groups
security.bsd.unprivileged_read_msgbuf=0
Disable reading kernel message buffer for unprivileged users
security.bsd.unprivileged_proc_debug=0
Disable process debugging facilities for unprivileged users
kern.randompid=$(jot -r 1 9999)
Randomise the pid of newly created processes
security.bsd.stack_guard_page=1
Insert stack guard page ahead of the growable segments
For sysctl.conf:
Are there other general use system variables / parameters to consider?
clear_tmp_enable="YES"
Clean the tmp file system on system starting
syslogd_flags="-ss"
Disable opening syslogd network socket (disables remote logging)
sendmail_enable="NONE"
Disable sendmail service
I added in terminal:
# sudo rc-update add cleartmp default
and it seems to work fine.
Thanks,
Steve
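An added example, not part of the post above: a POSIX sh check that compares a sysctl.conf-style file against the `security.bsd.*` values quoted in the post and reports anything missing or different. The function names and the sample file are constructed for illustration; pass the path of the file to audit (on FreeBSD these tunables are normally kept in /etc/sysctl.conf).

```shell
#!/bin/sh
# Added example. Baseline = sysctl pairs quoted in the post (kern.randompid omitted: random value).
BASELINE='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1'

# conf_value FILE NAME: print the last value assigned to NAME (nothing if unset).
conf_value() {
    awk -v k="$2" '
        { sub(/#.*/, ""); eq = index($0, "=") }      # drop comments, find "="
        eq > 0 {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            if (key == k) { out = val; found = 1 }   # later lines override earlier ones
        }
        END { if (found) print out }' "$1"
}

# audit_conf FILE: report each baseline entry; return the number of problems.
audit_conf() {
    bad=0
    for pair in $BASELINE; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$name")
        status=OK
        [ "$got" = "$want" ] || status=MISMATCH
        [ -n "$got" ] || status=MISSING
        [ "$status" = OK ] || bad=$((bad + 1))
        echo "$status $name=${got:-<unset>} (want $want)"
    done
    return "$bad"
}

# write_sample FILE: constructed sample input, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=1
security.bsd.unprivileged_read_msgbuf=0
#security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=0
security.bsd.stack_guard_page=1
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_conf "$sample" || echo "$? setting(s) need attention"; rm -f "$sample"
```

On a running system the effective value of any of these can be read with `sysctl -n <name>`, which also catches settings changed after boot.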