Are FreeBSD Hardening setups suitable for GhostBSD?

nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Are FreeBSD Hardening setups suitable for GhostBSD?

Post by nevets »

Hi,
Just a general query...
FreeBSD recommends some general system hardening setups and I wondered if they suited Ghost.
For rc.conf:
These controls should be enabled [=1] unless there’s a good reason not to do so:
security.bsd.see_other_uids=0
Hide processes running as other users
security.bsd.see_other_gids=0
Hide processes running as other groups
security.bsd.unprivileged_read_msgbuf=0
Disable reading kernel message buffer for unprivileged users
security.bsd.unprivileged_proc_debug=0
Disable process debugging facilities for unprivileged users
kern.randompid=$(jot -r 1 9999)
Randomise the pid of newly created processes
Ghost by default has this hardening option set:
security.bsd.stack_guard_page=1
Insert stack guard page ahead of the growable segments
For sysctl.conf:
clear_tmp_enable="YES"
Clean the tmp file system on system starting
syslogd_flags="-ss"
Disable opening syslogd network socket (disables remote logging)
sendmail_enable="NONE"
Disable sendmail service
Are there other general use system variables / parameters to consider?
I added in terminal:
# sudo rc-update add cleartmp default
and it seems to work fine.
Thanks,
Steve
USNCPOSharky
Posts: 13
Joined: Wed Jun 30, 2021 7:51 am

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by USNCPOSharky »

Nice Find and yes this would be very valuable to know if it is indeed applicable to GhostBSD.
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by ericbsd »

In GhostBSD sendmail is removed from the base, cleartmp works. For syslogd_flags="-ss" I have not looked at whether that works on GhostBSD.

As for all the security.* they should all work, but be aware some could break the GUI user experience.
nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by nevets »

Thanks Eric for the guidance - I'll have a play...
nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by nevets »

ericbsd wrote: Mon Aug 09, 2021 8:53 am In GhostBSD sendmail is removed from the base, cleartmp works. For syslogd_flags="-ss" I have not looked at whether that works on GhostBSD.

As for all the security.* they should all work, but be aware some could break the GUI user experience.
To test the settings I set up two configuration files:
/etc/sysctl.d/myghost.core.conf
with the content...
# Set the Indirect Branch Restricted Speculation (IBRS) fix for Spectre v2
hw.ibrs_disable=0
# Disable process debugging facilities for unprivileged users
security.bsd.unprivileged_proc_debug=0
# Hide processes running as other users
security.bsd.see_other_uids=0
# Hide processes running as other groups
security.bsd.see_other_gids=0
# Disable reading kernel message buffer for unprivileged users
security.bsd.unprivileged_read_msgbuf=0
and
/etc/rc.conf.d/myghost-conf.conf
with the content
# Disable opening syslogd network socket (disables remote logging)
syslogd_flags="-ss"

This all works fine so far when using a vpn, firefox for webmail, MATE update station, MATE software station and Linphone voip webcam/audio.

However, the setting to randomise the pid of newly created processes
kern.randompid=$(jot -r 1 9999)
throws a fault in the logs so doesn't seem a suitable setting.
ERROR sysctl: invalid integer '$(jot'
* Unable to configure some kernel parameters
[ !! ]
* ERROR: sysctl failed to start
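The failure quoted above comes from the file format itself: /etc/sysctl.conf and /etc/sysctl.d/*.conf are read as literal key=value pairs, no shell ever runs over them, so `$(jot -r 1 9999)` reaches sysctl(8) unexpanded. The script below is an added example, not code from this thread or from GhostBSD. It checks a sysctl.conf-style file for exactly that class of mistake (unexpanded shell substitutions, non-integer values for the integer knobs listed in the first post), rewrites the kern.randompid line with a literal number chosen in the shell (portable awk stands in for jot(1); a nonzero value turns randomisation on), and then compares the wanted values with the "key: value" lines sysctl(8) prints, the check you would run after a reboot to confirm the settings took. The two input files are constructed samples, not captured from any real machine.

```sh
#!/bin/sh
# Added example, not code from the thread or from GhostBSD: check a
# sysctl.conf-style file the way the boot-time sysctl(8) run sees it, and
# compare the wanted hardening values with what a running system reports.
# Assumed format: "key=value" lines with '#' comments, as in /etc/sysctl.conf
# and /etc/sysctl.d/*.conf. All sample data below is constructed.

# validate_sysctl_file FILE: one line per problem on stdout, returns 1 if any.
# No shell interprets the file at boot, so "$(jot -r 1 9999)" reaches sysctl(8)
# literally; that is the "invalid integer '$(jot'" error quoted above.
validate_sysctl_file() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                               # drop comments
        _line=$(printf '%s' "$_line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$_line" ] && continue
        case $_line in
            *=*) _key=${_line%%=*}; _val=${_line#*=} ;;
            *)   echo "no '=' in: $_line"; _bad=1; continue ;;
        esac
        case $_val in
            *'$('*|*'`'*|*'${'*)
                echo "$_key: shell substitution is never expanded here: $_val"
                _bad=1; continue ;;
        esac
        case $_key in                                    # integer-valued knobs
            security.bsd.*|kern.randompid)
                case $_val in
                    ''|*[!0-9]*) echo "$_key: not an integer: $_val"; _bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return $_bad
}

# random_pid_value: pick the value in the shell, where $(...) does expand.
# Portable awk stands in for the jot(1) call in the FreeBSD hint.
random_pid_value() { awk 'BEGIN { srand(); print int(rand() * 9999) + 1 }'; }

# fix_randompid FILE: rewrite the kern.randompid line with a literal number.
fix_randompid() {
    awk -v pid="$(random_pid_value)" '
        /^[[:space:]]*kern\.randompid[[:space:]]*=/ { print "kern.randompid=" pid; next }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# compare_sysctl DESIRED CURRENT: DESIRED is key=value; CURRENT holds "key: value"
# lines as printed by `sysctl security.bsd kern.randompid`. Prints each mismatch
# as "key wanted got" and returns the mismatch count.
compare_sysctl() {
    awk '
        FNR == NR { sub(/#.*/, ""); if ($0 !~ /=/) next;
                    split($0, kv, "="); gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
                    want[kv[1]] = kv[2]; next }
        { split($0, kv, ":"); gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
          have[kv[1]] = kv[2] }
        END { n = 0
              for (k in want) {
                  if (!(k in have))            { print k, want[k], "(not reported)"; n++ }
                  else if (have[k] != want[k]) { print k, want[k], have[k]; n++ }
              }
              exit n }' "$1" "$2"
}

# write_samples DIR: constructed inputs modelled on the file in this thread and
# on the shape of sysctl(8) output; not captured from any real machine.
write_samples() {
    cat > "$1/myghost.core.conf" <<'EOF'
# Hide processes running as other users / groups
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 9999)
EOF
    cat > "$1/current.txt" <<'EOF'
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 1
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.unprivileged_proc_debug: 1
kern.randompid: 0
EOF
}

# run_demo: validate, fix, re-validate, compare; prints
# "<problems before> <problems after> <mismatches>", i.e. "1 0 3" for the samples.
run_demo() {
    _tmp=$(mktemp -d)
    write_samples "$_tmp"
    _before=$(validate_sysctl_file "$_tmp/myghost.core.conf" | awk 'END { print NR }')
    fix_randompid "$_tmp/myghost.core.conf"
    _after=$(validate_sysctl_file "$_tmp/myghost.core.conf" | awk 'END { print NR }')
    compare_sysctl "$_tmp/myghost.core.conf" "$_tmp/current.txt" >/dev/null && _mis=0 || _mis=$?
    rm -rf "$_tmp"
    echo "$_before $_after $_mis"
}

run_demo
```

On a real box you would feed compare_sysctl the live output, e.g. `sysctl security.bsd kern.randompid > current.txt`, after the reboot; the three mismatches in the sample are what a partially applied file looks like (the run aborted at the bad line, so later knobs kept their defaults). Running validate_sysctl_file before rebooting catches the bad line while it is still cheap to fix.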
security_lover
Posts: 45
Joined: Thu Apr 22, 2021 9:54 am

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by security_lover »

Since OpenBSD's main focus is on security I am eager to know.
Q1) What extra security features does OpenBSD have that FreeBSD/GhostBSD doesn't?
Q2) When it comes to security, are GhostBSD and FreeBSD equal? Or is there some loss of security to make GhostBSD suitable for desktop use?
I am paranoid about security ! :lol:
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by ericbsd »

security_lover wrote: Sat Aug 28, 2021 10:34 am Since OpenBSD's main focus is on security I am eager to know.
Q1) What extra security features does OpenBSD have that FreeBSD/GhostBSD doesn't?
I know little about OpenRC, so I have no idea.
security_lover wrote: Sat Aug 28, 2021 10:34 am Q2) When it comes to security, are GhostBSD and FreeBSD equal? Or is there some loss of security to make GhostBSD suitable for desktop use?
If you run lynis on GhostBSD and FreeBSD, GhostBSD pulls ahead a bit. This is because GhostBSD comes with ipfs enabled by default.

Also, some work has been done lately to make the user's home folder more private and safer with permission mode 700 by default.

I do not claim that GhostBSD is more secure than FreeBSD because GhostBSD comes with more software by default.
Morty
Posts: 10
Joined: Mon Sep 20, 2021 8:22 am

Re: Are FreeBSD Hardening setups suitable for GhostBSD?

Post by Morty »

If you run lynis on GhostBSD and FreeBSD, GhostBSD pulls ahead a bit. This is because GhostBSD comes with ipfs enabled by default.

Also, some work has been done lately to make the user's home folder more private and safer with permission mode 700 by default.

I do not claim that GhostBSD is more secure than FreeBSD because GhostBSD comes with more software by default.
I installed lynis, too. It's in Software Station. After installing it,

sudo lynis audit system
runs it in terminal. Lots of info output. From the bottom of the output, scrolling up a little way to 'lynis security scan details' and 'hardening index' rates it. Rating of 62 is what is there for my scans without executing any further security options. I hear that's pretty good.
Software Station installs version 3.0.3. Latest version is 3.0.6, and I get a prompt to upgrade to the latest version in the output.