My GhostBSD hardening script

Post by wravoc »

Hello all, 20-year Security Professional here. I'm focused on BSD security these days, writing security scripts for each of them. My FreeBSD hardening script was successful and as soon as I tried GhostBSD I knew it had to be the first "port". Excellent work!

This hardening script, not to be confused with HardenedBSD.org, is a Python script that sets all the recommended directives in each of the confs, sets key directory permissions to remove other from system files, changes the password cipher to Blowfish (many researchers are convinced this is better than SHA512, including Google Engineers, I can post links), password expiration, etc.

What would take an experienced operator an hour or so can be done in seconds. As well as general OS hardening, I made an AMD Zenbleed workaround script in accordance with the current Security Research.

I spent a couple of days testing my script against the default latest GhostBSD install, and one thing I want to bring up first is that Firefox and Chromium are using shared memory access, which the security community sees as a definite vulnerability no matter what the software is, except maybe databases, but web browser shared memory is the worst!

As it is, the only browser that passed my security settings and works on this forum is Qutebrowser! Librewolf does not render this forum site correctly.

If you do decide that a secure GhostBSD is for you, please do not disable the setting to run Chromium! Only recently has Firefox brought this insecurity back after removing it on all platforms and I expect them to remove the vulnerability soon.

However, right now Chrome has a slew of high CVEs attributed to them. Most of our lives go through the web browser: Bank Accounts, Federal Documents, etc., so there you have it.

I also included some nice wallpapers with my own logo design. I used some classic visual art brain tricks in there to make it more "ghostly". The dots on the right center are not bigger than the others! If the GhostBSD Founder, Team would like to use them for free, I'm ready to give free license, just contact me ;)

I also included a PDF visual "man hier" so you can see the directory structure of GhostBSD at a glance. Hope you like it! Open up any issues you may find.

https://github.com/wravoc/harden-ghostbsd


Backup
https://bitbucket.org/quadhelion-engine ... n-ghostbsd

- Elias Griffin
--
Elias Christopher Griffin
https://www.eliasgriffin.com
https://www.quadhelion.engineering
https://www.linkedin.com/in/eliasgriffin
https://github.com/wravoc
https://wravoc.blog
https://eliasgriffin.substack.com
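
A read-only check for two of the settings the post mentions (Blowfish password format and password expiration) plus the "other" permission bits, as an added example that is not part of the original post or of the harden-ghostbsd script. It assumes FreeBSD's login.conf(5) capabilities `passwd_format` and `passwordtime`; the sample file contents and the class name `hardened` are constructed.

```python
import os
import stat

# Constructed sample in login.conf(5) format, not taken from a real system.
SAMPLE_LOGIN_CONF = """\
default:\\
\t:passwd_format=sha512:\\
\t:umask=022:
# constructed class with the two settings applied
hardened:\\
\t:passwd_format=blf:\\
\t:passwordtime=90d:\\
\t:umask=027:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf(5) text."""
    classes, current = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # entry continues on the next line
            current += line[:-1]
            continue
        fields = [f.strip() for f in (current + line).split(":")]
        current = ""
        caps = dict(f.partition("=")[::2] for f in fields[1:] if f)
        for name in fields[0].split("|"):  # a class may carry aliases
            classes[name] = caps
    return classes

def audit_login_class(text, name="default"):
    """List deviations from the two password settings for one login class."""
    caps = parse_login_conf(text).get(name)
    if caps is None:
        return [f"class {name!r} not found"]
    findings = []
    if caps.get("passwd_format") != "blf":
        findings.append(f"passwd_format={caps.get('passwd_format')} (expected blf)")
    if "passwordtime" not in caps:
        findings.append("passwordtime not set (no password expiration)")
    return findings

def other_accessible(paths):
    """Return the paths whose mode still grants any permission to 'other'."""
    return [p for p in paths if stat.S_IMODE(os.stat(p).st_mode) & 0o007]

if __name__ == "__main__":
    print(audit_login_class(SAMPLE_LOGIN_CONF))
```

On a live system the text file is only the source: edits to `/etc/login.conf` take effect after `cap_mkdb /etc/login.conf` rebuilds the capability database.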