Friday, August 06, 2004

Nice little checklist for FreeBSD

http://www.sddi.net/FBSDSecCheckListaslist.html

This checklist is going to come in handy if I reinstall my FreeBSD system. I have made so many changes over the years, and I can use this to add to when I think of something. The checklist below was slightly modified to suit my needs.


FreeBSD Security Checklist as a List

Location of this document: http://www.sddi.net/FBSDSecCheckListaslist.html

Location of the full version: http://www.sddi.net/FBSDSecCheckList.html

Installation
____ separate slices for /(500MB), /tmp(400MB), /usr(33G), /usr/home(2G), /var(400MB), /storage(34G)
____ no inetd.conf, nfs or ntp
____ list ntp servers to use:________________ ________________
____ add /sysutils/rdate-1.0 & /security/chkrootkit-0.36
____ add non-privileged user account in wheel group
Users
____ vipw and remove toor user, rename Charlie&, change shells
____ vi /etc/group and add ssh:*:0:sshusergroup
motd
____ cp /etc/motd /etc/motd.old
____ rm /etc/motd
____ touch /etc/motd
____ vi /etc/motd and create
____ cp /etc/motd /etc/issue
/etc/ssh/sshd_config
____ port 22
____ protocol 2
____ #Hostkey /etc/ssh/ssh_host_key
____ PermitRootLogin no
____ MaxStartups 5:50:10
____ X11Forwarding no
____ PrintLastLog yes
____ SyslogFacility auth
____ LogLevel VERBOSE
____ PasswordAuthentication no
____ Banner /etc/issue
____ AllowGroups sshusers
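As an added example (not part of the sddi.net checklist or the original post), the script below audits an sshd_config against the directives listed in this section. The file paths, the sample configuration and the expected values are constructed here; the point it shows is that sshd honours the first occurrence of a keyword and ignores comments, so a hardened line appended below an earlier permissive one does nothing.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the checklist's directives.
# Not part of the original checklist; sample content below is constructed.

# Directives the checklist requires, as "Keyword value" pairs.
SSHD_REQUIRED='Protocol 2
PermitRootLogin no
X11Forwarding no
PasswordAuthentication no
LogLevel VERBOSE
Banner /etc/issue
AllowGroups sshusers'

# Print the effective value of one keyword. sshd_config keywords are
# case-insensitive, comments and blank lines are ignored, and the FIRST
# occurrence wins. Only the "Keyword value" form is handled here (not
# "Keyword=value"), and Match blocks of newer OpenSSH are not modelled.
sshd_effective() {   # $1 = config file, $2 = keyword
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit
        }
    ' "$1"
}

# Compare every required directive and print one finding per deviation.
# Exit status 0 when clean, 1 when anything deviates.
sshd_audit() {       # $1 = config file
    findings=$(printf '%s\n' "$SSHD_REQUIRED" | while read -r kw want; do
        got=$(sshd_effective "$1" "$kw")
        if [ -z "$got" ]; then
            echo "MISSING $kw (sshd default applies)"
        elif [ "$got" != "$want" ]; then
            echo "BAD $kw: want '$want', effective '$got'"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a permissive PermitRootLogin comes first, the "fix"
# appended at the bottom is ignored by sshd, and Banner is absent.
make_sample_sshd_config() {   # prints the path of a temporary file
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
protocol 2
PermitRootLogin yes
X11Forwarding no
PasswordAuthentication no
LogLevel VERBOSE
AllowGroups sshusers
# appended later, but the first PermitRootLogin line above wins:
PermitRootLogin no
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ] && [ -r "$1" ]; then sshd_audit "$1"; fi
```

On an OpenSSH new enough to support it, `sshd -T` prints the daemon's own view of the effective configuration and is the authoritative cross-check for what this script infers from the file.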
/etc/ssh/ssh_config
____ ForwardAgent no
____ ForwardX11 no
____ PasswordAuthentication no
____ CheckHostIP yes
____ Protocol 2
DSA Key Generation (as opposed to passwd)
____ su - {nonprivuser} as root
____ ssh-keygen -d
____ accept default ~/.ssh/id_dsa
____ enter passphrase twice
____ cd .ssh
____ cat id_dsa.pub > authorized_keys2
____ copy key to floppy, and confirm
____ delete key from server
rc.conf
____ inetd_enable="NO"
____ syslogd_enable="YES"
____ syslogd_flags="-ss"
____ icmp_drop_redirect="YES"
____ icmp_log_redirect="YES"
____ clear_tmp_enable="YES"
____ portmap_enable="NO"
____ icmp_bmcastecho="NO"
____ fsck_y_enable="YES"
____ update_motd="NO"
____ tcp_drop_synfin="YES"
____ log_in_vain="YES"
login.conf & auth.conf
____ vi /etc/login.conf
____ :passwd_format=blf:
____ :passwordtime=52d:
____ :mixpasswordcase=true:
____ :minpasswordlen=9:
____ :idletime=32:
____ cap_mkdb /etc/login.conf
____ confirm with vipw that password field starts with $2
____ confirm shells for users
____ vi /etc/auth.conf
____ crypt_default=blf
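The "confirm with vipw" steps in the Users and login.conf sections can be scripted. The following is an added example (not the checklist's own material): it reads a file in master.passwd format and reports a surviving toor account, any extra uid-0 account, empty password fields, and hashes that are not Blowfish (i.e. do not start with `$2`). The sample file and its hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a master.passwd-style
# file for the checklist's "confirm" steps.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell

passwd_audit() {   # $1 = path to a master.passwd-format file
    findings=$(awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments / blank lines
        NF < 10 { print "MALFORMED line " NR; next }
        {
            user = $1; hash = $2; uid = $3
            if (user == "toor") { print "TOOR " user ": account still present"; next }
            if (uid == 0 && user != "root") print "UID0 " user ": extra uid-0 account"
            if (hash == "") { print "EMPTY " user ": no password set"; next }
            if (hash == "*") next                     # locked account, nothing to check
            if (substr(hash, 1, 2) == "$2") next      # Blowfish: what passwd_format=blf produces
            if (substr(hash, 1, 3) == "$1$") kind = "md5"
            else if (length(hash) == 13) kind = "des"
            else kind = "unknown"
            print "HASH " user ": " kind " hash, not Blowfish"
        }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample (the hash strings are placeholders, not real hashes).
make_sample_master_passwd() {   # prints the path of a temporary file
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample master.passwd
root:$2a$04$placeholderplaceholderplaceholderplacehol:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$saltsalt$placeholderplaceholderplac:1001:1001::0:0:Alice:/usr/home/alice:/usr/local/bin/bash
bob:$2a$04$placeholderplaceholderplaceholderplacehol:1002:1002::0:0:Bob:/usr/home/bob:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Stand-alone use (needs root to read the real file): sh passwd_audit.sh /etc/master.passwd
if [ $# -eq 1 ] && [ -r "$1" ]; then passwd_audit "$1"; fi
```

Because the shadowed hashes live in /etc/master.passwd rather than /etc/passwd, the audit must be run as root, and the temporary sample file should be removed afterwards.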
sysctl.conf
____ vi /etc/sysctl.conf
____ net.inet.tcp.blackhole=2
____ net.inet.udp.blackhole=1
____ kern.ps_showallprocs=0
fstab
____ vi /etc/fstab
____ /tmp to rw,noexec
____ /usr/home to rw,nosuid,noexec
____ /floppy to rw,noauto,noexec,nosuid,nodev,noatime
____ /cdrom to ro,noauto
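Added example, not from the checklist or the original post: a check that the fstab entries carry the mount options listed above. Mount options are an unordered comma-separated set, so the check tests membership rather than string equality; the sample fstab and device names are constructed. One caveat worth knowing before applying noexec to /tmp: anything that builds or runs code under /tmp (ports builds with a work directory there, installers that unpack to /tmp) will fail until it is pointed elsewhere.

```shell
#!/bin/sh
# Added example: check /etc/fstab mount options against the checklist.
# Not part of the original; sample fstab content below is constructed.

# Required options per mountpoint, mirroring the fstab section of the checklist.
FSTAB_REQUIRED='/tmp noexec
/usr/home nosuid,noexec
/floppy noauto,noexec,nosuid,nodev,noatime
/cdrom ro,noauto'

# Print the option field of the entry for mountpoint $2 in fstab file $1.
# fstab fields: device mountpoint fstype options dump pass; '#' starts a comment.
fstab_options() {
    awk -v mp="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 == mp { print $4; exit }
    ' "$1"
}

# True when the comma-separated option list $1 contains exactly option $2
# (so "noexec" is not matched by a hypothetical "noexecute").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report mountpoints that are absent or lack a required option.
# Exit status 0 when clean, 1 otherwise.
fstab_audit() {   # $1 = fstab path
    findings=$(printf '%s\n' "$FSTAB_REQUIRED" | while read -r mp wanted; do
        opts=$(fstab_options "$1" "$mp")
        if [ -z "$opts" ]; then
            echo "MISSING $mp: no fstab entry"
            continue
        fi
        printf '%s\n' "$wanted" | tr ',' '\n' | while read -r o; do
            has_option "$opts" "$o" || echo "BAD $mp: lacks $o (has $opts)"
        done
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: /usr/home is missing noexec and there is no /floppy entry.
make_sample_fstab() {   # prints the path of a temporary file
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Device        Mountpoint  FStype  Options        Dump Pass
/dev/ad0s1b     none        swap    sw             0    0
/dev/ad0s1a     /           ufs     rw             1    1
/dev/ad0s1e     /tmp        ufs     rw,noexec      2    2
/dev/ad0s1f     /usr        ufs     rw             2    2
/dev/ad0s1g     /usr/home   ufs     rw,nosuid      2    2
/dev/acd0       /cdrom      cd9660  ro,noauto      0    0
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: sh fstab_audit.sh /etc/fstab
if [ $# -eq 1 ] && [ -r "$1" ]; then fstab_audit "$1"; fi
```

Checking fstab only verifies what the next mount will do; `mount` with no arguments shows the options currently in effect, which is what matters until the filesystem is remounted.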
crontab
____ chmod 600 /etc/crontab
____ touch /var/cron/allow and add users who can change cron jobs
____ chmod 600 /var/cron/deny
____ vi /var/cron/deny and add users to disallow
____ add 0 2 * * * root /usr/libexec/locate.updatedb
____ add 0 2 * * * root /usr/local/sbin/rdate {ntpserver}
____ add 1 3 * * * root /usr/local/sbin/chkrootkit
Kernel Changes /usr/src/sys/i386/conf/{kernelname}
____ #pseudo-device bpf
____ options SC_NO_HISTORY
____ options SC_DISABLE_REBOOT
____ options SC_DISABLE_DDBKEY
____ options TCP_DROP_SYNFIN
____ options RANDOM_IP_ID
____ options ICMP_BANDLIM
____ confirm settings in /usr/src/sys/i386/conf/LINT
____ rebuild kernel and reboot
File Permissions
____ chmod 700 /root
____ chmod 600 /etc/syslog.conf
____ chmod 600 /etc/rc.conf
____ chmod 600 /etc/newsyslog.conf
____ chmod 600 /etc/hosts.allow
____ chmod 600 /etc/login.conf
____ chmod 700 /usr/home/*
Network Time Protocol
____ vi /etc/ntp.conf
____ restrict default ignore
TCP Wrappers
____ vi /etc/hosts.allow
____ sshd : localhost : allow
____ sshd : x.x.x.x, x.x.x.x : allow
____ sshd : all : deny
____ ftpd : ALL : deny and so on for unused services
Console Access
____ vi /etc/ttys
____ first line: console none unknown off insecure
____ change secure to insecure on each tty
Bash Shell
____ vi /usr/share/skel/.bash_logout
____ clear
chflags
____ list files to sappnd & schg
Clean-up
____ sockstat -4
____ tcpdump -xX
