Proper FreeBSD system hardning :)(all for sysctl)
Uncategorized
2
Posts
2
Posters
11
Views
-
Proper FreeBSD system hardning :)
(all for sysctl)security.bsd.see_other_uids
security.bsd.see_other_gids
--> Don't show other users processessecurity.bsd.unprivileged_read_msgbuf
--> Don't allow unprivileges to read kernel buffer (dmesg)security.bsd.unprivileged_proc_debug
--> Don't allow unprivileged to use debuggingsecurity.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid
--> restrict hardlinks to same user/groupkern.elf64.aslr.enable
kern.elf32.aslr.enable
--> Enable kernel address randomization (ASLR)security.bsd.unprivileged_mlock
--> Restrict unprivileged users from loading kernel modulessysctl kern.securelevel=1
--> Cannot lower securelevel
--> Cannot write directly to mounted disks
--> Cannot write to /dev/mem or /dev/kmem
--> Cannot load/unload kernel modules
--> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
--> System immutable and append-only file flags cannot be removedThis can make a FreeBSD system more secure, especially on multi-user systems. Securelevel ca even go higher, but those restrictions generally need care.
#runbsd #freebsd #security #hardening #goodpractice #devops #sysadmin
-
Proper FreeBSD system hardning :)
(all for sysctl)security.bsd.see_other_uids
security.bsd.see_other_gids
--> Don't show other users processessecurity.bsd.unprivileged_read_msgbuf
--> Don't allow unprivileges to read kernel buffer (dmesg)security.bsd.unprivileged_proc_debug
--> Don't allow unprivileged to use debuggingsecurity.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid
--> restrict hardlinks to same user/groupkern.elf64.aslr.enable
kern.elf32.aslr.enable
--> Enable kernel address randomization (ASLR)security.bsd.unprivileged_mlock
--> Restrict unprivileged users from loading kernel modulessysctl kern.securelevel=1
--> Cannot lower securelevel
--> Cannot write directly to mounted disks
--> Cannot write to /dev/mem or /dev/kmem
--> Cannot load/unload kernel modules
--> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
--> System immutable and append-only file flags cannot be removedThis can make a FreeBSD system more secure, especially on multi-user systems. Securelevel ca even go higher, but those restrictions generally need care.
#runbsd #freebsd #security #hardening #goodpractice #devops #sysadmin
@Larvitz we enable a bunch of these (and more) by default in BastilleBSD
-
undefined stefano@mastodon.bsd.cafe shared this topic on
Gli ultimi otto messaggi ricevuti dalla Federazione
-
-
2 5 100 6 7
-
@Gina for the record, I'm faving the "amazing weekend" part :3
-
@NicholasLaney ogni riferimento a fatti di cronaca è puramente casuale
-
“Rogita-San,” dice l’amica Jap, “io adesso seguo tre brand da Italia per Giappone. Dovrei comprare qualcosa da loro per promuovere ma questa stagione materiali davvero bruttissimi. Proprio peggio nè. Prima vestiti erano meglio, non sono sono riuscita a comprare niente.”
Pausa. “Ma tanto io vecchia ormai, sono scusata.” Risatina.(E io che non sono capace di rifilare schifezze agli altri mi sento tanto ebete).
-
don't forget to pat your domesticated rocks
-
Una tavola di lookup è cosciente?
@aitech - Un interessante punto di vista filosofico, pensando agli attuali LLM
-
Aaand I'm back at work again after an amazing weekend at #FOSDEM 🥲
