Piero Bosio Personal Social Web Site (Fediverse)

Social forum federated with the rest of the world. Instances don't count, people do.

Proper FreeBSD system hardening :) (all for sysctl)

  • Proper FreeBSD system hardening :)
    (all for sysctl)

    security.bsd.see_other_uids
    security.bsd.see_other_gids
    --> Don't show other users' processes

    security.bsd.unprivileged_read_msgbuf
    --> Don't allow unprivileged users to read the kernel buffer (dmesg)

    security.bsd.unprivileged_proc_debug
    --> Don't allow unprivileged users to use debugging

    security.bsd.hardlink_check_uid
    security.bsd.hardlink_check_gid
    --> restrict hardlinks to same user/group

    kern.elf64.aslr.enable
    kern.elf32.aslr.enable
    --> Enable kernel address randomization (ASLR)

    security.bsd.unprivileged_mlock
    --> Restrict unprivileged users from loading kernel modules

    sysctl kern.securelevel=1
    --> Cannot lower securelevel
    --> Cannot write directly to mounted disks
    --> Cannot write to /dev/mem or /dev/kmem
    --> Cannot load/unload kernel modules
    --> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
    --> System immutable and append-only file flags cannot be removed

    This can make a FreeBSD system more secure, especially on multi-user systems. Securelevel can even go higher, but those restrictions generally need care.
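Added as an example (not from the post, nor BastilleBSD's code): a POSIX sh audit that compares `sysctl -e` output against the values the post recommends and reports every knob that differs. The OID names are the post's own, the wanted values are the hardened settings, and the sample input is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Audit a FreeBSD host's sysctl values against the hardening knobs in the
# post. Input is `sysctl -e` output (name=value lines); on a real host:
#   sysctl -e -a | audit_sysctl
# Wanted values. kern.securelevel is audited too, but it is normally raised
# via rc.conf (kern_securelevel_enable/kern_securelevel), not sysctl.conf,
# and can never be lowered on a running system.
WANT='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
kern.elf64.aslr.enable=1
kern.elf32.aslr.enable=1
security.bsd.unprivileged_mlock=0
kern.securelevel=1'

# audit_sysctl: read name=value lines on stdin, print one line per knob
# that is missing or differs from WANT ("<name> <current>!=<wanted>");
# return 1 if anything is non-compliant, 0 otherwise.
audit_sysctl() {
    actual=$(cat)
    rc=0
    for pair in $WANT; do
        name=${pair%%=*}
        wanted=${pair#*=}
        current=$(printf '%s\n' "$actual" | awk -F= -v k="$name" '$1 == k { print $2; exit }')
        if [ "$current" != "$wanted" ]; then
            printf '%s %s!=%s\n' "$name" "${current:-missing}" "$wanted"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not captured from a real host): permissive defaults.
SAMPLE='security.bsd.see_other_uids=1
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=1
security.bsd.unprivileged_proc_debug=0
security.bsd.hardlink_check_uid=0
security.bsd.hardlink_check_gid=0
kern.elf64.aslr.enable=1
kern.elf32.aslr.enable=1
security.bsd.unprivileged_mlock=1
kern.securelevel=-1'

printf '%s\n' "$SAMPLE" | audit_sysctl || echo "some knobs differ from the recommended values"
```

Persist the non-securelevel knobs in /etc/sysctl.conf and re-run the audit after a reboot, since a value set only with `sysctl` at the shell does not survive one.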

  • @Larvitz we enable a bunch of these (and more) by default in BastilleBSD

  • stefano@mastodon.bsd.cafe shared this topic
