Proper FreeBSD system hardning :)(all for sysctl)
Uncategorized
2
Posts
2
Posters
12
Views
-
Proper FreeBSD system hardning :)
(all for sysctl)security.bsd.see_other_uids
security.bsd.see_other_gids
--> Don't show other users processessecurity.bsd.unprivileged_read_msgbuf
--> Don't allow unprivileges to read kernel buffer (dmesg)security.bsd.unprivileged_proc_debug
--> Don't allow unprivileged to use debuggingsecurity.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid
--> restrict hardlinks to same user/groupkern.elf64.aslr.enable
kern.elf32.aslr.enable
--> Enable kernel address randomization (ASLR)security.bsd.unprivileged_mlock
--> Restrict unprivileged users from loading kernel modulessysctl kern.securelevel=1
--> Cannot lower securelevel
--> Cannot write directly to mounted disks
--> Cannot write to /dev/mem or /dev/kmem
--> Cannot load/unload kernel modules
--> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
--> System immutable and append-only file flags cannot be removedThis can make a FreeBSD system more secure, especially on multi-user systems. Securelevel ca even go higher, but those restrictions generally need care.
#runbsd #freebsd #security #hardening #goodpractice #devops #sysadmin
-
Proper FreeBSD system hardning :)
(all for sysctl)security.bsd.see_other_uids
security.bsd.see_other_gids
--> Don't show other users processessecurity.bsd.unprivileged_read_msgbuf
--> Don't allow unprivileges to read kernel buffer (dmesg)security.bsd.unprivileged_proc_debug
--> Don't allow unprivileged to use debuggingsecurity.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid
--> restrict hardlinks to same user/groupkern.elf64.aslr.enable
kern.elf32.aslr.enable
--> Enable kernel address randomization (ASLR)security.bsd.unprivileged_mlock
--> Restrict unprivileged users from loading kernel modulessysctl kern.securelevel=1
--> Cannot lower securelevel
--> Cannot write directly to mounted disks
--> Cannot write to /dev/mem or /dev/kmem
--> Cannot load/unload kernel modules
--> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
--> System immutable and append-only file flags cannot be removedThis can make a FreeBSD system more secure, especially on multi-user systems. Securelevel ca even go higher, but those restrictions generally need care.
#runbsd #freebsd #security #hardening #goodpractice #devops #sysadmin
@Larvitz we enable a bunch of these (and more) by default in BastilleBSD
-
undefined stefano@mastodon.bsd.cafe shared this topic on
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@arrjay @SnoopJ the great thing about the Astral tools is they're not written in Python, so Python developers can't break it. Unlike every other tool that does the same things the Astral tools do, which break all the damned time.
I've never loved anything as much as Python developers love breaking backward compatibility, even for core functionality. Your CI worked yesterday and you think that means it'll work today? Don't be silly. pip, venv, pipenv, poetry, setuptools, etc. break all the time.
-
"Give us money and data, or your users' experience will suck" is, apparently, "balance".
-
@nina_kali_nina you can also use one to measure the height of buildings in a variety of novel and creative ways https://dspace.mit.edu/handle/1721.1/44215
-
@nina_kali_nina was it sales pressure that made you say this ? 😉
-
@nina_kali_nina ...for this? 😀 https://en.wikipedia.org/wiki/Barometer_question
-
@nina_kali_nina correct
-
@nina_kali_nina They are putting pressure on you.
-
Current* conditions near Marblehead, OH:
