SecureBSD is a major improvement to
FreeBSD security and control. After you finish a normal
FreeBSD install, (v3.4 or 4.0), installing the kernel modifications and additions provided by SecureBSD will greatly enhance the security of your
FreeBSD system. Installation is a breeze on a FreeBSD system; just download, untar it, and run the install script that comes with it. Then, recompile your kernel, add the lines you want (some are shown below) to your /etc/sysctl.conf file, and reboot; you're done. =)
You may be asking yourself, "but, why not just run OpenBSD?
OpenBSD supports alot of this stuff already!" .. yes, I know. But
OpenBSD also has a total lack of
SMP, so if you need to run a box with more than one processor, (a web server in my case), you're out of luck, and OpenBSD is not an option.
SecureBSD is a good alternative in that case. =)
Some of the benefits to installing
SecureBSD on top of
FreeBSD:
o Able to specify MDA (MD5/SHA1) hashes for files; the table containing the hashes will be loaded by the kernel. Any discrepencies between the hash and the file (even a tiny difference), and the system will refuse to execute the file. This helps prevent trojan'ed copies of ls, ps, find, top, passwd, login, sshd, etc from being installed and ran.
o Randomized PID #'s (woo! finally!!)
o Creates a new subfolder named "securebsd" in the /var/log folder, restricted to root, and logs your choice of activities (loooooong list; may log success or failures for about 400 things, including: chmod, chown, mknod, reboot, connect, etc, etc.. the list is quite long)
o Display ONLY the processes a user owns, even if they do 'ps aux' to show all - it will only display his.
o Random 'uname' responses (in progress)
o very tight ACL lists
o New syslog daemon (much more secure)
o Lots of new sysctl.conf options; here's a partial list from my own /etc/sysctl.conf file on FreeBSD 4:
net.inet.tcp.blackhole=1 : eat incoming tcp packets on any port with no services currently running (doesn't return a RST)
net.inet.udp.blackhole=1 : eat incoming udp packets on any port with no service running (prevents stealth scans)
net.inet.tcp.log_in_vain=1 : log any connect attempts to any port without a service running
securebsd.groups.restricted_procinfo=1 : restrict the "ps" display to only show processes that user's group started
securebsd.options.randompids=1 : use randomized pid #'s instead of consecutive pids for processes
securebsd.options.dynamic_uname=1 : return random uname info when queried (in progress)
securebsd.options.restricted_procinfo=1 : restrict ps / process info
securebsd.options.disable_promiscuous=1 : do not allow the
NIC to go into promiscuous mode. =)
securebsd.logging.success.mknod=1 : log successful
mknod's
securebsd.logging.success.chmod=1 : log successful
chmod's
securebsd.logging.success.chown=1 : log successful
chown's
securebsd.logging.success.reboot=1 : log any reboots
securebsd.logging.success.setuid=1 : log
setuid's
securebsd.logging.success.setgid=1 : log
setgid's
securebsd.logging.success.coredump=1 log
coredumps
securebsd.logging.success.promiscuous=1 : log if entering
promiscuous mode.
securebsd.logging.success.settimeofday=1 : log any system clock timechanges
it will of course email you regarding any of the above options should they occour as well. SecureBSD is still a work in progress, but is an incredible (and much needed) step forward in regards to
FreeBSD security. If they keep up the pace on their improvements,
SecureBSD might actually give my favorite
OS (
OpenBSD) a run for it's money. =)
Note: Keep in mind, SecureBSD is still a work in progress. This is their first (public) release, and although I have not had any problems with it on my test system, it doesn't mean that everything will necessarily go perfectly all the time. Also note, documentation is very thin; I had to dig through a sysctl -a to even dig up most of the systctl options that were available through SecureBSD -- but this should change soon, and documentation will be improved. I will probably add quite a bit more to this node after I've had another week to play with SecureBSD, and perhaps post some config suggestions for it, etc.
FreeBSD:
http://www.freebsd.org/
SecureBSD:
http://www.securebsd.com/