##########################################
# Settings file for harden-freebsd.py
#
# No section can be entirely commented out
# No section can be completely empty
# Harmless to re-run same settings
#
# Settings can be changed as many
# times as needed; re-run script.
# 
##########################################


[STARTUP]
kern_securelevel_enable = "YES"
microcode_update_enable = "YES"
sendmail_enable = "NONE"
sendmail_outbound_enable = "NO"
sendmail_submit_enable = "NO"
sendmail_msp_queue_enable = "NO"
syslogd_flags = "-ss"
clear_tmp_enable = "YES"
icmp_drop_redirect = "YES"
inetd_enable = "NO"
portmap_enable = "NO"
update_motd = "NO"


[SYSTEM]
kern.securelevel = 1
security.bsd.see_other_uids = 0
security.bsd.see_other_gids = 0
security.bsd.see_jail_proc = 0
security.bsd.unprivileged_read_msgbuf = 0
kern.randompid = 107
kern.ipc.maxsockbuf=67108864
net.inet.tcp.sendbuf_max=67108864
net.inet.tcp.recvbuf_max=67108864
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.cc.algorithm=htcp
net.inet.ip.random_id = 1
net.inet.ip.redirect = 0
net.inet.tcp.always_keepalive = 0
net.inet.tcp.blackhole = 2
net.inet.udp.blackhole = 1
net.inet.tcp.path_mtu_discovery = 0
net.inet.icmp.drop_redirect = 1
net.inet6.icmp6.rediraccept = 0
net.inet.tcp.drop_synfin = 1
hw.mds_disable = 3
hw.spec_store_bypass_disable = 1
kern.elf64.allow_wx = 0



[KERNEL]
security.bsd.allow_destructive_dtrace = "0"
hw.ibrs_disable = "1"


[FILESEC]
lockout_other_group = chmod o= /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf /etc/syslog.conf /etc/ttys /etc/crontab /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch /var/log
lockdown_root = chmod 710 /root


[USERSEC]
set_cron_root_only = echo "root" | tee /var/cron/allow /var/at/at.allow > /dev/null
enable_blowfish_passwords = sed -i .original 's/passwd_format=sha512/passwd_format=blf/g' /etc/login.conf
enable_password_reset = sed -i .original 's/^default.*/& \n\t:passwordtime=120d:\\/' /etc/login.conf
reset_login = cap_mkdb /etc/login.conf                                                                                                                               
pkg_security_check = pkg audit -Fr > pkg-audit-report

[SCRIPT]
first_run = True