##########################################
# Settings file for harden-freebsd.py
#
# No section may be entirely commented out
# and no section may be completely empty.
# Re-running the script with the same
# settings is harmless.
#
# Settings can be changed as many times as
# needed; re-run the script to apply them.
#
##########################################
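[STARTUP]
# rc.conf(5) knobs. Values keep their double quotes because rc.conf is sh
# syntax; presumably the script copies them verbatim - confirm.
# NOTE(review): rc.d/securelevel only raises the level when kern_securelevel
# (default -1 in /etc/defaults/rc.conf) is >= 0, so this knob alone does
# nothing; the kern.securelevel entry in [SYSTEM] is what sets level 1 at
# boot. Add kern_securelevel = "1" here if the rc.d path is wanted as well.
kern_securelevel_enable = "YES"
# Loads CPU microcode at boot; needs the microcode package (devcpu-data or
# cpu-microcode) installed, otherwise the rc script has nothing to load.
microcode_update_enable = "YES"
# "NONE" is documented as deprecated in rc.sendmail(8); "NO" together with
# the three per-daemon knobs below disables every sendmail instance.
sendmail_enable = "NO"
sendmail_outbound_enable = "NO"
sendmail_submit_enable = "NO"
sendmail_msp_queue_enable = "NO"
# -ss: secure mode and no network socket at all (no remote logging in
# either direction).
syslogd_flags = "-ss"
# Wipe /tmp at boot.
clear_tmp_enable = "YES"
# Same effect as net.inet.icmp.drop_redirect = 1 in [SYSTEM].
icmp_drop_redirect = "YES"
inetd_enable = "NO"
# rc.d/rpcbind reads rpcbind_enable; portmap_enable is the historic name
# and is ignored by current releases (the default is NO in either case).
rpcbind_enable = "NO"
# Do not regenerate /etc/motd with the running kernel version at boot.
update_motd = "NO"
# pf needs a ruleset at /etc/pf.conf (the pf_rules default); rc.d/pf lists
# it as a required file and will not start without it. pflog provides the
# pflog0 logging interface.
pf_enable = "YES"
pflog_enable = "YES"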
[SYSTEM]
# sysctl.conf(5) values; applied at boot by rc.d/sysctl and presumably at
# runtime by the script - confirm. All of these are runtime-settable.
# Securelevel only ever goes up while the system runs; lowering it again
# needs a reboot. At 1 the system immutable/append-only file flags can no
# longer be cleared and kernel modules can no longer be loaded or unloaded.
kern.securelevel = 1
# Hide other users' processes, and jail processes, from unprivileged users.
security.bsd.see_other_uids = 0
security.bsd.see_other_gids = 0
security.bsd.see_jail_proc = 0
# Kernel message buffer (dmesg) becomes readable by root only.
security.bsd.unprivileged_read_msgbuf = 0
# NOTE(review): older releases treat this as a PID modulus, newer ones as a
# plain on/off switch - confirm against the target release's sysctl
# description before relying on the value 107.
kern.randompid = 107
# Randomize the IP ID field instead of counting up.
net.inet.ip.random_id = 1
# Do not emit ICMP redirects.
net.inet.ip.redirect = 0
net.inet.tcp.always_keepalive = 0
# tcp 2 = silently drop every segment aimed at a closed port (no RST);
# udp 1 = no ICMP port-unreachable for closed ports. See blackhole(4).
net.inet.tcp.blackhole = 2
net.inet.udp.blackhole = 1
# Disables path MTU discovery. Large packets crossing a path with a smaller
# MTU may then be dropped without notice - a reachability trade-off rather
# than a pure hardening gain; keep an eye on connections that stall.
net.inet.tcp.path_mtu_discovery = 0
# Ignore ICMP and ICMPv6 redirects (same knob as icmp_drop_redirect in
# [STARTUP]).
net.inet.icmp.drop_redirect = 1
net.inet6.icmp6.rediraccept = 0
# Drop segments with both SYN and FIN set.
net.inet.tcp.drop_synfin = 1
# CPU side-channel mitigations: mds 3 = automatic (mitigation on),
# spec_store_bypass_disable 1 = SSBD on.
hw.mds_disable = 3
hw.spec_store_bypass_disable = 1
# Refuse W^X-violating mappings for 64-bit binaries (13.x and later; JIT-heavy
# software may need an exception). NOTE(review): kern.elf32.allow_wx is not
# set, so 32-bit compat binaries stay unrestricted - confirm that is intended.
kern.elf64.allow_wx = 0
[KERNEL]
# Presumably written to /boot/loader.conf (values are quoted, unlike
# [SYSTEM]) - confirm in the script.
# Forbid DTrace destructive actions (panic(), system(), ...) even for root.
security.bsd.allow_destructive_dtrace = "0"
# NOTE(review): 1 here turns the IBRS Spectre-v2 mitigation OFF, which is
# also FreeBSD's default, so this line hardens nothing. The "_disable" in
# this name refers to the mitigation - the opposite sense of
# hw.spec_store_bypass_disable = 1 in [SYSTEM]. A hardening profile most
# likely wants "0" (IBRS on); confirm the intent and the CPU cost first.
hw.ibrs_disable = "1"
[FILESEC]
# Shell commands run by the script. chmod o= strips every permission for
# "other" on the listed files and directories.
# NOTE(review): /etc/group and /etc/hosts unreadable to others will likely
# break group-name lookups (id, ls -l show numbers) and /etc/hosts
# resolution for unprivileged processes; test an ordinary user session after
# applying. /var/log becomes untraversable for non-root as well.
lockout_other_group = chmod o= /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf /etc/syslog.conf /etc/ttys /etc/crontab /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch /var/log
# 710: the owning group may still traverse /root (not list it); 700 would
# close that too - presumably deliberate for wheel, confirm.
lockdown_root = chmod 710 /root
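[USERSEC]
# Shell commands run by the script (the pipes and redirections need a shell).
# Only root may use cron(8) and at(1): the allow files take precedence over
# the deny files.
set_cron_root_only = echo "root" | tee /var/cron/allow /var/at/at.allow > /dev/null
# Tighten the login.conf default umask; only rewrites an existing umask=022.
enable_harden_umask = sed -i .original3 's/umask=022/umask=027/g' /etc/login.conf
# New password hashes use bcrypt; existing sha512 hashes stay until each
# password is changed.
enable_blowfish_passwords = sed -i .original 's/passwd_format=sha512/passwd_format=blf/g' /etc/login.conf
# Append :passwordtime=120d: after the "default:\" line. The grep guard keeps
# a re-run from inserting a second copy (the file header promises re-runs
# are harmless). The replacement has no space between & and \n: a space
# there would land right after the continuation backslash and end the
# default record early. The backup suffix is .original2 so this does not
# overwrite the backup taken by the line above.
# NOTE(review): verify on a scratch copy that this sed expands \t as a tab
# on the target release.
enable_password_reset = grep -q ':passwordtime=120d:' /etc/login.conf || sed -i .original2 's/^default.*/&\n\t:passwordtime=120d:\\/' /etc/login.conf
# Rebuild login.conf.db; without it none of the edits above take effect.
reset_login = cap_mkdb /etc/login.conf
# -F fetches a fresh vulnerability database first; the report is written to
# pkg-audit-report relative to the script's working directory.
pkg_security_check = pkg audit -Fr > pkg-audit-report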
[SCRIPT]
# State flag for harden-freebsd.py; presumably flipped after the first
# successful run so later runs skip one-time steps - confirm in the script.
first_run = True