aboutsummaryrefslogtreecommitdiff
path: root/documentation/content/en/books/handbook/security/_index.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'documentation/content/en/books/handbook/security/_index.adoc')
-rw-r--r--documentation/content/en/books/handbook/security/_index.adoc2786
1 files changed, 1189 insertions, 1597 deletions
diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc
index 4d60f4012b..9f7d1566be 100644
--- a/documentation/content/en/books/handbook/security/_index.adoc
+++ b/documentation/content/en/books/handbook/security/_index.adoc
@@ -1,10 +1,13 @@
---
-title: Chapter 14. Security
+title: Chapter 16. Security
part: Part III. System Administration
prev: books/handbook/boot
next: books/handbook/jails
description: Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must
-tags: ["security", "one-time passwords", "TCP Wrapper", "Kerberos", "OpenSSL", "IPsec", "OpenSSH", "ACL", "advisories", "sudo", "doas", "monitoring"]
+tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "capsicum", "monitoring"]
+showBookMenu: true
+weight: 20
+path: "/books/handbook/security/"
---
[[security]]
@@ -15,64 +18,60 @@ tags: ["security", "one-time passwords", "TCP Wrapper", "Kerberos", "OpenSSL", "
:icons: font
:sectnums:
:sectnumlevels: 6
+:sectnumoffset: 16
+:partnums:
:source-highlighter: rouge
:experimental:
-:skip-front-matter:
-:xrefstyle: basic
-:relfileprefix: ../
-:outfilesuffix:
-:sectnumoffset: 14
-
-ifeval::["{backend}" == "html5"]
-:imagesdir: ../../../../images/books/handbook/security/
-endif::[]
-
-ifeval::["{backend}" == "pdf"]
-:imagesdir: ../../../../static/images/books/handbook/security/
-endif::[]
+:images-path: books/handbook/security/
-ifeval::["{backend}" == "epub3"]
-:imagesdir: ../../../../static/images/books/handbook/security/
+ifdef::env-beastie[]
+ifdef::backend-html5[]
+:imagesdir: ../../../../images/{images-path}
endif::[]
-
+ifndef::book[]
include::shared/authors.adoc[]
+include::shared/mirrors.adoc[]
include::shared/releases.adoc[]
-include::shared/en/mailing-lists.adoc[]
-include::shared/en/teams.adoc[]
-include::shared/en/urls.adoc[]
+include::shared/attributes/attributes-{{% lang %}}.adoc[]
+include::shared/{{% lang %}}/teams.adoc[]
+include::shared/{{% lang %}}/mailing-lists.adoc[]
+include::shared/{{% lang %}}/urls.adoc[]
+toc::[]
+endif::[]
+ifdef::backend-pdf,backend-epub3[]
+include::../../../../../shared/asciidoctor.adoc[]
+endif::[]
+endif::[]
+ifndef::env-beastie[]
toc::[]
+include::../../../../../shared/asciidoctor.adoc[]
+endif::[]
[[security-synopsis]]
== Synopsis
-Security, whether physical or virtual, is a topic so broad that an entire industry has evolved around it.
Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must.
In this chapter, several fundamentals and techniques will be discussed.
The FreeBSD system comes with multiple layers of security, and many more third party utilities may be added to enhance security.
-After reading this chapter, you will know:
+This chapter covers:
* Basic FreeBSD system security concepts.
* The various crypt mechanisms available in FreeBSD.
-* How to set up one-time password authentication.
-* How to configure TCP Wrapper for use with man:inetd[8].
+* How to configure TCP Wrappers for use with man:inetd[8].
* How to set up Kerberos on FreeBSD.
-* How to configure IPsec and create a VPN.
* How to configure and use OpenSSH on FreeBSD.
+* How to use OpenSSL on FreeBSD.
* How to use file system ACLs.
* How to use pkg to audit third party software packages installed from the Ports Collection.
* How to utilize FreeBSD security advisories.
* What Process Accounting is and how to enable it on FreeBSD.
* How to control user resources using login classes or the resource limits database.
+* What is Capsicum and a basic example.
-Before reading this chapter, you should:
-
-* Understand basic FreeBSD and Internet concepts.
-
-Additional security topics are covered elsewhere in this Handbook.
-For example, Mandatory Access Control is discussed in crossref:mac[mac,Mandatory Access Control] and Internet firewalls are discussed in crossref:firewalls[firewalls,Firewalls].
+Certain topics due to their complexity are found in dedicated chapters such as crossref:firewalls[firewalls,Firewalls], crossref:mac[mac,Mandatory Access Control] and articles like extref:{vpn-ipsec}[VPN over IPsec].
[[security-intro]]
== Introduction
@@ -82,7 +81,7 @@ A weak entry point in any system could allow intruders to gain access to critica
One of the core principles of information security is the CIA triad, which stands for the Confidentiality, Integrity, and Availability of information systems.
The CIA triad is a bedrock concept of computer security as customers and users expect their data to be protected.
-For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availablility).
+For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availability).
To provide CIA, security professionals apply a defense in depth strategy.
The idea of defense in depth is to add several layers of security to prevent one single layer failing and the entire security system collapsing.
@@ -103,57 +102,39 @@ The policy should include the security configuration of workstations, desktops,
In many cases, standard operating procedures (SOPs) already exist.
When in doubt, ask the security team.
-The rest of this introduction describes how some of these basic security configurations are performed on a FreeBSD system.
-The rest of this chapter describes some specific tools which can be used when implementing a security policy on a FreeBSD system.
+[[sec-accounts]]
+== Securing Accounts
+
+Maintaining secure accounts in FreeBSD is crucial for data confidentiality, system integrity, and privilege separation, as it prevents unauthorized access, malware, and data breaches while ensuring compliance and protecting an organization's reputation.
[[security-accounts]]
=== Preventing Logins
In securing a system, a good starting point is an audit of accounts.
-Ensure that `root` has a strong password and that this password is not shared.
Disable any accounts that do not need login access.
-To deny login access to accounts, two methods exist.
-The first is to lock the account.
-This example locks the `toor` account:
+[TIP]
+====
+Ensure that `root` has a strong password and that this password is not shared.
+====
-[source,shell]
-....
-# pw lock toor
-....
+To deny login access to accounts, two methods exist.
-The second method is to prevent login access by changing the shell to [.filename]#/usr/sbin/nologin#.
-Only the superuser can change the shell for other users:
+The first is to lock the account, this example shows how to lock the `imani` account:
[source,shell]
....
-# chsh -s /usr/sbin/nologin toor
+# pw lock imani
....
-The [.filename]#/usr/sbin/nologin# shell prevents the system from assigning a shell to the user when they attempt to login.
-
-[[security-accountmgmt]]
-=== Permitted Account Escalation
-
-In some cases, system administration needs to be shared with other users.
-FreeBSD has two methods to handle this.
-The first one, which is not recommended, is a shared root password used by members of the `wheel` group.
-With this method, a user types `su` and enters the password for `wheel` whenever superuser access is needed.
-The user should then type `exit` to leave privileged access after finishing the commands that required administrative access.
-To add a user to this group, edit [.filename]#/etc/group# and add the user to the end of the `wheel` entry.
-The user must be separated by a comma character with no space.
-
-The second, and recommended, method to permit privilege escalation is to install the package:security/sudo[] package or port.
-This software provides additional auditing, more fine-grained user control, and can be configured to lock users into running only the specified privileged commands.
+The second method is to prevent login access by changing the shell to [.filename]#/usr/sbin/nologin#.
+The man:nologin[8] shell prevents the system from assigning a shell to the user when they attempt to login.
-After installation, use `visudo` to edit [.filename]#/usr/local/etc/sudoers#.
-This example creates a new `webadmin` group, adds the `trhodes` account to that group, and configures that group access to restart package:apache24[]:
+Only the superuser can change the shell for other users:
[source,shell]
....
-# pw groupadd webadmin -M trhodes -g 6000
-# visudo
-%webadmin ALL=(ALL) /usr/sbin/service apache24 *
+# chsh -s /usr/sbin/nologin imani
....
[[security-passwords]]
@@ -161,7 +142,8 @@ This example creates a new `webadmin` group, adds the `trhodes` account to that
Passwords are a necessary evil of technology.
When they must be used, they should be complex and a powerful hash mechanism should be used to encrypt the version that is stored in the password database.
-FreeBSD supports the DES, MD5, SHA256, SHA512, and Blowfish hash algorithms in its `crypt()` library.
+FreeBSD supports several algorithms, including SHA256, SHA512 and Blowfish hash algorithms in its `crypt()` library, see man:crypt[3] for details.
+
The default of SHA512 should not be changed to a less secure hashing algorithm, but can be changed to the more secure Blowfish algorithm.
[NOTE]
@@ -170,57 +152,72 @@ Blowfish is not part of AES and is not considered compliant with any Federal Inf
Its use may not be permitted in some environments.
====
-To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database.
+To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database.
Each hash starts with a symbol which indicates the type of hash mechanism used to encrypt the password.
+
If DES is used, there is no beginning symbol.
For MD5, the symbol is `$`.
For SHA256 and SHA512, the symbol is `$6$`.
For Blowfish, the symbol is `$2a$`.
-In this example, the password for `dru` is hashed using the default SHA512 algorithm as the hash starts with `$6$`.
+In this example, the password for `imani` is hashed using the default SHA512 algorithm as the hash starts with `$6$`.
Note that the encrypted hash, not the password itself, is stored in the password database:
[source,shell]
....
-# grep dru /etc/master.passwd
-dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh
+# grep imani /etc/master.passwd
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
+imani:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:imani:/usr/home/imani:/bin/sh
....
The hash mechanism is set in the user's login class.
-For this example, the user is in the `default` login class and the hash algorithm is set with this line in [.filename]#/etc/login.conf#:
+
+The following command can be run to check which hash mechanism is currently being used:
+
+[source,shell]
+....
+# grep user /etc/master.passwd
+....
+
+The output should be similar to the following:
[.programlisting]
....
- :passwd_format=sha512:\
+:passwd_format=sha512:\
....
-To change the algorithm to Blowfish, modify that line to look like this:
+For example, to change the algorithm to Blowfish, modify that line to look like this:
[.programlisting]
....
- :passwd_format=blf:\
+:passwd_format=blf:\
+....
+
+Then, man:cap_mkdb[1] must be executed to upgrade the login.conf database:
+
+[source,shell]
+....
+# cap_mkdb /etc/login.conf
....
-Then run `cap_mkdb /etc/login.conf` as described in <<users-limiting>>.
Note that this change will not affect any existing password hashes.
This means that all passwords should be re-hashed by asking users to run `passwd` in order to change their password.
-For remote logins, two-factor authentication should be used.
-An example of two-factor authentication is "something you have", such as a key, and "something you know", such as the passphrase for that key.
-Since OpenSSH is part of the FreeBSD base system, all network logins should be over an encrypted connection and use key-based authentication instead of passwords.
-For more information, refer to <<openssh>>.
-Kerberos users may need to make additional changes to implement OpenSSH in their network.
-These changes are described in <<kerberos5>>.
-
[[security-pwpolicy]]
=== Password Policy Enforcement
Enforcing a strong password policy for local accounts is a fundamental aspect of system security.
In FreeBSD, password length, password strength, and password complexity can be implemented using built-in Pluggable Authentication Modules (PAM).
-This section demonstrates how to configure the minimum and maximum password length and the enforcement of mixed characters using the [.filename]#pam_passwdqc.so# module.
+This section demonstrates how to configure the minimum and maximum password length and the enforcement of mixed characters using the man:pam_passwdqc[8] module.
This module is enforced when a user changes their password.
To configure this module, become the superuser and uncomment the line containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#.
+
Then, edit that line to match the password policy:
[.programlisting]
@@ -228,24 +225,20 @@ Then, edit that line to match the password policy:
password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users
....
-This example sets several requirements for new passwords.
-The `min` setting controls the minimum password length.
-It has five values because this module defines five different types of passwords based on their complexity.
-Complexity is defined by the type of characters that must exist in a password, such as letters, numbers, symbols, and case.
-The types of passwords are described in man:pam_passwdqc[8].
-In this example, the first three types of passwords are disabled, meaning that passwords that meet those complexity requirements will not be accepted, regardless of their length.
-The `12` sets a minimum password policy of at least twelve characters, if the password also contains characters with three types of complexity.
-The `10` sets the password policy to also allow passwords of at least ten characters, if the password contains characters with four types of complexity.
-
-The `similar` setting denies passwords that are similar to the user's previous password.
-The `retry` setting provides a user with three opportunities to enter a new password.
+The explanation of the parameters can be found in man:pam_passwdqc[8].
Once this file is saved, a user changing their password will see a message similar to the following:
[source,shell]
....
% passwd
-Changing local password for trhodes
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
+Changing local password for user
Old Password:
You can now choose the new password.
@@ -262,8 +255,8 @@ Enter new password:
If a password that does not match the policy is entered, it will be rejected with a warning and the user will have an opportunity to try again, up to the configured number of retries.
-Most password policies require passwords to expire after so many days.
-To set a password age time in FreeBSD, set `passwordtime` for the user's login class in [.filename]#/etc/login.conf#.
+If your organization's policy requires passwords to expire, FreeBSD supports the `passwordtime` in the user's login class in [.filename]#/etc/login.conf#
+
The `default` login class contains an example:
[.programlisting]
@@ -271,482 +264,899 @@ The `default` login class contains an example:
# :passwordtime=90d:\
....
-So, to set an expiry of 90 days for this login class, remove the comment symbol (`#`), save the edit, and run `cap_mkdb /etc/login.conf`.
+So, to set an expiry of 90 days for this login class, remove the comment symbol (#), save the edit, and execute the following command:
+
+[source,shell]
+....
+# cap_mkdb /etc/login.conf
+....
To set the expiration on individual users, pass an expiration date or the number of days to expiry and a username to `pw`:
[source,shell]
....
-# pw usermod -p 30-apr-2015 -n trhodes
+# pw usermod -p 30-apr-2025 -n user
....
As seen here, an expiration date is set in the form of day, month, and year.
For more information, see man:pw[8].
-[[security-rkhunter]]
-=== Detecting Rootkits
+[[security-sudo]]
+=== Shared Administration with sudo
-A _rootkit_ is any unauthorized software that attempts to gain `root` access to a system.
-Once installed, this malicious software will normally open up another avenue of entry for an attacker.
-Realistically, once a system has been compromised by a rootkit and an investigation has been performed, the system should be reinstalled from scratch.
-There is tremendous risk that even the most prudent security or systems engineer will miss something an attacker left behind.
+System administrators often need the ability to grant enhanced permissions to users so they may perform privileged tasks.
+The idea that team members are provided access to a FreeBSD system to perform their specific tasks opens up unique challenges to every administrator.
+These team members only need a subset of access beyond normal end user levels; however, they almost always tell management they are unable to perform their tasks without superuser access.
+Thankfully, there is no reason to provide such access to end users because tools exist to manage this exact requirement.
-A rootkit does do one thing useful for administrators: once detected, it is a sign that a compromise happened at some point.
-But, these types of applications tend to be very well hidden.
-This section demonstrates a tool that can be used to detect rootkits, package:security/rkhunter[].
+[TIP]
+====
+Even administrators should limit their privileges when not needed.
+====
-After installation of this package or port, the system may be checked using the following command.
-It will produce a lot of information and will require some manual pressing of kbd:[ENTER]:
+Up to this point, the security chapter has covered permitting access to authorized users and attempting to prevent unauthorized access.
+Another problem arises once authorized users have access to the system resources.
+In many cases, some users may need access to application startup scripts, or a team of administrators need to maintain the system.
+Traditionally, the standard users and groups, file permissions, and even the man:su[1] command would manage this access.
+And as applications required more access, as more users needed to use system resources, a better solution was required.
+The most used application is currently Sudo.
+
+Sudo allows administrators to configure more rigid access to system commands and provide for some advanced logging features.
+As a tool, it is available from the Ports Collection as package:security/sudo[] or by use of the man:pkg[8] utility.
+
+Execute the following command to install it:
[source,shell]
....
-# rkhunter -c
+# pkg install sudo
+....
+
+After the installation is complete, the installed `visudo` will open the configuration file with a text editor.
+Using `visudo` is highly recommended as it comes with a built in syntax checker to verify there are no errors before the file is saved.
+
+The configuration file is made up of several small sections which allow for extensive configuration.
+In the following example, web application maintainer, user1, needs to start, stop, and restart the web application known as _webservice_.
+To grant this user permission to perform these tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#:
+
+[.programlisting]
+....
+user1 ALL=(ALL) /usr/sbin/service webservice *
+....
+
+The user may now start _webservice_ using this command:
+
+[source,shell]
+....
+% sudo /usr/sbin/service webservice start
+....
+
+While this configuration allows a single user access to the webservice service;
+however, in most organizations, there is an entire web team in charge of managing the service.
+A single line can also give access to an entire group.
+These steps will create a web group, add a user to this group, and allow all members of the group to manage the service:
+
+[source,shell]
....
+# pw groupadd -g 6001 -n webteam
+....
+
+Using the same man:pw[8] command, the user is added to the webteam group:
+
+[source,shell]
+....
+# pw groupmod -m user1 -n webteam
+....
+
+Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member of the webteam group to manage _webservice_:
+
+[.programlisting]
+....
+%webteam ALL=(ALL) /usr/sbin/service webservice *
+....
+
+Unlike man:su[1], man:sudo[8] only requires the end user password.
+This avoids sharing passwords, which is a poor practice.
+
+Users permitted to run applications with man:sudo[8] only enter their own passwords.
+This is more secure and gives better control than man:su[1],
+where the `root` password is entered and the user acquires all `root` permissions.
+
+[TIP]
+====
+Most organizations are moving or have moved toward a two factor authentication model.
+In these cases, the user may not have a password to enter.
+
+man:sudo[8] can be configured to permit two factor authentication model by using the `NOPASSWD` variable.
+Adding it to the configuration above will allow all members of the _webteam_ group to manage the service without the password requirement:
+
+[.programlisting]
+....
+%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *
+....
+====
+
+[[security-doas]]
+=== Shared Administration with Doas
+
+man:doas[1] is a command-line utility ported from OpenBSD.
+It serves as an alternative to the widely used man:sudo[8] command in Unix-like systems.
-After the process completes, a status message will be printed to the screen.
-This message will include the amount of files checked, suspect files, possible rootkits, and more.
-During the check, some generic security warnings may be produced about hidden files, the OpenSSH protocol selection, and known vulnerable versions of installed software.
-These can be handled now or after a more detailed analysis has been performed.
+With doas, users can execute commands with elevated privileges, typically as the root user, while maintaining a simplified and security-conscious approach.
+Unlike man:sudo[8], doas emphasizes simplicity and minimalism, focusing on streamlined privilege delegation without an overwhelming array of configuration options.
-Every administrator should know what is running on the systems they are responsible for.
-Third-party tools like rkhunter and package:sysutils/lsof[], and native commands such as `netstat` and `ps`, can show a great deal of information on the system.
-Take notes on what is normal, ask questions when something seems out of place, and be paranoid.
-While preventing a compromise is ideal, detecting a compromise is a must.
+Execute the following command to install it:
+
+[source,shell]
+....
+# pkg install doas
+....
+
+After the installation [.filename]#/usr/local/etc/doas.conf# must be configured to grant access for users for specific commands, or roles.
+
+The simplest entry could be the following, which grants the user `local_user` with `root` permissions without asking for its password when executing the doas command.
+
+[.programlisting]
+....
+permit nopass local_user as root
+....
+
+After the installation and configuration of the `doas` utility, a command can now be executed with enhanced privileges, for example:
+
+[source,shell]
+....
+$ doas vi /etc/rc.conf
+....
+
+For more configuration examples, please read man:doas.conf[5].
[[security-ids]]
-=== Binary Verification
+== Intrusion Detection System (IDS)
Verification of system files and binaries is important because it provides the system administration and security teams information about system changes.
A software application that monitors the system for changes is called an Intrusion Detection System (IDS).
-FreeBSD provides native support for a basic IDS system.
+FreeBSD provides native support for a basic IDS system called man:mtree[8].
While the nightly security emails will notify an administrator of changes, the information is stored locally and there is a chance that a malicious user could modify this information in order to hide their changes to the system.
-As such, it is recommended to create a separate set of binary signatures and store them on a read-only, root-owned directory or, preferably, on a removable USB disk or remote rsync server.
+As such, it is recommended to create a separate set of binary signatures and store them on a read-only, root-owned directory or, preferably, on a removable USB disk or remote server.
+
+It is also recommended to run `freebsd-update IDS` after each update.
+
+[[security-ids-generate-spec-file]]
+=== Generating the Specification File
-The built-in `mtree` utility can be used to generate a specification of the contents of a directory.
+The built-in man:mtree[8] utility can be used to generate a specification of the contents of a directory.
A seed, or a numeric constant, is used to generate the specification and is required to check that the specification has not changed.
This makes it possible to determine if a file or binary has been modified.
Since the seed value is unknown by an attacker, faking or checking the checksum values of files will be difficult to impossible.
-The following example generates a set of SHA256 hashes, one for each system binary in [.filename]#/bin#, and saves those values to a hidden file in ``root``'s home directory, [.filename]#/root/.bin_chksum_mtree#:
+
+[TIP]
+====
+It is recommended to create specifications for the directories which contain binaries and configuration files, as well as any directories containing sensitive data.
+Typically, specifications are created for [.filename]#/bin#, [.filename]#/sbin#, [.filename]#/usr/bin#, [.filename]#/usr/sbin#, [.filename]#/usr/local/bin#, [.filename]#/etc#, and [.filename]#/usr/local/etc#.
+====
+
+The following example generates a set of `sha512` hashes, one for each system binary in [.filename]#/bin#, and saves those values to a hidden file in user's home directory, [.filename]#/home/user/.bin_chksum_mtree#:
[source,shell]
....
-# mtree -s 3483151339707503 -c -K cksum,sha256digest -p /bin > /root/.bin_chksum_mtree
-# mtree: /bin checksum: 3427012225
+# mtree -s 123456789 -c -K cksum,sha512 -p /bin > /home/user/.bin_chksum_mtree
....
-The _3483151339707503_ represents the seed.
-This value should be remembered, but not shared.
+The output should be similar to the following:
-Viewing [.filename]#/root/.bin_cksum_mtree# should yield output similar to the following:
+[.programlisting]
+....
+mtree: /bin checksum: 3427012225
+....
+
+[WARNING]
+====
+The `123456789` value represents the seed, and should be chosen randomly.
+This value should be remembered, *but not shared*.
+
+It is important to keep the seed value and the checksum output hidden from malicious users.
+====
+
+[[security-ids-spec-file-structure]]
+=== The Specification File Structure
+
+The mtree format is a textual format that describes a collection of filesystem objects.
+Such files are typically used to create or verify directory hierarchies.
+
+An mtree file consists of a series of lines, each providing information about a single filesystem object. Leading whitespace is always ignored.
+
+The specification file created above will be used to explain the format and content:
[.programlisting]
....
-# user: root
-# machine: dreadnaught
-# tree: /bin
-# date: Mon Feb 3 10:19:53 2014
+# user: root <.>
+# machine: machinename <.>
+# tree: /bin <.>
+# date: Thu Aug 24 21:58:37 2023 <.>
# .
-/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=none
-. type=dir mode=0755 nlink=2 size=1024 \
- time=1380277977.000000000
- \133 nlink=2 size=11704 time=1380277977.000000000 \
- cksum=484492447 \
- sha256digest=6207490fbdb5ed1904441fbfa941279055c3e24d3a4049aeb45094596400662a
- cat size=12096 time=1380277975.000000000 cksum=3909216944 \
- sha256digest=65ea347b9418760b247ab10244f47a7ca2a569c9836d77f074e7a306900c1e69
- chflags size=8168 time=1380277975.000000000 cksum=3949425175 \
- sha256digest=c99eb6fc1c92cac335c08be004a0a5b4c24a0c0ef3712017b12c89a978b2dac3
- chio size=18520 time=1380277975.000000000 cksum=2208263309 \
- sha256digest=ddf7c8cb92a58750a675328345560d8cc7fe14fb3ccd3690c34954cbe69fc964
- chmod size=8640 time=1380277975.000000000 cksum=2214429708 \
- sha256digest=a435972263bf814ad8df082c0752aa2a7bdd8b74ff01431ccbd52ed1e490bbe7
-....
-
-The machine's hostname, the date and time the specification was created, and the name of the user who created the specification are included in this report.
-There is a checksum, size, time, and SHA256 digest for each binary in the directory.
+/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=uarch <.>
+. type=dir mode=0755 nlink=2 time=1681388848.239523000 <.>
+ \133 nlink=2 size=12520 time=1685991378.688509000 \
+ cksum=520880818 \
+ sha512=5c1374ce0e2ba1b3bc5a41b23f4bbdc1ec89ae82fa01237f376a5eeef41822e68f1d8f75ec46b7bceb65396c122a9d837d692740fdebdcc376a05275adbd3471
+ cat size=14600 time=1685991378.694601000 cksum=3672531848 \ <.>
+ sha512=b30b96d155fdc4795432b523989a6581d71cdf69ba5f0ccb45d9b9e354b55a665899b16aee21982fffe20c4680d11da4e3ed9611232a775c69f926e5385d53a2
+ chflags size=8920 time=1685991378.700385000 cksum=1629328991 \
+ sha512=289a088cbbcbeb436dd9c1f74521a89b66643976abda696b99b9cc1fbfe8b76107c5b54d4a6a9b65332386ada73fc1bbb10e43c4e3065fa2161e7be269eaf86a
+ chio size=20720 time=1685991378.706095000 cksum=1948751604 \
+ sha512=46f58277ff16c3495ea51e74129c73617f31351e250315c2b878a88708c2b8a7bb060e2dc8ff92f606450dbc7dd2816da4853e465ec61ee411723e8bf52709ee
+ chmod size=9616 time=1685991378.712546000 cksum=4244658911 \
+ sha512=1769313ce08cba84ecdc2b9c07ef86d2b70a4206420dd71343867be7ab59659956f6f5a458c64e2531a1c736277a8e419c633a31a8d3c7ccc43e99dd4d71d630
+....
+
+<.> User who created the specification.
+<.> Machine's hostname.
+<.> Directory path.
+<.> The Date and time when the specification was created.
+<.> `/set` special commands, defines some settings obtained from the files analyzed.
+<.> Refers to the parsed directory and indicates things like what type it is, its mode, the number of hard links, and the time in UNIX format since it was modified.
+<.> Refers to the file and shows the size, time and a list of hashes to verify the integrity.
+
+[[security-ids-verify-specification-file]]
+=== Verify the Specification file
To verify that the binary signatures have not changed, compare the current contents of the directory to the previously generated specification, and save the results to a file.
+
This command requires the seed that was used to generate the original specification:
[source,shell]
....
-# mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output
-# mtree: /bin checksum: 3427012225
+# mtree -s 123456789 -p /bin < /home/user/.bin_chksum_mtree >> /home/user/.bin_chksum_output
....
This should produce the same checksum for [.filename]#/bin# that was produced when the specification was created.
-If no changes have occurred to the binaries in this directory, the [.filename]#/root/.bin_chksum_output# output file will be empty.
-To simulate a change, change the date on [.filename]#/bin/cat# using `touch` and run the verification command again:
+If no changes have occurred to the binaries in this directory, the [.filename]#/home/user/.bin_chksum_output# output file will be empty.
+
+To simulate a change, change the date on [.filename]#/bin/cat# using man:touch[1] and run the verification command again:
[source,shell]
....
# touch /bin/cat
-# mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output
-# more /root/.bin_chksum_output
-cat changed
- modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb 3 10:28:43 2014
....
-It is recommended to create specifications for the directories which contain binaries and configuration files, as well as any directories containing sensitive data.
-Typically, specifications are created for [.filename]#/bin#, [.filename]#/sbin#, [.filename]#/usr/bin#, [.filename]#/usr/sbin#, [.filename]#/usr/local/bin#, [.filename]#/etc#, and [.filename]#/usr/local/etc#.
+Run the verification command again:
-More advanced IDS systems exist, such as package:security/aide[].
-In most cases, `mtree` provides the functionality administrators need.
-It is important to keep the seed value and the checksum output hidden from malicious users.
-More information about `mtree` can be found in man:mtree[8].
+[source,shell]
+....
+# mtree -s 123456789 -p /bin < /home/user/.bin_chksum_mtree >> /home/user/.bin_chksum_output
+....
-[[security-tuning]]
-=== System Tuning for Security
+And then check the content of the output file:
-In FreeBSD, many system features can be tuned using `sysctl`.
-A few of the security features which can be tuned to prevent Denial of Service (DoS) attacks will be covered in this section.
-More information about using `sysctl`, including how to temporarily change values and how to make the changes permanent after testing, can be found in crossref:config[configtuning-sysctl,“Tuning with sysctl(8)”].
+[source,shell]
+....
+# cat /root/.bin_chksum_output
+....
-[NOTE]
-====
-Any time a setting is changed with `sysctl`, the chance to cause undesired harm is increased, affecting the availability of the system.
-All changes should be monitored and, if possible, tried on a testing system before being used on a production system.
-====
+The output should be similar to the following:
-By default, the FreeBSD kernel boots with a security level of `-1`.
-This is called "insecure mode" because immutable file flags may be turned off and all devices may be read from or written to.
-The security level will remain at `-1` unless it is altered through `sysctl` or by a setting in the startup scripts.
-The security level may be increased during system startup by setting `kern_securelevel_enable` to `YES` in [.filename]#/etc/rc.conf#, and the value of `kern_securelevel` to the desired security level.
-See man:security[7] and man:init[8] for more information on these settings and the available security levels.
+[.programlisting]
+....
+cat: modification time (Fri Aug 25 13:30:17 2023, Fri Aug 25 13:34:20 2023)
+....
[WARNING]
====
-Increasing the `securelevel` can break Xorg and cause other issues.
-Be prepared to do some debugging.
+This is just an example of what would be displayed when executing the command,
+to show the changes that would occur in the metadata.
====
-The `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` settings can be used to drop incoming SYN packets on closed ports without sending a return RST response.
-The default behavior is to return an RST to show a port is closed.
-Changing the default provides some level of protection against ports scans, which are used to determine which applications are running on a system.
-Set `net.inet.tcp.blackhole` to `2` and `net.inet.udp.blackhole` to `1`.
-Refer to man:blackhole[4] for more information about these settings.
+[[security-secure-levels]]
+== Secure levels
+
+securelevel is a security mechanism implemented in the kernel.
+When the securelevel is positive, the kernel restricts certain tasks; not even the superuser (root) is allowed to do them.
+
+The securelevel mechanism limits the ability to:
+
+* Unset certain file flags, such as `schg` (the system immutable flag).
+* Write to kernel memory via [.filename]#/dev/mem# and [.filename]#/dev/kmem#.
+* Load kernel modules.
+* Alter firewall rules.
-The `net.inet.icmp.drop_redirect` and `net.inet.ip.redirect` settings help prevent against _redirect attacks_.
-A redirect attack is a type of DoS which sends mass numbers of ICMP type 5 packets.
-Since these packets are not required, set `net.inet.icmp.drop_redirect` to `1` and set `net.inet.ip.redirect` to `0`.
+[[security-secure-levels-definitions]]
+=== Secure Levels Definitions
-Source routing is a method for detecting and accessing non-routable addresses on the internal network.
-This should be disabled as non-routable addresses are normally not routable on purpose.
-To disable this feature, set `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` to `0`.
+The kernel runs with five different security levels.
+Any super-user process can raise the level, but no process can lower it.
-When a machine on the network needs to send messages to all hosts on a subnet, an ICMP echo request message is sent to the broadcast address.
-However, there is no reason for an external host to perform such an action.
-To reject all external broadcast requests, set `net.inet.icmp.bmcastecho` to `0`.
+The security definitions are:
-Some additional settings are documented in man:security[7].
+-1::
+*Permanently insecure mode* - always run the system in insecure mode.
+This is the default initial value.
-[[one-time-passwords]]
-== One-time Passwords
+0::
+*Insecure mode* - immutable and append-only flags may be turned off.
+All devices may be read or written subject to their permissions.
-By default, FreeBSD includes support for One-time Passwords In Everything (OPIE).
-OPIE is designed to prevent replay attacks, in which an attacker discovers a user's password and uses it to access a system.
-Since a password is only used once in OPIE, a discovered password is of little use to an attacker.
-OPIE uses a secure hash and a challenge/response system to manage passwords.
-The FreeBSD implementation uses the MD5 hash by default.
+1::
+*Secure mode* - the system immutable and system append-only flags may not be turned off;
+disks for mounted file systems, [.filename]#/dev/mem# and [.filename]#/dev/kmem# may not be opened for writing;
+[.filename]#/dev/io# (if your platform has it) may not be opened at all; kernel modules (see man:kld[4]) may not be loaded or unloaded.
+The kernel debugger may not be entered using the debug.kdb.enter sysctl.
+A panic or trap cannot be forced using the debug.kdb.panic, debug.kdb.panic_str and other sysctl's.
-OPIE uses three different types of passwords.
-The first is the usual UNIX(R) or Kerberos password.
-The second is the one-time password which is generated by `opiekey`.
-The third type of password is the "secret password" which is used to generate one-time passwords.
-The secret password has nothing to do with, and should be different from, the UNIX(R) password.
+2::
+*Highly secure mode* - same as secure mode, plus disks may not be opened for writing (except by man:mount[2]) whether mounted or not.
+This level precludes tampering with file systems by unmounting them, but also inhibits running man:newfs[8] while the system is multiuser.
-There are two other pieces of data that are important to OPIE.
-One is the "seed" or "key", consisting of two letters and five digits.
-The other is the "iteration count", a number between 1 and 100.
-OPIE creates the one-time password by concatenating the seed and the secret password, applying the MD5 hash as many times as specified by the iteration count, and turning the result into six short English words which represent the one-time password.
-The authentication system keeps track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password.
-Since a one-way hash is used, it is impossible to generate future one-time passwords if a successfully used password is captured.
-The iteration count is decremented after each successful login to keep the user and the login program in sync.
-When the iteration count gets down to `1`, OPIE must be reinitialized.
+3::
+*Network secure mode* - same as highly secure mode, plus IP packet filter rules (see man:ipfw[8], man:ipfirewall[4] and man:pfctl[8]) cannot be changed and man:dummynet[4] or man:pf[4] configuration cannot be adjusted.
-There are a few programs involved in this process.
-A one-time password, or a consecutive list of one-time passwords, is generated by passing an iteration count, a seed, and a secret password to man:opiekey[1].
-In addition to initializing OPIE, man:opiepasswd[1] is used to change passwords, iteration counts, or seeds.
-The relevant credential files in [.filename]#/etc/opiekeys# are examined by man:opieinfo[1] which prints out the invoking user's current iteration count and seed.
+[TIP]
+====
+In summary, the key difference between `Permanently Insecure Mode` and `Insecure Mode` in FreeBSD secure levels is the degree of security they provide.
+`Permanently Insecure Mode` completely lifts all security restrictions, while `Insecure Mode` relaxes some restrictions but still maintains a level of control and security.
+====
-This section describes four different sorts of operations.
-The first is how to set up one-time-passwords for the first time over a secure connection.
-The second is how to use `opiepasswd` over an insecure connection.
-The third is how to log in over an insecure connection.
-The fourth is how to generate a number of keys which can be written down or printed out to use at insecure locations.
+[[security-modify-secure-levels]]
+=== Modify Secure Levels
-=== Initializing OPIE
+In order to change the securelevel of the system it is necessary to activate `kern_securelevel_enable` by executing the following command:
-To initialize OPIE for the first time, run this command from a secure location:
+[source,shell]
+....
+# sysrc kern_securelevel_enable="YES"
+....
+
+And set the value of `kern_securelevel` to the desired security level:
[source,shell]
....
-% opiepasswd -c
-Adding unfurl:
-Only use this method from the console; NEVER from remote. If you are using
-telnet, xterm, or a dial-in, type ^C now or exit with no password.
-Then run opiepasswd without the -c parameter.
-Using MD5 to compute responses.
-Enter new secret pass phrase:
-Again new secret pass phrase:
+# sysrc kern_securelevel=2
+....
+
+To check the status of the securelevel on a running system execute the following command:
-ID unfurl OTP key is 499 to4268
-MOS MALL GOAT ARM AVID COED
+[source,shell]
+....
+# sysctl -n kern.securelevel
....
-The `-c` sets console mode which assumes that the command is being run from a secure location, such as a computer under the user's control or an SSH session to a computer under the user's control.
+The output contains the current value of the securelevel.
+If it is greater than 0, at least some of the securelevel's protections are enabled.
+
+[[security-file-flags]]
+== File flags
+
+File flags allow users to attach additional metadata or attributes to files and directories beyond basic permissions and ownership.
+These flags provide a way to control various behaviors and properties of files without needing to resort to creating special directories or using extended attributes.
+
+File flags can be used to achieve different goals, such as preventing file deletion, making files append-only, synchronizing file updates, and more.
+Some commonly used file flags in FreeBSD include the "immutable" flag, which prevents modification or deletion of a file, and the "append-only" flag, which allows only data to be added to the end of a file but not modified or removed.
-When prompted, enter the secret password which will be used to generate the one-time login keys.
-This password should be difficult to guess and should be different than the password which is associated with the user's login account.
-It must be between 10 and 127 characters long. Remember this password.
+These flags can be managed using the man:chflags[1] command in FreeBSD, providing administrators and users with greater control over the behavior and characteristics of their files and directories.
+It is important to note that file flags are typically managed by root or users with appropriate privileges, as they can influence how files are accessed and manipulated.
+Some flags are available for the use of the file's owner, as described in man:chflags[1].
-The `ID` line lists the login name (`unfurl`), default iteration count (`499`), and default seed (`to4268`).
-When logging in, the system will remember these parameters and display them, meaning that they do not have to be memorized.
-The last line lists the generated one-time password which corresponds to those parameters and the secret password.
-At the next login, use this one-time password.
+[[security-work-file-flag]]
+=== Work with File Flags
-=== Insecure Connection Initialization
+In this example, a file named [.filename]#~/important.txt# in user's home directory want to be protected against deletions.
-To initialize or change the secret password on an insecure system, a secure connection is needed to some place where `opiekey` can be run.
-This might be a shell prompt on a trusted machine.
-An iteration count is needed, where 100 is probably a good value, and the seed can either be specified or the randomly-generated one used.
-On the insecure connection, the machine being initialized, use man:opiepasswd[1]:
+Execute the following command to set the `schg` file flag:
[source,shell]
....
-% opiepasswd
+# chflags schg ~/important.txt
+....
-Updating unfurl:
-You need the response from an OTP generator.
-Old secret pass phrase:
- otp-md5 498 to4268 ext
- Response: GAME GAG WELT OUT DOWN CHAT
-New secret pass phrase:
- otp-md5 499 to4269
- Response: LINE PAP MILK NELL BUOY TROY
+When any user, including the `root` user, tries to delete the file, the system will display the message:
-ID mark OTP key is 499 gr4269
-LINE PAP MILK NELL BUOY TROY
+[.programlisting]
+....
+rm: important.txt: Operation not permitted
....
-To accept the default seed, press kbd:[Return].
-Before entering an access password, move over to the secure connection and give it the same parameters:
+To delete the file, it will be necessary to delete the file flags of that file by executing the following command:
[source,shell]
....
-% opiekey 498 to4268
-Using the MD5 algorithm to compute response.
-Reminder: Do not use opiekey from telnet or dial-in sessions.
-Enter secret pass phrase:
-GAME GAG WELT OUT DOWN CHAT
+# chflags noschg ~/important.txt
....
-Switch back over to the insecure connection, and copy the generated one-time password over to the relevant program.
+A list of supported file flags and their functionality can be found in man:chflags[1].
-=== Generating a Single One-time Password
+[[openssh]]
+== OpenSSH
-After initializing OPIE and logging in, a prompt like this will be displayed:
+OpenSSH is a set of network connectivity tools used to provide secure access to remote machines.
+Additionally, TCP/IP connections can be tunneled or forwarded securely through SSH connections.
+OpenSSH encrypts all traffic to eliminate eavesdropping, connection hijacking, and other network-level attacks.
+
+OpenSSH is maintained by the OpenBSD project and is installed by default in FreeBSD.
+
+When data is sent over the network in an unencrypted form, network sniffers anywhere in between the client and server can steal user/password information or data transferred during the session.
+OpenSSH offers a variety of authentication and encryption methods to prevent this from happening.
+
+More information about OpenSSH is available in the link:https://www.openssh.com/[web page].
+
+This section provides an overview of the built-in client utilities to securely access other systems and securely transfer files from a FreeBSD system.
+It then describes how to configure a SSH server on a FreeBSD system.
+
+[TIP]
+====
+As stated, this chapter will cover the base system version of OpenSSH.
+A version of OpenSSH is also available in the package:security/openssh-portable[], which provides additional configuration options and is updated more regularly.
+====
+
+=== Using the SSH Client Utilities
+
+To log into a SSH server, use man:ssh[1] and specify a username that exists on that server and the IP address or hostname of the server.
+If this is the first time a connection has been made to the specified server, the user will be prompted to first verify the server's fingerprint:
[source,shell]
....
-% telnet example.com
-Trying 10.0.0.1...
-Connected to example.com
-Escape character is '^]'.
+# ssh user@example.com
+....
-FreeBSD/i386 (example.com) (ttypa)
+The output should be similar to the following:
-login: <username>
-otp-md5 498 gr4269 ext
-Password:
+[.programlisting]
....
+The authenticity of host 'example.com (10.0.0.1)' can't be established.
+ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.
+Are you sure you want to continue connecting (yes/no)? yes
+Permanently added 'example.com' (ECDSA) to the list of known hosts.
+Password for user@example.com: user_password
+....
+
+SSH utilizes a key fingerprint system to verify the authenticity of the server when the client connects.
+When the user accepts the key's fingerprint by typing `yes` when connecting for the first time, a copy of the key is saved to [.filename]#~/.ssh/known_hosts# in the user's home directory.
+Future attempts to login are verified against the saved key and man:ssh[1] will display an alert if the server's key does not match the saved key.
+If this occurs, the user should first verify why the key has changed before continuing with the connection.
+
+[NOTE]
+====
+How to perform this check is outside the scope of this chapter.
+====
+
+Use man:scp[1] to securely copy a file to or from a remote machine.
+
+This example copies `COPYRIGHT` on the remote system to a file of the same name in the current directory of the local system:
+
+[source,shell]
+....
+# scp user@example.com:/COPYRIGHT COPYRIGHT
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
+Password for user@example.com: *******
+COPYRIGHT 100% |*****************************| 4735
+....
+
+Since the fingerprint was already verified for this host, the server's key is automatically checked before prompting for the user's password.
-The OPIE prompts provides a useful feature.
-If kbd:[Return] is pressed at the password prompt, the prompt will turn echo on and display what is typed.
-This can be useful when attempting to type in a password by hand from a printout.
+The arguments passed to man:scp[1] are similar to man:cp[1].
+The file or files to copy is the first argument and the destination to copy to is the second.
+Since the file is fetched over the network, one or more of the file arguments takes the form `user@host:<path_to_remote_file>`.
+Be aware when copying directories recursively that man:scp[1] uses `-r`, whereas man:cp[1] uses `-R`.
+
+To open an interactive session for copying files, use man:sftp[1].
-At this point, generate the one-time password to answer this login prompt.
-This must be done on a trusted system where it is safe to run man:opiekey[1].
-There are versions of this command for Windows(R), Mac OS(R) and FreeBSD.
-This command needs the iteration count and the seed as command line options.
-Use cut-and-paste from the login prompt on the machine being logged in to.
+Refer to man:sftp[1] for a list of available commands while in an man:sftp[1] session.
+
+[[security-ssh-keygen]]
+=== Key-based Authentication
-On the trusted system:
+Instead of using passwords, a client can be configured to connect to the remote machine using keys.
+For security reasons, this is the preferred method.
+
+man:ssh-keygen[1] can be used to generate the authentication keys.
+To generate a public and private key pair, specify the type of key and follow the prompts.
+It is recommended to protect the keys with a memorable, but hard to guess passphrase.
[source,shell]
....
-% opiekey 498 to4268
-Using the MD5 algorithm to compute response.
-Reminder: Do not use opiekey from telnet or dial-in sessions.
-Enter secret pass phrase:
-GAME GAG WELT OUT DOWN CHAT
+% ssh-keygen -t rsa -b 4096
....
-Once the one-time password is generated, continue to log in.
+The output should be similar to the following:
-=== Generating Multiple One-time Passwords
+[.programlisting]
+....
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/user/.ssh/id_rsa):
+Created directory '/home/user/.ssh/.ssh'.
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/user/.ssh/id_rsa.
+Your public key has been saved in /home/user/.ssh/id_rsa.pub.
+The key fingerprint is:
+SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com
+The key's randomart image is:
++---[RSA 2048]----+
+| |
+| |
+| |
+| . o.. |
+| .S*+*o |
+| . O=Oo . . |
+| = Oo= oo..|
+| .oB.* +.oo.|
+| =OE**.o..=|
++----[SHA256]-----+
+....
+
+The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key is stored in [.filename]#~/.ssh/id_rsa.pub#.
+The _public_ key must be copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-based authentication to work.
+
+[WARNING]
+====
+Utilizing a passphrase for OpenSSH keys is a key security practice, providing an extra layer of protection against unauthorized access and enhancing overall cybersecurity.
-Sometimes there is no access to a trusted machine or secure connection.
-In this case, it is possible to use man:opiekey[1] to generate a number of one-time passwords beforehand. For example:
+In case of loss or theft, this adds another layer of security.
+====
+
+[[security-ssh-tunneling]]
+=== SSH Tunneling
+
+OpenSSH has the ability to create a tunnel to encapsulate another protocol in an encrypted session.
+
+The following command tells man:ssh[1] to create a tunnel:
[source,shell]
....
-% opiekey -n 5 30 zz99999
-Using the MD5 algorithm to compute response.
-Reminder: Do not use opiekey from telnet or dial-in sessions.
-Enter secret pass phrase: <secret password>
-26: JOAN BORE FOSS DES NAY QUIT
-27: LATE BIAS SLAY FOLK MUCH TRIG
-28: SALT TIN ANTI LOON NEAL USE
-29: RIO ODIN GO BYE FURY TIC
-30: GREW JIVE SAN GIRD BOIL PHI
+% ssh -D 8080 user@example.com
....
-The `-n 5` requests five keys in sequence, and `30` specifies what the last iteration number should be.
-Note that these are printed out in _reverse_ order of use.
-The really paranoid might want to write the results down by hand; otherwise, print the list.
-Each line shows both the iteration count and the one-time password.
-Scratch off the passwords as they are used.
+This example uses the following options:
+
+-D::
+Specifies a local "dynamic" application-level port forwarding.
+
+user@foo.example.com::
+The login name to use on the specified remote SSH server.
-=== Restricting Use of UNIX(R) Passwords
+An SSH tunnel works by creating a listen socket on `localhost` on the specified `localport`.
-OPIE can restrict the use of UNIX(R) passwords based on the IP address of a login session.
-The relevant file is [.filename]#/etc/opieaccess#, which is present by default.
-Refer to man:opieaccess[5] for more information on this file and which security considerations to be aware of when using it.
+This method can be used to wrap any number of insecure TCP protocols such as SMTP, POP3, and FTP.
-Here is a sample [.filename]#opieaccess#:
+=== Enabling the SSH Server
-[.programlisting]
+In addition to providing built-in SSH client utilities, a FreeBSD system can be configured as an SSH server, accepting connections from other SSH clients.
+
+[TIP]
+====
+As stated, this chapter will cover the base system version of OpenSSH.
+Please *not* confuse with package:security/openssh-portable[], the version of OpenSSH that ships with the FreeBSD ports.
+====
+
+In order to have the SSH Server enabled across reboots execute the following command:
+
+[source,shell]
....
-permit 192.168.0.0 255.255.0.0
+# sysrc sshd_enable="YES"
....
-This line allows users whose IP source address (which is vulnerable to spoofing) matches the specified value and mask, to use UNIX(R) passwords at any time.
+Then execute the following command to enable the service:
-If no rules in [.filename]#opieaccess# are matched, the default is to deny non-OPIE logins.
+[source,shell]
+....
+# service sshd start
+....
-[[tcpwrappers]]
-== TCP Wrapper
+The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console.
+Provide users with the fingerprint so that they can verify it the first time they connect to the server.
-TCP Wrapper is a host-based access control system which extends the abilities of crossref:network-servers[network-inetd,“The inetd Super-Server”].
-It can be configured to provide logging support, return messages, and connection restrictions for the server daemons under the control of inetd.
-Refer to man:tcpd[8] for more information about TCP Wrapper and its features.
+Refer to man:sshd[8] for the list of available options when starting sshd and a complete discussion about authentication, the login process, and the various configuration files.
-TCP Wrapper should not be considered a replacement for a properly configured firewall.
-Instead, TCP Wrapper should be used in conjunction with a firewall and other security enhancements in order to provide another layer of protection in the implementation of a security policy.
+At this point, the sshd should be available to all users with a username and password on the system.
-=== Initial Configuration
+[[config-publickey-auth]]
+=== Configuring publickey auth method
+
+Configuring OpenSSH to use public key authentication enhances security by leveraging asymmetric cryptography for authentication.
+This method eliminates password-related risks, such as weak passwords or interception during transmission, while thwarting various password-based attacks.
+However, it's vital to ensure the private keys are well-protected to prevent unauthorized access.
+
+The first step will be to configure man:sshd[8] to use the required authentication method.
-To enable TCP Wrapper in FreeBSD, add the following lines to [.filename]#/etc/rc.conf#:
+Edit [.filename]#/etc/ssh/sshd_config# and uncomment the following configuration:
[.programlisting]
....
-inetd_enable="YES"
-inetd_flags="-Ww"
+PubkeyAuthentication yes
....
-Then, properly configure [.filename]#/etc/hosts.allow#.
+Once the configuration is done, the users will have to send the system administrator their *public key* and these keys will be added in [.filename]#.ssh/authorized_keys#.
+The process for generating the keys is described in <<Key-based Authentication>>.
-[NOTE]
+Then restart the server executing the following command:
+
+[source,shell]
+....
+# service sshd reload
+....
+
+It is strongly recommended to follow the security improvements indicated in <<security-sshd-security-options>>.
+
+[[security-sshd-security-options]]
+=== SSH Server Security Options
+
+While sshd is the most widely used remote administration facility for FreeBSD, brute force and drive by attacks are common to any system exposed to public networks.
+
+Several additional parameters are available to prevent the success of these attacks and will be described in this section.
+All configurations will be done in [.filename]#/etc/ssh/sshd_config#
+
+[TIP]
====
-Unlike other implementations of TCP Wrapper, the use of [.filename]#hosts.deny# is deprecated in FreeBSD.
-All configuration options should be placed in [.filename]#/etc/hosts.allow#.
+Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/ssh_config# (note the extra `d` in the first filename).
+The first file configures the server and the second file configures the client.
+Refer to man:ssh_config[5] for a listing of the available client settings.
====
-In the simplest configuration, daemon connection policies are set to either permit or block, depending on the options in [.filename]#/etc/hosts.allow#.
-The default configuration in FreeBSD is to allow all connections to the daemons started with inetd.
+By default, authentication can be done with both pubkey and password.
+To allow *only* pubkey authentication, *which is strongly recommended*, change the variable:
-Basic configuration usually takes the form of `daemon : address : action`, where `daemon` is the daemon which inetd started, `address` is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and `action` is either `allow` or `deny`.
-TCP Wrapper uses a first rule match semantic, meaning that the configuration file is scanned from the beginning for a matching rule.
-When a match is found, the rule is applied and the search process stops.
+[.programlisting]
+....
+PasswordAuthentication no
+....
-For example, to allow POP3 connections via the package:mail/qpopper[] daemon, the following lines should be appended to [.filename]#hosts.allow#:
+It is a good idea to limit which users can log into the SSH server and from where using the `AllowUsers` keyword in the OpenSSH server configuration file.
+For example, to only allow `user` to log in from `192.168.1.32`, add this line to [.filename]#/etc/ssh/sshd_config#:
[.programlisting]
....
-# This line is required for POP3 connections:
-qpopper : ALL : allow
+AllowUsers user@192.168.1.32
....
-Whenever this file is edited, restart inetd:
+To allow `user` to log in from anywhere, list that user without specifying an IP address:
+
+[.programlisting]
+....
+AllowUsers user
+....
+
+Multiple users should be listed on the same line, like so:
+
+[.programlisting]
+....
+AllowUsers root@192.168.1.32 user
+....
+
+After making all the changes, and before restarting the service, it is recommended to verify that the configuration made is correct by executing the following command:
[source,shell]
....
-# service inetd restart
+# sshd -t
....
-=== Advanced Configuration
+If the configuration file is correct, no output will be shown.
+In case the configuration file is incorrect, it will show something like this:
-TCP Wrapper provides advanced options to allow more control over the way connections are handled.
-In some cases, it may be appropriate to return a comment to certain hosts or daemon connections.
-In other cases, a log entry should be recorded or an email sent to the administrator.
-Other situations may require the use of a service for local connections only.
-This is all possible through the use of configuration options known as wildcards, expansion characters, and external command execution.
+[.programlisting]
+....
+/etc/ssh/sshd_config: line 3: Bad configuration option: sdadasdasdasads
+/etc/ssh/sshd_config: terminating, 1 bad configuration options
+....
-Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the host who attempted to establish that connection.
-That action is possible with `twist`.
-When a connection attempt is made, `twist` executes a shell command or script.
-An example exists in [.filename]#hosts.allow#:
+After making the changes and checking that the configuration file is correct, tell sshd to reload its configuration file by running:
+
+[source,shell]
+....
+# service sshd reload
+....
+
+[[openssl]]
+== OpenSSL
+
+OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and many cryptography routines.
+
+The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
+It can be used for
+
+* Creation and management of private keys, public keys and parameters
+* Public key cryptographic operations
+* Creation of X.509 certificates, CSRs and CRLs
+* Calculation of Message Digests
+* Encryption and Decryption with Ciphers
+* SSL/TLS Client and Server Tests
+* Handling of S/MIME signed or encrypted mail
+* Time Stamp requests, generation and verification
+* Benchmarking the crypto routines
+
+For more information about OpenSSL, read the free https://www.feistyduck.com/books/openssl-cookbook/[OpenSSL Cookbook].
+
+[[generating-certificates]]
+=== Generating Certificates
+
+OpenSSL supports the generation of certificates both to be validated by a link:https://en.wikipedia.org/wiki/Certificate_authority[CA] and for own use.
+
+Run the command man:openssl[1] to generate a valid certificate for a link:https://en.wikipedia.org/wiki/Certificate_authority[CA] with the following arguments.
+This command will create two files in the current directory.
+The certificate request, [.filename]#req.pem#, can be sent to a link:https://en.wikipedia.org/wiki/Certificate_authority[CA] which,
+will validate the entered credentials, sign the request, and return the signed certificate.
+The second file, [.filename]#cert.key#, is the private key for the certificate and should be stored in a secure location.
+If this falls in the hands of others, it can be used to impersonate the user or the server.
+
+Execute the following command to generate the certificate:
+
+[source,shell]
+....
+# openssl req -new -nodes -out req.pem -keyout cert.key -sha3-512 -newkey rsa:4096
+....
+
+The output should be similar to the following:
[.programlisting]
....
-# The rest of the daemons are protected.
-ALL : ALL \
- : severity auth.info \
- : twist /bin/echo "You are not welcome to use %d from %h."
+Generating a RSA private key
+..................................................................................................................................+++++
+......................................+++++
+writing new private key to 'cert.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:ES
+State or Province Name (full name) [Some-State]:Valencian Community
+Locality Name (eg, city) []:Valencia
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
+Organizational Unit Name (eg, section) []:Systems Administrator
+Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
+Email Address []:user@FreeBSD.org
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:123456789
+An optional company name []:Another name
....
-In this example, the message "You are not allowed to use _daemon name_ from _hostname_."
-will be returned for any daemon not configured in [.filename]#hosts.allow#.
-This is useful for sending a reply back to the connection initiator right after the established connection is dropped.
-Any message returned _must_ be wrapped in quote (`"`) characters.
+Alternately, if a signature from a link:https://en.wikipedia.org/wiki/Certificate_authority[CA] is not required, a self-signed certificate can be created.
+This will create two new files in the current directory: a private key file [.filename]#cert.key#, and the certificate itself, [.filename]#cert.crt#.
+These should be placed in a directory, preferably under [.filename]#/etc/ssl/#, which is readable only by `root`.
+Permissions of `0700` are appropriate for these files and can be set using `chmod`.
-[WARNING]
-====
-It may be possible to launch a denial of service attack on the server if an attacker floods these daemons with connection requests.
-====
+Execute the following command to generate the certificate:
-Another possibility is to use `spawn`.
-Like `twist`, `spawn` implicitly denies the connection and may be used to run external shell commands or scripts.
-Unlike `twist`, `spawn` will not send a reply back to the host who established the connection.
-For example, consider the following configuration:
+[source,shell]
+....
+# openssl req -new -x509 -days 365 -sha3-512 -keyout /etc/ssl/private/cert.key -out /etc/ssl/certs/cert.crt
+....
+
+The output should be similar to the following:
[.programlisting]
....
-# We do not allow connections from example.com:
-ALL : .example.com \
- : spawn (/bin/echo %a from %h attempted to access %d >> \
- /var/log/connections.log) \
- : deny
+Generating a RSA private key
+........................................+++++
+...........+++++
+writing new private key to '/etc/ssl/private/cert.key'
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:ES
+State or Province Name (full name) [Some-State]:Valencian Community
+Locality Name (eg, city) []:Valencia
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
+Organizational Unit Name (eg, section) []:Systems Administrator
+Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
+Email Address []:user@FreeBSD.org
....
-This will deny all connection attempts from `*.example.com` and log the hostname, IP address, and the daemon to which access was attempted to [.filename]#/var/log/connections.log#.
-This example uses the substitution characters `%a` and `%h`.
-Refer to man:hosts_access[5] for the complete list.
+[[fips-provider]]
+=== Configuring the FIPS Provider
+
+With the import of OpenSSL 3 into the base system (on FreeBSD 14 and later), its new concept of provider modules was introduced in the system.
+Besides the default provider module built-in to the library, the _legacy_ module implements the now optional deprecated cryptography algorithms, while the _fips_ module restricts the OpenSSL implementation to the cryptography algorithms present in the link:https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards[FIPS] set of standards.
+This part of OpenSSL receives link:https://www.openssl.org/docs/fips.html[particular care], including a link:https://www.openssl.org/news/fips-cve.html[list of relevant security issues], and is subject to the link:https://github.com/openssl/openssl/blob/master/README-FIPS.md[FIPS 140 validation process] on a regular basis.
+The link:https://www.openssl.org/source/[list of FIPS validated versions] is also available.
+This allows users to ensure FIPS compliance in their use of OpenSSL.
+
+Importantly, the man:fips_module[7] is protected by an additional security measure, preventing its use without passing an integrity check.
+This check can be setup by the local system administrator, allowing every user of OpenSSL 3 to load this module.
+When not configured correctly, the FIPS module is expected to fail as follows:
+
+[source,shell]
+....
+# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2
+....
-To match every instance of a daemon, domain, or IP address, use `ALL`.
-Another wildcard is `PARANOID` which may be used to match any host which provides an IP address that may be forged because the IP address differs from its resolved hostname.
-In this example, all connection requests to Sendmail which have an IP address that varies from its hostname will be denied:
+The output should be similar to the following:
[.programlisting]
....
-# Block possibly spoofed requests to sendmail:
-sendmail : PARANOID : deny
+aes-128-cbc: unable to load provider fips
+Hint: use -provider-path option or OPENSSL_MODULES environment variable.
+00206124D94D0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:crypto/openssl/providers/fips/self_test.c:275:
+00206124D94D0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:crypto/openssl/providers/fips/self_test.c:373:
+00206124D94D0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:crypto/openssl/providers/fips/fipsprov.c:707:
+00206124D94D0000:error:078C0105:common libcrypto routines:provider_init:init fail:crypto/openssl/crypto/provider_core.c:932:name=fips
....
-[CAUTION]
-====
-Using the `PARANOID` wildcard will result in denied connections if the client or server has a broken DNS setup.
-====
+The check can be configured through the creation of a file in [.filename]#/etc/ssl/fipsmodule.cnf#, which will then be referenced in OpenSSL's main configuration file [.filename]#/etc/ssl/openssl.cnf#.
+OpenSSL provides the man:openssl-fipsinstall[1] utility to help with this process, which can be used as follows:
-To learn more about wildcards and their associated functionality, refer to man:hosts_access[5].
+[source,shell]
+....
+# openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /etc/ssl/fipsmodule.cnf
+....
-[NOTE]
-====
-When adding new configuration lines, make sure that any unneeded entries for that daemon are commented out in [.filename]#hosts.allow#.
-====
+The output should be similar to the following:
+
+[.programlisting]
+....
+INSTALL PASSED
+....
+
+The [.filename]#/etc/ssl/openssl.cnf# should then be modified, in order to:
+
+* Include the [.filename]#/etc/ssl/fipsmodule.cnf# file generated above,
+* Expose the FIPS module for possible use,
+* And explicitly activate the default module.
+
+[.programlisting]
+....
+[...]
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g. [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+.include /etc/ssl/fipsmodule.cnf
+
+[...]
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+fips = fips_sect
+
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl. As a consequence applications depending on
+# OpenSSL may not work correctly which could lead to significant system
+# problems including inability to remotely access the system.
+[default_sect]
+activate = 1
+....
+
+With this done, it should be possible to confirm that the FIPS module is effectively available and working:
+
+[source,shell]
+....
+# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
+enter AES-128-CBC encryption password:
+Verifying - enter AES-128-CBC encryption password:
+U2FsdGVkX18idooW6e3LqWeeiKP76kufcOUClh57j8U=
+....
+
+This procedure has to be repeated every time the FIPS module is modified, e.g., after performing system updates, or after applying security fixes affecting OpenSSL in the base system.
[[kerberos5]]
== Kerberos
@@ -861,6 +1271,12 @@ To create the master key, run `kstash` and enter a password:
[source,shell]
....
# kstash
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
Master key: xxxxxxxxxxxxxxxxxxxxxxx
Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx
....
@@ -884,6 +1300,12 @@ Type `?` at the prompt to see the available options.
[source,shell]
....
kadmin> add tillman
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
@@ -906,6 +1328,12 @@ While there will not be any kerberized daemons running at this point, it is poss
[source,shell]
....
% kinit tillman
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
tillman@EXAMPLE.ORG's Password:
....
@@ -914,6 +1342,12 @@ Confirm that a ticket was successfully obtained using `klist`:
[source,shell]
....
% klist
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: tillman@EXAMPLE.ORG
@@ -953,6 +1387,12 @@ To generate the keytab, use `ext` to extract the server's host principal key to
[source,shell]
....
# kadmin
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
kadmin> add --random-key host/myserver.example.org
Max ticket life [unlimited]:
Max renewable life [unlimited]:
@@ -969,6 +1409,12 @@ This is good when being run on the server being kerberized, but the `--keytab _p
[source,shell]
....
# kadmin
+....
+
+The output should be similar to the following:
+
+[.programlisting]
+....
kadmin> ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org
kadmin> exit
....
@@ -1028,15 +1474,15 @@ Client applications may also use slightly different command line options to acco
Following the instructions at http://web.mit.edu/Kerberos/www/[http://web.mit.edu/Kerberos/www/] is recommended.
Be careful of path issues: the MIT port installs into [.filename]#/usr/local/# by default, and the FreeBSD system applications run instead of the MIT versions if `PATH` lists the system directories first.
-When using MIT Kerberos as a KDC on FreeBSD, the following edits should also be made to [.filename]#rc.conf#:
+When using MIT Kerberos as a KDC on FreeBSD, execute the following commands to add the required configurations to [.filename]#/etc/rc.conf#:
-[.programlisting]
+[source,shell]
....
-kdc_program="/usr/local/sbin/kdc"
-kadmind_program="/usr/local/sbin/kadmind"
-kdc_flags=""
-kdc_enable="YES"
-kadmind_enable="YES"
+# sysrc kdc_program="/usr/local/sbin/kdc"
+# sysrc kadmind_program="/usr/local/sbin/kadmind"
+# sysrc kdc_flags=""
+# sysrc kdc_enable="YES"
+# sysrc kadmind_enable="YES"
....
=== Kerberos Tips, Tricks, and Troubleshooting
@@ -1084,908 +1530,417 @@ File system integrity checking tools like package:security/tripwire[] can allevi
* http://web.mit.edu/Kerberos/www/[MIT Kerberos home page]
* https://github.com/heimdal/heimdal/wiki[Heimdal Kerberos project wiki page]
-[[openssl]]
-== OpenSSL
-
-OpenSSL is an open source implementation of the SSL and TLS protocols.
-It provides an encryption transport layer on top of the normal communications layer, allowing it to be intertwined with many network applications and services.
-
-The version of OpenSSL included in FreeBSD supports the Secure Sockets Layer 3.0 (SSLv3) and Transport Layer Security 1.0/1.1/1.2 (TLSv1/TLSv1.1/TLSv1.2) network security protocols and can be used as a general cryptographic library.
-In FreeBSD 12.0-RELEASE and above, OpenSSL also supports Transport Layer Security 1.3 (TLSv1.3).
-
-OpenSSL is often used to encrypt authentication of mail clients and to secure web based transactions such as credit card payments.
-Some ports, such as package:www/apache24[] and package:databases/postgresql11-server[], include a compile option for building with OpenSSL.
-If selected, the port will add support using OpenSSL from the base system.
-To instead have the port compile against OpenSSL from the package:security/openssl[] port, add the following to [.filename]#/etc/make.conf#:
-
-[.programlisting]
-....
-DEFAULT_VERSIONS+= ssl=openssl
-....
-
-Another common use of OpenSSL is to provide certificates for use with software applications.
-Certificates can be used to verify the credentials of a company or individual.
-If a certificate has not been signed by an external _Certificate Authority_ (CA), such as http://www.verisign.com[http://www.verisign.com],
-the application that uses the certificate will produce a warning.
-There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed.
-However, using an external authority will prevent warnings and can put users at ease.
-
-This section demonstrates how to create and use certificates on a FreeBSD system.
-Refer to crossref:network-servers[ldap-config,“Configuring an LDAP Server”] for an example of how to create a CA for signing one's own certificates.
-
-For more information about SSL, read the free https://www.feistyduck.com/books/openssl-cookbook/[OpenSSL Cookbook].
-
-=== Generating Certificates
-
-To generate a certificate that will be signed by an external CA, issue the following command and input the information requested at the prompts.
-This input information will be written to the certificate.
-At the `Common Name` prompt, input the fully qualified name for the system that will use the certificate.
-If this name does not match the server, the application verifying the certificate will issue a warning to the user, rendering the verification provided by the certificate as useless.
-
-[source,shell]
-....
-# openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048
-Generating a 2048 bit RSA private key
-..................+++
-.............................................................+++
-writing new private key to 'cert.key'
------
-You are about to be asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.
------
-Country Name (2 letter code) [AU]:US
-State or Province Name (full name) [Some-State]:PA
-Locality Name (eg, city) []:Pittsburgh
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
-Organizational Unit Name (eg, section) []:Systems Administrator
-Common Name (eg, YOUR name) []:localhost.example.org
-Email Address []:trhodes@FreeBSD.org
-
-Please enter the following 'extra' attributes
-to be sent with your certificate request
-A challenge password []:
-An optional company name []:Another Name
-....
-
-Other options, such as the expire time and alternate encryption algorithms, are available when creating a certificate.
-A complete list of options is described in man:openssl[1].
+[[tcpwrappers]]
+== TCP Wrappers
-This command will create two files in the current directory.
-The certificate request, [.filename]#req.pem#, can be sent to a CA who will validate the entered credentials, sign the request, and return the signed certificate.
-The second file, [.filename]#cert.key#, is the private key for the certificate and should be stored in a secure location.
-If this falls in the hands of others, it can be used to impersonate the user or the server.
+TCP Wrappers is a host-based network access control system.
+By intercepting incoming network requests before they reach the actual network service,
+TCP Wrappers assess whether the source IP address is permitted or denied access based on predefined rules in configuration files.
-Alternately, if a signature from a CA is not required, a self-signed certificate can be created.
-First, generate the RSA key:
+However, while TCP Wrappers provide basic access control, they should not be considered a substitute for more robust security measures.
+For comprehensive protection, it's recommended to use advanced technologies like firewalls, along with proper user authentication practices and intrusion detection systems.
-[source,shell]
-....
-# openssl genrsa -rand -genkey -out cert.key 2048
-0 semi-random bytes loaded
-Generating RSA private key, 2048 bit long modulus
-.............................................+++
-.................................................................................................................+++
-e is 65537 (0x10001)
-....
+[[tcpwrappers-initial-configuration]]
+=== Initial Configuration
-Use this key to create a self-signed certificate. Follow the usual prompts for creating a certificate:
+TCP Wrappers are enabled by default in man:inetd[8].
+So the first step will be to enable man:inetd[8] executing the following commands:
[source,shell]
....
-# openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
-You are about to be asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.
------
-Country Name (2 letter code) [AU]:US
-State or Province Name (full name) [Some-State]:PA
-Locality Name (eg, city) []:Pittsburgh
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
-Organizational Unit Name (eg, section) []:Systems Administrator
-Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
-Email Address []:trhodes@FreeBSD.org
+# sysrc inetd_enable="YES"
+# service inetd start
....
-This will create two new files in the current directory: a private key file [.filename]#cert.key#, and the certificate itself, [.filename]#cert.crt#.
-These should be placed in a directory, preferably under [.filename]#/etc/ssl/#, which is readable only by `root`.
-Permissions of `0700` are appropriate for these files and can be set using `chmod`.
-
-=== Using Certificates
-
-One use for a certificate is to encrypt connections to the Sendmail mail server in order to prevent the use of clear text authentication.
+Then, properly configure [.filename]#/etc/hosts.allow#.
-[NOTE]
+[WARNING]
====
-Some mail clients will display an error if the user has not installed a local copy of the certificate.
-Refer to the documentation included with the software for more information on certificate installation.
+Unlike other implementations of TCP Wrappers, the use of [.filename]#hosts.deny# is deprecated in FreeBSD.
+All configuration options should be placed in [.filename]#/etc/hosts.allow#.
====
-In FreeBSD 10.0-RELEASE and above, it is possible to create a self-signed certificate for Sendmail automatically.
-To enable this, add the following lines to [.filename]#/etc/rc.conf#:
+In the simplest configuration, daemon connection policies are set to either permit or block, depending on the options in [.filename]#/etc/hosts.allow#.
+The default configuration in FreeBSD is to allow all connections to the daemons started with inetd.
-[.programlisting]
-....
-sendmail_enable="YES"
-sendmail_cert_create="YES"
-sendmail_cert_cn="localhost.example.org"
-....
+Basic configuration usually takes the form of `daemon : address : action`, where `daemon` is the daemon which inetd started, `address` is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and `action` is either `allow` or `deny`.
+TCP Wrappers uses a first rule match semantic, meaning that the configuration file is scanned from the beginning for a matching rule.
+When a match is found, the rule is applied and the search process stops.
-This will automatically create a self-signed certificate, [.filename]#/etc/mail/certs/host.cert#, a signing key, [.filename]#/etc/mail/certs/host.key#, and a CA certificate, [.filename]#/etc/mail/certs/cacert.pem#.
-The certificate will use the `Common Name` specified in `sendmail_cert_cn`.
-After saving the edits, restart Sendmail:
+For example, to allow POP3 connections via the package:mail/qpopper[] daemon, the following lines should be appended to [.filename]#/etc/hosts.allow#:
-[source,shell]
+[.programlisting]
....
-# service sendmail restart
+# This line is required for POP3 connections:
+qpopper : ALL : allow
....
-If all went well, there will be no error messages in [.filename]#/var/log/maillog#.
-For a simple test, connect to the mail server's listening port using `telnet`:
+Whenever this file is edited, restart inetd:
[source,shell]
....
-# telnet example.com 25
-Trying 192.0.34.166...
-Connected to example.com.
-Escape character is '^]'.
-220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)
-ehlo example.com
-250-example.com Hello example.com [192.0.34.166], pleased to meet you
-250-ENHANCEDSTATUSCODES
-250-PIPELINING
-250-8BITMIME
-250-SIZE
-250-DSN
-250-ETRN
-250-AUTH LOGIN PLAIN
-250-STARTTLS
-250-DELIVERBY
-250 HELP
-quit
-221 2.0.0 example.com closing connection
-Connection closed by foreign host.
+# service inetd restart
....
-If the `STARTTLS` line appears in the output, everything is working correctly.
-
-[[ipsec]]
-== VPN over IPsec
+[[tcpwrappers-advanced-config]]
+=== Advanced Configuration
-Internet Protocol Security (IPsec) is a set of protocols which sit on top of the Internet Protocol (IP) layer.
-It allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.
-The FreeBSD IPsec network stack is based on the http://www.kame.net/[http://www.kame.net/] implementation and supports both IPv4 and IPv6 sessions.
+TCP Wrappers provides advanced options to allow more control over the way connections are handled.
+In some cases, it may be appropriate to return a comment to certain hosts or daemon connections.
+In other cases, a log entry should be recorded or an email sent to the administrator.
+Other situations may require the use of a service for local connections only.
+This is all possible through the use of configuration options known as wildcards, expansion characters, and external command execution.
+To learn more about wildcards and their associated functionality, refer to man:hosts_access[5].
-IPsec is comprised of the following sub-protocols:
+[[fs-acl]]
+== Access Control Lists
-* _Encapsulated Security Payload (ESP)_: this protocol protects the IP packet data from third party interference by encrypting the contents using symmetric cryptography algorithms such as Blowfish and 3DES.
-* _Authentication Header (AH)_: this protocol protects the IP packet header from third party interference and spoofing by computing a cryptographic checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the information in the packet to be authenticated.
-* _IP Payload Compression Protocol (IPComp_): this protocol tries to increase communication performance by compressing the IP payload in order to reduce the amount of data sent.
+Access Control Lists (ACLs) extend traditional UNIX(R) file permissions by allowing fine-grained access control for users and groups on a per-file or per-directory basis.
+Each ACL entry defines a user or group and the associated permissions, such as read, write, and execute.
+FreeBSD provides commands like man:getfacl[1] and man:setfacl[1] to manage ACLs.
-These protocols can either be used together or separately, depending on the environment.
+ACLs are useful in scenarios requiring more specific access control than standard permissions, commonly used in multi-user environments or shared hosting.
+However, complexity may be unavoidable, but careful planning is required to ensure that the desired security properties are being provided
-IPsec supports two modes of operation.
-The first mode, _Transport Mode_, protects communications between two hosts.
-The second mode, _Tunnel Mode_, is used to build virtual tunnels, commonly known as Virtual Private Networks (VPNs).
-Consult man:ipsec[4] for detailed information on the IPsec subsystem in FreeBSD.
+[NOTE]
+====
+FreeBSD supports the implementation of NFSv4 ACLs in both UFS and OpenZFS.
+Please note that some arguments to the man:setfacl[1] command only work with POSIX ACLs and others in NFSv4 ACLs.
+====
-IPsec support is enabled by default on FreeBSD 11 and later.
-For previous versions of FreeBSD, add these options to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]:
+[[acl-enabling-support-ufs]]
+=== Enabling ACL Support in UFS
-[source,shell]
-....
-options IPSEC IP security
-device crypto
-....
+ACLs are enabled by the mount-time administrative flag, `acls`, which may be added to [.filename]#/etc/fstab#.
-If IPsec debugging support is desired, the following kernel option should also be added:
+Therefore it will be necessary to access [.filename]#/etc/fstab# and in the options section add the `acls` flag as follows:
-[source,shell]
+[.programlisting]
....
-options IPSEC_DEBUG debug for IP security
+# Device Mountpoint FStype Options Dump Pass#
+/dev/ada0s1a / ufs rw,acls 1 1
....
-This rest of this chapter demonstrates the process of setting up an IPsecVPN between a home network and a corporate network.
-In the example scenario:
-
-* Both sites are connected to the Internet through a gateway that is running FreeBSD.
-* The gateway on each network has at least one external IP address. In this example, the corporate LAN's external IP address is `172.16.5.4` and the home LAN's external IP address is `192.168.1.12`.
-* The internal addresses of the two networks can be either public or private IP addresses. However, the address space must not collide. For example, both networks cannot use `192.168.1.x`. In this example, the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's internal IP address is `10.0.0.5`.
+[[security-acl-info]]
+=== Get ACLs information
-=== Configuring a VPN on FreeBSD
+It is possible to check the ACLs of a file or a directory using man:getfacl[1].
-To begin, package:security/ipsec-tools[] must be installed from the Ports Collection.
-This software provides a number of applications which support the configuration.
-
-The next requirement is to create two man:gif[4] pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly.
-As `root`, run the following commands, replacing _internal_ and _external_ with the real IP addresses of the internal and external interfaces of the two gateways:
+For example, to view the ACL settings on [.filename]#~/test# file execute the following command:
[source,shell]
....
-# ifconfig gif0 create
-# ifconfig gif0 internal1 internal2
-# ifconfig gif0 tunnel external1 external2
+% getfacl test
....
-Verify the setup on each gateway, using `ifconfig`.
-Here is the output from Gateway 1:
+The output should be similar to the following in case of using NFSv4 ACLs:
[.programlisting]
....
-gif0: flags=8051 mtu 1280
-tunnel inet 172.16.5.4 --> 192.168.1.12
-inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
-inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00
+# file: test
+# owner: freebsduser
+# group: freebsduser
+ owner@:rw-p--aARWcCos:-------:allow
+ group@:r-----a-R-c--s:-------:allow
+ everyone@:r-----a-R-c--s:-------:allow
....
-Here is the output from Gateway 2:
+And the output should be similar to the following in case of using POSIX.1e ACLs:
[.programlisting]
....
-gif0: flags=8051 mtu 1280
-tunnel inet 192.168.1.12 --> 172.16.5.4
-inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
-inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4
+# file: test
+# owner: freebsduser
+# group: freebsduser
+user::rw-
+group::r--
+other::r--
....
-Once complete, both internal IP addresses should be reachable using man:ping[8]:
+[[security-working-acls]]
+=== Working with ACLs
-[source,shell]
-....
-priv-net# ping 10.0.0.5
-PING 10.0.0.5 (10.0.0.5): 56 data bytes
-64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
-64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
-64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
-64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
---- 10.0.0.5 ping statistics ---
-4 packets transmitted, 4 packets received, 0% packet loss
-round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms
+man:setfacl[1] can be used to add, modify or remove ACLs from a file or directory.
-corp-net# ping 10.246.38.1
-PING 10.246.38.1 (10.246.38.1): 56 data bytes
-64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
-64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
-64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
-64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
-64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
---- 10.246.38.1 ping statistics ---
-5 packets transmitted, 5 packets received, 0% packet loss
-round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms
-....
+As noted above, some arguments to man:setfacl[1] do not work with NFSv4 ACLs, and vice versa.
+This section covers how to execute the commands for POSIX ACLs and for NFSv4 ACLs and shows examples of both.
-As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses.
-Next, both gateways must be told how to route packets in order to correctly send traffic from either network.
-The following commands will achieve this goal:
+For example, to set the mandatory elements of the POSIX.1e default ACL:
[source,shell]
....
-corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0
-corp-net# route add net 10.0.0.0: gateway 10.0.0.5
-priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0
-priv-net# route add host 10.246.38.0: gateway 10.246.38.1
+% setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx directory
....
-At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways.
-Again, use man:ping[8] to confirm:
+This other example sets read, write, and execute permissions for the file owner's POSIX.1e ACL entry and read and write permissions for group mail on file:
[source,shell]
....
-corp-net# ping 10.0.0.8
-PING 10.0.0.8 (10.0.0.8): 56 data bytes
-64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
-64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
-64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
-64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
-64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
---- 10.0.0.8 ping statistics ---
-5 packets transmitted, 5 packets received, 0% packet loss
-round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms
-
-priv-net# ping 10.246.38.107
-PING 10.246.38.1 (10.246.38.107): 56 data bytes
-64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
-64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
-64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
-64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
-64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
---- 10.246.38.107 ping statistics ---
-5 packets transmitted, 5 packets received, 0% packet loss
-round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms
+% setfacl -m u::rwx,g:mail:rw file
....
-Setting up the tunnels is the easy part. Configuring a secure link is a more in depth process.
-The following configuration uses pre-shared (PSK) RSA keys.
-Other than the IP addresses, the [.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be identical and look similar to:
+To do the same as in the previous example but in NFSv4 ACL:
-[.programlisting]
-....
-path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
-log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
-
-padding # options are not to be changed
-{
- maximum_length 20;
- randomize off;
- strict_check off;
- exclusive_tail off;
-}
-
-timer # timing options. change as needed
-{
- counter 5;
- interval 20 sec;
- persend 1;
-# natt_keepalive 15 sec;
- phase1 30 sec;
- phase2 15 sec;
-}
-
-listen # address [port] that racoon will listen on
-{
- isakmp 172.16.5.4 [500];
- isakmp_natt 172.16.5.4 [4500];
-}
-
-remote 192.168.1.12 [500]
-{
- exchange_mode main,aggressive;
- doi ipsec_doi;
- situation identity_only;
- my_identifier address 172.16.5.4;
- peers_identifier address 192.168.1.12;
- lifetime time 8 hour;
- passive off;
- proposal_check obey;
-# nat_traversal off;
- generate_policy off;
-
- proposal {
- encryption_algorithm blowfish;
- hash_algorithm md5;
- authentication_method pre_shared_key;
- lifetime time 30 sec;
- dh_group 1;
- }
-}
-
-sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
-{ # $network must be the two internal networks you are joining.
- pfs_group 1;
- lifetime time 36000 sec;
- encryption_algorithm blowfish,3des;
- authentication_algorithm hmac_md5,hmac_sha1;
- compression_algorithm deflate;
-}
-....
-
-For descriptions of each available option, refer to the manual page for [.filename]#racoon.conf#.
-
-The Security Policy Database (SPD) needs to be configured so that FreeBSD and racoon are able to encrypt and decrypt network traffic between the hosts.
-
-This can be achieved with a shell script, similar to the following, on the corporate gateway.
-This file will be used during system initialization and should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#.
-
-[.programlisting]
+[source,shell]
....
-flush;
-spdflush;
-# To the home network
-spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
-spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;
+% setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
....
-Once in place, racoon may be started on both gateways using the following command:
+To remove all ACL entries except for the three required from file in POSIX.1e ACL:
[source,shell]
....
-# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
+% setfacl -bn file
....
-The output should be similar to the following:
+To remove all ACL entries in NFSv4 ACL:
[source,shell]
....
-corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
-Foreground mode.
-2006-01-30 01:35:47: INFO: begin Identity Protection mode.
-2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
-2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
-2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
-2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
-2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
-2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
-2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
-2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
-2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)
+% setfacl -b file
....
-To ensure the tunnel is working properly, switch to another console and use man:tcpdump[1] to view network traffic using the following command.
-Replace `em0` with the network interface card as required:
+Refer to man:getfacl[1] and man:setfacl[1] for more information about the options available for these commands.
-[source,shell]
-....
-# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12
-....
+[[capsicum]]
+== Capsicum
-Data similar to the following should appear on the console.
-If not, there is an issue and debugging the returned data will be required.
+Capsicum is a lightweight OS capability and sandbox framework implementing a hybrid capability system model.
+Capabilities are unforgeable tokens of authority that can be delegated and must be presented to perform an action.
+Capsicum makes file descriptors into capabilities.
-[.programlisting]
-....
-01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
-01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
-01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)
-....
+Capsicum can be used for application and library compartmentalisation,
+the decomposition of larger bodies of software into isolated (sandboxed) components in order to implement security policies and limit the impact of software vulnerabilities.
-At this point, both networks should be available and seem to be part of the same network.
-Most likely both networks are protected by a firewall.
-To allow traffic to flow between them, rules need to be added to pass packets.
-For the man:ipfw[8] firewall, add the following lines to the firewall configuration file:
+[[security-accounting]]
+== Process Accounting
-[.programlisting]
-....
-ipfw add 00201 allow log esp from any to any
-ipfw add 00202 allow log ah from any to any
-ipfw add 00203 allow log ipencap from any to any
-ipfw add 00204 allow log udp from any 500 to any
-....
+Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands.
+
+Process accounting has both positive and negative points.
+One of the positives is that an intrusion may be narrowed down to the point of entry.
+A negative is the amount of logs generated by process accounting, and the disk space they may require.
+This section walks an administrator through the basics of process accounting.
[NOTE]
====
-The rule numbers may need to be altered depending on the current host configuration.
+If more fine-grained accounting is needed, refer to crossref:audit[audit,Security Event Auditing].
====
-For users of man:pf[4] or man:ipf[8], the following rules should do the trick:
-
-[.programlisting]
-....
-pass in quick proto esp from any to any
-pass in quick proto ah from any to any
-pass in quick proto ipencap from any to any
-pass in quick proto udp from any port = 500 to any port = 500
-pass in quick on gif0 from any to any
-pass out quick proto esp from any to any
-pass out quick proto ah from any to any
-pass out quick proto ipencap from any to any
-pass out quick proto udp from any port = 500 to any port = 500
-pass out quick on gif0 from any to any
-....
-
-Finally, to allow the machine to start support for the VPN during system initialization, add the following lines to [.filename]#/etc/rc.conf#:
-
-[.programlisting]
-....
-ipsec_enable="YES"
-ipsec_program="/usr/local/sbin/setkey"
-ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
-racoon_enable="yes"
-....
-
-[[openssh]]
-== OpenSSH
-
-OpenSSH is a set of network connectivity tools used to provide secure access to remote machines.
-Additionally, TCP/IP connections can be tunneled or forwarded securely through SSH connections.
-OpenSSH encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
-
-OpenSSH is maintained by the OpenBSD project and is installed by default in FreeBSD.
-
-When data is sent over the network in an unencrypted form, network sniffers anywhere in between the client and server can steal user/password information or data transferred during the session.
-OpenSSH offers a variety of authentication and encryption methods to prevent this from happening.
-More information about OpenSSH is available from http://www.openssh.com/[http://www.openssh.com/].
-
-This section provides an overview of the built-in client utilities to securely access other systems and securely transfer files from a FreeBSD system.
-It then describes how to configure a SSH server on a FreeBSD system.
-More information is available in the man pages mentioned in this chapter.
-
-=== Using the SSH Client Utilities
-
-To log into a SSH server, use `ssh` and specify a username that exists on that server and the IP address or hostname of the server.
-If this is the first time a connection has been made to the specified server, the user will be prompted to first verify the server's fingerprint:
-
-[source,shell]
-....
-# ssh user@example.com
-The authenticity of host 'example.com (10.0.0.1)' can't be established.
-ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.
-Are you sure you want to continue connecting (yes/no)? yes
-Permanently added 'example.com' (ECDSA) to the list of known hosts.
-Password for user@example.com: user_password
-....
-
-SSH utilizes a key fingerprint system to verify the authenticity of the server when the client connects.
-When the user accepts the key's fingerprint by typing `yes` when connecting for the first time, a copy of the key is saved to [.filename]#.ssh/known_hosts# in the user's home directory.
-Future attempts to login are verified against the saved key and `ssh` will display an alert if the server's key does not match the saved key.
-If this occurs, the user should first verify why the key has changed before continuing with the connection.
-
-Recent versions of OpenSSH only accept SSHv2 connections.
-SSH protocol version 1 is obsolete.
+=== Enabling and Utilizing Process Accounting
-Use man:scp[1] to securely copy a file to or from a remote machine.
-This example copies [.filename]#COPYRIGHT# on the remote system to a file of the same name in the current directory of the local system:
+Before using process accounting, it must be enabled using the following commands:
[source,shell]
....
-# scp user@example.com:/COPYRIGHT COPYRIGHT
-Password for user@example.com: *******
-COPYRIGHT 100% |*****************************| 4735
-00:00
-#
+# sysrc accounting_enable=yes
+# service accounting start
....
-Since the fingerprint was already verified for this host, the server's key is automatically checked before prompting for the user's password.
-
-The arguments passed to `scp` are similar to `cp`.
-The file or files to copy is the first argument and the destination to copy to is the second.
-Since the file is fetched over the network, one or more of the file arguments takes the form `user@host:<path_to_remote_file>`.
-Be aware when copying directories recursively that `scp` uses `-r`, whereas `cp` uses `-R`.
+The accounting information is stored in files located in [.filename]#/var/account#, which is automatically created, if necessary, the first time the accounting service starts.
+These files contain sensitive information, including all the commands issued by all users.
+Write access to the files is limited to `root`, and read access is limited to `root` and members of the `wheel` group.
+To also prevent members of `wheel` from reading the files, change the mode of the [.filename]#/var/account# directory to allow access only by `root`.
-To open an interactive session for copying files, use `sftp`.
-Refer to man:sftp[1] for a list of available commands while in an `sftp` session.
+Once enabled, accounting will begin to track information such as CPU statistics and executed commands.
+All accounting logs are in a non-human readable format which can be viewed using man:sa[8].
+If issued without any options, man:sa[8] prints information relating to the number of per-user calls, the total elapsed time in minutes, total CPU and user time in minutes, and the average number of I/O operations.
+Refer to man:sa[8] for the list of available options which control the output.
-[[security-ssh-keygen]]
-==== Key-based Authentication
+To display the commands issued by users, use `lastcomm`.
-Instead of using passwords, a client can be configured to connect to the remote machine using keys.
-To generate RSA authentication keys, use `ssh-keygen`.
-To generate a public and private key pair, specify the type of key and follow the prompts.
-It is recommended to protect the keys with a memorable, but hard to guess passphrase.
+For example, this command prints out all usage of `ls` by `trhodes` on the `ttyp1` terminal:
[source,shell]
....
-% ssh-keygen -t rsa
-Generating public/private rsa key pair.
-Enter file in which to save the key (/home/user/.ssh/id_rsa):
-Enter passphrase (empty for no passphrase): <.>
-Enter same passphrase again: <.>
-Your identification has been saved in /home/user/.ssh/id_rsa.
-Your public key has been saved in /home/user/.ssh/id_rsa.pub.
-The key fingerprint is:
-SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com
-The key's randomart image is:
-+---[RSA 2048]----+
-| |
-| |
-| |
-| . o.. |
-| .S*+*o |
-| . O=Oo . . |
-| = Oo= oo..|
-| .oB.* +.oo.|
-| =OE**.o..=|
-+----[SHA256]-----+
+# lastcomm ls trhodes ttyp1
....
-<.> Type a passphrase here. It can contain spaces and symbols.
-<.> Retype the passphrase to verify it.
-
-The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key is stored in [.filename]#~/.ssh/id_rsa.pub#.
-The _public_ key must be copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-based authentication to work.
-
-[WARNING]
-====
-Many users believe that keys are secure by design and will use a key without a passphrase.
-This is _dangerous_ behavior.
-An administrator can verify that a key pair is protected by a passphrase by viewing the private key manually.
-If the private key file contains the word `ENCRYPTED`, the key owner is using a passphrase.
-In addition, to better secure end users, `from` may be placed in the public key file.
-For example, adding `from="192.168.10.5"` in front of the `ssh-rsa` prefix will only allow that specific user to log in from that IP address.
-====
-
-The options and files vary with different versions of OpenSSH.
-To avoid problems, consult man:ssh-keygen[1].
-
-If a passphrase is used, the user is prompted for the passphrase each time a connection is made to the server.
-To load SSH keys into memory and remove the need to type the passphrase each time, use man:ssh-agent[1] and man:ssh-add[1].
+Many other useful options exist and are explained in man:lastcomm[1], man:acct[5], and man:sa[8].
-Authentication is handled by `ssh-agent`, using the private keys that are loaded into it.
-`ssh-agent` can be used to launch another application like a shell or a window manager.
+[[security-resourcelimits]]
+== Resource Limits
-To use `ssh-agent` in a shell, start it with a shell as an argument.
-Add the identity by running `ssh-add` and entering the passphrase for the private key.
-The user will then be able to `ssh` to any host that has the corresponding public key installed.
-For example:
+In FreeBSD, resource limits refer to the mechanisms that control and manage the allocation of various system resources to processes and users.
+These limits are designed to prevent a single process or user from consuming an excessive amount of resources, which could lead to performance degradation or system instability.
+Resource limits help ensure fair resource distribution among all active processes and users on the system.
-[source,shell]
-....
-% ssh-agent csh
-% ssh-add
-Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <.>
-Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa)
-%
-....
-
-<.> Enter the passphrase for the key.
+FreeBSD provides several methods for an administrator to limit the amount of system resources an individual may use.
-To use `ssh-agent` in Xorg, add an entry for it in [.filename]#~/.xinitrc#.
-This provides the `ssh-agent` services to all programs launched in Xorg.
-An example [.filename]#~/.xinitrc# might look like this:
+The traditional method defines login classes by editing [.filename]#/etc/login.conf#.
+While this method is still supported, any changes require a multi-step process of editing this file, rebuilding the resource database, making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding the password database.
+This can become time consuming, depending upon the number of users to configure.
-[.programlisting]
-....
-exec ssh-agent startxfce4
-....
+man:rctl[8] can be used to provide a more fine-grained method for controlling resource limits.
+This command supports more than user limits as it can also be used to set resource constraints on processes and jails.
-This launches `ssh-agent`, which in turn launches XFCE, every time Xorg starts.
-Once Xorg has been restarted so that the changes can take effect, run `ssh-add` to load all of the SSH keys.
+This section demonstrates both methods for controlling resources, beginning with the traditional method.
-[[security-ssh-tunneling]]
-==== SSH Tunneling
+[[security-resource-limits-types]]
+=== Types of Resources
-OpenSSH has the ability to create a tunnel to encapsulate another protocol in an encrypted session.
+FreeBSD provides limits for various types of resources, including:
-The following command tells `ssh` to create a tunnel for telnet:
+.Resource types
+[options="header", cols="1,1"]
+|===
+| Type | Description
-[source,shell]
-....
-% ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
-%
-....
+| CPU Time
+| Limits the amount of CPU time a process can consume
-This example uses the following options:
+| Memory
+| Controls the amount of physical memory a process can use
-`-2`::
-Forces `ssh` to use version 2 to connect to the server.
+| Open Files
+| Limits the number of files a process can have open simultaneously
-`-N`::
-Indicates no command, or tunnel only.
-If omitted, `ssh` initiates a normal session.
+| Processes
+| Controls the number of processes a user or a process can create
-`-f`::
-Forces `ssh` to run in the background.
+| File Size
+| Limits the maximum size of files that a process can create
-`-L`::
-Indicates a local tunnel in _localport:remotehost:remoteport_ format.
+| Core Dumps
+| Controls whether processes are allowed to generate core dump files
-`user@foo.example.com`::
-The login name to use on the specified remote SSH server.
+| Network Resources
+| Limits the amount of network resources (e.g., sockets) a process can use
-An SSH tunnel works by creating a listen socket on `localhost` on the specified `localport`.
-It then forwards any connections received on `localport` via the SSH connection to the specified `remotehost:remoteport`.
-In the example, port `5023` on the client is forwarded to port `23` on the remote machine.
-Since port 23 is used by telnet, this creates an encrypted telnet session through an SSH tunnel.
+|===
-This method can be used to wrap any number of insecure TCP protocols such as SMTP, POP3, and FTP, as seen in the following examples.
+For a full listing of types see man:login.conf[5] and man:rctl[8].
-.Create a Secure Tunnel for SMTP
-[example]
-====
+[[users-limiting]]
+=== Configuring Login Classes
-[source,shell]
-....
-% ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
-user@mailserver.example.com's password: *****
-% telnet localhost 5025
-Trying 127.0.0.1...
-Connected to localhost.
-Escape character is '^]'.
-220 mailserver.example.com ESMTP
-....
-This can be used in conjunction with `ssh-keygen` and additional user accounts to create a more seamless SSH tunneling environment.
-Keys can be used in place of typing a password, and the tunnels can be run as a separate user.
-====
+In the traditional method, login classes and the resource limits to apply to a login class are defined in [.filename]#/etc/login.conf#.
+Each user account can be assigned to a login class, where `default` is the default login class.
+Each login class has a set of login capabilities associated with it.
+A login capability is a `_name_=_value_` pair, where _name_ is a well-known identifier and _value_ is an arbitrary string which is processed accordingly depending on the _name_.
-.Secure Access of a POP3 Server
-[example]
-====
-In this example, there is an SSH server that accepts connections from the outside.
-On the same network resides a mail server running a POP3 server.
-To check email in a secure manner, create an SSH connection to the SSH server and tunnel through to the mail server:
+The first step to configure a resource limit will be to open [.filename]#/etc/login.conf# by executing the following command:
[source,shell]
....
-% ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
-user@ssh-server.example.com's password: ******
+# ee /etc/login.conf
....
-Once the tunnel is up and running, point the email client to send POP3 requests to `localhost` on port 2110.
-This connection will be forwarded securely across the tunnel to `mail.example.com`.
-====
-
-.Bypassing a Firewall
-[example]
-====
-Some firewalls filter both incoming and outgoing connections.
-For example, a firewall might limit access from remote machines to ports 22 and 80 to only allow SSH and web surfing.
-This prevents access to any other service which uses a port other than 22 or 80.
+Then locate the section for the user class to be modified.
+In this example, let's assume the user class is named `limited`, create it in case it does not exist.
-The solution is to create an SSH connection to a machine outside of the network's firewall and use it to tunnel to the desired service:
-
-[source,shell]
+[.programlisting]
....
-% ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org
-user@unfirewalled-system.example.org's password: *******
+limited:\ <.>
+ :maxproc=50:\ <.>
+ :tc=default: <.>
....
-In this example, a streaming Ogg Vorbis client can now be pointed to `localhost` port 8888, which will be forwarded over to `music.example.com` on port 8000, successfully bypassing the firewall.
-====
-
-=== Enabling the SSH Server
+<.> Name of the user class.
+<.> Sets the maximum number of processes (maxproc) to 50 for users in the `limited` class.
+<.> Indicates that this user class inherits the default settings from the "default" class.
-In addition to providing built-in SSH client utilities, a FreeBSD system can be configured as an SSH server, accepting connections from other SSH clients.
-
-To see if sshd is operating, use the man:service[8] command:
+After modifying the [.filename]#/etc/login.conf# file, run man:cap_mkdb[1] to generate the database that FreeBSD uses to apply these settings:
[source,shell]
....
-# service sshd status
-....
-
-If the service is not running, add the following line to [.filename]#/etc/rc.conf#.
-
-[.programlisting]
-....
-sshd_enable="YES"
+# cap_mkdb /etc/login.conf
....
-This will start sshd, the daemon program for OpenSSH, the next time the system boots. To start it now:
+man:chpass[1] can be used to change the class to the desired user by executing the following command:
[source,shell]
....
-# service sshd start
+# chpass username
....
-The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console.
-Provide users with the fingerprint so that they can verify it the first time they connect to the server.
-
-Refer to man:sshd[8] for the list of available options when starting sshd and a more complete discussion about authentication, the login process, and the various configuration files.
-
-At this point, the sshd should be available to all users with a username and password on the system.
-
-=== SSH Server Security
-
-While sshd is the most widely used remote administration facility for FreeBSD, brute force and drive by attacks are common to any system exposed to public networks.
-Several additional parameters are available to prevent the success of these attacks and will be described in this section.
-
-It is a good idea to limit which users can log into the SSH server and from where using the `AllowUsers` keyword in the OpenSSH server configuration file.
-For example, to only allow `root` to log in from `192.168.1.32`, add this line to [.filename]#/etc/ssh/sshd_config#:
+This will open a text editor, add the new `limited` class there as follows:
[.programlisting]
....
-AllowUsers root@192.168.1.32
-....
+#Changing user information for username.
+Login: username
+Password: $6$2H.419USdGaiJeqK$6kgcTnDadasdasd3YnlNZsOni5AMymibkAfRCPirc7ZFjjv
+DVsKyXx26daabdfqSdasdsmL/ZMUpdHiO0
+Uid [#]: 1001
+Gid [# or name]: 1001
+Change [month day year]:
+Expire [month day year]:
+Class: limited
+Home directory: /home/username
+Shell: /bin/sh
+Full Name: User &
+Office Location:
+Office Phone:
+Home Phone:
+Other information:
+....
+
+Now, the user assigned to the `limited` class will have a maximum process limit of 50.
+Remember that this is just one example of setting a resource limit using the [.filename]#/etc/login.conf# file.
+
+Keep in mind that after making changes to the [.filename]#/etc/login.conf# file, the user needs to log out and log back in for the changes to take effect.
+Additionally, always exercise caution when editing system configuration files, especially when using privileged access.
+
+[[security-rctl]]
+=== Enabling and Configuring Resource Limits
-To allow `admin` to log in from anywhere, list that user without specifying an IP address:
+The man:rctl[8] system provides a more fine-grained way to set and manage resource limits for individual processes and users.
+It allows you to dynamically assign resource limits to specific processes or users, regardless of their user class.
-[.programlisting]
-....
-AllowUsers admin
-....
-
-Multiple users should be listed on the same line, like so:
+The first step to use man:rctl[8] will be to enable it adding the following line to [.filename]#/boot/loader.conf# and reboot the system:
[.programlisting]
....
-AllowUsers root@192.168.1.32 admin
+kern.racct.enable=1
....
-After making changes to [.filename]#/etc/ssh/sshd_config#, tell sshd to reload its configuration file by running:
+Then enable and start the man:rctl[8] service by executing the following commands:
[source,shell]
....
-# service sshd reload
+# sysrc rctl_enable="YES"
+# service rctl start
....
-[NOTE]
-====
-When this keyword is used, it is important to list each user that needs to log into this machine.
-Any user that is not specified in that line will be locked out.
-Also, the keywords used in the OpenSSH server configuration file are case-sensitive.
-If the keyword is not spelled correctly, including its case, it will be ignored.
-Always test changes to this file to make sure that the edits are working as expected.
-Refer to man:sshd_config[5] to verify the spelling and use of the available keywords.
-====
+Then man:rctl[8] may be used to set rules for the system.
-In addition, users may be forced to use two factor authentication via the use of a public and private key.
-When required, the user may generate a key pair through the use of man:ssh-keygen[1] and send the administrator the public key.
-This key file will be placed in the [.filename]#authorized_keys# as described above in the client section.
-To force the users to use keys only, the following option may be configured:
+Rule syntax (man:rctl.conf[5]) is controlled through the use of a subject, subject-id, resource, and action, as seen in this example rule:
[.programlisting]
....
-AuthenticationMethods publickey
+subject:subject-id:resource:action=amount/per
....
-[TIP]
-====
+For example to constrained the user to add no more than 10 processes execute the following command:
-Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/ssh_config# (note the extra `d` in the first filename).
-The first file configures the server and the second file configures the client.
-Refer to man:ssh_config[5] for a listing of the available client settings.
-====
-
-[[fs-acl]]
-== Access Control Lists
-
-Access Control Lists (ACLs) extend the standard UNIX(R) permission model in a POSIX(R).1e compatible way.
-This permits an administrator to take advantage of a more fine-grained permissions model.
-
-The FreeBSD [.filename]#GENERIC# kernel provides ACL support for UFS file systems.
-Users who prefer to compile a custom kernel must include the following option in their custom kernel configuration file:
-
-[.programlisting]
-....
-options UFS_ACL
-....
-
-If this option is not compiled in, a warning message will be displayed when attempting to mount a file system with ACL support.
-ACLs rely on extended attributes which are natively supported in UFS2.
-
-This chapter describes how to enable ACL support and provides some usage examples.
-
-=== Enabling ACL Support
-
-ACLs are enabled by the mount-time administrative flag, `acls`, which may be added to [.filename]#/etc/fstab#.
-The mount-time flag can also be automatically set in a persistent manner using man:tunefs[8] to modify a superblock ACLs flag in the file system header.
-In general, it is preferred to use the superblock flag for several reasons:
-
-* The superblock flag cannot be changed by a remount using `mount -u` as it requires a complete `umount` and fresh `mount`. This means that ACLs cannot be enabled on the root file system after boot. It also means that ACL support on a file system cannot be changed while the system is in use.
-* Setting the superblock flag causes the file system to always be mounted with ACLs enabled, even if there is not an [.filename]#fstab# entry or if the devices re-order. This prevents accidental mounting of the file system without ACL support.
-
-[NOTE]
-====
-It is desirable to discourage accidental mounting without ACLs enabled because nasty things can happen if ACLs are enabled, then disabled, then re-enabled without flushing the extended attributes.
-In general, once ACLs are enabled on a file system, they should not be disabled, as the resulting file protections may not be compatible with those intended by the users of the system, and re-enabling ACLs may re-attach the previous ACLs to files that have since had their permissions changed, resulting in unpredictable behavior.
-====
-
-File systems with ACLs enabled will show a plus (`+`) sign in their permission settings:
-
-[.programlisting]
+[source,shell]
....
-drwx------ 2 robert robert 512 Dec 27 11:54 private
-drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
-drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
-drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
-drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html
+# rctl -a user:username:maxproc:deny=10/user
....
-In this example, [.filename]#directory1#, [.filename]#directory2#, and [.filename]#directory3# are all taking advantage of ACLs, whereas [.filename]#private# and [.filename]#public_html# are not.
-
-=== Using ACLs
-
-File system ACLs can be viewed using `getfacl`.
-For instance, to view the ACL settings on [.filename]#test#:
+To check the applied resource limits the man:rctl[8] command can be executed:
[source,shell]
....
-% getfacl test
- #file:test
- #owner:1001
- #group:1001
- user::rw-
- group::r--
- other::r--
+# rctl
....
-To change the ACL settings on this file, use `setfacl`.
-To remove all of the currently defined ACLs from a file or file system, include `-k`.
-However, the preferred method is to use `-b` as it leaves the basic fields required for ACLs to work.
+The output should be similar to the following:
-[source,shell]
+[.programlisting]
....
-% setfacl -k test
+user:username:maxproc:deny=10
....
-To modify the default ACL entries, use `-m`:
+Rules will persist across reboots if they have been added to [.filename]#/etc/rctl.conf#.
+The format is a rule, without the preceding command. For example, the previous rule could be added as:
-[source,shell]
+[.programlisting]
....
-% setfacl -m u:trhodes:rwx,group:web:r--,o::--- test
+user:username:maxproc:deny=10
....
-In this example, there were no pre-defined entries, as they were removed by the previous command.
-This command restores the default options and assigns the options listed.
-If a user or group is added which does not exist on the system, an `Invalid argument` error will be displayed.
-
-Refer to man:getfacl[1] and man:setfacl[1] for more information about the options available for these commands.
-
[[security-pkg]]
== Monitoring Third Party Security Issues
@@ -2000,36 +1955,44 @@ A FreeBSD add on utility known as pkg includes options explicitly for this purpo
pkg polls a database for security issues.
The database is updated and maintained by the FreeBSD Security Team and ports developers.
-Please refer to crossref:ports[pkgng-intro,instructions] for installing pkg.
-
Installation provides man:periodic[8] configuration files for maintaining the pkg audit database, and provides a programmatic method of keeping it updated.
-This functionality is enabled if `daily_status_security_pkgaudit_enable` is set to `YES` in man:periodic.conf[5].
-Ensure that daily security run emails, which are sent to ``root``'s email account, are being read.
After installation, and to audit third party utilities as part of the Ports Collection at any time, an administrator may choose to update the database and view known vulnerabilities of installed packages by invoking:
[source,shell]
....
-# pkg audit -F
+% pkg audit -F
....
-pkg displays messages any published vulnerabilities in installed packages:
+The output should be similar to the following:
[.programlisting]
....
-Affected package: cups-base-1.1.22.0_1
-Type of problem: cups-base -- HPGL buffer overflow vulnerability.
-Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>
+vulnxml file up-to-date
+chromium-116.0.5845.96_1 is vulnerable:
+ chromium -- multiple vulnerabilities
+ CVE: CVE-2023-4431
+ CVE: CVE-2023-4427
+ CVE: CVE-2023-4428
+ CVE: CVE-2023-4429
+ CVE: CVE-2023-4430
+ WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html
-1 problem(s) in your installed packages found.
+samba413-4.13.17_5 is vulnerable:
+ samba -- multiple vulnerabilities
+ CVE: CVE-2023-3347
+ CVE: CVE-2023-34966
+ CVE: CVE-2023-34968
+ CVE: CVE-2022-2127
+ CVE: CVE-2023-34967
+ WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html
-You are advised to update or deinstall the affected package(s) immediately.
+2 problem(s) in 2 installed package(s) found.
....
By pointing a web browser to the displayed URL, an administrator may obtain more information about the vulnerability.
-This will include the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories.
-pkg is a powerful utility and is extremely useful when coupled with package:ports-mgmt/portmaster[].
+This will include the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories.
[[security-advisories]]
== FreeBSD Security Advisories
@@ -2040,9 +2003,7 @@ More information about the FreeBSD security team and the supported releases is a
One task of the security team is to respond to reported security vulnerabilities in the FreeBSD operating system.
Once a vulnerability is confirmed, the security team verifies the steps necessary to fix the vulnerability and updates the source code with the fix.
It then publishes the details as a "Security Advisory".
-Security advisories are published on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] and mailed to the {freebsd-security-notifications}, {freebsd-security}, and {freebsd-announce} mailing lists.
-
-This section describes the format of a FreeBSD security advisory.
+Security advisories are published on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] and mailed to the {freebsd-security-notifications}, {freebsd-security}, and {freebsd-announce}.
=== Format of a Security Advisory
@@ -2050,61 +2011,77 @@ Here is an example of a FreeBSD security advisory:
[.programlisting]
....
-=============================================================================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
-FreeBSD-SA-14:04.bind Security Advisory
+FreeBSD-SA-23:07.bhyve Security Advisory
The FreeBSD Project
-Topic: BIND remote denial of service vulnerability
-
-Category: contrib
-Module: bind
-Announced: 2014-01-14
-Credits: ISC
-Affects: FreeBSD 8.x and FreeBSD 9.x
-Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
- 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
- 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
- 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
- 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
- 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
-CVE Name: CVE-2014-0591
+Topic: bhyve privileged guest escape via fwctl
+
+Category: core
+Module: bhyve
+Announced: 2023-08-01
+Credits: Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
+Affects: FreeBSD 13.1 and 13.2
+Corrected: 2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
+CVE Name: CVE-2023-3494
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
-following sections, please visit <URL:http://security.FreeBSD.org/>.
+following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
-BIND 9 is an implementation of the Domain Name System (DNS) protocols.
-The named(8) daemon is an Internet Domain Name Server.
+bhyve(8)'s fwctl interface provides a mechanism through which guest
+firmware can query the hypervisor for information about the virtual
+machine. The fwctl interface is available to guests when bhyve is run
+with the "-l bootrom" option, used for example when booting guests in
+UEFI mode.
+
+bhyve is currently only supported on the amd64 platform.
II. Problem Description
-Because of a defect in handling queries for NSEC3-signed zones, BIND can
-crash with an "INSIST" failure in name.c when processing queries possessing
-certain properties. This issue only affects authoritative nameservers with
-at least one NSEC3-signed zone. Recursive-only servers are not at risk.
+The fwctl driver implements a state machine which is executed when the
+guest accesses certain x86 I/O ports. The interface lets the guest copy
+a string into a buffer resident in the bhyve process' memory. A bug in
+the state machine implementation can result in a buffer overflowing when
+copying this string.
III. Impact
-An attacker who can send a specially crafted query could cause named(8)
-to crash, resulting in a denial of service.
+A malicious, privileged software running in a guest VM can exploit the
+buffer overflow to achieve code execution on the host in the bhyve
+userspace process, which typically runs as root. Note that bhyve runs
+in a Capsicum sandbox, so malicious code is constrained by the
+capabilities available to the bhyve process.
IV. Workaround
-No workaround is available, but systems not running authoritative DNS service
-with at least one NSEC3-signed zone using named(8) are not vulnerable.
+No workaround is available. bhyve guests that are executed without the
+"-l bootrom" option are unaffected.
V. Solution
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
Perform one of the following:
-1) Upgrade your vulnerable system to a supported FreeBSD stable or
-release / security branch (releng) dated after the correction date.
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all affected virtual machines.
2) To update your vulnerable system via a source code patch:
@@ -2114,92 +2091,83 @@ FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
-[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
-# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
-# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
-# gpg --verify bind-release.patch.asc
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
+# gpg --verify bhyve.13.2.patch.asc
-[FreeBSD 9.2-STABLE]
-# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
-# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
-# gpg --verify bind-stable-9.patch.asc
+[FreeBSD 13.1]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
+# gpg --verify bhyve.13.1.patch.asc
-b) Execute the following commands as root:
+b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
-Recompile the operating system using buildworld and installworld as
+c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
-Restart the applicable daemons, or reboot the system.
-
-3) To update your vulnerable system via a binary patch:
-
-Systems running a RELEASE version of FreeBSD on the i386 or amd64
-platforms can be updated via the freebsd-update(8) utility:
-
-# freebsd-update fetch
-# freebsd-update install
+Restart all affected virtual machines.
VI. Correction details
-The following list contains the correction revision numbers for each
-affected branch.
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
-Branch/path Revision
+Branch/path Hash Revision
- -------------------------------------------------------------------------
-stable/8/ r260646
-releng/8.3/ r260647
-releng/8.4/ r260647
-stable/9/ r260646
-releng/9.1/ r260647
-releng/9.2/ r260647
+stable/13/ 9fe302d78109 stable/13-n255918
+releng/13.2/ 2bae613e0da3 releng/13.2-n254625
+releng/13.1/ 87702e38a4b4 releng/13.1-n250190
- -------------------------------------------------------------------------
-To see which files were modified by a particular revision, run the
-following command, replacing NNNNNN with the revision number, on a
-machine with Subversion installed:
+Run the following command to see which files were modified by a
+particular commit:
-# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+# git show --stat <commit hash>
-Or visit the following URL, replacing NNNNNN with the revision number:
+Or visit the following URL, replacing NNNNNN with the hash:
-<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
-VII. References
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
-<URL:https://kb.isc.org/article/AA-01078>
+# git rev-list --count --first-parent HEAD
-<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3494>
The latest revision of this advisory is available at
-<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc>
-----BEGIN PGP SIGNATURE-----
-iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
-ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
-XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
-ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
-9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
-fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
-OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
-zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
-Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
-067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
-7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
-UWWemqWuz3lAZuORQ9KX
-=OQzQ
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A
+Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K
+qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM
+cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K
+KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV
+fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb
+hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF
+NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip
+hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0
+drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0
+JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4
+LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=
+=MlAY
-----END PGP SIGNATURE-----
....
Every security advisory uses the following format:
* Each security advisory is signed by the PGP key of the Security Officer. The public key for the Security Officer can be verified at crossref:pgpkeys[pgpkeys,OpenPGP Keys].
-* The name of the security advisory always begins with `FreeBSD-SA-` (for FreeBSD Security Advisory), followed by the year in two digit format (`14:`), followed by the advisory number for that year (`04.`), followed by the name of the affected application or subsystem (`bind`). The advisory shown here is the fourth advisory for 2014 and it affects BIND.
+* The name of the security advisory always begins with `FreeBSD-SA-` (for FreeBSD Security Advisory), followed by the year in two digit format (`23:`), followed by the advisory number for that year (`07.`), followed by the name of the affected application or subsystem (`bhyve`).
* The `Topic` field summarizes the vulnerability.
* The `Category` refers to the affected part of the system which may be one of `core`, `contrib`, or `ports`. The `core` category means that the vulnerability affects a core component of the FreeBSD operating system. The `contrib` category means that the vulnerability affects software included with FreeBSD, such as BIND. The `ports` category indicates that the vulnerability affects software available through the Ports Collection.
-* The `Module` field refers to the component location. In this example, the `bind` module is affected; therefore, this vulnerability affects an application installed with the operating system.
+* The `Module` field refers to the component location. In this example, the `bhyve` module is affected; therefore, this vulnerability affects an application installed with the operating system.
* The `Announced` field reflects the date the security advisory was published. This means that the security team has verified that the problem exists and that a patch has been committed to the FreeBSD source code repository.
* The `Credits` field gives credit to the individual or organization who noticed the vulnerability and reported it.
* The `Affects` field explains which releases of FreeBSD are affected by this vulnerability.
@@ -2208,383 +2176,7 @@ Every security advisory uses the following format:
* The `Background` field provides a description of the affected module.
* The `Problem Description` field explains the vulnerability. This can include information about the flawed code and how the utility could be maliciously used.
* The `Impact` field describes what type of impact the problem could have on a system.
-* The `Workaround` field indicates if a workaround is available to system administrators who cannot immediately patch the system .
+* The `Workaround` field indicates if a workaround is available to system administrators who cannot immediately patch the system.
* The `Solution` field provides the instructions for patching the affected system. This is a step by step tested and verified method for getting a system patched and working securely.
-* The `Correction Details` field displays each affected Subversion branch with the revision number that contains the corrected code.
+* The `Correction Details` field displays each affected Subversion or Git branch with the revision number that contains the corrected code.
* The `References` field offers sources of additional information regarding the vulnerability.
-
-[[security-accounting]]
-== Process Accounting
-
-Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands.
-
-Process accounting has both positive and negative points.
-One of the positives is that an intrusion may be narrowed down to the point of entry.
-A negative is the amount of logs generated by process accounting, and the disk space they may require.
-This section walks an administrator through the basics of process accounting.
-
-[NOTE]
-====
-If more fine-grained accounting is needed, refer to crossref:audit[audit,Security Event Auditing].
-====
-
-=== Enabling and Utilizing Process Accounting
-
-Before using process accounting, it must be enabled using the following commands:
-
-[source,shell]
-....
-# sysrc accounting_enable=yes
-# service accounting start
-....
-
-The accounting information is stored in files located in [.filename]#/var/account#, which is automatically created, if necessary, the first time the accounting service starts.
-These files contain sensitive information, including all the commands issued by all users.
-Write access to the files is limited to `root`, and read access is limited to `root` and members of the `wheel` group.
-To also prevent members of `wheel` from reading the files, change the mode of the [.filename]#/var/account# directory to allow access only by `root`.
-
-Once enabled, accounting will begin to track information such as CPU statistics and executed commands.
-All accounting logs are in a non-human readable format which can be viewed using `sa`.
-If issued without any options, `sa` prints information relating to the number of per-user calls, the total elapsed time in minutes, total CPU and user time in minutes, and the average number of I/O operations.
-Refer to man:sa[8] for the list of available options which control the output.
-
-To display the commands issued by users, use `lastcomm`.
-For example, this command prints out all usage of `ls` by `trhodes` on the `ttyp1` terminal:
-
-[source,shell]
-....
-# lastcomm ls trhodes ttyp1
-....
-
-Many other useful options exist and are explained in man:lastcomm[1], man:acct[5], and man:sa[8].
-
-[[security-resourcelimits]]
-== Resource Limits
-
-FreeBSD provides several methods for an administrator to limit the amount of system resources an individual may use.
-Disk quotas limit the amount of disk space available to users.
-Quotas are discussed in crossref:disks[quotas,"Disk Quotas"].
-
-Limits to other resources, such as CPU and memory, can be set using either a flat file or a command to configure a resource limits database.
-The traditional method defines login classes by editing [.filename]#/etc/login.conf#.
-While this method is still supported, any changes require a multi-step process of editing this file, rebuilding the resource database, making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding the password database.
-This can become time consuming, depending upon the number of users to configure.
-
-`rctl` can be used to provide a more fine-grained method for controlling resource limits.
-This command supports more than user limits as it can also be used to set resource constraints on processes and jails.
-
-This section demonstrates both methods for controlling resources, beginning with the traditional method.
-
-[[users-limiting]]
-=== Configuring Login Classes
-
-In the traditional method, login classes and the resource limits to apply to a login class are defined in [.filename]#/etc/login.conf#.
-Each user account can be assigned to a login class, where `default` is the default login class.
-Each login class has a set of login capabilities associated with it.
-A login capability is a `_name_=_value_` pair, where _name_ is a well-known identifier and _value_ is an arbitrary string which is processed accordingly depending on the _name_.
-
-[NOTE]
-====
-Whenever [.filename]#/etc/login.conf# is edited, the [.filename]#/etc/login.conf.db# must be updated by executing the following command:
-
-[source,shell]
-....
-# cap_mkdb /etc/login.conf
-....
-
-====
-
-Resource limits differ from the default login capabilities in two ways.
-First, for every limit, there is a _soft_ and _hard_ limit.
-A soft limit may be adjusted by the user or application, but may not be set higher than the hard limit.
-The hard limit may be lowered by the user, but can only be raised by the superuser.
-Second, most resource limits apply per process to a specific user.
-
-<<resource-limits>> lists the most commonly used resource limits.
-All of the available resource limits and capabilities are described in detail in man:login.conf[5].
-
-[[resource-limits]]
-.Login Class Resource Limits
-[cols="20%,80%", frame="none", options="header"]
-|===
-| Resource Limit
-| Description
-
-|coredumpsize
-|The limit on the size of a core file generated by a program is subordinate to other limits on disk usage, such as `filesize` or disk quotas. This limit is often used as a less severe method of controlling disk space consumption. Since users do not generate core files and often do not delete them, this setting may save them from running out of disk space should a large program crash.
-
-|cputime
-|The maximum amount of CPU time a user's process may consume. Offending processes will be killed by the kernel. This is a limit on CPU _time_ consumed, not the percentage of the CPU as displayed in some of the fields generated by `top` and `ps`.
-
-|filesize
-|The maximum size of a file the user may own. Unlike disk quotas (crossref:disks[quotas,"Disk Quotas"]), this limit is enforced on individual files, not the set of all files a user owns.
-
-|maxproc
-|The maximum number of foreground and background processes a user can run. This limit may not be larger than the system limit specified by `kern.maxproc`. Setting this limit too small may hinder a user's productivity as some tasks, such as compiling a large program, start lots of processes.
-
-|memorylocked
-|The maximum amount of memory a process may request to be locked into main memory using man:mlock[2]. Some system-critical programs, such as man:amd[8], lock into main memory so that if the system begins to swap, they do not contribute to disk thrashing.
-
-|memoryuse
-|The maximum amount of memory a process may consume at any given time. It includes both core memory and swap usage. This is not a catch-all limit for restricting memory consumption, but is a good start.
-
-|openfiles
-|The maximum number of files a process may have open. In FreeBSD, files are used to represent sockets and IPC channels, so be careful not to set this too low. The system-wide limit for this is defined by `kern.maxfiles`.
-
-|sbsize
-|The limit on the amount of network memory a user may consume. This can be generally used to limit network communications.
-
-|stacksize
-|The maximum size of a process stack. This alone is not sufficient to limit the amount of memory a program may use, so it should be used in conjunction with other limits.
-|===
-
-There are a few other things to remember when setting resource limits:
-
-* Processes started at system startup by [.filename]#/etc/rc# are assigned to the `daemon` login class.
-* Although the default [.filename]#/etc/login.conf# is a good source of reasonable values for most limits, they may not be appropriate for every system. Setting a limit too high may open the system up to abuse, while setting it too low may put a strain on productivity.
-* Xorg takes a lot of resources and encourages users to run more programs simultaneously.
-* Many limits apply to individual processes, not the user as a whole. For example, setting `openfiles` to `50` means that each process the user runs may open up to `50` files. The total amount of files a user may open is the value of `openfiles` multiplied by the value of `maxproc`. This also applies to memory consumption.
-
-For further information on resource limits and login classes and capabilities in general, refer to man:cap.mkdb[1], man:getrlimit[2], and man:login.conf[5].
-
-=== Enabling and Configuring Resource Limits
-
-The `kern.racct.enable` tunable must be set to a non-zero value.
-Custom kernels require specific configuration:
-
-[.programlisting]
-....
-options RACCT
-options RCTL
-....
-
-Once the system has rebooted into the new kernel, `rctl` may be used to set rules for the system.
-
-Rule syntax is controlled through the use of a subject, subject-id, resource, and action, as seen in this example rule:
-
-[.programlisting]
-....
-user:trhodes:maxproc:deny=10/user
-....
-
-In this rule, the subject is `user`, the subject-id is `trhodes`, the resource, `maxproc`, is the maximum number of processes, and the action is `deny`, which blocks any new processes from being created.
-This means that the user, `trhodes`, will be constrained to no greater than `10` processes.
-Other possible actions include logging to the console, passing a notification to man:devd[8], or sending a sigterm to the process.
-
-Some care must be taken when adding rules.
-Since this user is constrained to `10` processes, this example will prevent the user from performing other tasks after logging in and executing a `screen` session.
-Once a resource limit has been hit, an error will be printed, as in this example:
-
-[source,shell]
-....
-% man test
- /usr/bin/man: Cannot fork: Resource temporarily unavailable
-eval: Cannot fork: Resource temporarily unavailable
-....
-
-As another example, a jail can be prevented from exceeding a memory limit.
-This rule could be written as:
-
-[source,shell]
-....
-# rctl -a jail:httpd:memoryuse:deny=2G/jail
-....
-
-Rules will persist across reboots if they have been added to [.filename]#/etc/rctl.conf#.
-The format is a rule, without the preceding command. For example, the previous rule could be added as:
-
-[.programlisting]
-....
-# Block jail from using more than 2G memory:
-jail:httpd:memoryuse:deny=2G/jail
-....
-
-To remove a rule, use `rctl` to remove it from the list:
-
-[source,shell]
-....
-# rctl -r user:trhodes:maxproc:deny=10/user
-....
-
-A method for removing all rules is documented in man:rctl[8].
-However, if removing all rules for a single user is required, this command may be issued:
-
-[source,shell]
-....
-# rctl -r user:trhodes
-....
-
-Many other resources exist which can be used to exert additional control over various `subjects`.
-See man:rctl[8] to learn about them.
-
-[[security-sudo]]
-== Shared Administration with Sudo
-
-System administrators often need the ability to grant enhanced permissions to users so they may perform privileged tasks.
-The idea that team members are provided access to a FreeBSD system to perform their specific tasks opens up unique challenges to every administrator.
-These team members only need a subset of access beyond normal end user levels; however, they almost always tell management they are unable to perform their tasks without superuser access.
-Thankfully, there is no reason to provide such access to end users because tools exist to manage this exact requirement.
-
-Up to this point, the security chapter has covered permitting access to authorized users and attempting to prevent unauthorized access.
-Another problem arises once authorized users have access to the system resources.
-In many cases, some users may need access to application startup scripts, or a team of administrators need to maintain the system.
-Traditionally, the standard users and groups, file permissions, and even the man:su[1] command would manage this access.
-And as applications required more access, as more users needed to use system resources, a better solution was required.
-The most used application is currently Sudo.
-
-Sudo allows administrators to configure more rigid access to system commands and provide for some advanced logging features.
-As a tool, it is available from the Ports Collection as package:security/sudo[] or by use of the man:pkg[8] utility.
-To use the man:pkg[8] tool:
-
-[source,shell]
-....
-# pkg install sudo
-....
-
-After the installation is complete, the installed `visudo` will open the configuration file with a text editor.
-Using `visudo` is highly recommended as it comes with a built in syntax checker to verify there are no errors before the file is saved.
-
-The configuration file is made up of several small sections which allow for extensive configuration.
-In the following example, web application maintainer, user1, needs to start, stop, and restart the web application known as _webservice_.
-To grant this user permission to perform these tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#:
-
-[.programlisting]
-....
-user1 ALL=(ALL) /usr/sbin/service webservice *
-....
-
-The user may now start _webservice_ using this command:
-
-[source,shell]
-....
-% sudo /usr/sbin/service webservice start
-....
-
-While this configuration allows a single user access to the webservice service;
-however, in most organizations, there is an entire web team in charge of managing the service.
-A single line can also give access to an entire group.
-These steps will create a web group, add a user to this group, and allow all members of the group to manage the service:
-
-[source,shell]
-....
-# pw groupadd -g 6001 -n webteam
-....
-
-Using the same man:pw[8] command, the user is added to the webteam group:
-
-[source,shell]
-....
-# pw groupmod -m user1 -n webteam
-....
-
-Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member of the webteam group to manage _webservice_:
-
-[.programlisting]
-....
-%webteam ALL=(ALL) /usr/sbin/service webservice *
-....
-
-Unlike man:su[1], Sudo only requires the end user password.
-This adds an advantage where users will not need shared passwords,
-a finding in most security audits and just bad all the way around.
-
-Users permitted to run applications with Sudo only enter their own passwords.
-This is more secure and gives better control than man:su[1],
-where the `root` password is entered and the user acquires all `root` permissions.
-
-[TIP]
-====
-
-Most organizations are moving or have moved toward a two factor authentication model.
-In these cases, the user may not have a password to enter.
-Sudo provides for these cases with the `NOPASSWD` variable.
-Adding it to the configuration above will allow all members of the _webteam_ group to manage the service without the password requirement:
-
-[.programlisting]
-....
-%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *
-....
-
-====
-
-[[security-sudo-loggin]]
-=== Logging Output
-
-An advantage to implementing Sudo is the ability to enable session logging.
-Using the built in log mechanisms and the included sudoreplay command,
-all commands initiated through Sudo are logged for later verification.
-To enable this feature, add a default log directory entry, this example uses a user variable.
-Several other log filename conventions exist, consult the manual page for sudoreplay for additional information.
-
-[.programlisting]
-....
-Defaults iolog_dir=/var/log/sudo-io/%{user}
-....
-
-[TIP]
-====
-
-This directory will be created automatically after the logging is configured.
-It is best to let the system create directory with default permissions just to be safe.
-In addition, this entry will also log administrators who use the sudoreplay command.
-To change this behavior, read and uncomment the logging options inside [.filename]#sudoers#.
-====
-
-Once this directive has been added to the [.filename]#sudoers# file, any user configuration can be updated with the request to log access.
-In the example shown, the updated _webteam_ entry would have the following additional changes:
-
-[.programlisting]
-....
-%webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *
-....
-
-From this point on, all _webteam_ members altering the status of the _webservice_ application will be logged.
-The list of previous and current sessions can be displayed with:
-
-[source,shell]
-....
-# sudoreplay -l
-....
-
-In the output, to replay a specific session, search for the `TSID=` entry, and pass that to sudoreplay with no other options to replay the session at normal speed.
-For example:
-
-[source,shell]
-....
-# sudoreplay user1/00/00/02
-....
-
-[WARNING]
-====
-
-While sessions are logged, any administrator is able to remove sessions and leave only a question of why they had done so.
-It is worthwhile to add a daily check through an intrusion detection system (IDS) or similar software so that other administrators are alerted to manual alterations.
-====
-
-The `sudoreplay` is extremely extendable.
-Consult the documentation for more information.
-
-[[security-doas]]
-== Using doas as an alternative to sudo
-
-As an alternative to package:security/sudo[] package:security/doas[] can be used to provide the ability for users to get enhanced privileges.
-
-The doas utility is available via the ports collection in package:security/doas[] or via the man:pkg[8] utility.
-
-After the installation [.filename]#/usr/local/etc/doas.conf# must be configured to grant access for users for specific commands, or roles.
-
-The simpliest entry could be the following, which grants local_user root permissions without asking for its password when executing the doas command.
-
-[source,shell]
-....
-permit nopass local_user as root
-....
-
-For more configuration examples, please read man:doas.conf[5].
-
-After the installation and configuration of the `doas` utility, a command can now be executed with enhanced privileges, like for example.
-
-[source,shell]
-....
-$ doas vi /etc/rc.conf
-....