path: root/documentation/content/en/books/handbook/security/_index.po
Diffstat (limited to 'documentation/content/en/books/handbook/security/_index.po')
-rw-r--r--  documentation/content/en/books/handbook/security/_index.po  5340
1 files changed, 2275 insertions, 3065 deletions
diff --git a/documentation/content/en/books/handbook/security/_index.po b/documentation/content/en/books/handbook/security/_index.po
index 34d8f37085..45b134ecb4 100644
--- a/documentation/content/en/books/handbook/security/_index.po
+++ b/documentation/content/en/books/handbook/security/_index.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
-"POT-Creation-Date: 2022-07-07 23:22-0300\n"
+"POT-Creation-Date: 2024-01-17 20:35-0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -31,7 +31,7 @@ msgstr ""
#. type: YAML Front Matter: title
#: documentation/content/en/books/handbook/security/_index.adoc:1
#, no-wrap
-msgid "Chapter 14. Security"
+msgid "Chapter 16. Security"
msgstr ""
#. type: Title =
@@ -47,16 +47,15 @@ msgid "Synopsis"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:56
+#: documentation/content/en/books/handbook/security/_index.adoc:55
msgid ""
-"Security, whether physical or virtual, is a topic so broad that an entire "
-"industry has evolved around it. Hundreds of standard practices have been "
-"authored about how to secure systems and networks, and as a user of FreeBSD, "
-"understanding how to protect against attacks and intruders is a must."
+"Hundreds of standard practices have been authored about how to secure "
+"systems and networks, and as a user of FreeBSD, understanding how to protect "
+"against attacks and intruders is a must."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:59
+#: documentation/content/en/books/handbook/security/_index.adoc:58
msgid ""
"In this chapter, several fundamentals and techniques will be discussed. The "
"FreeBSD system comes with multiple layers of security, and many more third "
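Review bot: Dropping the framing sentence leaves the synopsis opening abruptly on "Hundreds of standard practices have been authored...", and the remaining clause carries a dangling modifier ("as a user of FreeBSD, understanding ... is a must" attaches "user" to "understanding"). Suggest splitting it: "Hundreds of standard practices have been authored about how to secure systems and networks. FreeBSD users must understand how to protect against attacks and intruders."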
@@ -64,101 +63,90 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:61
-msgid "After reading this chapter, you will know:"
+#: documentation/content/en/books/handbook/security/_index.adoc:60
+msgid "This chapter covers:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:63
+#: documentation/content/en/books/handbook/security/_index.adoc:62
msgid "Basic FreeBSD system security concepts."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:64
+#: documentation/content/en/books/handbook/security/_index.adoc:63
msgid "The various crypt mechanisms available in FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:65
-msgid "How to set up one-time password authentication."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:66
-msgid "How to configure TCP Wrapper for use with man:inetd[8]."
+#: documentation/content/en/books/handbook/security/_index.adoc:64
+msgid "How to configure TCP Wrappers for use with man:inetd[8]."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:67
+#: documentation/content/en/books/handbook/security/_index.adoc:65
msgid "How to set up Kerberos on FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:68
-msgid "How to configure IPsec and create a VPN."
+#: documentation/content/en/books/handbook/security/_index.adoc:66
+msgid "How to configure and use OpenSSH on FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:69
-msgid "How to configure and use OpenSSH on FreeBSD."
+#: documentation/content/en/books/handbook/security/_index.adoc:67
+msgid "How to use OpenSSL on FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:70
+#: documentation/content/en/books/handbook/security/_index.adoc:68
msgid "How to use file system ACLs."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:71
+#: documentation/content/en/books/handbook/security/_index.adoc:69
msgid ""
"How to use pkg to audit third party software packages installed from the "
"Ports Collection."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:72
+#: documentation/content/en/books/handbook/security/_index.adoc:70
msgid "How to utilize FreeBSD security advisories."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:73
+#: documentation/content/en/books/handbook/security/_index.adoc:71
msgid "What Process Accounting is and how to enable it on FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:74
+#: documentation/content/en/books/handbook/security/_index.adoc:72
msgid ""
"How to control user resources using login classes or the resource limits "
"database."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:76
-msgid "Before reading this chapter, you should:"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:78
-msgid "Understand basic FreeBSD and Internet concepts."
+#: documentation/content/en/books/handbook/security/_index.adoc:73
+msgid "What is Capsicum and a basic example."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:81
+#: documentation/content/en/books/handbook/security/_index.adoc:75
msgid ""
-"Additional security topics are covered elsewhere in this Handbook. For "
-"example, Mandatory Access Control is discussed in crossref:mac[mac,Mandatory "
-"Access Control] and Internet firewalls are discussed in crossref:"
-"firewalls[firewalls,Firewalls]."
+"Certain topics due to their complexity are found in dedicated chapters such "
+"as crossref:firewalls[firewalls,Firewalls], crossref:mac[mac,Mandatory "
+"Access Control] and articles like extref:{vpn-ipsec}[VPN over IPsec]."
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:83
+#: documentation/content/en/books/handbook/security/_index.adoc:77
#, no-wrap
msgid "Introduction"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:88
+#: documentation/content/en/books/handbook/security/_index.adoc:82
msgid ""
"Security is everyone's responsibility. A weak entry point in any system "
"could allow intruders to gain access to critical information and cause havoc "
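Review bot: The new list item `msgid "What is Capsicum and a basic example."` is not parallel with the other "How to ..." entries; suggest "What Capsicum is, with a basic example." In the closing paragraph, "Certain topics due to their complexity are found in dedicated chapters" needs punctuation or reordering, for example "Due to their complexity, certain topics are covered in dedicated chapters such as crossref:firewalls[firewalls,Firewalls], crossref:mac[mac,Mandatory Access Control] and in articles like extref:{vpn-ipsec}[VPN over IPsec]." Also, the dropped IPsec item is covered by that new extref, while "How to set up one-time password authentication." is removed with no pointer at all; worth confirming that the corresponding section is intentionally removed rather than relocated.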
@@ -168,7 +156,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:91
+#: documentation/content/en/books/handbook/security/_index.adoc:85
msgid ""
"The CIA triad is a bedrock concept of computer security as customers and "
"users expect their data to be protected. For example, a customer expects "
@@ -178,7 +166,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:97
+#: documentation/content/en/books/handbook/security/_index.adoc:91
msgid ""
"To provide CIA, security professionals apply a defense in depth strategy. "
"The idea of defense in depth is to add several layers of security to prevent "
@@ -191,7 +179,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:100
+#: documentation/content/en/books/handbook/security/_index.adoc:94
msgid ""
"What is a threat as it pertains to computer security? Threats are not "
"limited to remote attackers who attempt to access a system without "
@@ -201,7 +189,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:104
+#: documentation/content/en/books/handbook/security/_index.adoc:98
msgid ""
"Systems and networks can be accessed without permission, sometimes by "
"accident, or by remote attackers, and in some cases, via corporate espionage "
@@ -212,7 +200,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:110
+#: documentation/content/en/books/handbook/security/_index.adoc:104
msgid ""
"When applying security to systems, it is recommended to start by securing "
"the basic accounts and system configuration, and then to secure the network "
@@ -225,213 +213,232 @@ msgid ""
"security team."
msgstr ""
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:106
+#, no-wrap
+msgid "Securing Accounts"
+msgstr ""
+
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:113
+#: documentation/content/en/books/handbook/security/_index.adoc:109
msgid ""
-"The rest of this introduction describes how some of these basic security "
-"configurations are performed on a FreeBSD system. The rest of this chapter "
-"describes some specific tools which can be used when implementing a security "
-"policy on a FreeBSD system."
+"Maintaining secure accounts in FreeBSD is crucial for data confidentiality, "
+"system integrity, and privilege separation, as it prevents unauthorized "
+"access, malware, and data breaches while ensuring compliance and protecting "
+"an organization's reputation."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:115
+#: documentation/content/en/books/handbook/security/_index.adoc:111
#, no-wrap
msgid "Preventing Logins"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:120
+#: documentation/content/en/books/handbook/security/_index.adoc:115
msgid ""
-"In securing a system, a good starting point is an audit of accounts. Ensure "
-"that `root` has a strong password and that this password is not shared. "
+"In securing a system, a good starting point is an audit of accounts. "
"Disable any accounts that do not need login access."
msgstr ""
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:119
+msgid ""
+"Ensure that `root` has a strong password and that this password is not "
+"shared."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:122
+msgid "To deny login access to accounts, two methods exist."
+msgstr ""
+
#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:124
msgid ""
-"To deny login access to accounts, two methods exist. The first is to lock "
-"the account. This example locks the `toor` account:"
+"The first is to lock the account, this example shows how to lock the `imani` "
+"account:"
msgstr ""
#. type: delimited block . 4
#: documentation/content/en/books/handbook/security/_index.adoc:128
#, no-wrap
-msgid "# pw lock toor\n"
+msgid "# pw lock imani\n"
msgstr ""
#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:132
msgid ""
"The second method is to prevent login access by changing the shell to [."
-"filename]#/usr/sbin/nologin#. Only the superuser can change the shell for "
-"other users:"
+"filename]#/usr/sbin/nologin#. The man:nologin[8] shell prevents the system "
+"from assigning a shell to the user when they attempt to login."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:136
-#, no-wrap
-msgid "# chsh -s /usr/sbin/nologin toor\n"
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:134
+msgid "Only the superuser can change the shell for other users:"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:139
-msgid ""
-"The [.filename]#/usr/sbin/nologin# shell prevents the system from assigning "
-"a shell to the user when they attempt to login."
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:138
+#, no-wrap
+msgid "# chsh -s /usr/sbin/nologin imani\n"
msgstr ""
#. type: Title ===
#: documentation/content/en/books/handbook/security/_index.adoc:141
#, no-wrap
-msgid "Permitted Account Escalation"
+msgid "Password Hashes"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:150
+#: documentation/content/en/books/handbook/security/_index.adoc:146
msgid ""
-"In some cases, system administration needs to be shared with other users. "
-"FreeBSD has two methods to handle this. The first one, which is not "
-"recommended, is a shared root password used by members of the `wheel` "
-"group. With this method, a user types `su` and enters the password for "
-"`wheel` whenever superuser access is needed. The user should then type "
-"`exit` to leave privileged access after finishing the commands that required "
-"administrative access. To add a user to this group, edit [.filename]#/etc/"
-"group# and add the user to the end of the `wheel` entry. The user must be "
-"separated by a comma character with no space."
+"Passwords are a necessary evil of technology. When they must be used, they "
+"should be complex and a powerful hash mechanism should be used to encrypt "
+"the version that is stored in the password database. FreeBSD supports "
+"several algorithms, including SHA256, SHA512 and Blowfish hash algorithms in "
+"its `crypt()` library, see man:crypt[3] for details."
msgstr ""
#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:148
+msgid ""
+"The default of SHA512 should not be changed to a less secure hashing "
+"algorithm, but can be changed to the more secure Blowfish algorithm."
+msgstr ""
+
+#. type: delimited block = 4
#: documentation/content/en/books/handbook/security/_index.adoc:153
msgid ""
-"The second, and recommended, method to permit privilege escalation is to "
-"install the package:security/sudo[] package or port. This software provides "
-"additional auditing, more fine-grained user control, and can be configured "
-"to lock users into running only the specified privileged commands."
+"Blowfish is not part of AES and is not considered compliant with any Federal "
+"Information Processing Standards (FIPS). Its use may not be permitted in "
+"some environments."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:156
+#: documentation/content/en/books/handbook/security/_index.adoc:157
msgid ""
-"After installation, use `visudo` to edit [.filename]#/usr/local/etc/"
-"sudoers#. This example creates a new `webadmin` group, adds the `trhodes` "
-"account to that group, and configures that group access to restart package:"
-"apache24[]:"
+"To determine which hash algorithm is used to encrypt a user's password, the "
+"superuser can view the hash for the user in the FreeBSD password database. "
+"Each hash starts with a symbol which indicates the type of hash mechanism "
+"used to encrypt the password."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:162
-#, no-wrap
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:164
msgid ""
-"# pw groupadd webadmin -M trhodes -g 6000\n"
-"# visudo\n"
-"%webadmin ALL=(ALL) /usr/sbin/service apache24 *\n"
+"If DES is used, there is no beginning symbol. For MD5, the symbol is `$`. "
+"For SHA256 and SHA512, the symbol is `$6$`. For Blowfish, the symbol is "
+"`$2a$`. In this example, the password for `imani` is hashed using the "
+"default SHA512 algorithm as the hash starts with `$6$`. Note that the "
+"encrypted hash, not the password itself, is stored in the password database:"
msgstr ""
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:165
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:168
#, no-wrap
-msgid "Password Hashes"
+msgid "# grep imani /etc/master.passwd\n"
msgstr ""
#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:171
-msgid ""
-"Passwords are a necessary evil of technology. When they must be used, they "
-"should be complex and a powerful hash mechanism should be used to encrypt "
-"the version that is stored in the password database. FreeBSD supports the "
-"DES, MD5, SHA256, SHA512, and Blowfish hash algorithms in its `crypt()` "
-"library. The default of SHA512 should not be changed to a less secure "
-"hashing algorithm, but can be changed to the more secure Blowfish algorithm."
+#: documentation/content/en/books/handbook/security/_index.adoc:187
+#: documentation/content/en/books/handbook/security/_index.adoc:238
+#: documentation/content/en/books/handbook/security/_index.adoc:446
+#: documentation/content/en/books/handbook/security/_index.adoc:538
+#: documentation/content/en/books/handbook/security/_index.adoc:706
+#: documentation/content/en/books/handbook/security/_index.adoc:736
+#: documentation/content/en/books/handbook/security/_index.adoc:770
+#: documentation/content/en/books/handbook/security/_index.adoc:997
+#: documentation/content/en/books/handbook/security/_index.adoc:1039
+#: documentation/content/en/books/handbook/security/_index.adoc:1084
+#: documentation/content/en/books/handbook/security/_index.adoc:1104
+#: documentation/content/en/books/handbook/security/_index.adoc:1156
+#: documentation/content/en/books/handbook/security/_index.adoc:1282
+#: documentation/content/en/books/handbook/security/_index.adoc:1311
+#: documentation/content/en/books/handbook/security/_index.adoc:1339
+#: documentation/content/en/books/handbook/security/_index.adoc:1353
+#: documentation/content/en/books/handbook/security/_index.adoc:1398
+#: documentation/content/en/books/handbook/security/_index.adoc:1420
+#: documentation/content/en/books/handbook/security/_index.adoc:1935
+#: documentation/content/en/books/handbook/security/_index.adoc:1973
+msgid "The output should be similar to the following:"
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:176
-msgid ""
-"Blowfish is not part of AES and is not considered compliant with any Federal "
-"Information Processing Standards (FIPS). Its use may not be permitted in "
-"some environments."
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:175
+#, no-wrap
+msgid "imani:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:imani:/usr/home/imani:/bin/sh\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:178
+msgid "The hash mechanism is set in the user's login class."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:186
+#: documentation/content/en/books/handbook/security/_index.adoc:180
msgid ""
-"To determine which hash algorithm is used to encrypt a user's password, the "
-"superuser can view the hash for the user in the FreeBSD password database. "
-"Each hash starts with a symbol which indicates the type of hash mechanism "
-"used to encrypt the password. If DES is used, there is no beginning "
-"symbol. For MD5, the symbol is `$`. For SHA256 and SHA512, the symbol is `"
-"$6$`. For Blowfish, the symbol is `$2a$`. In this example, the password "
-"for `dru` is hashed using the default SHA512 algorithm as the hash starts "
-"with `$6$`. Note that the encrypted hash, not the password itself, is "
-"stored in the password database:"
+"The following command can be run to check which hash mechanism is currently "
+"being used:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:184
+#, no-wrap
+msgid "# grep user /etc/master.passwd\n"
msgstr ""
#. type: delimited block . 4
#: documentation/content/en/books/handbook/security/_index.adoc:191
#, no-wrap
-msgid ""
-"# grep dru /etc/master.passwd\n"
-"dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh\n"
+msgid ":passwd_format=sha512:\\\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:195
+#: documentation/content/en/books/handbook/security/_index.adoc:194
msgid ""
-"The hash mechanism is set in the user's login class. For this example, the "
-"user is in the `default` login class and the hash algorithm is set with this "
-"line in [.filename]#/etc/login.conf#:"
+"For example, to change the algorithm to Blowfish, modify that line to look "
+"like this:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:199
+#: documentation/content/en/books/handbook/security/_index.adoc:198
#, no-wrap
-msgid " :passwd_format=sha512:\\\n"
+msgid ":passwd_format=blf:\\\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:202
+#: documentation/content/en/books/handbook/security/_index.adoc:201
msgid ""
-"To change the algorithm to Blowfish, modify that line to look like this:"
+"Then, man:cap_mkdb[1] must be executed to upgrade the login.conf database:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:206
+#: documentation/content/en/books/handbook/security/_index.adoc:205
+#: documentation/content/en/books/handbook/security/_index.adoc:272
+#: documentation/content/en/books/handbook/security/_index.adoc:1853
#, no-wrap
-msgid " :passwd_format=blf:\\\n"
+msgid "# cap_mkdb /etc/login.conf\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:211
+#: documentation/content/en/books/handbook/security/_index.adoc:209
msgid ""
-"Then run `cap_mkdb /etc/login.conf` as described in <<users-limiting>>. "
"Note that this change will not affect any existing password hashes. This "
"means that all passwords should be re-hashed by asking users to run `passwd` "
"in order to change their password."
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:218
-msgid ""
-"For remote logins, two-factor authentication should be used. An example of "
-"two-factor authentication is \"something you have\", such as a key, and "
-"\"something you know\", such as the passphrase for that key. Since OpenSSH "
-"is part of the FreeBSD base system, all network logins should be over an "
-"encrypted connection and use key-based authentication instead of passwords. "
-"For more information, refer to <<openssh>>. Kerberos users may need to make "
-"additional changes to implement OpenSSH in their network. These changes are "
-"described in <<kerberos5>>."
-msgstr ""
-
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:220
+#: documentation/content/en/books/handbook/security/_index.adoc:211
#, no-wrap
msgid "Password Policy Enforcement"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:224
+#: documentation/content/en/books/handbook/security/_index.adoc:215
msgid ""
"Enforcing a strong password policy for local accounts is a fundamental "
"aspect of system security. In FreeBSD, password length, password strength, "
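Review bot: The new "check which hash mechanism is currently being used" step pairs `# grep user /etc/master.passwd` with the sample output `:passwd_format=sha512:\`, but master.passwd contains the hashes (already shown two blocks earlier), not the `passwd_format` capability; that line belongs to the login class definition in /etc/login.conf, which the old text named and the new text no longer mentions. Suggest `# grep passwd_format /etc/login.conf` and restoring the [.filename]#/etc/login.conf# reference, so the following "modify that line to look like this" and man:cap_mkdb[1] steps have a file to point at. While the prefix paragraph is being rewritten, its retained claims should be corrected: in crypt(3) an MD5 hash starts with `$1$`, SHA256 with `$5$`, and only SHA512 with `$6$` (the example hash for `imani` is consistent with SHA512). Smaller points: "a powerful hash mechanism should be used to encrypt the version that is stored" should say "hash", since the stored value is a hash, not a ciphertext; "several algorithms, including SHA256, SHA512 and Blowfish hash algorithms" repeats "algorithms"; and "The first is to lock the account, this example shows how to lock the `imani` account:" is a comma splice (use a period or colon).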
@@ -440,72 +447,59 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:227
+#: documentation/content/en/books/handbook/security/_index.adoc:218
msgid ""
"This section demonstrates how to configure the minimum and maximum password "
-"length and the enforcement of mixed characters using the [."
-"filename]#pam_passwdqc.so# module. This module is enforced when a user "
-"changes their password."
+"length and the enforcement of mixed characters using the man:pam_passwdqc[8] "
+"module. This module is enforced when a user changes their password."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:230
+#: documentation/content/en/books/handbook/security/_index.adoc:220
msgid ""
"To configure this module, become the superuser and uncomment the line "
-"containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#. Then, edit "
-"that line to match the password policy:"
+"containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:222
+msgid "Then, edit that line to match the password policy:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:234
+#: documentation/content/en/books/handbook/security/_index.adoc:226
#, no-wrap
msgid "password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:244
-msgid ""
-"This example sets several requirements for new passwords. The `min` setting "
-"controls the minimum password length. It has five values because this "
-"module defines five different types of passwords based on their complexity. "
-"Complexity is defined by the type of characters that must exist in a "
-"password, such as letters, numbers, symbols, and case. The types of "
-"passwords are described in man:pam_passwdqc[8]. In this example, the first "
-"three types of passwords are disabled, meaning that passwords that meet "
-"those complexity requirements will not be accepted, regardless of their "
-"length. The `12` sets a minimum password policy of at least twelve "
-"characters, if the password also contains characters with three types of "
-"complexity. The `10` sets the password policy to also allow passwords of at "
-"least ten characters, if the password contains characters with four types of "
-"complexity."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:247
-msgid ""
-"The `similar` setting denies passwords that are similar to the user's "
-"previous password. The `retry` setting provides a user with three "
-"opportunities to enter a new password."
+#: documentation/content/en/books/handbook/security/_index.adoc:229
+msgid "The explanation of the parameters can be found in man:pam_passwdqc[8]."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:249
+#: documentation/content/en/books/handbook/security/_index.adoc:231
msgid ""
"Once this file is saved, a user changing their password will see a message "
"similar to the following:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:255
+#: documentation/content/en/books/handbook/security/_index.adoc:235
+#, no-wrap
+msgid "% passwd\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:243
#, no-wrap
msgid ""
-"% passwd\n"
-"Changing local password for trhodes\n"
+"Changing local password for user\n"
"Old Password:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:266
+#: documentation/content/en/books/handbook/security/_index.adoc:254
#, no-wrap
msgid ""
"You can now choose the new password.\n"
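Review bot: Replacing the explanation of `min=disabled,disabled,disabled,12,10`, `similar=deny` and `retry=3` with a bare pointer to man:pam_passwdqc[8] leaves the example line unexplained; a reader can no longer tell why the first three values are disabled or that 12 and 10 apply to three- and four-class passwords. Suggest keeping at least a one-sentence gloss of the five `min` fields next to the example. In the sample session, "Changing local password for user" uses the literal `user` as a username; reusing the `imani` account introduced earlier in this change would keep the examples consistent.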
@@ -521,7 +515,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:269
+#: documentation/content/en/books/handbook/security/_index.adoc:257
msgid ""
"If a password that does not match the policy is entered, it will be rejected "
"with a warning and the user will have an opportunity to try again, up to the "
@@ -529,253 +523,344 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:273
+#: documentation/content/en/books/handbook/security/_index.adoc:259
msgid ""
-"Most password policies require passwords to expire after so many days. To "
-"set a password age time in FreeBSD, set `passwordtime` for the user's login "
-"class in [.filename]#/etc/login.conf#. The `default` login class contains "
-"an example:"
+"If your organization's policy requires passwords to expire, FreeBSD supports "
+"the `passwordtime` in the user's login class in [.filename]#/etc/login.conf#"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:261
+msgid "The `default` login class contains an example:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:277
+#: documentation/content/en/books/handbook/security/_index.adoc:265
#, no-wrap
msgid "# :passwordtime=90d:\\\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:280
+#: documentation/content/en/books/handbook/security/_index.adoc:268
msgid ""
"So, to set an expiry of 90 days for this login class, remove the comment "
-"symbol (`#`), save the edit, and run `cap_mkdb /etc/login.conf`."
+"symbol (#), save the edit, and execute the following command:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:282
+#: documentation/content/en/books/handbook/security/_index.adoc:275
msgid ""
"To set the expiration on individual users, pass an expiration date or the "
"number of days to expiry and a username to `pw`:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:286
+#: documentation/content/en/books/handbook/security/_index.adoc:279
#, no-wrap
-msgid "# pw usermod -p 30-apr-2015 -n trhodes\n"
+msgid "# pw usermod -p 30-apr-2025 -n user\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:290
+#: documentation/content/en/books/handbook/security/_index.adoc:283
msgid ""
"As seen here, an expiration date is set in the form of day, month, and "
"year. For more information, see man:pw[8]."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:292
+#: documentation/content/en/books/handbook/security/_index.adoc:285
#, no-wrap
-msgid "Detecting Rootkits"
+msgid "Shared Administration with sudo"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:298
+#: documentation/content/en/books/handbook/security/_index.adoc:291
msgid ""
-"A _rootkit_ is any unauthorized software that attempts to gain `root` access "
-"to a system. Once installed, this malicious software will normally open up "
-"another avenue of entry for an attacker. Realistically, once a system has "
-"been compromised by a rootkit and an investigation has been performed, the "
-"system should be reinstalled from scratch. There is tremendous risk that "
-"even the most prudent security or systems engineer will miss something an "
-"attacker left behind."
+"System administrators often need the ability to grant enhanced permissions "
+"to users so they may perform privileged tasks. The idea that team members "
+"are provided access to a FreeBSD system to perform their specific tasks "
+"opens up unique challenges to every administrator. These team members only "
+"need a subset of access beyond normal end user levels; however, they almost "
+"always tell management they are unable to perform their tasks without "
+"superuser access. Thankfully, there is no reason to provide such access to "
+"end users because tools exist to manage this exact requirement."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:295
+msgid "Even administrators should limit their privileges when not needed."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:302
+#: documentation/content/en/books/handbook/security/_index.adoc:303
msgid ""
-"A rootkit does do one thing useful for administrators: once detected, it is "
-"a sign that a compromise happened at some point. But, these types of "
-"applications tend to be very well hidden. This section demonstrates a tool "
-"that can be used to detect rootkits, package:security/rkhunter[]."
+"Up to this point, the security chapter has covered permitting access to "
+"authorized users and attempting to prevent unauthorized access. Another "
+"problem arises once authorized users have access to the system resources. "
+"In many cases, some users may need access to application startup scripts, or "
+"a team of administrators need to maintain the system. Traditionally, the "
+"standard users and groups, file permissions, and even the man:su[1] command "
+"would manage this access. And as applications required more access, as more "
+"users needed to use system resources, a better solution was required. The "
+"most used application is currently Sudo."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:305
+#: documentation/content/en/books/handbook/security/_index.adoc:306
msgid ""
-"After installation of this package or port, the system may be checked using "
-"the following command. It will produce a lot of information and will "
-"require some manual pressing of kbd:[ENTER]:"
+"Sudo allows administrators to configure more rigid access to system commands "
+"and provide for some advanced logging features. As a tool, it is available "
+"from the Ports Collection as package:security/sudo[] or by use of the man:"
+"pkg[8] utility."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:308
+#: documentation/content/en/books/handbook/security/_index.adoc:388
+msgid "Execute the following command to install it:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:309
+#: documentation/content/en/books/handbook/security/_index.adoc:312
#, no-wrap
-msgid "# rkhunter -c\n"
+msgid "# pkg install sudo\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:315
+#: documentation/content/en/books/handbook/security/_index.adoc:316
msgid ""
-"After the process completes, a status message will be printed to the "
-"screen. This message will include the amount of files checked, suspect "
-"files, possible rootkits, and more. During the check, some generic security "
-"warnings may be produced about hidden files, the OpenSSH protocol selection, "
-"and known vulnerable versions of installed software. These can be handled "
-"now or after a more detailed analysis has been performed."
+"After the installation is complete, the installed `visudo` will open the "
+"configuration file with a text editor. Using `visudo` is highly recommended "
+"as it comes with a built in syntax checker to verify there are no errors "
+"before the file is saved."
msgstr ""
#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:320
msgid ""
-"Every administrator should know what is running on the systems they are "
-"responsible for. Third-party tools like rkhunter and package:sysutils/"
-"lsof[], and native commands such as `netstat` and `ps`, can show a great "
-"deal of information on the system. Take notes on what is normal, ask "
-"questions when something seems out of place, and be paranoid. While "
-"preventing a compromise is ideal, detecting a compromise is a must."
+"The configuration file is made up of several small sections which allow for "
+"extensive configuration. In the following example, web application "
+"maintainer, user1, needs to start, stop, and restart the web application "
+"known as _webservice_. To grant this user permission to perform these "
+"tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#:"
msgstr ""
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:322
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:324
#, no-wrap
-msgid "Binary Verification"
+msgid "user1 ALL=(ALL) /usr/sbin/service webservice *\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:326
-msgid ""
-"Verification of system files and binaries is important because it provides "
-"the system administration and security teams information about system "
-"changes. A software application that monitors the system for changes is "
-"called an Intrusion Detection System (IDS)."
+#: documentation/content/en/books/handbook/security/_index.adoc:327
+msgid "The user may now start _webservice_ using this command:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:331
+#, no-wrap
+msgid "% sudo /usr/sbin/service webservice start\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:330
+#: documentation/content/en/books/handbook/security/_index.adoc:337
msgid ""
-"FreeBSD provides native support for a basic IDS system. While the nightly "
-"security emails will notify an administrator of changes, the information is "
-"stored locally and there is a chance that a malicious user could modify this "
-"information in order to hide their changes to the system. As such, it is "
-"recommended to create a separate set of binary signatures and store them on "
-"a read-only, root-owned directory or, preferably, on a removable USB disk or "
-"remote rsync server."
+"While this configuration allows a single user access to the webservice "
+"service; however, in most organizations, there is an entire web team in "
+"charge of managing the service. A single line can also give access to an "
+"entire group. These steps will create a web group, add a user to this "
+"group, and allow all members of the group to manage the service:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:341
+#, no-wrap
+msgid "# pw groupadd -g 6001 -n webteam\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:336
+#: documentation/content/en/books/handbook/security/_index.adoc:344
msgid ""
-"The built-in `mtree` utility can be used to generate a specification of the "
-"contents of a directory. A seed, or a numeric constant, is used to generate "
-"the specification and is required to check that the specification has not "
-"changed. This makes it possible to determine if a file or binary has been "
-"modified. Since the seed value is unknown by an attacker, faking or "
-"checking the checksum values of files will be difficult to impossible. The "
-"following example generates a set of SHA256 hashes, one for each system "
-"binary in [.filename]#/bin#, and saves those values to a hidden file in "
-"``root``'s home directory, [.filename]#/root/.bin_chksum_mtree#:"
+"Using the same man:pw[8] command, the user is added to the webteam group:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:341
+#: documentation/content/en/books/handbook/security/_index.adoc:348
#, no-wrap
+msgid "# pw groupmod -m user1 -n webteam\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:351
msgid ""
-"# mtree -s 3483151339707503 -c -K cksum,sha256digest -p /bin > /root/.bin_chksum_mtree\n"
-"# mtree: /bin checksum: 3427012225\n"
+"Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member "
+"of the webteam group to manage _webservice_:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:355
+#, no-wrap
+msgid "%webteam ALL=(ALL) /usr/sbin/service webservice *\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:345
+#: documentation/content/en/books/handbook/security/_index.adoc:359
msgid ""
-"The _3483151339707503_ represents the seed. This value should be "
-"remembered, but not shared."
+"Unlike man:su[1], man:sudo[8] only requires the end user password. This "
+"avoids sharing passwords, which is a poor practice."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:347
+#: documentation/content/en/books/handbook/security/_index.adoc:363
+msgid ""
+"Users permitted to run applications with man:sudo[8] only enter their own "
+"passwords. This is more secure and gives better control than man:su[1], "
+"where the `root` password is entered and the user acquires all `root` "
+"permissions."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:368
msgid ""
-"Viewing [.filename]#/root/.bin_cksum_mtree# should yield output similar to "
-"the following:"
+"Most organizations are moving or have moved toward a two factor "
+"authentication model. In these cases, the user may not have a password to "
+"enter."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:371
+msgid ""
+"man:sudo[8] can be configured to permit two factor authentication model by "
+"using the `NOPASSWD` variable. Adding it to the configuration above will "
+"allow all members of the _webteam_ group to manage the service without the "
+"password requirement:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:354
+#: documentation/content/en/books/handbook/security/_index.adoc:375
#, no-wrap
+msgid "%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *\n"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:379
+#, no-wrap
+msgid "Shared Administration with Doas"
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:383
+msgid ""
+"man:doas[1] is a command-line utility ported from OpenBSD. It serves as an "
+"alternative to the widely used man:sudo[8] command in Unix-like systems."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:386
msgid ""
-"# user: root\n"
-"# machine: dreadnaught\n"
-"# tree: /bin\n"
-"# date: Mon Feb 3 10:19:53 2014\n"
+"With doas, users can execute commands with elevated privileges, typically as "
+"the root user, while maintaining a simplified and security-conscious "
+"approach. Unlike man:sudo[8], doas emphasizes simplicity and minimalism, "
+"focusing on streamlined privilege delegation without an overwhelming array "
+"of configuration options."
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:370
+#: documentation/content/en/books/handbook/security/_index.adoc:392
#, no-wrap
-msgid ""
-"# .\n"
-"/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=none\n"
-". type=dir mode=0755 nlink=2 size=1024 \\\n"
-" time=1380277977.000000000\n"
-" \\133 nlink=2 size=11704 time=1380277977.000000000 \\\n"
-" cksum=484492447 \\\n"
-" sha256digest=6207490fbdb5ed1904441fbfa941279055c3e24d3a4049aeb45094596400662a\n"
-" cat size=12096 time=1380277975.000000000 cksum=3909216944 \\\n"
-" sha256digest=65ea347b9418760b247ab10244f47a7ca2a569c9836d77f074e7a306900c1e69\n"
-" chflags size=8168 time=1380277975.000000000 cksum=3949425175 \\\n"
-" sha256digest=c99eb6fc1c92cac335c08be004a0a5b4c24a0c0ef3712017b12c89a978b2dac3\n"
-" chio size=18520 time=1380277975.000000000 cksum=2208263309 \\\n"
-" sha256digest=ddf7c8cb92a58750a675328345560d8cc7fe14fb3ccd3690c34954cbe69fc964\n"
-" chmod size=8640 time=1380277975.000000000 cksum=2214429708 \\\n"
-" sha256digest=a435972263bf814ad8df082c0752aa2a7bdd8b74ff01431ccbd52ed1e490bbe7\n"
+msgid "# pkg install doas\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:374
+#: documentation/content/en/books/handbook/security/_index.adoc:395
msgid ""
-"The machine's hostname, the date and time the specification was created, and "
-"the name of the user who created the specification are included in this "
-"report. There is a checksum, size, time, and SHA256 digest for each binary "
-"in the directory."
+"After the installation [.filename]#/usr/local/etc/doas.conf# must be "
+"configured to grant access for users for specific commands, or roles."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:377
+#: documentation/content/en/books/handbook/security/_index.adoc:397
msgid ""
-"To verify that the binary signatures have not changed, compare the current "
-"contents of the directory to the previously generated specification, and "
-"save the results to a file. This command requires the seed that was used to "
-"generate the original specification:"
+"The simplest entry could be the following, which grants the user "
+"`local_user` with `root` permissions without asking for its password when "
+"executing the doas command."
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:382
+#: documentation/content/en/books/handbook/security/_index.adoc:401
#, no-wrap
-msgid ""
-"# mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output\n"
-"# mtree: /bin checksum: 3427012225\n"
+msgid "permit nopass local_user as root\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:387
+#: documentation/content/en/books/handbook/security/_index.adoc:404
msgid ""
-"This should produce the same checksum for [.filename]#/bin# that was "
-"produced when the specification was created. If no changes have occurred to "
-"the binaries in this directory, the [.filename]#/root/.bin_chksum_output# "
-"output file will be empty. To simulate a change, change the date on [."
-"filename]#/bin/cat# using `touch` and run the verification command again:"
+"After the installation and configuration of the `doas` utility, a command "
+"can now be executed with enhanced privileges, for example:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:395
+#: documentation/content/en/books/handbook/security/_index.adoc:408
+#, no-wrap
+msgid "$ doas vi /etc/rc.conf\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:411
+msgid "For more configuration examples, please read man:doas.conf[5]."
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:413
#, no-wrap
+msgid "Intrusion Detection System (IDS)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:417
msgid ""
-"# touch /bin/cat\n"
-"# mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output\n"
-"# more /root/.bin_chksum_output\n"
-"cat changed\n"
-"\tmodification time expected Fri Sep 27 06:32:55 2013 found Mon Feb 3 10:28:43 2014\n"
+"Verification of system files and binaries is important because it provides "
+"the system administration and security teams information about system "
+"changes. A software application that monitors the system for changes is "
+"called an Intrusion Detection System (IDS)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:421
+msgid ""
+"FreeBSD provides native support for a basic IDS system called man:mtree[8]. "
+"While the nightly security emails will notify an administrator of changes, "
+"the information is stored locally and there is a chance that a malicious "
+"user could modify this information in order to hide their changes to the "
+"system. As such, it is recommended to create a separate set of binary "
+"signatures and store them on a read-only, root-owned directory or, "
+"preferably, on a removable USB disk or remote server."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:423
+msgid "It is also recommended to run `freebsd-update IDS` after each update."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:425
+#, no-wrap
+msgid "Generating the Specification File"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:399
+#: documentation/content/en/books/handbook/security/_index.adoc:431
+msgid ""
+"The built-in man:mtree[8] utility can be used to generate a specification of "
+"the contents of a directory. A seed, or a numeric constant, is used to "
+"generate the specification and is required to check that the specification "
+"has not changed. This makes it possible to determine if a file or binary "
+"has been modified. Since the seed value is unknown by an attacker, faking "
+"or checking the checksum values of files will be difficult to impossible."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:436
msgid ""
"It is recommended to create specifications for the directories which contain "
"binaries and configuration files, as well as any directories containing "
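Review bot: the new NOPASSWD paragraph ("man:sudo[8] can be configured to permit two factor authentication model by using the `NOPASSWD` variable") conflates skipping the password prompt with supporting a second factor; `NOPASSWD:` simply lets every webteam member run the command with no authentication at all, which is weaker than the su comparison two paragraphs earlier argues for, so the string should either say plainly that it disables the password check or be dropped. In the same hunk, the sudoers rules `user1 ALL=(ALL) /usr/sbin/service webservice *` and `%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *` grant every `service webservice` subcommand and, through `(ALL)`, any target user via `-u`, while the prose says only start, stop and restart are needed; enumerating those three subcommands and using `(root)` would match the text. In the IDS part, `mtree -s 123456789 -c -K cksum,sha512 -p /bin > /home/user/.bin_chksum_mtree` writes the specification into an unprivileged user's home directory right after the hunk recommends keeping signatures in a read-only, root-owned directory or off the box, so the example undercuts its own advice (and whichever location is chosen has to be the one the later verification step reads); the shown output `mtree: /bin checksum: 3427012225` is also the exact value from the removed 2014 example despite a different seed and different file hashes, so it appears copied rather than regenerated.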
@@ -786,699 +871,1438 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:404
+#: documentation/content/en/books/handbook/security/_index.adoc:439
+msgid ""
+"The following example generates a set of `sha512` hashes, one for each "
+"system binary in [.filename]#/bin#, and saves those values to a hidden file "
+"in user's home directory, [.filename]#/home/user/.bin_chksum_mtree#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:443
+#, no-wrap
+msgid "# mtree -s 123456789 -c -K cksum,sha512 -p /bin > /home/user/.bin_chksum_mtree\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:450
+#, no-wrap
+msgid "mtree: /bin checksum: 3427012225\n"
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:456
msgid ""
-"More advanced IDS systems exist, such as package:security/aide[]. In most "
-"cases, `mtree` provides the functionality administrators need. It is "
-"important to keep the seed value and the checksum output hidden from "
-"malicious users. More information about `mtree` can be found in man:"
-"mtree[8]."
+"The `123456789` value represents the seed, and should be chosen randomly. "
+"This value should be remembered, *but not shared*."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:458
+msgid ""
+"It is important to keep the seed value and the checksum output hidden from "
+"malicious users."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:406
+#: documentation/content/en/books/handbook/security/_index.adoc:461
#, no-wrap
-msgid "System Tuning for Security"
+msgid "The Specification File Structure"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:411
+#: documentation/content/en/books/handbook/security/_index.adoc:465
msgid ""
-"In FreeBSD, many system features can be tuned using `sysctl`. A few of the "
-"security features which can be tuned to prevent Denial of Service (DoS) "
-"attacks will be covered in this section. More information about using "
-"`sysctl`, including how to temporarily change values and how to make the "
-"changes permanent after testing, can be found in crossref:"
-"config[configtuning-sysctl,“Tuning with sysctl(8)”]."
+"The mtree format is a textual format that describes a collection of "
+"filesystem objects. Such files are typically used to create or verify "
+"directory hierarchies."
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:416
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:467
msgid ""
-"Any time a setting is changed with `sysctl`, the chance to cause undesired "
-"harm is increased, affecting the availability of the system. All changes "
-"should be monitored and, if possible, tried on a testing system before being "
-"used on a production system."
+"An mtree file consists of a series of lines, each providing information "
+"about a single filesystem object. Leading whitespace is always ignored."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:423
+#: documentation/content/en/books/handbook/security/_index.adoc:469
msgid ""
-"By default, the FreeBSD kernel boots with a security level of `-1`. This is "
-"called \"insecure mode\" because immutable file flags may be turned off and "
-"all devices may be read from or written to. The security level will remain "
-"at `-1` unless it is altered through `sysctl` or by a setting in the startup "
-"scripts. The security level may be increased during system startup by "
-"setting `kern_securelevel_enable` to `YES` in [.filename]#/etc/rc.conf#, and "
-"the value of `kern_securelevel` to the desired security level. See man:"
-"security[7] and man:init[8] for more information on these settings and the "
-"available security levels."
+"The specification file created above will be used to explain the format and "
+"content:"
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:428
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:476
+#, no-wrap
msgid ""
-"Increasing the `securelevel` can break Xorg and cause other issues. Be "
-"prepared to do some debugging."
+"# user: root <.>\n"
+"# machine: machinename <.>\n"
+"# tree: /bin <.>\n"
+"# date: Thu Aug 24 21:58:37 2023 <.>\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:491
+#, no-wrap
+msgid ""
+"# .\n"
+"/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=uarch <.>\n"
+". type=dir mode=0755 nlink=2 time=1681388848.239523000 <.>\n"
+" \\133 nlink=2 size=12520 time=1685991378.688509000 \\\n"
+" cksum=520880818 \\\n"
+" sha512=5c1374ce0e2ba1b3bc5a41b23f4bbdc1ec89ae82fa01237f376a5eeef41822e68f1d8f75ec46b7bceb65396c122a9d837d692740fdebdcc376a05275adbd3471\n"
+" cat size=14600 time=1685991378.694601000 cksum=3672531848 \\ <.>\n"
+" sha512=b30b96d155fdc4795432b523989a6581d71cdf69ba5f0ccb45d9b9e354b55a665899b16aee21982fffe20c4680d11da4e3ed9611232a775c69f926e5385d53a2\n"
+" chflags size=8920 time=1685991378.700385000 cksum=1629328991 \\\n"
+" sha512=289a088cbbcbeb436dd9c1f74521a89b66643976abda696b99b9cc1fbfe8b76107c5b54d4a6a9b65332386ada73fc1bbb10e43c4e3065fa2161e7be269eaf86a\n"
+" chio size=20720 time=1685991378.706095000 cksum=1948751604 \\\n"
+" sha512=46f58277ff16c3495ea51e74129c73617f31351e250315c2b878a88708c2b8a7bb060e2dc8ff92f606450dbc7dd2816da4853e465ec61ee411723e8bf52709ee\n"
+" chmod size=9616 time=1685991378.712546000 cksum=4244658911 \\\n"
+" sha512=1769313ce08cba84ecdc2b9c07ef86d2b70a4206420dd71343867be7ab59659956f6f5a458c64e2531a1c736277a8e419c633a31a8d3c7ccc43e99dd4d71d630\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:435
+#: documentation/content/en/books/handbook/security/_index.adoc:494
+msgid "User who created the specification."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:495
+msgid "Machine's hostname."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:496
+msgid "Directory path."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:497
+msgid "The Date and time when the specification was created."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:498
msgid ""
-"The `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` settings can be "
-"used to drop incoming SYN packets on closed ports without sending a return "
-"RST response. The default behavior is to return an RST to show a port is "
-"closed. Changing the default provides some level of protection against "
-"ports scans, which are used to determine which applications are running on a "
-"system. Set `net.inet.tcp.blackhole` to `2` and `net.inet.udp.blackhole` to "
-"`1`. Refer to man:blackhole[4] for more information about these settings."
+"`/set` special commands, defines some settings obtained from the files "
+"analyzed."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:439
+#: documentation/content/en/books/handbook/security/_index.adoc:499
msgid ""
-"The `net.inet.icmp.drop_redirect` and `net.inet.ip.redirect` settings help "
-"prevent against _redirect attacks_. A redirect attack is a type of DoS "
-"which sends mass numbers of ICMP type 5 packets. Since these packets are "
-"not required, set `net.inet.icmp.drop_redirect` to `1` and set `net.inet.ip."
-"redirect` to `0`."
+"Refers to the parsed directory and indicates things like what type it is, "
+"its mode, the number of hard links, and the time in UNIX format since it was "
+"modified."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:443
+#: documentation/content/en/books/handbook/security/_index.adoc:500
+msgid ""
+"Refers to the file and shows the size, time and a list of hashes to verify "
+"the integrity."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:502
+#, no-wrap
+msgid "Verify the Specification file"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:505
+msgid ""
+"To verify that the binary signatures have not changed, compare the current "
+"contents of the directory to the previously generated specification, and "
+"save the results to a file."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:507
+msgid ""
+"This command requires the seed that was used to generate the original "
+"specification:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:511
+#: documentation/content/en/books/handbook/security/_index.adoc:528
+#, no-wrap
+msgid "# mtree -s 123456789 -p /bin < /home/user/.bin_chksum_mtree >> /home/user/.bin_chksum_output\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:515
msgid ""
-"Source routing is a method for detecting and accessing non-routable "
-"addresses on the internal network. This should be disabled as non-routable "
-"addresses are normally not routable on purpose. To disable this feature, "
-"set `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` to `0`."
+"This should produce the same checksum for [.filename]#/bin# that was "
+"produced when the specification was created. If no changes have occurred to "
+"the binaries in this directory, the [.filename]#/home/user/."
+"bin_chksum_output# output file will be empty."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:447
+#: documentation/content/en/books/handbook/security/_index.adoc:517
msgid ""
-"When a machine on the network needs to send messages to all hosts on a "
-"subnet, an ICMP echo request message is sent to the broadcast address. "
-"However, there is no reason for an external host to perform such an action. "
-"To reject all external broadcast requests, set `net.inet.icmp.bmcastecho` to "
-"`0`."
+"To simulate a change, change the date on [.filename]#/bin/cat# using man:"
+"touch[1] and run the verification command again:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:521
+#, no-wrap
+msgid "# touch /bin/cat\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:524
+msgid "Run the verification command again:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:449
-msgid "Some additional settings are documented in man:security[7]."
+#: documentation/content/en/books/handbook/security/_index.adoc:531
+msgid "And then check the content of the output file:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:535
+#, no-wrap
+msgid "# cat /root/.bin_chksum_output\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:542
+#, no-wrap
+msgid "cat: modification time (Fri Aug 25 13:30:17 2023, Fri Aug 25 13:34:20 2023)\n"
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:548
+msgid ""
+"This is just an example of what would be displayed when executing the "
+"command, to show the changes that would occur in the metadata."
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:451
+#: documentation/content/en/books/handbook/security/_index.adoc:551
#, no-wrap
-msgid "One-time Passwords"
+msgid "Secure levels"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:458
+#: documentation/content/en/books/handbook/security/_index.adoc:555
+msgid ""
+"securelevel is a security mechanism implemented in the kernel. When the "
+"securelevel is positive, the kernel restricts certain tasks; not even the "
+"superuser (root) is allowed to do them."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:557
+msgid "The securelevel mechanism limits the ability to:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:559
+msgid "Unset certain file flags, such as `schg` (the system immutable flag)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:560
+msgid ""
+"Write to kernel memory via [.filename]#/dev/mem# and [.filename]#/dev/kmem#."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:561
+msgid "Load kernel modules."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:562
+msgid "Alter firewall rules."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:564
+#, no-wrap
+msgid "Secure Levels Definitions"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:568
+msgid ""
+"The kernel runs with five different security levels. Any super-user process "
+"can raise the level, but no process can lower it."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:570
+msgid "The security definitions are:"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:571
+#, no-wrap
+msgid "-1"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:574
+#, no-wrap
msgid ""
-"By default, FreeBSD includes support for One-time Passwords In Everything "
-"(OPIE). OPIE is designed to prevent replay attacks, in which an attacker "
-"discovers a user's password and uses it to access a system. Since a "
-"password is only used once in OPIE, a discovered password is of little use "
-"to an attacker. OPIE uses a secure hash and a challenge/response system to "
-"manage passwords. The FreeBSD implementation uses the MD5 hash by default."
+"*Permanently insecure mode* - always run the system in insecure mode.\n"
+"This is the default initial value.\n"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:575
+#, no-wrap
+msgid "0"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:464
+#: documentation/content/en/books/handbook/security/_index.adoc:578
+#, no-wrap
msgid ""
-"OPIE uses three different types of passwords. The first is the usual "
-"UNIX(R) or Kerberos password. The second is the one-time password which is "
-"generated by `opiekey`. The third type of password is the \"secret password"
-"\" which is used to generate one-time passwords. The secret password has "
-"nothing to do with, and should be different from, the UNIX(R) password."
+"*Insecure mode* - immutable and append-only flags may be turned off.\n"
+"All devices may be read or written subject to their permissions.\n"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:579
+#, no-wrap
+msgid "1"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:473
+#: documentation/content/en/books/handbook/security/_index.adoc:585
+#, no-wrap
msgid ""
-"There are two other pieces of data that are important to OPIE. One is the "
-"\"seed\" or \"key\", consisting of two letters and five digits. The other "
-"is the \"iteration count\", a number between 1 and 100. OPIE creates the "
-"one-time password by concatenating the seed and the secret password, "
-"applying the MD5 hash as many times as specified by the iteration count, and "
-"turning the result into six short English words which represent the one-time "
-"password. The authentication system keeps track of the last one-time "
-"password used, and the user is authenticated if the hash of the user-"
-"provided password is equal to the previous password. Since a one-way hash "
-"is used, it is impossible to generate future one-time passwords if a "
-"successfully used password is captured. The iteration count is decremented "
-"after each successful login to keep the user and the login program in sync. "
-"When the iteration count gets down to `1`, OPIE must be reinitialized."
+"*Secure mode* - the system immutable and system append-only flags may not be turned off;\n"
+"disks for mounted file systems, [.filename]#/dev/mem# and [.filename]#/dev/kmem# may not be opened for writing;\n"
+"[.filename]#/dev/io# (if your platform has it) may not be opened at all; kernel modules (see man:kld[4]) may not be loaded or unloaded.\n"
+"The kernel debugger may not be entered using the debug.kdb.enter sysctl.\n"
+"A panic or trap cannot be forced using the debug.kdb.panic, debug.kdb.panic_str and other sysctl's.\n"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:586
+#, no-wrap
+msgid "2"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:478
+#: documentation/content/en/books/handbook/security/_index.adoc:589
+#, no-wrap
msgid ""
-"There are a few programs involved in this process. A one-time password, or "
-"a consecutive list of one-time passwords, is generated by passing an "
-"iteration count, a seed, and a secret password to man:opiekey[1]. In "
-"addition to initializing OPIE, man:opiepasswd[1] is used to change "
-"passwords, iteration counts, or seeds. The relevant credential files in [."
-"filename]#/etc/opiekeys# are examined by man:opieinfo[1] which prints out "
-"the invoking user's current iteration count and seed."
+"*Highly secure mode* - same as secure mode, plus disks may not be opened for writing (except by man:mount[2]) whether mounted or not.\n"
+"This level precludes tampering with file systems by unmounting them, but also inhibits running man:newfs[8] while the system is multiuser.\n"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:590
+#, no-wrap
+msgid "3"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:484
+#: documentation/content/en/books/handbook/security/_index.adoc:592
+#, no-wrap
+msgid "*Network secure mode* - same as highly secure mode, plus IP packet filter rules (see man:ipfw[8], man:ipfirewall[4] and man:pfctl[8]) cannot be changed and man:dummynet[4] or man:pf[4] configuration cannot be adjusted.\n"
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:597
msgid ""
-"This section describes four different sorts of operations. The first is how "
-"to set up one-time-passwords for the first time over a secure connection. "
-"The second is how to use `opiepasswd` over an insecure connection. The "
-"third is how to log in over an insecure connection. The fourth is how to "
-"generate a number of keys which can be written down or printed out to use at "
-"insecure locations."
+"In summary, the key difference between `Permanently Insecure Mode` and "
+"`Insecure Mode` in FreeBSD secure levels is the degree of security they "
+"provide. `Permanently Insecure Mode` completely lifts all security "
+"restrictions, while `Insecure Mode` relaxes some restrictions but still "
+"maintains a level of control and security."
msgstr ""
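Review bot: the "In summary" admonition closing this block is not supported by the definitions above it. The entry for `0` says "immutable and append-only flags may be turned off" and "All devices may be read or written subject to their permissions", and the entry for `-1` lists no restriction beyond that, so the text describes two levels with identical effective permissions and then claims `Insecure Mode` "still maintains a level of control and security". Either drop the summary or state the actual distinction (if the intended difference is that a level of `0` can still be raised later while `-1` is never raised automatically, say so explicitly). Two style points in the "Secure mode" entry: "sysctl's" should be "sysctls", and "if your platform has it" reads better as "if the platform has it" in the Handbook's register.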
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:485
+#: documentation/content/en/books/handbook/security/_index.adoc:600
#, no-wrap
-msgid "Initializing OPIE"
+msgid "Modify Secure Levels"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:488
+#: documentation/content/en/books/handbook/security/_index.adoc:603
msgid ""
-"To initialize OPIE for the first time, run this command from a secure "
-"location:"
+"In order to change the securelevel of the system it is necessary to activate "
+"`kern_securelevel_enable` by executing the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:499
+#: documentation/content/en/books/handbook/security/_index.adoc:607
#, no-wrap
+msgid "# sysrc kern_securelevel_enable=\"YES\"\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:610
+msgid "And set the value of `kern_securelevel` to the desired security level:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:614
+#, no-wrap
+msgid "# sysrc kern_securelevel=2\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:617
msgid ""
-"% opiepasswd -c\n"
-"Adding unfurl:\n"
-"Only use this method from the console; NEVER from remote. If you are using\n"
-"telnet, xterm, or a dial-in, type ^C now or exit with no password.\n"
-"Then run opiepasswd without the -c parameter.\n"
-"Using MD5 to compute responses.\n"
-"Enter new secret pass phrase:\n"
-"Again new secret pass phrase:\n"
+"To check the status of the securelevel on a running system execute the "
+"following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:502
+#: documentation/content/en/books/handbook/security/_index.adoc:621
#, no-wrap
+msgid "# sysctl -n kern.securelevel\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:625
msgid ""
-"ID unfurl OTP key is 499 to4268\n"
-"MOS MALL GOAT ARM AVID COED\n"
+"The output contains the current value of the securelevel. If it is greater "
+"than 0, at least some of the securelevel's protections are enabled."
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:629
+#, no-wrap
+msgid "-1\n"
+msgstr ""
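Review bot: the procedure never says when `sysrc kern_securelevel_enable="YES"` and `sysrc kern_securelevel=2` take effect. Both write rc.conf, so the level changes at the next boot, which is also why the check at the end of the block still prints `-1` right after `kern_securelevel=2` was set; the `-1` sample output should be introduced as the value before the reboot, or the text should show `sysctl kern.securelevel=2` for raising it on a running system. Since the definitions above state that "no process can lower it", add a caveat that a value chosen too high cannot be undone on the running system.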
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:632
+#, no-wrap
+msgid "File flags"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:505
+#: documentation/content/en/books/handbook/security/_index.adoc:636
msgid ""
-"The `-c` sets console mode which assumes that the command is being run from "
-"a secure location, such as a computer under the user's control or an SSH "
-"session to a computer under the user's control."
+"File flags allow users to attach additional metadata or attributes to files "
+"and directories beyond basic permissions and ownership. These flags provide "
+"a way to control various behaviors and properties of files without needing "
+"to resort to creating special directories or using extended attributes."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:509
+#: documentation/content/en/books/handbook/security/_index.adoc:639
msgid ""
-"When prompted, enter the secret password which will be used to generate the "
-"one-time login keys. This password should be difficult to guess and should "
-"be different than the password which is associated with the user's login "
-"account. It must be between 10 and 127 characters long. Remember this "
-"password."
+"File flags can be used to achieve different goals, such as preventing file "
+"deletion, making files append-only, synchronizing file updates, and more. "
+"Some commonly used file flags in FreeBSD include the \"immutable\" flag, "
+"which prevents modification or deletion of a file, and the \"append-only\" "
+"flag, which allows only data to be added to the end of a file but not "
+"modified or removed."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:514
+#: documentation/content/en/books/handbook/security/_index.adoc:643
msgid ""
-"The `ID` line lists the login name (`unfurl`), default iteration count "
-"(`499`), and default seed (`to4268`). When logging in, the system will "
-"remember these parameters and display them, meaning that they do not have to "
-"be memorized. The last line lists the generated one-time password which "
-"corresponds to those parameters and the secret password. At the next login, "
-"use this one-time password."
+"These flags can be managed using the man:chflags[1] command in FreeBSD, "
+"providing administrators and users with greater control over the behavior "
+"and characteristics of their files and directories. It is important to note "
+"that file flags are typically managed by root or users with appropriate "
+"privileges, as they can influence how files are accessed and manipulated. "
+"Some flags are available for the use of the file's owner, as described in "
+"man:chflags[1]."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:515
+#: documentation/content/en/books/handbook/security/_index.adoc:645
#, no-wrap
-msgid "Insecure Connection Initialization"
+msgid "Work with File Flags"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:521
+#: documentation/content/en/books/handbook/security/_index.adoc:648
msgid ""
-"To initialize or change the secret password on an insecure system, a secure "
-"connection is needed to some place where `opiekey` can be run. This might "
-"be a shell prompt on a trusted machine. An iteration count is needed, where "
-"100 is probably a good value, and the seed can either be specified or the "
-"randomly-generated one used. On the insecure connection, the machine being "
-"initialized, use man:opiepasswd[1]:"
+"In this example, a file named [.filename]#~/important.txt# in user's home "
+"directory want to be protected against deletions."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:650
+msgid "Execute the following command to set the `schg` file flag:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:525
+#: documentation/content/en/books/handbook/security/_index.adoc:654
#, no-wrap
-msgid "% opiepasswd\n"
+msgid "# chflags schg ~/important.txt\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:657
+msgid ""
+"When any user, including the `root` user, tries to delete the file, the "
+"system will display the message:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:534
+#: documentation/content/en/books/handbook/security/_index.adoc:661
#, no-wrap
+msgid "rm: important.txt: Operation not permitted\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:664
msgid ""
-"Updating unfurl:\n"
-"You need the response from an OTP generator.\n"
-"Old secret pass phrase:\n"
-"\totp-md5 498 to4268 ext\n"
-"\tResponse: GAME GAG WELT OUT DOWN CHAT\n"
-"New secret pass phrase:\n"
-"\totp-md5 499 to4269\n"
-"\tResponse: LINE PAP MILK NELL BUOY TROY\n"
+"To delete the file, it will be necessary to delete the file flags of that "
+"file by executing the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:537
+#: documentation/content/en/books/handbook/security/_index.adoc:668
#, no-wrap
-msgid ""
-"ID mark OTP key is 499 gr4269\n"
-"LINE PAP MILK NELL BUOY TROY\n"
+msgid "# chflags noschg ~/important.txt\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:541
+#: documentation/content/en/books/handbook/security/_index.adoc:671
msgid ""
-"To accept the default seed, press kbd:[Return]. Before entering an access "
-"password, move over to the secure connection and give it the same parameters:"
+"A list of supported file flags and their functionality can be found in man:"
+"chflags[1]."
msgstr ""
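Review bot: the removal step `# chflags noschg ~/important.txt` only works while the securelevel permits it: the "Secure mode" entry earlier in this change says the system immutable flag "may not be turned off" at level 1 and above, and this section sets exactly that flag (`schg`), so it should carry that caveat next to the noschg command. The example is framed as a user protecting a file in their own home directory, yet both commands use the root `#` prompt; since the preceding paragraph says only some flags are available to the file's owner, say that `schg` needs root, or point the owner at the user-settable counterpart (`uchg`) listed in man:chflags[1]. Grammar: "a file named ~/important.txt in user's home directory want to be protected against deletions" should read "a file named ~/important.txt in the user's home directory is to be protected against deletion".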
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:549
-#: documentation/content/en/books/handbook/security/_index.adoc:590
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:673
#, no-wrap
+msgid "OpenSSH"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:678
+msgid ""
+"OpenSSH is a set of network connectivity tools used to provide secure access "
+"to remote machines. Additionally, TCP/IP connections can be tunneled or "
+"forwarded securely through SSH connections. OpenSSH encrypts all traffic to "
+"eliminate eavesdropping, connection hijacking, and other network-level "
+"attacks."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:680
+msgid ""
+"OpenSSH is maintained by the OpenBSD project and is installed by default in "
+"FreeBSD."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:683
msgid ""
-"% opiekey 498 to4268\n"
-"Using the MD5 algorithm to compute response.\n"
-"Reminder: Do not use opiekey from telnet or dial-in sessions.\n"
-"Enter secret pass phrase:\n"
-"GAME GAG WELT OUT DOWN CHAT\n"
+"When data is sent over the network in an unencrypted form, network sniffers "
+"anywhere in between the client and server can steal user/password "
+"information or data transferred during the session. OpenSSH offers a "
+"variety of authentication and encryption methods to prevent this from "
+"happening."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:552
+#: documentation/content/en/books/handbook/security/_index.adoc:685
msgid ""
-"Switch back over to the insecure connection, and copy the generated one-time "
-"password over to the relevant program."
+"More information about OpenSSH is available in the link:https://www.openssh."
+"com/[web page]."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:688
+msgid ""
+"This section provides an overview of the built-in client utilities to "
+"securely access other systems and securely transfer files from a FreeBSD "
+"system. It then describes how to configure a SSH server on a FreeBSD system."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:693
+msgid ""
+"As stated, this chapter will cover the base system version of OpenSSH. A "
+"version of OpenSSH is also available in the package:security/openssh-"
+"portable[], which provides additional configuration options and is updated "
+"more regularly."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:553
+#: documentation/content/en/books/handbook/security/_index.adoc:695
#, no-wrap
-msgid "Generating a Single One-time Password"
+msgid "Using the SSH Client Utilities"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:556
+#: documentation/content/en/books/handbook/security/_index.adoc:699
msgid ""
-"After initializing OPIE and logging in, a prompt like this will be displayed:"
+"To log into a SSH server, use man:ssh[1] and specify a username that exists "
+"on that server and the IP address or hostname of the server. If this is the "
+"first time a connection has been made to the specified server, the user will "
+"be prompted to first verify the server's fingerprint:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:563
+#: documentation/content/en/books/handbook/security/_index.adoc:703
#, no-wrap
+msgid "# ssh user@example.com\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:714
+#, no-wrap
+msgid ""
+"The authenticity of host 'example.com (10.0.0.1)' can't be established.\n"
+"ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.\n"
+"Are you sure you want to continue connecting (yes/no)? yes\n"
+"Permanently added 'example.com' (ECDSA) to the list of known hosts.\n"
+"Password for user@example.com: user_password\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:720
msgid ""
-"% telnet example.com\n"
-"Trying 10.0.0.1...\n"
-"Connected to example.com\n"
-"Escape character is '^]'.\n"
+"SSH utilizes a key fingerprint system to verify the authenticity of the "
+"server when the client connects. When the user accepts the key's "
+"fingerprint by typing `yes` when connecting for the first time, a copy of "
+"the key is saved to [.filename]#~/.ssh/known_hosts# in the user's home "
+"directory. Future attempts to login are verified against the saved key and "
+"man:ssh[1] will display an alert if the server's key does not match the "
+"saved key. If this occurs, the user should first verify why the key has "
+"changed before continuing with the connection."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:724
+msgid "How to perform this check is outside the scope of this chapter."
+msgstr ""
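Review bot: the client examples `# ssh user@example.com` and `# scp user@example.com:/COPYRIGHT COPYRIGHT` use the root `#` prompt while `% ssh-keygen -t rsa -b 4096` later uses the user prompt; client commands should consistently use `%`. The transcript shows an MD5-style fingerprint (`25:cc:73:b5:...`) while the ssh-keygen output in the same change shows the `SHA256:` base64 form; update the transcript so both sections show the same format, and show the typed password masked as the scp transcript does (`*******`) rather than `user_password`. The admonition "How to perform this check is outside the scope of this chapter" could instead point at the "Enabling the SSH Server" section, which says the host key fingerprint is displayed on the console the first time sshd starts and should be given to users; that is the check.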
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:727
+msgid "Use man:scp[1] to securely copy a file to or from a remote machine."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:729
+msgid ""
+"This example copies `COPYRIGHT` on the remote system to a file of the same "
+"name in the current directory of the local system:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:565
+#: documentation/content/en/books/handbook/security/_index.adoc:733
#, no-wrap
-msgid "FreeBSD/i386 (example.com) (ttypa)\n"
+msgid "# scp user@example.com:/COPYRIGHT COPYRIGHT\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:569
+#: documentation/content/en/books/handbook/security/_index.adoc:741
#, no-wrap
msgid ""
-"login: <username>\n"
-"otp-md5 498 gr4269 ext\n"
-"Password:\n"
+"Password for user@example.com: *******\n"
+"COPYRIGHT 100% |*****************************| 4735\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:574
+#: documentation/content/en/books/handbook/security/_index.adoc:744
msgid ""
-"The OPIE prompts provides a useful feature. If kbd:[Return] is pressed at "
-"the password prompt, the prompt will turn echo on and display what is "
-"typed. This can be useful when attempting to type in a password by hand "
-"from a printout."
+"Since the fingerprint was already verified for this host, the server's key "
+"is automatically checked before prompting for the user's password."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:580
+#: documentation/content/en/books/handbook/security/_index.adoc:749
msgid ""
-"At this point, generate the one-time password to answer this login prompt. "
-"This must be done on a trusted system where it is safe to run man:"
-"opiekey[1]. There are versions of this command for Windows(R), Mac OS(R) "
-"and FreeBSD. This command needs the iteration count and the seed as command "
-"line options. Use cut-and-paste from the login prompt on the machine being "
-"logged in to."
+"The arguments passed to man:scp[1] are similar to man:cp[1]. The file or "
+"files to copy is the first argument and the destination to copy to is the "
+"second. Since the file is fetched over the network, one or more of the file "
+"arguments takes the form `user@host:<path_to_remote_file>`. Be aware when "
+"copying directories recursively that man:scp[1] uses `-r`, whereas man:cp[1] "
+"uses `-R`."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:582
-msgid "On the trusted system:"
+#: documentation/content/en/books/handbook/security/_index.adoc:751
+msgid "To open an interactive session for copying files, use man:sftp[1]."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:593
-msgid "Once the one-time password is generated, continue to log in."
+#: documentation/content/en/books/handbook/security/_index.adoc:753
+msgid ""
+"Refer to man:sftp[1] for a list of available commands while in an man:"
+"sftp[1] session."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:594
+#: documentation/content/en/books/handbook/security/_index.adoc:755
#, no-wrap
-msgid "Generating Multiple One-time Passwords"
+msgid "Key-based Authentication"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:598
+#: documentation/content/en/books/handbook/security/_index.adoc:759
msgid ""
-"Sometimes there is no access to a trusted machine or secure connection. In "
-"this case, it is possible to use man:opiekey[1] to generate a number of one-"
-"time passwords beforehand. For example:"
+"Instead of using passwords, a client can be configured to connect to the "
+"remote machine using keys. For security reasons, this is the preferred "
+"method."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:763
+msgid ""
+"man:ssh-keygen[1] can be used to generate the authentication keys. To "
+"generate a public and private key pair, specify the type of key and follow "
+"the prompts. It is recommended to protect the keys with a memorable, but "
+"hard to guess passphrase."
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:610
+#: documentation/content/en/books/handbook/security/_index.adoc:767
+#, no-wrap
+msgid "% ssh-keygen -t rsa -b 4096\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:794
#, no-wrap
msgid ""
-"% opiekey -n 5 30 zz99999\n"
-"Using the MD5 algorithm to compute response.\n"
-"Reminder: Do not use opiekey from telnet or dial-in sessions.\n"
-"Enter secret pass phrase: <secret password>\n"
-"26: JOAN BORE FOSS DES NAY QUIT\n"
-"27: LATE BIAS SLAY FOLK MUCH TRIG\n"
-"28: SALT TIN ANTI LOON NEAL USE\n"
-"29: RIO ODIN GO BYE FURY TIC\n"
-"30: GREW JIVE SAN GIRD BOIL PHI\n"
+"Generating public/private rsa key pair.\n"
+"Enter file in which to save the key (/home/user/.ssh/id_rsa):\n"
+"Created directory '/home/user/.ssh/.ssh'.\n"
+"Enter passphrase (empty for no passphrase):\n"
+"Enter same passphrase again:\n"
+"Your identification has been saved in /home/user/.ssh/id_rsa.\n"
+"Your public key has been saved in /home/user/.ssh/id_rsa.pub.\n"
+"The key fingerprint is:\n"
+"SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com\n"
+"The key's randomart image is:\n"
+"+---[RSA 2048]----+\n"
+"| |\n"
+"| |\n"
+"| |\n"
+"| . o.. |\n"
+"| .S*+*o |\n"
+"| . O=Oo . . |\n"
+"| = Oo= oo..|\n"
+"| .oB.* +.oo.|\n"
+"| =OE**.o..=|\n"
+"+----[SHA256]-----+\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:617
+#: documentation/content/en/books/handbook/security/_index.adoc:798
+msgid ""
+"The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key "
+"is stored in [.filename]#~/.ssh/id_rsa.pub#. The _public_ key must be "
+"copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-"
+"based authentication to work."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:802
msgid ""
-"The `-n 5` requests five keys in sequence, and `30` specifies what the last "
-"iteration number should be. Note that these are printed out in _reverse_ "
-"order of use. The really paranoid might want to write the results down by "
-"hand; otherwise, print the list. Each line shows both the iteration count "
-"and the one-time password. Scratch off the passwords as they are used."
+"Utilizing a passphrase for OpenSSH keys is a key security practice, "
+"providing an extra layer of protection against unauthorized access and "
+"enhancing overall cybersecurity."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:804
+msgid "In case of loss or theft, this adds another layer of security."
msgstr ""
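Review bot: the ssh-keygen transcript does not match its command: `ssh-keygen -t rsa -b 4096` is run, but the randomart header reads `+---[RSA 2048]----+`; regenerate the output with a 4096-bit key or drop `-b 4096`. `Created directory '/home/user/.ssh/.ssh'.` has a doubled path component and should be `'/home/user/.ssh'`, matching the save location on the line above it. The sentence "The _public_ key must be copied to ~/.ssh/authorized_keys on the remote machine" gives no command for doing so; show one, or cross-reference the "Configuring publickey auth method" section, which describes sending the key to the administrator. The two trailing admonitions ("Utilizing a passphrase ... is a key security practice" and "In case of loss or theft, this adds another layer of security") say the same thing; merge them into one.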
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:618
+#: documentation/content/en/books/handbook/security/_index.adoc:807
#, no-wrap
-msgid "Restricting Use of UNIX(R) Passwords"
+msgid "SSH Tunneling"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:623
+#: documentation/content/en/books/handbook/security/_index.adoc:810
msgid ""
-"OPIE can restrict the use of UNIX(R) passwords based on the IP address of a "
-"login session. The relevant file is [.filename]#/etc/opieaccess#, which is "
-"present by default. Refer to man:opieaccess[5] for more information on this "
-"file and which security considerations to be aware of when using it."
+"OpenSSH has the ability to create a tunnel to encapsulate another protocol "
+"in an encrypted session."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:625
-msgid "Here is a sample [.filename]#opieaccess#:"
+#: documentation/content/en/books/handbook/security/_index.adoc:812
+msgid "The following command tells man:ssh[1] to create a tunnel:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:629
+#: documentation/content/en/books/handbook/security/_index.adoc:816
#, no-wrap
-msgid "permit 192.168.0.0 255.255.0.0\n"
+msgid "% ssh -D 8080 user@example.com\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:632
+#: documentation/content/en/books/handbook/security/_index.adoc:819
+msgid "This example uses the following options:"
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:820
+#, no-wrap
+msgid "-D"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:822
+msgid "Specifies a local \"dynamic\" application-level port forwarding."
+msgstr ""
+
+#. type: Labeled list
+#: documentation/content/en/books/handbook/security/_index.adoc:823
+#, no-wrap
+msgid "user@foo.example.com"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:825
+msgid "The login name to use on the specified remote SSH server."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:827
msgid ""
-"This line allows users whose IP source address (which is vulnerable to "
-"spoofing) matches the specified value and mask, to use UNIX(R) passwords at "
-"any time."
+"An SSH tunnel works by creating a listen socket on `localhost` on the "
+"specified `localport`."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:634
+#: documentation/content/en/books/handbook/security/_index.adoc:829
msgid ""
-"If no rules in [.filename]#opieaccess# are matched, the default is to deny "
-"non-OPIE logins."
+"This method can be used to wrap any number of insecure TCP protocols such as "
+"SMTP, POP3, and FTP."
msgstr ""
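Review bot: the option list does not match the command it explains: the command is `ssh -D 8080 user@example.com`, but the labeled item reads `user@foo.example.com`, and the explanation "creating a listen socket on `localhost` on the specified `localport`" uses a name that never appears in the command. Say that `8080` is the local port, and that with `-D` the listener is a dynamic (SOCKS) proxy that client applications are pointed at; without that, the reader cannot actually use the tunnel the section sets up.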
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:636
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:830
+#, no-wrap
+msgid "Enabling the SSH Server"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:833
+msgid ""
+"In addition to providing built-in SSH client utilities, a FreeBSD system can "
+"be configured as an SSH server, accepting connections from other SSH clients."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:838
+msgid ""
+"As stated, this chapter will cover the base system version of OpenSSH. "
+"Please *not* confuse with package:security/openssh-portable[], the version "
+"of OpenSSH that ships with the FreeBSD ports."
+msgstr ""
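Review bot: grammar in the admonition: "Please *not* confuse with package:security/openssh-portable[]" should read "Please do *not* confuse it with package:security/openssh-portable[]". This admonition also repeats the one in the OpenSSH introduction, and the two describe the port differently (there as providing "additional configuration options" and being "updated more regularly", here as "the version of OpenSSH that ships with the FreeBSD ports"); keep one description and drop the duplicate.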
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:841
+msgid ""
+"In order to have the SSH Server enabled across reboots execute the following "
+"command:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:845
+#, no-wrap
+msgid "# sysrc sshd_enable=\"YES\"\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:848
+msgid "Then execute the following command to enable the service:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:852
#, no-wrap
-msgid "TCP Wrapper"
+msgid "# service sshd start\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:856
+msgid ""
+"The first time sshd starts on a FreeBSD system, the system's host keys will "
+"be automatically created and the fingerprint will be displayed on the "
+"console. Provide users with the fingerprint so that they can verify it the "
+"first time they connect to the server."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:641
+#: documentation/content/en/books/handbook/security/_index.adoc:858
msgid ""
-"TCP Wrapper is a host-based access control system which extends the "
-"abilities of crossref:network-servers[network-inetd,“The inetd Super-"
-"Server”]. It can be configured to provide logging support, return messages, "
-"and connection restrictions for the server daemons under the control of "
-"inetd. Refer to man:tcpd[8] for more information about TCP Wrapper and its "
-"features."
+"Refer to man:sshd[8] for the list of available options when starting sshd "
+"and a complete discussion about authentication, the login process, and the "
+"various configuration files."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:644
+#: documentation/content/en/books/handbook/security/_index.adoc:860
msgid ""
-"TCP Wrapper should not be considered a replacement for a properly configured "
-"firewall. Instead, TCP Wrapper should be used in conjunction with a "
-"firewall and other security enhancements in order to provide another layer "
-"of protection in the implementation of a security policy."
+"At this point, the sshd should be available to all users with a username and "
+"password on the system."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:645
+#: documentation/content/en/books/handbook/security/_index.adoc:862
#, no-wrap
-msgid "Initial Configuration"
+msgid "Configuring publickey auth method"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:648
+#: documentation/content/en/books/handbook/security/_index.adoc:867
+msgid ""
+"Configuring OpenSSH to use public key authentication enhances security by "
+"leveraging asymmetric cryptography for authentication. This method "
+"eliminates password-related risks, such as weak passwords or interception "
+"during transmission, while thwarting various password-based attacks. "
+"However, it's vital to ensure the private keys are well-protected to prevent "
+"unauthorized access."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:869
+msgid ""
+"The first step will be to configure man:sshd[8] to use the required "
+"authentication method."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:871
+msgid ""
+"Edit [.filename]#/etc/ssh/sshd_config# and uncomment the following "
+"configuration:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:875
+#, no-wrap
+msgid "PubkeyAuthentication yes\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:879
msgid ""
-"To enable TCP Wrapper in FreeBSD, add the following lines to [.filename]#/"
-"etc/rc.conf#:"
+"Once the configuration is done, the users will have to send the system "
+"administrator their *public key* and these keys will be added in [."
+"filename]#.ssh/authorized_keys#. The process for generating the keys is "
+"described in <<Key-based Authentication>>."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:881
+msgid "Then restart the server executing the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:653
+#: documentation/content/en/books/handbook/security/_index.adoc:885
+#: documentation/content/en/books/handbook/security/_index.adoc:955
+#, no-wrap
+msgid "# service sshd reload\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:888
+msgid ""
+"It is strongly recommended to follow the security improvements indicated in "
+"<<security-sshd-security-options>>."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:890
#, no-wrap
+msgid "SSH Server Security Options"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:893
msgid ""
-"inetd_enable=\"YES\"\n"
-"inetd_flags=\"-Ww\"\n"
+"While sshd is the most widely used remote administration facility for "
+"FreeBSD, brute force and drive by attacks are common to any system exposed "
+"to public networks."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:656
-msgid "Then, properly configure [.filename]#/etc/hosts.allow#."
+#: documentation/content/en/books/handbook/security/_index.adoc:896
+msgid ""
+"Several additional parameters are available to prevent the success of these "
+"attacks and will be described in this section. All configurations will be "
+"done in [.filename]#/etc/ssh/sshd_config#"
msgstr ""
#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:661
+#: documentation/content/en/books/handbook/security/_index.adoc:902
msgid ""
-"Unlike other implementations of TCP Wrapper, the use of [.filename]#hosts."
-"deny# is deprecated in FreeBSD. All configuration options should be placed "
-"in [.filename]#/etc/hosts.allow#."
+"Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/"
+"ssh_config# (note the extra `d` in the first filename). The first file "
+"configures the server and the second file configures the client. Refer to "
+"man:ssh_config[5] for a listing of the available client settings."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:665
+#: documentation/content/en/books/handbook/security/_index.adoc:906
msgid ""
-"In the simplest configuration, daemon connection policies are set to either "
-"permit or block, depending on the options in [.filename]#/etc/hosts.allow#. "
-"The default configuration in FreeBSD is to allow all connections to the "
-"daemons started with inetd."
+"By default, authentication can be done with both pubkey and password. To "
+"allow *only* pubkey authentication, *which is strongly recommended*, change "
+"the variable:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:910
+#, no-wrap
+msgid "PasswordAuthentication no\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:669
+#: documentation/content/en/books/handbook/security/_index.adoc:914
msgid ""
-"Basic configuration usually takes the form of `daemon : address : action`, "
-"where `daemon` is the daemon which inetd started, `address` is a valid "
-"hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and "
-"`action` is either `allow` or `deny`. TCP Wrapper uses a first rule match "
-"semantic, meaning that the configuration file is scanned from the beginning "
-"for a matching rule. When a match is found, the rule is applied and the "
-"search process stops."
+"It is a good idea to limit which users can log into the SSH server and from "
+"where using the `AllowUsers` keyword in the OpenSSH server configuration "
+"file. For example, to only allow `user` to log in from `192.168.1.32`, add "
+"this line to [.filename]#/etc/ssh/sshd_config#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:918
+#, no-wrap
+msgid "AllowUsers user@192.168.1.32\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:671
+#: documentation/content/en/books/handbook/security/_index.adoc:921
msgid ""
-"For example, to allow POP3 connections via the package:mail/qpopper[] "
-"daemon, the following lines should be appended to [.filename]#hosts.allow#:"
+"To allow `user` to log in from anywhere, list that user without specifying "
+"an IP address:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:925
+#, no-wrap
+msgid "AllowUsers user\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:928
+msgid "Multiple users should be listed on the same line, like so:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:676
+#: documentation/content/en/books/handbook/security/_index.adoc:932
#, no-wrap
+msgid "AllowUsers root@192.168.1.32 user\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:935
msgid ""
-"# This line is required for POP3 connections:\n"
-"qpopper : ALL : allow\n"
+"After making all the changes, and before restarting the service, it is "
+"recommended to verify that the configuration made is correct by executing "
+"the following command:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:939
+#, no-wrap
+msgid "# sshd -t\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:679
-msgid "Whenever this file is edited, restart inetd:"
+#: documentation/content/en/books/handbook/security/_index.adoc:943
+msgid ""
+"If the configuration file is correct, no output will be shown. In case the "
+"configuration file is incorrect, it will show something like this:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:683
+#: documentation/content/en/books/handbook/security/_index.adoc:948
#, no-wrap
-msgid "# service inetd restart\n"
+msgid ""
+"/etc/ssh/sshd_config: line 3: Bad configuration option: sdadasdasdasads\n"
+"/etc/ssh/sshd_config: terminating, 1 bad configuration options\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:951
+msgid ""
+"After making the changes and checking that the configuration file is "
+"correct, tell sshd to reload its configuration file by running:"
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:958
+#, no-wrap
+msgid "OpenSSL"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:961
+msgid ""
+"OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer "
+"(SSL) and Transport Layer Security (TLS) network protocols and many "
+"cryptography routines."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:964
+msgid ""
+"The openssl program is a command line tool for using the various "
+"cryptography functions of OpenSSL's crypto library from the shell. It can "
+"be used for"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:966
+msgid "Creation and management of private keys, public keys and parameters"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:967
+msgid "Public key cryptographic operations"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:968
+msgid "Creation of X.509 certificates, CSRs and CRLs"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:969
+msgid "Calculation of Message Digests"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:970
+msgid "Encryption and Decryption with Ciphers"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:971
+msgid "SSL/TLS Client and Server Tests"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:972
+msgid "Handling of S/MIME signed or encrypted mail"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:973
+msgid "Time Stamp requests, generation and verification"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:974
+msgid "Benchmarking the crypto routines"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:976
+msgid ""
+"For more information about OpenSSL, read the free https://www.feistyduck.com/"
+"books/openssl-cookbook/[OpenSSL Cookbook]."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:685
+#: documentation/content/en/books/handbook/security/_index.adoc:978
#, no-wrap
-msgid "Advanced Configuration"
+msgid "Generating Certificates"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:692
+#: documentation/content/en/books/handbook/security/_index.adoc:981
msgid ""
-"TCP Wrapper provides advanced options to allow more control over the way "
-"connections are handled. In some cases, it may be appropriate to return a "
-"comment to certain hosts or daemon connections. In other cases, a log entry "
-"should be recorded or an email sent to the administrator. Other situations "
-"may require the use of a service for local connections only. This is all "
-"possible through the use of configuration options known as wildcards, "
-"expansion characters, and external command execution."
+"OpenSSL supports the generation of certificates both to be validated by a "
+"link:https://en.wikipedia.org/wiki/Certificate_authority[CA] and for own use."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:697
+#: documentation/content/en/books/handbook/security/_index.adoc:988
msgid ""
-"Suppose that a situation occurs where a connection should be denied yet a "
-"reason should be sent to the host who attempted to establish that "
-"connection. That action is possible with `twist`. When a connection "
-"attempt is made, `twist` executes a shell command or script. An example "
-"exists in [.filename]#hosts.allow#:"
+"Run the command man:openssl[1] to generate a valid certificate for a link:"
+"https://en.wikipedia.org/wiki/Certificate_authority[CA] with the following "
+"arguments. This command will create two files in the current directory. "
+"The certificate request, [.filename]#req.pem#, can be sent to a link:https://"
+"en.wikipedia.org/wiki/Certificate_authority[CA] which, will validate the "
+"entered credentials, sign the request, and return the signed certificate. "
+"The second file, [.filename]#cert.key#, is the private key for the "
+"certificate and should be stored in a secure location. If this falls in the "
+"hands of others, it can be used to impersonate the user or the server."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:990
+#: documentation/content/en/books/handbook/security/_index.adoc:1032
+msgid "Execute the following command to generate the certificate:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:704
+#: documentation/content/en/books/handbook/security/_index.adoc:994
+#, no-wrap
+msgid "# openssl req -new -nodes -out req.pem -keyout cert.key -sha3-512 -newkey rsa:4096\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1019
#, no-wrap
msgid ""
-"# The rest of the daemons are protected.\n"
-"ALL : ALL \\\n"
-"\t: severity auth.info \\\n"
-"\t: twist /bin/echo \"You are not welcome to use %d from %h.\"\n"
+"Generating a RSA private key\n"
+"..................................................................................................................................+++++\n"
+"......................................+++++\n"
+"writing new private key to 'cert.key'\n"
+"-----\n"
+"You are about to be asked to enter information that will be incorporated\n"
+"into your certificate request.\n"
+"What you are about to enter is what is called a Distinguished Name or a DN.\n"
+"There are quite a few fields but you can leave some blank\n"
+"For some fields there will be a default value,\n"
+"If you enter '.', the field will be left blank.\n"
+"-----\n"
+"Country Name (2 letter code) [AU]:ES\n"
+"State or Province Name (full name) [Some-State]:Valencian Community\n"
+"Locality Name (eg, city) []:Valencia\n"
+"Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company\n"
+"Organizational Unit Name (eg, section) []:Systems Administrator\n"
+"Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org\n"
+"Email Address []:user@FreeBSD.org\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1024
+#, no-wrap
+msgid ""
+"Please enter the following 'extra' attributes\n"
+"to be sent with your certificate request\n"
+"A challenge password []:123456789\n"
+"An optional company name []:Another name\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:710
+#: documentation/content/en/books/handbook/security/_index.adoc:1030
msgid ""
-"In this example, the message \"You are not allowed to use _daemon name_ from "
-"_hostname_.\" will be returned for any daemon not configured in [."
-"filename]#hosts.allow#. This is useful for sending a reply back to the "
-"connection initiator right after the established connection is dropped. Any "
-"message returned _must_ be wrapped in quote (`\"`) characters."
+"Alternately, if a signature from a link:https://en.wikipedia.org/wiki/"
+"Certificate_authority[CA] is not required, a self-signed certificate can be "
+"created. This will create two new files in the current directory: a private "
+"key file [.filename]#cert.key#, and the certificate itself, [.filename]#cert."
+"crt#. These should be placed in a directory, preferably under [.filename]#/"
+"etc/ssl/#, which is readable only by `root`. Permissions of `0700` are "
+"appropriate for these files and can be set using `chmod`."
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:714
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1036
+#, no-wrap
+msgid "# openssl req -new -x509 -days 365 -sha3-512 -keyout /etc/ssl/private/cert.key -out /etc/ssl/certs/cert.crt\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1063
+#, no-wrap
msgid ""
-"It may be possible to launch a denial of service attack on the server if an "
-"attacker floods these daemons with connection requests."
+"Generating a RSA private key\n"
+"........................................+++++\n"
+"...........+++++\n"
+"writing new private key to '/etc/ssl/private/cert.key'\n"
+"Enter PEM pass phrase:\n"
+"Verifying - Enter PEM pass phrase:\n"
+"-----\n"
+"You are about to be asked to enter information that will be incorporated\n"
+"into your certificate request.\n"
+"What you are about to enter is what is called a Distinguished Name or a DN.\n"
+"There are quite a few fields but you can leave some blank\n"
+"For some fields there will be a default value,\n"
+"If you enter '.', the field will be left blank.\n"
+"-----\n"
+"Country Name (2 letter code) [AU]:ES\n"
+"State or Province Name (full name) [Some-State]:Valencian Community\n"
+"Locality Name (eg, city) []:Valencia\n"
+"Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company\n"
+"Organizational Unit Name (eg, section) []:Systems Administrator\n"
+"Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org\n"
+"Email Address []:user@FreeBSD.org\n"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1066
+#, no-wrap
+msgid "Configuring the FIPS Provider"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:720
+#: documentation/content/en/books/handbook/security/_index.adoc:1073
msgid ""
-"Another possibility is to use `spawn`. Like `twist`, `spawn` implicitly "
-"denies the connection and may be used to run external shell commands or "
-"scripts. Unlike `twist`, `spawn` will not send a reply back to the host who "
-"established the connection. For example, consider the following "
-"configuration:"
+"With the import of OpenSSL 3 into the base system (on FreeBSD 14 and later), "
+"its new concept of provider modules was introduced in the system. Besides "
+"the default provider module built-in to the library, the _legacy_ module "
+"implements the now optional deprecated cryptography algorithms, while the "
+"_fips_ module restricts the OpenSSL implementation to the cryptography "
+"algorithms present in the link:https://en.wikipedia.org/wiki/"
+"Federal_Information_Processing_Standards[FIPS] set of standards. This part "
+"of OpenSSL receives link:https://www.openssl.org/docs/fips.html[particular "
+"care], including a link:https://www.openssl.org/news/fips-cve.html[list of "
+"relevant security issues], and is subject to the link:https://github.com/"
+"openssl/openssl/blob/master/README-FIPS.md[FIPS 140 validation process] on a "
+"regular basis. The link:https://www.openssl.org/source/[list of FIPS "
+"validated versions] is also available. This allows users to ensure FIPS "
+"compliance in their use of OpenSSL."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1077
+msgid ""
+"Importantly, the man:fips_module[7] is protected by an additional security "
+"measure, preventing its use without passing an integrity check. This check "
+"can be setup by the local system administrator, allowing every user of "
+"OpenSSL 3 to load this module. When not configured correctly, the FIPS "
+"module is expected to fail as follows:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1081
+#: documentation/content/en/books/handbook/security/_index.adoc:1153
+#, no-wrap
+msgid "# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:728
+#: documentation/content/en/books/handbook/security/_index.adoc:1093
#, no-wrap
msgid ""
-"# We do not allow connections from example.com:\n"
-"ALL : .example.com \\\n"
-"\t: spawn (/bin/echo %a from %h attempted to access %d >> \\\n"
-"\t /var/log/connections.log) \\\n"
-"\t: deny\n"
+"aes-128-cbc: unable to load provider fips\n"
+"Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n"
+"00206124D94D0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:crypto/openssl/providers/fips/self_test.c:275:\n"
+"00206124D94D0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:crypto/openssl/providers/fips/self_test.c:373:\n"
+"00206124D94D0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:crypto/openssl/providers/fips/fipsprov.c:707:\n"
+"00206124D94D0000:error:078C0105:common libcrypto routines:provider_init:init fail:crypto/openssl/crypto/provider_core.c:932:name=fips\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:733
+#: documentation/content/en/books/handbook/security/_index.adoc:1097
+msgid ""
+"The check can be configured through the creation of a file in [.filename]#/"
+"etc/ssl/fipsmodule.cnf#, which will then be referenced in OpenSSL's main "
+"configuration file [.filename]#/etc/ssl/openssl.cnf#. OpenSSL provides the "
+"man:openssl-fipsinstall[1] utility to help with this process, which can be "
+"used as follows:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1101
+#, no-wrap
+msgid "# openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /etc/ssl/fipsmodule.cnf\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1108
+#, no-wrap
+msgid "INSTALL PASSED\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1111
msgid ""
-"This will deny all connection attempts from `*.example.com` and log the "
-"hostname, IP address, and the daemon to which access was attempted to [."
-"filename]#/var/log/connections.log#. This example uses the substitution "
-"characters `%a` and `%h`. Refer to man:hosts_access[5] for the complete "
-"list."
+"The [.filename]#/etc/ssl/openssl.cnf# should then be modified, in order to:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:737
+#: documentation/content/en/books/handbook/security/_index.adoc:1113
+msgid "Include the [.filename]#/etc/ssl/fipsmodule.cnf# file generated above,"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1114
+msgid "Expose the FIPS module for possible use,"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1115
+msgid "And explicitly activate the default module."
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1126
+#, no-wrap
msgid ""
-"To match every instance of a daemon, domain, or IP address, use `ALL`. "
-"Another wildcard is `PARANOID` which may be used to match any host which "
-"provides an IP address that may be forged because the IP address differs "
-"from its resolved hostname. In this example, all connection requests to "
-"Sendmail which have an IP address that varies from its hostname will be "
-"denied:"
+"[...]\n"
+"# For FIPS\n"
+"# Optionally include a file that is generated by the OpenSSL fipsinstall\n"
+"# application. This file contains configuration data required by the OpenSSL\n"
+"# fips provider. It contains a named section e.g. [fips_sect] which is\n"
+"# referenced from the [provider_sect] below.\n"
+"# Refer to the OpenSSL security policy for more information.\n"
+".include /etc/ssl/fipsmodule.cnf\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:742
+#: documentation/content/en/books/handbook/security/_index.adoc:1128
+#, no-wrap
+msgid "[...]\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1135
#, no-wrap
msgid ""
-"# Block possibly spoofed requests to sendmail:\n"
-"sendmail : PARANOID : deny\n"
+"# List of providers to load\n"
+"[provider_sect]\n"
+"default = default_sect\n"
+"# The fips section name should match the section name inside the\n"
+"# included fipsmodule.cnf.\n"
+"fips = fips_sect\n"
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:747
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1146
+#, no-wrap
msgid ""
-"Using the `PARANOID` wildcard will result in denied connections if the "
-"client or server has a broken DNS setup."
+"# If no providers are activated explicitly, the default one is activated implicitly.\n"
+"# See man 7 OSSL_PROVIDER-default for more details.\n"
+"#\n"
+"# If you add a section explicitly activating any other provider(s), you most\n"
+"# probably need to explicitly activate the default provider, otherwise it\n"
+"# becomes unavailable in openssl. As a consequence applications depending on\n"
+"# OpenSSL may not work correctly which could lead to significant system\n"
+"# problems including inability to remotely access the system.\n"
+"[default_sect]\n"
+"activate = 1\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:750
+#: documentation/content/en/books/handbook/security/_index.adoc:1149
msgid ""
-"To learn more about wildcards and their associated functionality, refer to "
-"man:hosts_access[5]."
+"With this done, it should be possible to confirm that the FIPS module is "
+"effectively available and working:"
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:754
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1162
+#, no-wrap
+msgid ""
+"enter AES-128-CBC encryption password:\n"
+"Verifying - enter AES-128-CBC encryption password:\n"
+"U2FsdGVkX18idooW6e3LqWeeiKP76kufcOUClh57j8U=\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1165
msgid ""
-"When adding new configuration lines, make sure that any unneeded entries for "
-"that daemon are commented out in [.filename]#hosts.allow#."
+"This procedure has to be repeated every time the FIPS module is modified, e."
+"g., after performing system updates, or after applying security fixes "
+"affecting OpenSSL in the base system."
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:757
+#: documentation/content/en/books/handbook/security/_index.adoc:1167
#, no-wrap
msgid "Kerberos"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:763
+#: documentation/content/en/books/handbook/security/_index.adoc:1173
msgid ""
"Kerberos is a network authentication protocol which was originally created "
"by the Massachusetts Institute of Technology (MIT) as a way to securely "
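Review bot: `PasswordAuthentication no` on its own (the "To allow *only* pubkey authentication" paragraph and the block at adoc:910) does not restrict sshd to public keys: with FreeBSD's default `UsePAM yes` and `KbdInteractiveAuthentication yes`, a password prompt is still offered through the keyboard-interactive method, so the block should also set `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication` on older OpenSSH) and the prose should say why both are needed. In the `AllowUsers root@192.168.1.32 user` example, `AllowUsers` does not by itself permit root logins; `PermitRootLogin` governs that and is off in FreeBSD's default `sshd_config`, so either mention that dependency or use a non-root account in the example. The self-signed certificate paragraph (adoc:1030) says the two files are created "in the current directory", but the command that follows writes them to `/etc/ssl/private/cert.key` and `/etc/ssl/certs/cert.crt`; and `0700` is a directory mode, the key file itself wants `0600` (with `0700` on the containing directory), so the sentence about `chmod` should distinguish the two. Smaller points: "Then restart the server executing the following command" introduces `service sshd reload`, so say "reload"; the `sshd -t` sample output would read better with a plausible typo than with `sdadasdasdasads`; the challenge password in the CSR transcript (`123456789`) is an optional field and a blank value avoids suggesting a weak secret; "drive by attacks" should be "drive-by attacks", "Alternately" should be "Alternatively", and the sentence ending "done in [.filename]#/etc/ssh/sshd_config#" at adoc:896 is missing its final period.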
@@ -1492,7 +2316,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:767
+#: documentation/content/en/books/handbook/security/_index.adoc:1177
msgid ""
"The only function of Kerberos is to provide the secure authentication of "
"users and servers on the network. It does not provide authorization or "
@@ -1501,7 +2325,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:775
+#: documentation/content/en/books/handbook/security/_index.adoc:1185
msgid ""
"The current version of the protocol is version 5, described in RFC 4120. "
"Several free implementations of this protocol are available, covering a wide "
@@ -1516,7 +2340,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:778
+#: documentation/content/en/books/handbook/security/_index.adoc:1188
msgid ""
"In Kerberos users and services are identified as \"principals\" which are "
"contained within an administrative grouping, called a \"realm\". A typical "
@@ -1525,31 +2349,31 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:780
+#: documentation/content/en/books/handbook/security/_index.adoc:1190
msgid ""
"This section provides a guide on how to set up Kerberos using the Heimdal "
"distribution included in FreeBSD."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:782
+#: documentation/content/en/books/handbook/security/_index.adoc:1192
msgid ""
"For purposes of demonstrating a Kerberos installation, the name spaces will "
"be as follows:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:784
+#: documentation/content/en/books/handbook/security/_index.adoc:1194
msgid "The DNS domain (zone) will be `example.org`."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:785
+#: documentation/content/en/books/handbook/security/_index.adoc:1195
msgid "The Kerberos realm will be `EXAMPLE.ORG`."
msgstr ""
#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:790
+#: documentation/content/en/books/handbook/security/_index.adoc:1200
msgid ""
"Use real domain names when setting up Kerberos, even if it will run "
"internally. This avoids DNS problems and assures inter-operation with other "
@@ -1557,13 +2381,13 @@ msgid ""
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:792
+#: documentation/content/en/books/handbook/security/_index.adoc:1202
#, no-wrap
msgid "Setting up a Heimdal KDC"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:798
+#: documentation/content/en/books/handbook/security/_index.adoc:1208
msgid ""
"The Key Distribution Center (KDC) is the centralized authentication service "
"that Kerberos provides, the \"trusted third party\" of the system. It is "
@@ -1574,30 +2398,30 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:800
+#: documentation/content/en/books/handbook/security/_index.adoc:1210
msgid ""
"While running a KDC requires few computing resources, a dedicated machine "
"acting only as a KDC is recommended for security reasons."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:802
+#: documentation/content/en/books/handbook/security/_index.adoc:1212
msgid "To begin, install the package:security/heimdal[] package as follows:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:806
+#: documentation/content/en/books/handbook/security/_index.adoc:1216
#, no-wrap
msgid "# pkg install heimdal\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:809
+#: documentation/content/en/books/handbook/security/_index.adoc:1219
msgid "Next, update [.filename]#/etc/rc.conf# using `sysrc` as follows:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:814
+#: documentation/content/en/books/handbook/security/_index.adoc:1224
#, no-wrap
msgid ""
"# sysrc kdc_enable=yes\n"
@@ -1605,12 +2429,12 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:817
+#: documentation/content/en/books/handbook/security/_index.adoc:1227
msgid "Next, edit [.filename]#/etc/krb5.conf# as follows:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:829
+#: documentation/content/en/books/handbook/security/_index.adoc:1239
#, no-wrap
msgid ""
"[libdefaults]\n"
@@ -1625,14 +2449,14 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:833
+#: documentation/content/en/books/handbook/security/_index.adoc:1243
msgid ""
"In this example, the KDC will use the fully-qualified hostname `kerberos."
"example.org`. The hostname of the KDC must be resolvable in the DNS."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:836
+#: documentation/content/en/books/handbook/security/_index.adoc:1246
msgid ""
"Kerberos can also use the DNS to locate KDCs, instead of a `[realms]` "
"section in [.filename]#/etc/krb5.conf#. For large organizations that have "
@@ -1640,7 +2464,7 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:843
+#: documentation/content/en/books/handbook/security/_index.adoc:1253
#, no-wrap
msgid ""
"[libdefaults]\n"
@@ -1650,12 +2474,12 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:846
+#: documentation/content/en/books/handbook/security/_index.adoc:1256
msgid "With the following lines being included in the `example.org` zone file:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:854
+#: documentation/content/en/books/handbook/security/_index.adoc:1264
#, no-wrap
msgid ""
"_kerberos._udp IN SRV 01 00 88 kerberos.example.org.\n"
@@ -1666,7 +2490,7 @@ msgid ""
msgstr ""
#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:859
+#: documentation/content/en/books/handbook/security/_index.adoc:1269
msgid ""
"In order for clients to be able to find the Kerberos services, they _must_ "
"have either a fully configured [.filename]#/etc/krb5.conf# or a minimally "
@@ -1675,7 +2499,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:865
+#: documentation/content/en/books/handbook/security/_index.adoc:1275
msgid ""
"Next, create the Kerberos database which contains the keys of all principals "
"(users and hosts) encrypted with a master password. It is not required to "
@@ -1685,16 +2509,21 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:871
+#: documentation/content/en/books/handbook/security/_index.adoc:1279
+#, no-wrap
+msgid "# kstash\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1287
#, no-wrap
msgid ""
-"# kstash\n"
"Master key: xxxxxxxxxxxxxxxxxxxxxxx\n"
"Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:877
+#: documentation/content/en/books/handbook/security/_index.adoc:1293
msgid ""
"Once the master key has been created, the database should be initialized. "
"The Kerberos administrative tool man:kadmin[8] can be used on the KDC in a "
@@ -1705,7 +2534,7 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:883
+#: documentation/content/en/books/handbook/security/_index.adoc:1299
#, no-wrap
msgid ""
"# kadmin -l\n"
@@ -1714,7 +2543,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:888
+#: documentation/content/en/books/handbook/security/_index.adoc:1304
msgid ""
"Lastly, while still in `kadmin`, create the first principal using `add`. "
"Stick to the default options for the principal for now, as these can be "
@@ -1723,10 +2552,15 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:899
+#: documentation/content/en/books/handbook/security/_index.adoc:1308
+#, no-wrap
+msgid "kadmin> add tillman\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1321
#, no-wrap
msgid ""
-"kadmin> add tillman\n"
"Max ticket life [unlimited]:\n"
"Max renewable life [unlimited]:\n"
"Principal expiration time [never]:\n"
@@ -1737,12 +2571,12 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:902
+#: documentation/content/en/books/handbook/security/_index.adoc:1324
msgid "Next, start the KDC services by running:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:907
+#: documentation/content/en/books/handbook/security/_index.adoc:1329
#, no-wrap
msgid ""
"# service kdc start\n"
@@ -1750,7 +2584,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:910
+#: documentation/content/en/books/handbook/security/_index.adoc:1332
msgid ""
"While there will not be any kerberized daemons running at this point, it is "
"possible to confirm that the KDC is functioning by obtaining a ticket for "
@@ -1758,29 +2592,38 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:915
+#: documentation/content/en/books/handbook/security/_index.adoc:1336
#, no-wrap
-msgid ""
-"% kinit tillman\n"
-"tillman@EXAMPLE.ORG's Password:\n"
+msgid "% kinit tillman\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1343
+#, no-wrap
+msgid "tillman@EXAMPLE.ORG's Password:\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:918
+#: documentation/content/en/books/handbook/security/_index.adoc:1346
msgid "Confirm that a ticket was successfully obtained using `klist`:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:924
+#: documentation/content/en/books/handbook/security/_index.adoc:1350
+#, no-wrap
+msgid "% klist\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1358
#, no-wrap
msgid ""
-"% klist\n"
"Credentials cache: FILE:/tmp/krb5cc_1001\n"
"\tPrincipal: tillman@EXAMPLE.ORG\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:927
+#: documentation/content/en/books/handbook/security/_index.adoc:1361
#, no-wrap
msgid ""
" Issued Expires Principal\n"
@@ -1788,24 +2631,24 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:930
+#: documentation/content/en/books/handbook/security/_index.adoc:1364
msgid "The temporary ticket can be destroyed when the test is finished:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:934
+#: documentation/content/en/books/handbook/security/_index.adoc:1368
#, no-wrap
msgid "% kdestroy\n"
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:936
+#: documentation/content/en/books/handbook/security/_index.adoc:1370
#, no-wrap
msgid "Configuring a Server to Use Kerberos"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:940
+#: documentation/content/en/books/handbook/security/_index.adoc:1374
msgid ""
"The first step in configuring a server to use Kerberos authentication is to "
"ensure that it has the correct configuration in [.filename]#/etc/krb5."
@@ -1814,7 +2657,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:949
+#: documentation/content/en/books/handbook/security/_index.adoc:1383
msgid ""
"Next, create [.filename]#/etc/krb5.keytab# on the server. This is the main "
"part of \"Kerberizing\" a service - it corresponds to generating a secret "
@@ -1834,7 +2677,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:953
+#: documentation/content/en/books/handbook/security/_index.adoc:1387
msgid ""
"Of course, `kadmin` is a kerberized service; a Kerberos ticket is needed to "
"authenticate to the network service, but to ensure that the user running "
@@ -1849,7 +2692,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:957
+#: documentation/content/en/books/handbook/security/_index.adoc:1391
msgid ""
"After installing [.filename]#/etc/krb5.conf#, use `add --random-key` in "
"`kadmin`. This adds the server's host principal to the database, but does "
@@ -1859,10 +2702,16 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:969
+#: documentation/content/en/books/handbook/security/_index.adoc:1395
+#: documentation/content/en/books/handbook/security/_index.adoc:1417
+#, no-wrap
+msgid "# kadmin\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1409
#, no-wrap
msgid ""
-"# kadmin\n"
"kadmin> add --random-key host/myserver.example.org\n"
"Max ticket life [unlimited]:\n"
"Max renewable life [unlimited]:\n"
@@ -1874,7 +2723,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:973
+#: documentation/content/en/books/handbook/security/_index.adoc:1413
msgid ""
"Note that `ext_keytab` stores the extracted key in [.filename]#/etc/krb5."
"keytab# by default. This is good when being run on the server being "
@@ -1883,16 +2732,15 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:979
+#: documentation/content/en/books/handbook/security/_index.adoc:1425
#, no-wrap
msgid ""
-"# kadmin\n"
"kadmin> ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org\n"
"kadmin> exit\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:983
+#: documentation/content/en/books/handbook/security/_index.adoc:1429
msgid ""
"The keytab can then be securely copied to the server using man:scp[1] or a "
"removable media. Be sure to specify a non-default keytab name to avoid "
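Review bot: the `ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org` example extracts the server's long-term key into /tmp, and the paragraph that follows only says the keytab "can then be securely copied to the server"; while this block is being reshaped, add a sentence telling the reader to delete /tmp/example.keytab on the KDC once the copy has been made, and to install the copy on the server (as /etc/krb5.keytab) owned by root with mode 0600, since anyone able to read that file can impersonate the host.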
@@ -1900,7 +2748,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:988
+#: documentation/content/en/books/handbook/security/_index.adoc:1434
msgid ""
"At this point, the server can read encrypted messages from the KDC using its "
"shared key, stored in [.filename]#krb5.keytab#. It is now ready for the "
@@ -1910,33 +2758,33 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:992
+#: documentation/content/en/books/handbook/security/_index.adoc:1438
#, no-wrap
msgid "GSSAPIAuthentication yes\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:995
+#: documentation/content/en/books/handbook/security/_index.adoc:1441
msgid ""
"After making this change, man:sshd[8] must be restarted for the new "
"configuration to take effect: `service sshd restart`."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:996
+#: documentation/content/en/books/handbook/security/_index.adoc:1442
#, no-wrap
msgid "Configuring a Client to Use Kerberos"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1000
+#: documentation/content/en/books/handbook/security/_index.adoc:1446
msgid ""
"As it was for the server, the client requires configuration in [.filename]#/"
"etc/krb5.conf#. Copy the file in place (securely) or re-enter it as needed."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1005
+#: documentation/content/en/books/handbook/security/_index.adoc:1451
msgid ""
"Test the client by using `kinit`, `klist`, and `kdestroy` from the client to "
"obtain, show, and then delete a ticket for an existing principal. Kerberos "
@@ -1948,14 +2796,14 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1007
+#: documentation/content/en/books/handbook/security/_index.adoc:1453
msgid ""
"When testing a Kerberized application, try using a packet sniffer such as "
"`tcpdump` to confirm that no sensitive information is sent in the clear."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1010
+#: documentation/content/en/books/handbook/security/_index.adoc:1456
msgid ""
"Various Kerberos client applications are available. With the advent of a "
"bridge so that applications using SASL for authentication can use GSS-API "
@@ -1964,7 +2812,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1015
+#: documentation/content/en/books/handbook/security/_index.adoc:1461
msgid ""
"Users within a realm typically have their Kerberos principal mapped to a "
"local user account. Occasionally, one needs to grant access to a local user "
@@ -1975,7 +2823,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1018
+#: documentation/content/en/books/handbook/security/_index.adoc:1464
msgid ""
"The [.filename]#.k5login# and [.filename]#.k5users# files, placed in a "
"user's home directory, can be used to solve this problem. For example, if "
@@ -1985,7 +2833,7 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1023
+#: documentation/content/en/books/handbook/security/_index.adoc:1469
#, no-wrap
msgid ""
"tillman@example.org\n"
@@ -1993,18 +2841,18 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1026
+#: documentation/content/en/books/handbook/security/_index.adoc:1472
msgid "Refer to man:ksu[1] for more information about [.filename]#.k5users#."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1027
+#: documentation/content/en/books/handbook/security/_index.adoc:1473
#, no-wrap
msgid "MIT Differences"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1031
+#: documentation/content/en/books/handbook/security/_index.adoc:1477
msgid ""
"The major difference between the MIT and Heimdal implementations is that "
"`kadmin` has a different, but equivalent, set of commands and uses a "
@@ -2013,7 +2861,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1035
+#: documentation/content/en/books/handbook/security/_index.adoc:1481
msgid ""
"Client applications may also use slightly different command line options to "
"accomplish the same tasks. Following the instructions at http://web.mit.edu/"
@@ -2024,38 +2872,38 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1037
+#: documentation/content/en/books/handbook/security/_index.adoc:1483
msgid ""
-"When using MIT Kerberos as a KDC on FreeBSD, the following edits should also "
-"be made to [.filename]#rc.conf#:"
+"When using MIT Kerberos as a KDC on FreeBSD, execute the following commands "
+"to add the required configurations to [.filename]#/etc/rc.conf#:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1045
+#: documentation/content/en/books/handbook/security/_index.adoc:1491
#, no-wrap
msgid ""
-"kdc_program=\"/usr/local/sbin/kdc\"\n"
-"kadmind_program=\"/usr/local/sbin/kadmind\"\n"
-"kdc_flags=\"\"\n"
-"kdc_enable=\"YES\"\n"
-"kadmind_enable=\"YES\"\n"
+"# sysrc kdc_program=\"/usr/local/sbin/kdc\"\n"
+"# sysrc kadmind_program=\"/usr/local/sbin/kadmind\"\n"
+"# sysrc kdc_flags=\"\"\n"
+"# sysrc kdc_enable=\"YES\"\n"
+"# sysrc kadmind_enable=\"YES\"\n"
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1047
+#: documentation/content/en/books/handbook/security/_index.adoc:1493
#, no-wrap
msgid "Kerberos Tips, Tricks, and Troubleshooting"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1050
+#: documentation/content/en/books/handbook/security/_index.adoc:1496
msgid ""
"When configuring and troubleshooting Kerberos, keep the following points in "
"mind:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1052
+#: documentation/content/en/books/handbook/security/_index.adoc:1498
msgid ""
"When using either Heimdal or MITKerberos from ports, ensure that the `PATH` "
"lists the port's versions of the client applications before the system "
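Review bot: `kdc_program=\"/usr/local/sbin/kdc\"` in the new sysrc lines carries over a path that looks like the Heimdal daemon name; MIT Kerberos installs its KDC as krb5kdc, so verify the path against the files installed by the MIT port before committing this paragraph in its new form. The quoting is also inconsistent with the Heimdal section earlier in this file, which uses `# sysrc kdc_enable=yes` while this block uses `# sysrc kdc_enable=\"YES\"` and `# sysrc kadmind_enable=\"YES\"`; rc.subr accepts either spelling, but the handbook should use one form in both places. In the rewritten msgid, "add the required configurations to /etc/rc.conf" reads better as "add the required configuration to /etc/rc.conf".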
@@ -2063,7 +2911,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1053
+#: documentation/content/en/books/handbook/security/_index.adoc:1499
msgid ""
"If all the computers in the realm do not have synchronized time settings, "
"authentication may fail. crossref:network-servers[network-ntp,“Clock "
@@ -2071,7 +2919,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1054
+#: documentation/content/en/books/handbook/security/_index.adoc:1500
msgid ""
"If the hostname is changed, the `host/` principal must be changed and the "
"keytab updated. This also applies to special keytab entries like the `HTTP/` "
@@ -2079,7 +2927,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1055
+#: documentation/content/en/books/handbook/security/_index.adoc:1501
msgid ""
"All hosts in the realm must be both forward and reverse resolvable in DNS "
"or, at a minimum, exist in [.filename]#/etc/hosts#. CNAMEs will work, but "
@@ -2089,7 +2937,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1056
+#: documentation/content/en/books/handbook/security/_index.adoc:1502
msgid ""
"Some operating systems that act as clients to the KDC do not set the "
"permissions for `ksu` to be setuid `root`. This means that `ksu` does not "
@@ -2097,7 +2945,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1057
+#: documentation/content/en/books/handbook/security/_index.adoc:1503
msgid ""
"With MITKerberos, to allow a principal to have a ticket life longer than the "
"default lifetime of ten hours, use `modify_principal` at the man:kadmin[8] "
@@ -2107,7 +2955,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1058
+#: documentation/content/en/books/handbook/security/_index.adoc:1504
msgid ""
"When running a packet sniffer on the KDC to aid in troubleshooting while "
"running `kinit` from a workstation, the Ticket Granting Ticket (TGT) is sent "
@@ -2125,7 +2973,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1059
+#: documentation/content/en/books/handbook/security/_index.adoc:1505
msgid ""
"Host principals can have a longer ticket lifetime. If the user principal has "
"a lifetime of a week but the host being connected to has a lifetime of nine "
@@ -2134,7 +2982,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1060
+#: documentation/content/en/books/handbook/security/_index.adoc:1506
msgid ""
"When setting up [.filename]#krb5.dict# to prevent specific bad passwords "
"from being used as described in man:kadmind[8], remember that it only "
@@ -2144,13 +2992,13 @@ msgid ""
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1061
+#: documentation/content/en/books/handbook/security/_index.adoc:1507
#, no-wrap
msgid "Mitigating Kerberos Limitations"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1066
+#: documentation/content/en/books/handbook/security/_index.adoc:1512
msgid ""
"Since Kerberos is an all or nothing approach, every service enabled on the "
"network must either be modified to work with Kerberos or be otherwise "
@@ -2161,7 +3009,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1071
+#: documentation/content/en/books/handbook/security/_index.adoc:1517
msgid ""
"The KDC is a single point of failure. By design, the KDC must be as secure "
"as its master password database. The KDC should have absolutely no other "
@@ -2171,7 +3019,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1075
+#: documentation/content/en/books/handbook/security/_index.adoc:1521
msgid ""
"A compromised master key is not quite as bad as one might fear. The master "
"key is only used to encrypt the Kerberos database and as a seed for the "
@@ -2180,7 +3028,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1078
+#: documentation/content/en/books/handbook/security/_index.adoc:1524
msgid ""
"If the KDC is unavailable, network services are unusable as authentication "
"cannot be performed. This can be alleviated with a single master KDC and "
@@ -2189,7 +3037,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1083
+#: documentation/content/en/books/handbook/security/_index.adoc:1529
msgid ""
"Kerberos allows users, hosts and services to authenticate between "
"themselves. It does not have a mechanism to authenticate the KDC to the "
@@ -2199,1759 +3047,915 @@ msgid ""
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1084
+#: documentation/content/en/books/handbook/security/_index.adoc:1530
#, no-wrap
msgid "Resources and Further Information"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1087
+#: documentation/content/en/books/handbook/security/_index.adoc:1533
msgid ""
"http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html[The Kerberos FAQ]"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1088
+#: documentation/content/en/books/handbook/security/_index.adoc:1534
msgid ""
"http://web.mit.edu/Kerberos/www/dialogue.html[Designing an Authentication "
"System: a Dialog in Four Scenes]"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1089
+#: documentation/content/en/books/handbook/security/_index.adoc:1535
msgid ""
"https://www.ietf.org/rfc/rfc4120.txt[RFC 4120, The Kerberos Network "
"Authentication Service (V5)]"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1090
+#: documentation/content/en/books/handbook/security/_index.adoc:1536
msgid "http://web.mit.edu/Kerberos/www/[MIT Kerberos home page]"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1091
+#: documentation/content/en/books/handbook/security/_index.adoc:1537
msgid ""
"https://github.com/heimdal/heimdal/wiki[Heimdal Kerberos project wiki page]"
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:1093
+#: documentation/content/en/books/handbook/security/_index.adoc:1539
#, no-wrap
-msgid "OpenSSL"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1097
-msgid ""
-"OpenSSL is an open source implementation of the SSL and TLS protocols. It "
-"provides an encryption transport layer on top of the normal communications "
-"layer, allowing it to be intertwined with many network applications and "
-"services."
+msgid "TCP Wrappers"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1099
-msgid ""
-"The version of OpenSSL included in FreeBSD supports Transport Layer Security "
-"1.0/1.1/1.2/1.3 (TLSv1/TLSv1.1/TLSv1.2/TLSv1.3) network security protocols "
-"and can be used as a general cryptographic library."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1104
-msgid ""
-"OpenSSL is often used to encrypt authentication of mail clients and to "
-"secure web based transactions such as credit card payments. Some ports, "
-"such as package:www/apache24[] and package:databases/postgresql11-server[], "
-"include a compile option for building with OpenSSL. If selected, the port "
-"will add support using OpenSSL from the base system. To instead have the "
-"port compile against OpenSSL from the package:security/openssl[] port, add "
-"the following to [.filename]#/etc/make.conf#:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1108
-#, no-wrap
-msgid "DEFAULT_VERSIONS+= ssl=openssl\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1116
-msgid ""
-"Another common use of OpenSSL is to provide certificates for use with "
-"software applications. Certificates can be used to verify the credentials "
-"of a company or individual. If a certificate has not been signed by an "
-"external _Certificate Authority_ (CA), such as http://www.verisign."
-"com[http://www.verisign.com], the application that uses the certificate will "
-"produce a warning. There is a cost associated with obtaining a signed "
-"certificate and using a signed certificate is not mandatory as certificates "
-"can be self-signed. However, using an external authority will prevent "
-"warnings and can put users at ease."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1119
+#: documentation/content/en/books/handbook/security/_index.adoc:1544
msgid ""
-"This section demonstrates how to create and use certificates on a FreeBSD "
-"system. Refer to crossref:network-servers[ldap-config,“Configuring an LDAP "
-"Server”] for an example of how to create a CA for signing one's own "
-"certificates."
+"TCP Wrappers is a host-based network access control system. By intercepting "
+"incoming network requests before they reach the actual network service, TCP "
+"Wrappers assess whether the source IP address is permitted or denied access "
+"based on predefined rules in configuration files."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1121
+#: documentation/content/en/books/handbook/security/_index.adoc:1547
msgid ""
-"For more information about SSL, read the free https://www.feistyduck.com/"
-"books/openssl-cookbook/[OpenSSL Cookbook]."
+"However, while TCP Wrappers provide basic access control, they should not be "
+"considered a substitute for more robust security measures. For "
+"comprehensive protection, it's recommended to use advanced technologies like "
+"firewalls, along with proper user authentication practices and intrusion "
+"detection systems."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1122
-#, no-wrap
-msgid "Generating Certificates"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1128
-msgid ""
-"To generate a certificate that will be signed by an external CA, issue the "
-"following command and input the information requested at the prompts. This "
-"input information will be written to the certificate. At the `Common Name` "
-"prompt, input the fully qualified name for the system that will use the "
-"certificate. If this name does not match the server, the application "
-"verifying the certificate will issue a warning to the user, rendering the "
-"verification provided by the certificate as useless."
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1151
-#, no-wrap
-msgid ""
-"# openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048\n"
-"Generating a 2048 bit RSA private key\n"
-"..................+++\n"
-".............................................................+++\n"
-"writing new private key to 'cert.key'\n"
-"-----\n"
-"You are about to be asked to enter information that will be incorporated\n"
-"into your certificate request.\n"
-"What you are about to enter is what is called a Distinguished Name or a DN.\n"
-"There are quite a few fields but you can leave some blank\n"
-"For some fields there will be a default value,\n"
-"If you enter '.', the field will be left blank.\n"
-"-----\n"
-"Country Name (2 letter code) [AU]:US\n"
-"State or Province Name (full name) [Some-State]:PA\n"
-"Locality Name (e.g., city) []:Pittsburgh\n"
-"Organization Name (e.g., company) [Internet Widgits Pty Ltd]:My Company\n"
-"Organizational Unit Name (e.g., section) []:Systems Administrator\n"
-"Common Name (e.g., YOUR name) []:localhost.example.org\n"
-"Email Address []:trhodes@FreeBSD.org\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1156
+#: documentation/content/en/books/handbook/security/_index.adoc:1549
#, no-wrap
-msgid ""
-"Please enter the following 'extra' attributes\n"
-"to be sent with your certificate request\n"
-"A challenge password []:\n"
-"An optional company name []:Another Name\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1160
-msgid ""
-"Other options, such as the expire time and alternate encryption algorithms, "
-"are available when creating a certificate. A complete list of options is "
-"described in man:openssl[1]."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1165
-msgid ""
-"This command will create two files in the current directory. The "
-"certificate request, [.filename]#req.pem#, can be sent to a CA who will "
-"validate the entered credentials, sign the request, and return the signed "
-"certificate. The second file, [.filename]#cert.key#, is the private key for "
-"the certificate and should be stored in a secure location. If this falls in "
-"the hands of others, it can be used to impersonate the user or the server."
+msgid "Initial Configuration"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1168
+#: documentation/content/en/books/handbook/security/_index.adoc:1553
msgid ""
-"Alternately, if a signature from a CA is not required, a self-signed "
-"certificate can be created. First, generate the RSA key:"
+"TCP Wrappers are enabled by default in man:inetd[8]. So the first step will "
+"be to enable man:inetd[8] executing the following commands:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1177
+#: documentation/content/en/books/handbook/security/_index.adoc:1558
#, no-wrap
msgid ""
-"# openssl genrsa -rand -genkey -out cert.key 2048\n"
-"0 semi-random bytes loaded\n"
-"Generating RSA private key, 2048 bit long modulus\n"
-".............................................+++\n"
-".................................................................................................................+++\n"
-"e is 65537 (0x10001)\n"
+"# sysrc inetd_enable=\"YES\"\n"
+"# service inetd start\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1180
-msgid ""
-"Use this key to create a self-signed certificate. Follow the usual prompts "
-"for creating a certificate:"
+#: documentation/content/en/books/handbook/security/_index.adoc:1561
+msgid "Then, properly configure [.filename]#/etc/hosts.allow#."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1198
-#, no-wrap
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1566
msgid ""
-"# openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256\n"
-"You are about to be asked to enter information that will be incorporated\n"
-"into your certificate request.\n"
-"What you are about to enter is what is called a Distinguished Name or a DN.\n"
-"There are quite a few fields but you can leave some blank\n"
-"For some fields there will be a default value,\n"
-"If you enter '.', the field will be left blank.\n"
-"-----\n"
-"Country Name (2 letter code) [AU]:US\n"
-"State or Province Name (full name) [Some-State]:PA\n"
-"Locality Name (e.g., city) []:Pittsburgh\n"
-"Organization Name (e.g., company) [Internet Widgits Pty Ltd]:My Company\n"
-"Organizational Unit Name (e.g., section) []:Systems Administrator\n"
-"Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org\n"
-"Email Address []:trhodes@FreeBSD.org\n"
+"Unlike other implementations of TCP Wrappers, the use of [.filename]#hosts."
+"deny# is deprecated in FreeBSD. All configuration options should be placed "
+"in [.filename]#/etc/hosts.allow#."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1203
+#: documentation/content/en/books/handbook/security/_index.adoc:1570
msgid ""
-"This will create two new files in the current directory: a private key file "
-"[.filename]#cert.key#, and the certificate itself, [.filename]#cert.crt#. "
-"These should be placed in a directory, preferably under [.filename]#/etc/ssl/"
-"#, which is readable only by `root`. Permissions of `0700` are appropriate "
-"for these files and can be set using `chmod`."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1204
-#, no-wrap
-msgid "Using Certificates"
+"In the simplest configuration, daemon connection policies are set to either "
+"permit or block, depending on the options in [.filename]#/etc/hosts.allow#. "
+"The default configuration in FreeBSD is to allow all connections to the "
+"daemons started with inetd."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1207
-msgid ""
-"One use for a certificate is to encrypt connections to the Sendmail mail "
-"server in order to prevent the use of clear text authentication."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1212
+#: documentation/content/en/books/handbook/security/_index.adoc:1574
msgid ""
-"Some mail clients will display an error if the user has not installed a "
-"local copy of the certificate. Refer to the documentation included with the "
-"software for more information on certificate installation."
+"Basic configuration usually takes the form of `daemon : address : action`, "
+"where `daemon` is the daemon which inetd started, `address` is a valid "
+"hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and "
+"`action` is either `allow` or `deny`. TCP Wrappers uses a first rule match "
+"semantic, meaning that the configuration file is scanned from the beginning "
+"for a matching rule. When a match is found, the rule is applied and the "
+"search process stops."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1216
+#: documentation/content/en/books/handbook/security/_index.adoc:1576
msgid ""
-"In FreeBSD 10.0-RELEASE and above, it is possible to create a self-signed "
-"certificate for Sendmail automatically. To enable this, add the following "
-"lines to [.filename]#/etc/rc.conf#:"
+"For example, to allow POP3 connections via the package:mail/qpopper[] "
+"daemon, the following lines should be appended to [.filename]#/etc/hosts."
+"allow#:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1222
+#: documentation/content/en/books/handbook/security/_index.adoc:1581
#, no-wrap
msgid ""
-"sendmail_enable=\"YES\"\n"
-"sendmail_cert_create=\"YES\"\n"
-"sendmail_cert_cn=\"localhost.example.org\"\n"
+"# This line is required for POP3 connections:\n"
+"qpopper : ALL : allow\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1227
-msgid ""
-"This will automatically create a self-signed certificate, [.filename]#/etc/"
-"mail/certs/host.cert#, a signing key, [.filename]#/etc/mail/certs/host.key#, "
-"and a CA certificate, [.filename]#/etc/mail/certs/cacert.pem#. The "
-"certificate will use the `Common Name` specified in `sendmail_cert_cn`. "
-"After saving the edits, restart Sendmail:"
+#: documentation/content/en/books/handbook/security/_index.adoc:1584
+msgid "Whenever this file is edited, restart inetd:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1231
+#: documentation/content/en/books/handbook/security/_index.adoc:1588
#, no-wrap
-msgid "# service sendmail restart\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1235
-msgid ""
-"If all went well, there will be no error messages in [.filename]#/var/log/"
-"maillog#. For a simple test, connect to the mail server's listening port "
-"using `telnet`:"
+msgid "# service inetd restart\n"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1258
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1591
#, no-wrap
-msgid ""
-"# telnet example.com 25\n"
-"Trying 192.0.34.166...\n"
-"Connected to example.com.\n"
-"Escape character is '^]'.\n"
-"220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)\n"
-"ehlo example.com\n"
-"250-example.com Hello example.com [192.0.34.166], pleased to meet you\n"
-"250-ENHANCEDSTATUSCODES\n"
-"250-PIPELINING\n"
-"250-8BITMIME\n"
-"250-SIZE\n"
-"250-DSN\n"
-"250-ETRN\n"
-"250-AUTH LOGIN PLAIN\n"
-"250-STARTTLS\n"
-"250-DELIVERBY\n"
-"250 HELP\n"
-"quit\n"
-"221 2.0.0 example.com closing connection\n"
-"Connection closed by foreign host.\n"
+msgid "Advanced Configuration"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1261
+#: documentation/content/en/books/handbook/security/_index.adoc:1599
msgid ""
-"If the `STARTTLS` line appears in the output, everything is working "
-"correctly."
+"TCP Wrappers provides advanced options to allow more control over the way "
+"connections are handled. In some cases, it may be appropriate to return a "
+"comment to certain hosts or daemon connections. In other cases, a log entry "
+"should be recorded or an email sent to the administrator. Other situations "
+"may require the use of a service for local connections only. This is all "
+"possible through the use of configuration options known as wildcards, "
+"expansion characters, and external command execution. To learn more about "
+"wildcards and their associated functionality, refer to man:hosts_access[5]."
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:1263
-#, no-wrap
-msgid "VPN over IPsec"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1268
-msgid ""
-"Internet Protocol Security (IPsec) is a set of protocols which sit on top of "
-"the Internet Protocol (IP) layer. It allows two or more hosts to "
-"communicate in a secure manner by authenticating and encrypting each IP "
-"packet of a communication session. The FreeBSD IPsec network stack is based "
-"on the http://www.kame.net/[http://www.kame.net/] implementation and "
-"supports both IPv4 and IPv6 sessions."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1270
-msgid "IPsec is comprised of the following sub-protocols:"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1272
-msgid ""
-"_Encapsulated Security Payload (ESP)_: this protocol protects the IP packet "
-"data from third party interference by encrypting the contents using "
-"symmetric cryptography algorithms such as Blowfish and 3DES."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1273
-msgid ""
-"_Authentication Header (AH)_: this protocol protects the IP packet header "
-"from third party interference and spoofing by computing a cryptographic "
-"checksum and hashing the IP packet header fields with a secure hashing "
-"function. This is then followed by an additional header that contains the "
-"hash, to allow the information in the packet to be authenticated."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1274
-msgid ""
-"_IP Payload Compression Protocol (IPComp_): this protocol tries to increase "
-"communication performance by compressing the IP payload in order to reduce "
-"the amount of data sent."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1276
-msgid ""
-"These protocols can either be used together or separately, depending on the "
-"environment."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1281
-msgid ""
-"IPsec supports two modes of operation. The first mode, _Transport Mode_, "
-"protects communications between two hosts. The second mode, _Tunnel Mode_, "
-"is used to build virtual tunnels, commonly known as Virtual Private Networks "
-"(VPNs). Consult man:ipsec[4] for detailed information on the IPsec "
-"subsystem in FreeBSD."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1284
-msgid ""
-"IPsec support is enabled by default on FreeBSD 11 and later. For previous "
-"versions of FreeBSD, add these options to a custom kernel configuration file "
-"and rebuild the kernel using the instructions in crossref:"
-"kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1289
-#, no-wrap
-msgid ""
-"options IPSEC IP security\n"
-"device crypto\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1292
-msgid ""
-"If IPsec debugging support is desired, the following kernel option should "
-"also be added:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1296
+#: documentation/content/en/books/handbook/security/_index.adoc:1601
#, no-wrap
-msgid "options IPSEC_DEBUG debug for IP security\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1300
-msgid ""
-"This rest of this chapter demonstrates the process of setting up an IPsecVPN "
-"between a home network and a corporate network. In the example scenario:"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1302
-msgid ""
-"Both sites are connected to the Internet through a gateway that is running "
-"FreeBSD."
+msgid "Access Control Lists"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1303
+#: documentation/content/en/books/handbook/security/_index.adoc:1606
msgid ""
-"The gateway on each network has at least one external IP address. In this "
-"example, the corporate LAN's external IP address is `172.16.5.4` and the "
-"home LAN's external IP address is `192.168.1.12`."
+"Access Control Lists (ACLs) extend traditional UNIX(R) file permissions by "
+"allowing fine-grained access control for users and groups on a per-file or "
+"per-directory basis. Each ACL entry defines a user or group and the "
+"associated permissions, such as read, write, and execute. FreeBSD provides "
+"commands like man:getfacl[1] and man:setfacl[1] to manage ACLs."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1304
+#: documentation/content/en/books/handbook/security/_index.adoc:1609
msgid ""
-"The internal addresses of the two networks can be either public or private "
-"IP addresses. However, the address space must not overlap. In this example, "
-"the corporate LAN's internal IP address is `10.246.38.1` and the home LAN's "
-"internal IP address is `10.0.0.5`."
+"ACLs are useful in scenarios requiring more specific access control than "
+"standard permissions, commonly used in multi-user environments or shared "
+"hosting. However, complexity may be unavoidable, but careful planning is "
+"required to ensure that the desired security properties are being provided"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1309
-#, no-wrap
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1614
msgid ""
-" corporate home\n"
-"10.246.38.1/24 -- 172.16.5.4 <--> 192.168.1.12 -- 10.0.0.5/24\n"
+"FreeBSD supports the implementation of NFSv4 ACLs in both UFS and OpenZFS. "
+"Please note that some arguments to the man:setfacl[1] command only work with "
+"POSIX ACLs and others in NFSv4 ACLs."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1311
+#: documentation/content/en/books/handbook/security/_index.adoc:1617
#, no-wrap
-msgid "Configuring a VPN on FreeBSD"
+msgid "Enabling ACL Support in UFS"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1315
-msgid ""
-"To begin, package:security/ipsec-tools[] must be installed from the Ports "
-"Collection. This software provides a number of applications which support "
-"the configuration."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1318
-msgid ""
-"The next requirement is to create two man:gif[4] pseudo-devices which will "
-"be used to tunnel packets and allow both networks to communicate properly. "
-"As `root`, run the following command on each gateway:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1324
-#, no-wrap
-msgid ""
-"corp-gw# ifconfig gif0 create\n"
-"corp-gw# ifconfig gif0 10.246.38.1 10.0.0.5\n"
-"corp-gw# ifconfig gif0 tunnel 172.16.5.4 192.168.1.12\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1331
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1620
msgid ""
-"home-gw# ifconfig gif0 create\n"
-"home-gw# ifconfig gif0 10.0.0.5 10.246.38.1\n"
-"home-gw# ifconfig gif0 tunnel 192.168.1.12 172.16.5.4\n"
+"ACLs are enabled by the mount-time administrative flag, `acls`, which may be "
+"added to [.filename]#/etc/fstab#."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1335
+#: documentation/content/en/books/handbook/security/_index.adoc:1622
msgid ""
-"Verify the setup on each gateway, using `ifconfig gif0`. Here is the output "
-"from the home gateway:"
+"Therefore it will be necessary to access [.filename]#/etc/fstab# and in the "
+"options section add the `acls` flag as follows:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1342
+#: documentation/content/en/books/handbook/security/_index.adoc:1627
#, no-wrap
msgid ""
-"gif0: flags=8051 mtu 1280\n"
-"tunnel inet 172.16.5.4 --> 192.168.1.12\n"
-"inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6\n"
-"inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1345
-msgid "Here is the output from the corporate gateway:"
+"# Device Mountpoint FStype Options Dump Pass#\n"
+"/dev/ada0s1a / ufs rw,acls 1 1\n"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1352
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1630
#, no-wrap
-msgid ""
-"gif0: flags=8051 mtu 1280\n"
-"tunnel inet 192.168.1.12 --> 172.16.5.4\n"
-"inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00\n"
-"inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4\n"
+msgid "Get ACLs information"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1355
-msgid ""
-"Once complete, both internal IP addresses should be reachable using man:"
-"ping[8]:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1367
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1633
msgid ""
-"home-gw# ping 10.0.0.5\n"
-"PING 10.0.0.5 (10.0.0.5): 56 data bytes\n"
-"64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms\n"
-"64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms\n"
-"64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms\n"
-"64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms\n"
-"--- 10.0.0.5 ping statistics ---\n"
-"4 packets transmitted, 4 packets received, 0% packet loss\n"
-"round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1378
-#, no-wrap
-msgid ""
-"corp-gw# ping 10.246.38.1\n"
-"PING 10.246.38.1 (10.246.38.1): 56 data bytes\n"
-"64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms\n"
-"64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms\n"
-"64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms\n"
-"64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms\n"
-"64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms\n"
-"--- 10.246.38.1 ping statistics ---\n"
-"5 packets transmitted, 5 packets received, 0% packet loss\n"
-"round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms\n"
+"It is possible to check the ACLs of a file or a directory using man:"
+"getfacl[1]."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1383
+#: documentation/content/en/books/handbook/security/_index.adoc:1635
msgid ""
-"As expected, both sides have the ability to send and receive ICMP packets "
-"from the privately configured addresses. Next, both gateways must be told "
-"how to route packets in order to correctly send traffic from the networks "
-"behind each gateway. The following commands will achieve this goal:"
+"For example, to view the ACL settings on [.filename]#~/test# file execute "
+"the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1390
+#: documentation/content/en/books/handbook/security/_index.adoc:1639
#, no-wrap
-msgid ""
-"corp-gw# route add 10.0.0.0 10.0.0.5 255.255.255.0\n"
-"corp-gw# route add net 10.0.0.0: gateway 10.0.0.5\n"
-"home-gw# route add 10.246.38.0 10.246.38.1 255.255.255.0\n"
-"home-gw# route add host 10.246.38.0: gateway 10.246.38.1\n"
+msgid "% getfacl test\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1394
-msgid ""
-"Internal machines should be reachable from each gateway as well as from "
-"machines behind the gateways. Again, use man:ping[8] to confirm:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1405
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1642
msgid ""
-"corp-gw# ping -c 3 10.0.0.8\n"
-"PING 10.0.0.8 (10.0.0.8): 56 data bytes\n"
-"64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms\n"
-"64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms\n"
-"64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms\n"
-"--- 10.0.0.8 ping statistics ---\n"
-"3 packets transmitted, 3 packets received, 0% packet loss\n"
-"round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms\n"
+"The output should be similar to the following in case of using NFSv4 ACLs:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1414
+#: documentation/content/en/books/handbook/security/_index.adoc:1651
#, no-wrap
msgid ""
-"home-gw# ping -c 3 10.246.38.107\n"
-"PING 10.246.38.1 (10.246.38.107): 56 data bytes\n"
-"64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms\n"
-"64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms\n"
-"64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms\n"
-"--- 10.246.38.107 ping statistics ---\n"
-"3 packets transmitted, 3 packets received, 0% packet loss\n"
-"round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms\n"
+"# file: test\n"
+"# owner: freebsduser\n"
+"# group: freebsduser\n"
+" owner@:rw-p--aARWcCos:-------:allow\n"
+" group@:r-----a-R-c--s:-------:allow\n"
+" everyone@:r-----a-R-c--s:-------:allow\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1419
-msgid ""
-"At this point, traffic is flowing between the networks encapsulated in a gif "
-"tunnel but without any encryption. Next, use IPSec to encrypt traffic using "
-"pre-shared keys (PSK). Other than the IP addresses, [.filename]#/usr/local/"
-"etc/racoon/racoon.conf# on both gateways will be identical and look similar "
-"to:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1424
-#, no-wrap
-msgid ""
-"path pre_shared_key \"/usr/local/etc/racoon/psk.txt\"; #location of pre-shared key file\n"
-"log debug;\t#log verbosity setting: set to 'notify' when testing and debugging is complete\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1432
-#, no-wrap
-msgid ""
-"padding\t# options are not to be changed\n"
-"{\n"
-" maximum_length 20;\n"
-" randomize off;\n"
-" strict_check off;\n"
-" exclusive_tail off;\n"
-"}\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1442
-#, no-wrap
-msgid ""
-"timer\t# timing options. change as needed\n"
-"{\n"
-" counter 5;\n"
-" interval 20 sec;\n"
-" persend 1;\n"
-"# natt_keepalive 15 sec;\n"
-" phase1 30 sec;\n"
-" phase2 15 sec;\n"
-"}\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1448
-#, no-wrap
-msgid ""
-"listen\t# address [port] that racoon will listen on\n"
-"{\n"
-" isakmp 172.16.5.4 [500];\n"
-" isakmp_natt 172.16.5.4 [4500];\n"
-"}\n"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1461
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1654
msgid ""
-"remote 192.168.1.12 [500]\n"
-"{\n"
-" exchange_mode main,aggressive;\n"
-" doi ipsec_doi;\n"
-" situation identity_only;\n"
-" my_identifier address 172.16.5.4;\n"
-" peers_identifier address 192.168.1.12;\n"
-" lifetime time 8 hour;\n"
-" passive off;\n"
-" proposal_check obey;\n"
-"# nat_traversal off;\n"
-" generate_policy off;\n"
+"And the output should be similar to the following in case of using POSIX.1e "
+"ACLs:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1470
+#: documentation/content/en/books/handbook/security/_index.adoc:1663
#, no-wrap
msgid ""
-" proposal {\n"
-" encryption_algorithm blowfish;\n"
-" hash_algorithm md5;\n"
-" authentication_method pre_shared_key;\n"
-" lifetime time 30 sec;\n"
-" dh_group 1;\n"
-" }\n"
-"}\n"
+"# file: test\n"
+"# owner: freebsduser\n"
+"# group: freebsduser\n"
+"user::rw-\n"
+"group::r--\n"
+"other::r--\n"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1479
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1666
#, no-wrap
-msgid ""
-"sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any)\t# address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)\n"
-"{\t\t\t\t\t\t\t\t# $network must be the two internal networks you are joining.\n"
-" pfs_group 1;\n"
-" lifetime time 36000 sec;\n"
-" encryption_algorithm blowfish,3des;\n"
-" authentication_algorithm hmac_md5,hmac_sha1;\n"
-" compression_algorithm deflate;\n"
-"}\n"
+msgid "Working with ACLs"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1482
+#: documentation/content/en/books/handbook/security/_index.adoc:1669
msgid ""
-"For descriptions of each available option, refer to the manual page for [."
-"filename]#racoon.conf#."
+"man:setfacl[1] can be used to add, modify or remove ACLs from a file or "
+"directory."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1484
+#: documentation/content/en/books/handbook/security/_index.adoc:1672
msgid ""
-"The Security Policy Database (SPD) needs to be configured so that FreeBSD "
-"and racoon are able to encrypt and decrypt network traffic between the hosts."
+"As noted above, some arguments to man:setfacl[1] do not work with NFSv4 "
+"ACLs, and vice versa. This section covers how to execute the commands for "
+"POSIX ACLs and for NFSv4 ACLs and shows examples of both."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1487
-msgid ""
-"This can be achieved with a shell script, similar to the following, on the "
-"corporate gateway. This file will be used during system initialization and "
-"should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#."
+#: documentation/content/en/books/handbook/security/_index.adoc:1674
+msgid "For example, to set the mandatory elements of the POSIX.1e default ACL:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1495
+#: documentation/content/en/books/handbook/security/_index.adoc:1678
#, no-wrap
-msgid ""
-"flush;\n"
-"spdflush;\n"
-"# To the home network\n"
-"spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;\n"
-"spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;\n"
+msgid "% setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx directory\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1498
+#: documentation/content/en/books/handbook/security/_index.adoc:1681
msgid ""
-"Once in place, racoon may be started on both gateways using the following "
-"command:"
+"This other example sets read, write, and execute permissions for the file "
+"owner's POSIX.1e ACL entry and read and write permissions for group mail on "
+"file:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1502
+#: documentation/content/en/books/handbook/security/_index.adoc:1685
#, no-wrap
-msgid "# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log\n"
+msgid "% setfacl -m u::rwx,g:mail:rw file\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1505
-msgid "The output should be similar to the following:"
+#: documentation/content/en/books/handbook/security/_index.adoc:1688
+msgid "To do the same as in the previous example but in NFSv4 ACL:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1520
+#: documentation/content/en/books/handbook/security/_index.adoc:1692
#, no-wrap
-msgid ""
-"corp-gw# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf\n"
-"Foreground mode.\n"
-"2006-01-30 01:35:47: INFO: begin Identity Protection mode.\n"
-"2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon\n"
-"2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon\n"
-"2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a\n"
-"2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]\n"
-"2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)\n"
-"2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)\n"
-"2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]\n"
-"2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)\n"
-"2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)\n"
+msgid "% setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1524
+#: documentation/content/en/books/handbook/security/_index.adoc:1695
msgid ""
-"To ensure the tunnel is working properly, switch to another console and use "
-"man:tcpdump[1] to view network traffic using the following command. Replace "
-"`em0` with the network interface card as required:"
+"To remove all ACL entries except for the three required from file in "
+"POSIX.1e ACL:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1528
+#: documentation/content/en/books/handbook/security/_index.adoc:1699
#, no-wrap
-msgid "corp-gw# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12\n"
+msgid "% setfacl -bn file\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1532
-msgid ""
-"Data similar to the following should appear on the console. If not, there "
-"is an issue and debugging the returned data will be required."
+#: documentation/content/en/books/handbook/security/_index.adoc:1702
+msgid "To remove all ACL entries in NFSv4 ACL:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1538
+#: documentation/content/en/books/handbook/security/_index.adoc:1706
#, no-wrap
-msgid ""
-"01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)\n"
-"01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)\n"
-"01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)\n"
+msgid "% setfacl -b file\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1544
+#: documentation/content/en/books/handbook/security/_index.adoc:1709
msgid ""
-"At this point, both networks should be available and seem to be part of the "
-"same network. Most likely both networks are protected by a firewall. To "
-"allow traffic to flow between them, rules need to be added to pass packets. "
-"For the man:ipfw[8] firewall, add the following lines to the firewall "
-"configuration file:"
+"Refer to man:getfacl[1] and man:setfacl[1] for more information about the "
+"options available for these commands."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1551
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:1711
#, no-wrap
-msgid ""
-"ipfw add 00201 allow log esp from any to any\n"
-"ipfw add 00202 allow log ah from any to any\n"
-"ipfw add 00203 allow log ipencap from any to any\n"
-"ipfw add 00204 allow log udp from any 500 to any\n"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1556
-msgid ""
-"The rule numbers may need to be altered depending on the current host "
-"configuration."
+msgid "Capsicum"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1559
-msgid ""
-"For users of man:pf[4] or man:ipf[8], the following rules should do the "
-"trick:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1572
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1716
msgid ""
-"pass in quick proto esp from any to any\n"
-"pass in quick proto ah from any to any\n"
-"pass in quick proto ipencap from any to any\n"
-"pass in quick proto udp from any port = 500 to any port = 500\n"
-"pass in quick on gif0 from any to any\n"
-"pass out quick proto esp from any to any\n"
-"pass out quick proto ah from any to any\n"
-"pass out quick proto ipencap from any to any\n"
-"pass out quick proto udp from any port = 500 to any port = 500\n"
-"pass out quick on gif0 from any to any\n"
+"Capsicum is a lightweight OS capability and sandbox framework implementing a "
+"hybrid capability system model. Capabilities are unforgeable tokens of "
+"authority that can be delegated and must be presented to perform an action. "
+"Capsicum makes file descriptors into capabilities."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1575
-msgid ""
-"Finally, to allow the machine to start support for the VPN during system "
-"initialization, add the following lines to [.filename]#/etc/rc.conf#:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1582
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1719
msgid ""
-"ipsec_enable=\"YES\"\n"
-"ipsec_program=\"/usr/local/sbin/setkey\"\n"
-"ipsec_file=\"/usr/local/etc/racoon/setkey.conf\" # allows setting up spd policies on boot\n"
-"racoon_enable=\"yes\"\n"
+"Capsicum can be used for application and library compartmentalisation, the "
+"decomposition of larger bodies of software into isolated (sandboxed) "
+"components in order to implement security policies and limit the impact of "
+"software vulnerabilities."
msgstr ""
#. type: Title ==
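Review bot: The new Capsicum section defines the capability model but gives the reader nowhere to go next, unlike every neighbouring section, which closes with a man page reference. Suggest ending the second paragraph with a pointer such as "Refer to man:capsicum[4] for more information." Also, "compartmentalisation" uses British spelling where the rest of the chapter uses American spelling ("compartmentalization").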
-#: documentation/content/en/books/handbook/security/_index.adoc:1585
+#: documentation/content/en/books/handbook/security/_index.adoc:1721
#, no-wrap
-msgid "OpenSSH"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1590
-msgid ""
-"OpenSSH is a set of network connectivity tools used to provide secure access "
-"to remote machines. Additionally, TCP/IP connections can be tunneled or "
-"forwarded securely through SSH connections. OpenSSH encrypts all traffic to "
-"effectively eliminate eavesdropping, connection hijacking, and other network-"
-"level attacks."
+msgid "Process Accounting"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1592
+#: documentation/content/en/books/handbook/security/_index.adoc:1724
msgid ""
-"OpenSSH is maintained by the OpenBSD project and is installed by default in "
-"FreeBSD."
+"Process accounting is a security method in which an administrator may keep "
+"track of system resources used and their allocation among users, provide for "
+"system monitoring, and minimally track a user's commands."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1596
+#: documentation/content/en/books/handbook/security/_index.adoc:1729
msgid ""
-"When data is sent over the network in an unencrypted form, network sniffers "
-"anywhere in between the client and server can steal user/password "
-"information or data transferred during the session. OpenSSH offers a "
-"variety of authentication and encryption methods to prevent this from "
-"happening. More information about OpenSSH is available from http://www."
-"openssh.com/[http://www.openssh.com/]."
+"Process accounting has both positive and negative points. One of the "
+"positives is that an intrusion may be narrowed down to the point of entry. "
+"A negative is the amount of logs generated by process accounting, and the "
+"disk space they may require. This section walks an administrator through "
+"the basics of process accounting."
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1600
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1733
msgid ""
-"This section provides an overview of the built-in client utilities to "
-"securely access other systems and securely transfer files from a FreeBSD "
-"system. It then describes how to configure a SSH server on a FreeBSD "
-"system. More information is available in the man pages mentioned in this "
-"chapter."
+"If more fine-grained accounting is needed, refer to crossref:audit[audit,"
+"Security Event Auditing]."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1601
+#: documentation/content/en/books/handbook/security/_index.adoc:1735
#, no-wrap
-msgid "Using the SSH Client Utilities"
+msgid "Enabling and Utilizing Process Accounting"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1605
+#: documentation/content/en/books/handbook/security/_index.adoc:1738
msgid ""
-"To log into a SSH server, use `ssh` and specify a username that exists on "
-"that server and the IP address or hostname of the server. If this is the "
-"first time a connection has been made to the specified server, the user will "
-"be prompted to first verify the server's fingerprint:"
+"Before using process accounting, it must be enabled using the following "
+"commands:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1614
+#: documentation/content/en/books/handbook/security/_index.adoc:1743
#, no-wrap
msgid ""
-"# ssh user@example.com\n"
-"The authenticity of host 'example.com (10.0.0.1)' can't be established.\n"
-"ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.\n"
-"Are you sure you want to continue connecting (yes/no)? yes\n"
-"Permanently added 'example.com' (ECDSA) to the list of known hosts.\n"
-"Password for user@example.com: user_password\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1620
-msgid ""
-"SSH utilizes a key fingerprint system to verify the authenticity of the "
-"server when the client connects. When the user accepts the key's "
-"fingerprint by typing `yes` when connecting for the first time, a copy of "
-"the key is saved to [.filename]#.ssh/known_hosts# in the user's home "
-"directory. Future attempts to login are verified against the saved key and "
-"`ssh` will display an alert if the server's key does not match the saved "
-"key. If this occurs, the user should first verify why the key has changed "
-"before continuing with the connection."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1623
-msgid ""
-"Recent versions of OpenSSH only accept SSHv2 connections. SSH protocol "
-"version 1 is obsolete."
+"# sysrc accounting_enable=yes\n"
+"# service accounting start\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1626
-msgid ""
-"Use man:scp[1] to securely copy a file to or from a remote machine. This "
-"example copies [.filename]#COPYRIGHT# on the remote system to a file of the "
-"same name in the current directory of the local system:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1634
-#, no-wrap
+#: documentation/content/en/books/handbook/security/_index.adoc:1749
msgid ""
-"# scp user@example.com:/COPYRIGHT COPYRIGHT\n"
-"Password for user@example.com: *******\n"
-"COPYRIGHT 100% |*****************************| 4735\n"
-"00:00\n"
-"#\n"
+"The accounting information is stored in files located in [.filename]#/var/"
+"account#, which is automatically created, if necessary, the first time the "
+"accounting service starts. These files contain sensitive information, "
+"including all the commands issued by all users. Write access to the files "
+"is limited to `root`, and read access is limited to `root` and members of "
+"the `wheel` group. To also prevent members of `wheel` from reading the "
+"files, change the mode of the [.filename]#/var/account# directory to allow "
+"access only by `root`."
msgstr ""
#. type: Plain text
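Review bot: The closing sentence of this paragraph tells the administrator to "change the mode of the /var/account directory to allow access only by root" without showing the command, while the rest of the section gives every other step as a delimited block. Suggest adding a block with `# chmod 700 /var/account` after this paragraph, since the whole point of the paragraph is that these files contain every command issued by every user and are readable by `wheel` by default.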
-#: documentation/content/en/books/handbook/security/_index.adoc:1637
+#: documentation/content/en/books/handbook/security/_index.adoc:1754
msgid ""
-"Since the fingerprint was already verified for this host, the server's key "
-"is automatically checked before prompting for the user's password."
+"Once enabled, accounting will begin to track information such as CPU "
+"statistics and executed commands. All accounting logs are in a non-human "
+"readable format which can be viewed using man:sa[8]. If issued without any "
+"options, man:sa[8] prints information relating to the number of per-user "
+"calls, the total elapsed time in minutes, total CPU and user time in "
+"minutes, and the average number of I/O operations. Refer to man:sa[8] for "
+"the list of available options which control the output."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1642
-msgid ""
-"The arguments passed to `scp` are similar to `cp`. The file or files to "
-"copy is the first argument and the destination to copy to is the second. "
-"Since the file is fetched over the network, one or more of the file "
-"arguments takes the form `user@host:<path_to_remote_file>`. Be aware when "
-"copying directories recursively that `scp` uses `-r`, whereas `cp` uses `-R`."
+#: documentation/content/en/books/handbook/security/_index.adoc:1756
+msgid "To display the commands issued by users, use `lastcomm`."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1645
+#: documentation/content/en/books/handbook/security/_index.adoc:1758
msgid ""
-"To open an interactive session for copying files, use `sftp`. Refer to man:"
-"sftp[1] for a list of available commands while in an `sftp` session."
+"For example, this command prints out all usage of `ls` by `trhodes` on the "
+"`ttyp1` terminal:"
msgstr ""
-#. type: Title ====
-#: documentation/content/en/books/handbook/security/_index.adoc:1647
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1762
#, no-wrap
-msgid "Key-based Authentication"
+msgid "# lastcomm ls trhodes ttyp1\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1653
+#: documentation/content/en/books/handbook/security/_index.adoc:1765
msgid ""
-"Instead of using passwords, a client can be configured to connect to the "
-"remote machine using keys. To generate RSA authentication keys, use `ssh-"
-"keygen`. To generate a public and private key pair, specify the type of key "
-"and follow the prompts. It is recommended to protect the keys with a "
-"memorable, but hard to guess passphrase."
+"Many other useful options exist and are explained in man:lastcomm[1], man:"
+"acct[5], and man:sa[8]."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1677
+#. type: Title ==
+#: documentation/content/en/books/handbook/security/_index.adoc:1767
#, no-wrap
-msgid ""
-"% ssh-keygen -t rsa\n"
-"Generating public/private rsa key pair.\n"
-"Enter file in which to save the key (/home/user/.ssh/id_rsa):\n"
-"Enter passphrase (empty for no passphrase): <.>\n"
-"Enter same passphrase again: <.>\n"
-"Your identification has been saved in /home/user/.ssh/id_rsa.\n"
-"Your public key has been saved in /home/user/.ssh/id_rsa.pub.\n"
-"The key fingerprint is:\n"
-"SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com\n"
-"The key's randomart image is:\n"
-"+---[RSA 2048]----+\n"
-"| |\n"
-"| |\n"
-"| |\n"
-"| . o.. |\n"
-"| .S*+*o |\n"
-"| . O=Oo . . |\n"
-"| = Oo= oo..|\n"
-"| .oB.* +.oo.|\n"
-"| =OE**.o..=|\n"
-"+----[SHA256]-----+\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1680
-msgid "Type a passphrase here. It can contain spaces and symbols."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1681
-msgid "Retype the passphrase to verify it."
+msgid "Resource Limits"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1684
-msgid ""
-"The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key "
-"is stored in [.filename]#~/.ssh/id_rsa.pub#. The _public_ key must be "
-"copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-"
-"based authentication to work."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1693
+#: documentation/content/en/books/handbook/security/_index.adoc:1772
msgid ""
-"Many users believe that keys are secure by design and will use a key without "
-"a passphrase. This is _dangerous_ behavior. An administrator can verify "
-"that a key pair is protected by a passphrase by viewing the private key "
-"manually. If the private key file contains the word `ENCRYPTED`, the key "
-"owner is using a passphrase. In addition, to better secure end users, "
-"`from` may be placed in the public key file. For example, adding `from="
-"\"192.168.10.5\"` in front of the `ssh-rsa` prefix will only allow that "
-"specific user to log in from that IP address."
+"In FreeBSD, resource limits refer to the mechanisms that control and manage "
+"the allocation of various system resources to processes and users. These "
+"limits are designed to prevent a single process or user from consuming an "
+"excessive amount of resources, which could lead to performance degradation "
+"or system instability. Resource limits help ensure fair resource "
+"distribution among all active processes and users on the system."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1697
+#: documentation/content/en/books/handbook/security/_index.adoc:1774
msgid ""
-"The options and files vary with different versions of OpenSSH. To avoid "
-"problems, consult man:ssh-keygen[1]."
+"FreeBSD provides several methods for an administrator to limit the amount of "
+"system resources an individual may use."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1700
+#: documentation/content/en/books/handbook/security/_index.adoc:1778
msgid ""
-"If a passphrase is used, the user is prompted for the passphrase each time a "
-"connection is made to the server. To load SSH keys into memory and remove "
-"the need to type the passphrase each time, use man:ssh-agent[1] and man:ssh-"
-"add[1]."
+"The traditional method defines login classes by editing [.filename]#/etc/"
+"login.conf#. While this method is still supported, any changes require a "
+"multi-step process of editing this file, rebuilding the resource database, "
+"making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding "
+"the password database. This can become time consuming, depending upon the "
+"number of users to configure."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1703
+#: documentation/content/en/books/handbook/security/_index.adoc:1781
msgid ""
-"Authentication is handled by `ssh-agent`, using the private keys that are "
-"loaded into it. `ssh-agent` can be used to launch another application like "
-"a shell or a window manager."
+"man:rctl[8] can be used to provide a more fine-grained method for "
+"controlling resource limits. This command supports more than user limits as "
+"it can also be used to set resource constraints on processes and jails."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1708
+#: documentation/content/en/books/handbook/security/_index.adoc:1783
msgid ""
-"To use `ssh-agent` in a shell, start it with a shell as an argument. Add "
-"the identity by running `ssh-add` and entering the passphrase for the "
-"private key. The user will then be able to `ssh` to any host that has the "
-"corresponding public key installed. For example:"
+"This section demonstrates both methods for controlling resources, beginning "
+"with the traditional method."
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1716
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1785
#, no-wrap
-msgid ""
-"% ssh-agent csh\n"
-"% ssh-add\n"
-"Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <.>\n"
-"Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa)\n"
-"%\n"
+msgid "Types of Resources"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1719
-msgid "Enter the passphrase for the key."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1723
-msgid ""
-"To use `ssh-agent` in Xorg, add an entry for it in [.filename]#~/.xinitrc#. "
-"This provides the `ssh-agent` services to all programs launched in Xorg. An "
-"example [.filename]#~/.xinitrc# might look like this:"
+#: documentation/content/en/books/handbook/security/_index.adoc:1788
+msgid "FreeBSD provides limits for various types of resources, including:"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1727
+#. type: Block title
+#: documentation/content/en/books/handbook/security/_index.adoc:1789
#, no-wrap
-msgid "exec ssh-agent startxfce4\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1731
-msgid ""
-"This launches `ssh-agent`, which in turn launches XFCE, every time Xorg "
-"starts. Once Xorg has been restarted so that the changes can take effect, "
-"run `ssh-add` to load all of the SSH keys."
+msgid "Resource types"
msgstr ""
-#. type: Title ====
-#: documentation/content/en/books/handbook/security/_index.adoc:1733
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1792
#, no-wrap
-msgid "SSH Tunneling"
+msgid "Type"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1736
-msgid ""
-"OpenSSH has the ability to create a tunnel to encapsulate another protocol "
-"in an encrypted session."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1738
-msgid "The following command tells `ssh` to create a tunnel for telnet:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1743
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1794
#, no-wrap
-msgid ""
-"% ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com\n"
-"%\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1746
-msgid "This example uses the following options:"
+msgid "Description"
msgstr ""
-#. type: Labeled list
-#: documentation/content/en/books/handbook/security/_index.adoc:1747
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1795
#, no-wrap
-msgid "`-2`"
+msgid "CPU Time"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1749
-msgid "Forces `ssh` to use version 2 to connect to the server."
-msgstr ""
-
-#. type: Labeled list
-#: documentation/content/en/books/handbook/security/_index.adoc:1750
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1797
#, no-wrap
-msgid "`-N`"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1753
-msgid ""
-"Indicates no command, or tunnel only. If omitted, `ssh` initiates a normal "
-"session."
+msgid "Limits the amount of CPU time a process can consume"
msgstr ""
-#. type: Labeled list
-#: documentation/content/en/books/handbook/security/_index.adoc:1754
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1798
#, no-wrap
-msgid "`-f`"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1756
-msgid "Forces `ssh` to run in the background."
+msgid "Memory"
msgstr ""
-#. type: Labeled list
-#: documentation/content/en/books/handbook/security/_index.adoc:1757
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1800
#, no-wrap
-msgid "`-L`"
+msgid "Controls the amount of physical memory a process can use"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1759
-msgid "Indicates a local tunnel in _localport:remotehost:remoteport_ format."
-msgstr ""
-
-#. type: Labeled list
-#: documentation/content/en/books/handbook/security/_index.adoc:1760
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1801
#, no-wrap
-msgid "`user@foo.example.com`"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1762
-msgid "The login name to use on the specified remote SSH server."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1767
-msgid ""
-"An SSH tunnel works by creating a listen socket on `localhost` on the "
-"specified `localport`. It then forwards any connections received on "
-"`localport` via the SSH connection to the specified `remotehost:"
-"remoteport`. In the example, port `5023` on the client is forwarded to port "
-"`23` on the remote machine. Since port 23 is used by telnet, this creates "
-"an encrypted telnet session through an SSH tunnel."
+msgid "Open Files"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1769
-msgid ""
-"This method can be used to wrap any number of insecure TCP protocols such as "
-"SMTP, POP3, and FTP, as seen in the following examples."
-msgstr ""
-
-#. type: Block title
-#: documentation/content/en/books/handbook/security/_index.adoc:1770
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1803
#, no-wrap
-msgid "Create a Secure Tunnel for SMTP"
+msgid "Limits the number of files a process can have open simultaneously"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1783
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1804
#, no-wrap
-msgid ""
-"% ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com\n"
-"user@mailserver.example.com's password: *****\n"
-"% telnet localhost 5025\n"
-"Trying 127.0.0.1...\n"
-"Connected to localhost.\n"
-"Escape character is '^]'.\n"
-"220 mailserver.example.com ESMTP\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1786
-msgid ""
-"This can be used in conjunction with `ssh-keygen` and additional user "
-"accounts to create a more seamless SSH tunneling environment. Keys can be "
-"used in place of typing a password, and the tunnels can be run as a separate "
-"user."
+msgid "Processes"
msgstr ""
-#. type: Block title
-#: documentation/content/en/books/handbook/security/_index.adoc:1788
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1806
#, no-wrap
-msgid "Secure Access of a POP3 Server"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1794
-msgid ""
-"In this example, there is an SSH server that accepts connections from the "
-"outside. On the same network resides a mail server running a POP3 server. "
-"To check email in a secure manner, create an SSH connection to the SSH "
-"server and tunnel through to the mail server:"
+msgid "Controls the number of processes a user or a process can create"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1799
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1807
#, no-wrap
-msgid ""
-"% ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com\n"
-"user@ssh-server.example.com's password: ******\n"
+msgid "File Size"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1803
-msgid ""
-"Once the tunnel is up and running, point the email client to send POP3 "
-"requests to `localhost` on port 2110. This connection will be forwarded "
-"securely across the tunnel to `mail.example.com`."
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1809
+#, no-wrap
+msgid "Limits the maximum size of files that a process can create"
msgstr ""
-#. type: Block title
-#: documentation/content/en/books/handbook/security/_index.adoc:1805
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1810
#, no-wrap
-msgid "Bypassing a Firewall"
+msgid "Core Dumps"
msgstr ""
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1811
-msgid ""
-"Some firewalls filter both incoming and outgoing connections. For example, "
-"a firewall might limit access from remote machines to ports 22 and 80 to "
-"only allow SSH and web surfing. This prevents access to any other service "
-"which uses a port other than 22 or 80."
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1812
+#, no-wrap
+msgid "Controls whether processes are allowed to generate core dump files"
msgstr ""
-#. type: Plain text
+#. type: Table
#: documentation/content/en/books/handbook/security/_index.adoc:1813
-msgid ""
-"The solution is to create an SSH connection to a machine outside of the "
-"network's firewall and use it to tunnel to the desired service:"
+#, no-wrap
+msgid "Network Resources"
msgstr ""
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1818
+#. type: Table
+#: documentation/content/en/books/handbook/security/_index.adoc:1815
#, no-wrap
-msgid ""
-"% ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org\n"
-"user@unfirewalled-system.example.org's password: *******\n"
+msgid "Limits the amount of network resources (e.g., sockets) a process can use"
msgstr ""
#. type: Plain text
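Review bot: Two rows of the new "Resource types" table do not match the limits that login.conf(5) and rctl(8) actually provide, which the closing sentence points the reader to. The "Core Dumps" row says the limit "Controls whether processes are allowed to generate core dump files", but `coredumpsize` is a size limit in both interfaces (zero disables core dumps); suggest "Limits the maximum size of core dump files a process can create". The "Network Resources" row names a category that neither man page has; the closest real limit is `sbsize` (socket buffer usage in bytes), so suggest either naming that row "Socket Buffers" and describing `sbsize`, or dropping the row.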
-#: documentation/content/en/books/handbook/security/_index.adoc:1821
-msgid ""
-"In this example, a streaming Ogg Vorbis client can now be pointed to "
-"`localhost` port 8888, which will be forwarded over to `music.example.com` "
-"on port 8000, successfully bypassing the firewall."
+#: documentation/content/en/books/handbook/security/_index.adoc:1818
+msgid "For a full listing of types see man:login.conf[5] and man:rctl[8]."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1823
+#: documentation/content/en/books/handbook/security/_index.adoc:1820
#, no-wrap
-msgid "Enabling the SSH Server"
+msgid "Configuring Login Classes"
msgstr ""
-#. type: delimited block = 4
+#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:1826
msgid ""
-"In addition to providing built-in SSH client utilities, a FreeBSD system can "
-"be configured as an SSH server, accepting connections from other SSH clients."
+"In the traditional method, login classes and the resource limits to apply to "
+"a login class are defined in [.filename]#/etc/login.conf#. Each user "
+"account can be assigned to a login class, where `default` is the default "
+"login class. Each login class has a set of login capabilities associated "
+"with it. A login capability is a `_name_=_value_` pair, where _name_ is a "
+"well-known identifier and _value_ is an arbitrary string which is processed "
+"accordingly depending on the _name_."
msgstr ""
-#. type: delimited block = 4
+#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:1828
-msgid "To see if sshd is operating, use the man:service[8] command:"
+msgid ""
+"The first step to configure a resource limit will be to open [.filename]#/"
+"etc/login.conf# by executing the following command:"
msgstr ""
#. type: delimited block . 4
#: documentation/content/en/books/handbook/security/_index.adoc:1832
#, no-wrap
-msgid "# service sshd status\n"
+msgid "# ee /etc/login.conf\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1835
+#: documentation/content/en/books/handbook/security/_index.adoc:1836
msgid ""
-"If the service is not running, add the following line to [.filename]#/etc/rc."
-"conf#."
+"Then locate the section for the user class to be modified. In this example, "
+"let's assume the user class is named `limited`, create it in case it not "
+"exists."
msgstr ""
#. type: delimited block . 4
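Review bot: Grammar in the new msgid: "let's assume the user class is named `limited`, create it in case it not exists" is a comma splice with a broken verb. Suggest "In this example, the login class is named `limited`; create it if it does not exist." Using "login class" here also matches the terminology introduced in the section heading and the paragraph on login capabilities.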
-#: documentation/content/en/books/handbook/security/_index.adoc:1839
-#, no-wrap
-msgid "sshd_enable=\"YES\"\n"
-msgstr ""
-
-#. type: Plain text
#: documentation/content/en/books/handbook/security/_index.adoc:1842
-msgid ""
-"This will start sshd, the daemon program for OpenSSH, the next time the "
-"system boots. To start it now:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1846
#, no-wrap
-msgid "# service sshd start\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1850
msgid ""
-"The first time sshd starts on a FreeBSD system, the system's host keys will "
-"be automatically created and the fingerprint will be displayed on the "
-"console. Provide users with the fingerprint so that they can verify it the "
-"first time they connect to the server."
+"limited:\\ <.>\n"
+" :maxproc=50:\\ <.>\n"
+" :tc=default: <.>\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1852
-msgid ""
-"Refer to man:sshd[8] for the list of available options when starting sshd "
-"and a more complete discussion about authentication, the login process, and "
-"the various configuration files."
+#: documentation/content/en/books/handbook/security/_index.adoc:1845
+msgid "Name of the user class."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1854
+#: documentation/content/en/books/handbook/security/_index.adoc:1846
msgid ""
-"At this point, the sshd should be available to all users with a username and "
-"password on the system."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1855
-#, no-wrap
-msgid "SSH Server Security"
+"Sets the maximum number of processes (maxproc) to 50 for users in the "
+"`limited` class."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1859
+#: documentation/content/en/books/handbook/security/_index.adoc:1847
msgid ""
-"While sshd is the most widely used remote administration facility for "
-"FreeBSD, brute force and drive by attacks are common to any system exposed "
-"to public networks. Several additional parameters are available to prevent "
-"the success of these attacks and will be described in this section."
+"Indicates that this user class inherits the default settings from the "
+"\"default\" class."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1862
+#: documentation/content/en/books/handbook/security/_index.adoc:1849
msgid ""
-"It is a good idea to limit which users can log into the SSH server and from "
-"where using the `AllowUsers` keyword in the OpenSSH server configuration "
-"file. For example, to only allow `root` to log in from `192.168.1.32`, add "
-"this line to [.filename]#/etc/ssh/sshd_config#:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1866
-#, no-wrap
-msgid "AllowUsers root@192.168.1.32\n"
+"After modifying the [.filename]#/etc/login.conf# file, run man:cap_mkdb[1] "
+"to generate the database that FreeBSD uses to apply these settings:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1869
+#: documentation/content/en/books/handbook/security/_index.adoc:1856
msgid ""
-"To allow `admin` to log in from anywhere, list that user without specifying "
-"an IP address:"
+"man:chpass[1] can be used to change the class to the desired user executint "
+"the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1873
+#: documentation/content/en/books/handbook/security/_index.adoc:1860
#, no-wrap
-msgid "AllowUsers admin\n"
+msgid "# chpass username\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1876
-msgid "Multiple users should be listed on the same line, like so:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1880
-#, no-wrap
-msgid "AllowUsers root@192.168.1.32 admin\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1883
+#: documentation/content/en/books/handbook/security/_index.adoc:1863
msgid ""
-"After making changes to [.filename]#/etc/ssh/sshd_config#, tell sshd to "
-"reload its configuration file by running:"
+"This will open a text editor, add the new `limited` class there as follows:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1887
+#: documentation/content/en/books/handbook/security/_index.adoc:1882
#, no-wrap
-msgid "# service sshd reload\n"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1897
msgid ""
-"When this keyword is used, it is important to list each user that needs to "
-"log into this machine. Any user that is not specified in that line will be "
-"locked out. Also, the keywords used in the OpenSSH server configuration "
-"file are case-sensitive. If the keyword is not spelled correctly, including "
-"its case, it will be ignored. Always test changes to this file to make sure "
-"that the edits are working as expected. Refer to man:sshd_config[5] to "
-"verify the spelling and use of the available keywords."
+"#Changing user information for username.\n"
+"Login: username\n"
+"Password: $6$2H.419USdGaiJeqK$6kgcTnDadasdasd3YnlNZsOni5AMymibkAfRCPirc7ZFjjv\n"
+"DVsKyXx26daabdfqSdasdsmL/ZMUpdHiO0\n"
+"Uid [#]: 1001\n"
+"Gid [# or name]: 1001\n"
+"Change [month day year]:\n"
+"Expire [month day year]:\n"
+"Class: limited\n"
+"Home directory: /home/username\n"
+"Shell: /bin/sh\n"
+"Full Name: User &\n"
+"Office Location:\n"
+"Office Phone:\n"
+"Home Phone:\n"
+"Other information:\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1903
+#: documentation/content/en/books/handbook/security/_index.adoc:1886
msgid ""
-"In addition, users may be forced to use two factor authentication via the "
-"use of a public and private key. When required, the user may generate a key "
-"pair through the use of man:ssh-keygen[1] and send the administrator the "
-"public key. This key file will be placed in the [."
-"filename]#authorized_keys# as described above in the client section. To "
-"force the users to use keys only, the following option may be configured:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1907
-#, no-wrap
-msgid "AuthenticationMethods publickey\n"
+"Now, the user assigned to the `limited` class will have a maximum process "
+"limit of 50. Remember that this is just one example of setting a resource "
+"limit using the [.filename]#/etc/login.conf# file."
msgstr ""
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1915
+#. type: Plain text
+#: documentation/content/en/books/handbook/security/_index.adoc:1889
msgid ""
-"Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/"
-"ssh_config# (note the extra `d` in the first filename). The first file "
-"configures the server and the second file configures the client. Refer to "
-"man:ssh_config[5] for a listing of the available client settings."
+"Keep in mind that after making changes to the [.filename]#/etc/login.conf# "
+"file, the user needs to log out and log back in for the changes to take "
+"effect. Additionally, always exercise caution when editing system "
+"configuration files, especially when using privileged access."
msgstr ""
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:1918
+#. type: Title ===
+#: documentation/content/en/books/handbook/security/_index.adoc:1891
#, no-wrap
-msgid "Access Control Lists"
+msgid "Enabling and Configuring Resource Limits"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1922
+#: documentation/content/en/books/handbook/security/_index.adoc:1895
msgid ""
-"Access Control Lists (ACLs) extend the standard UNIX(R) permission model in "
-"a POSIX(R).1e compatible way. This permits an administrator to take "
-"advantage of a more fine-grained permissions model."
+"The man:rctl[8] system provides a more fine-grained way to set and manage "
+"resource limits for individual processes and users. It allows you to "
+"dynamically assign resource limits to specific processes or users, "
+"regardless of their user class."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1925
+#: documentation/content/en/books/handbook/security/_index.adoc:1897
msgid ""
-"The FreeBSD [.filename]#GENERIC# kernel provides ACL support for UFS file "
-"systems. Users who prefer to compile a custom kernel must include the "
-"following option in their custom kernel configuration file:"
+"The first step to use man:rctl[8] will be to enable it adding the following "
+"line to [.filename]#/boot/loader.conf# and reboot the system:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1929
+#: documentation/content/en/books/handbook/security/_index.adoc:1901
#, no-wrap
-msgid "options UFS_ACL\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1933
-msgid ""
-"If this option is not compiled in, a warning message will be displayed when "
-"attempting to mount a file system with ACL support. ACLs rely on extended "
-"attributes which are natively supported in UFS2."
+msgid "kern.racct.enable=1\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1935
+#: documentation/content/en/books/handbook/security/_index.adoc:1904
msgid ""
-"This chapter describes how to enable ACL support and provides some usage "
-"examples."
+"Then active the man:rctl[8] service and enable it executing by the following "
+"commands:"
msgstr ""
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1936
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:1909
#, no-wrap
-msgid "Enabling ACL Support"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1941
msgid ""
-"ACLs are enabled by the mount-time administrative flag, `acls`, which may be "
-"added to [.filename]#/etc/fstab#. The mount-time flag can also be "
-"automatically set in a persistent manner using man:tunefs[8] to modify a "
-"superblock ACLs flag in the file system header. In general, it is preferred "
-"to use the superblock flag for several reasons:"
+"# sysrc rctl_enable=\"YES\"\n"
+"# service rctl start\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1943
-msgid ""
-"The superblock flag cannot be changed by a remount using `mount -u` as it "
-"requires a complete `umount` and fresh `mount`. This means that ACLs cannot "
-"be enabled on the root file system after boot. It also means that ACL "
-"support on a file system cannot be changed while the system is in use."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1944
-msgid ""
-"Setting the superblock flag causes the file system to always be mounted with "
-"ACLs enabled, even if there is not an [.filename]#fstab# entry or if the "
-"devices re-order. This prevents accidental mounting of the file system "
-"without ACL support."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1949
-msgid ""
-"It is desirable to discourage accidental mounting without ACLs enabled "
-"because nasty things can happen if ACLs are enabled, then disabled, then re-"
-"enabled without flushing the extended attributes. In general, once ACLs are "
-"enabled on a file system, they should not be disabled, as the resulting file "
-"protections may not be compatible with those intended by the users of the "
-"system, and re-enabling ACLs may re-attach the previous ACLs to files that "
-"have since had their permissions changed, resulting in unpredictable "
-"behavior."
+#: documentation/content/en/books/handbook/security/_index.adoc:1912
+msgid "Then man:rctl[8] may be used to set rules for the system."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1952
+#: documentation/content/en/books/handbook/security/_index.adoc:1914
msgid ""
-"File systems with ACLs enabled will show a plus (`+`) sign in their "
-"permission settings:"
+"Rule syntax (man:rctl.conf[5]) is controlled through the use of a subject, "
+"subject-id, resource, and action, as seen in this example rule:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1960
-#, no-wrap
-msgid ""
-"drwx------ 2 robert robert 512 Dec 27 11:54 private\n"
-"drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1\n"
-"drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2\n"
-"drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3\n"
-"drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1963
-msgid ""
-"In this example, [.filename]#directory1#, [.filename]#directory2#, and [."
-"filename]#directory3# are all taking advantage of ACLs, whereas [."
-"filename]#private# and [.filename]#public_html# are not."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:1964
+#: documentation/content/en/books/handbook/security/_index.adoc:1918
#, no-wrap
-msgid "Using ACLs"
+msgid "subject:subject-id:resource:action=amount/per\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1968
+#: documentation/content/en/books/handbook/security/_index.adoc:1921
msgid ""
-"File system ACLs can be viewed using `getfacl`. For instance, to view the "
-"ACL settings on [.filename]#test#:"
+"For example to constrained the user to add no more than 10 processes execute "
+"the following command:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1978
+#: documentation/content/en/books/handbook/security/_index.adoc:1925
#, no-wrap
-msgid ""
-"% getfacl test\n"
-"\t#file:test\n"
-"\t#owner:1001\n"
-"\t#group:1001\n"
-"\tuser::rw-\n"
-"\tgroup::r--\n"
-"\tother::r--\n"
+msgid "# rctl -a user:username:maxproc:deny=10/user\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1983
+#: documentation/content/en/books/handbook/security/_index.adoc:1928
msgid ""
-"To change the ACL settings on this file, use `setfacl`. To remove all of "
-"the currently defined ACLs from a file or file system, include `-k`. "
-"However, the preferred method is to use `-b` as it leaves the basic fields "
-"required for ACLs to work."
+"To check the applied resource limits the man:rctl[8] command can be executed:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1987
+#: documentation/content/en/books/handbook/security/_index.adoc:1932
#, no-wrap
-msgid "% setfacl -k test\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1990
-msgid "To modify the default ACL entries, use `-m`:"
+msgid "# rctl\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:1994
+#: documentation/content/en/books/handbook/security/_index.adoc:1939
+#: documentation/content/en/books/handbook/security/_index.adoc:1947
#, no-wrap
-msgid "% setfacl -m u:trhodes:rwx,group:web:r--,o::--- test\n"
+msgid "user:username:maxproc:deny=10\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:1999
-msgid ""
-"In this example, there were no pre-defined entries, as they were removed by "
-"the previous command. This command restores the default options and assigns "
-"the options listed. If a user or group is added which does not exist on the "
-"system, an `Invalid argument` error will be displayed."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2001
+#: documentation/content/en/books/handbook/security/_index.adoc:1943
msgid ""
-"Refer to man:getfacl[1] and man:setfacl[1] for more information about the "
-"options available for these commands."
+"Rules will persist across reboots if they have been added to [.filename]#/"
+"etc/rctl.conf#. The format is a rule, without the preceding command. For "
+"example, the previous rule could be added as:"
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2003
+#: documentation/content/en/books/handbook/security/_index.adoc:1950
#, no-wrap
msgid "Monitoring Third Party Security Issues"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2007
+#: documentation/content/en/books/handbook/security/_index.adoc:1954
msgid ""
"In recent years, the security world has made many improvements to how "
"vulnerability assessment is handled. The threat of system intrusion "
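Review bot: the entire "SSH Server Security" subsection (the `AllowUsers` examples, `# service sshd reload`, `AuthenticationMethods publickey` and the sshd_config/ssh_config note) and the entire "Access Control Lists" section (`options UFS_ACL`, the superblock-flag discussion, the `getfacl`/`setfacl` examples) disappear in this hunk with nothing in the `+` lines covering them; please confirm they were relocated elsewhere in the chapter rather than dropped, since the diffstat shows a large net deletion. In the added text, "to the desired user executint the following command" should read "for the desired user by executing the following command"; "Then active the man:rctl[8] service and enable it executing by the following commands" should read "Then enable and start the man:rctl[8] service by executing the following commands" (matching the `sysrc`/`service` lines that follow); and "to constrained the user to add no more than 10 processes" should read "to constrain the user to no more than 10 processes". The chpass editor sample wraps the `Password:` hash onto a second line (`DVsKyXx26daabdfqSdasdsmL/ZMUpdHiO0`), which renders as a stray field line in the literal block; keep the hash on one line or shorten it with an ellipsis. Finally, "This will open a text editor, add the new `limited` class there as follows:" is a comma splice and the editor session sets the `Class:` field of an existing user rather than adding a class; suggest "This opens a text editor; set the `Class:` field to `limited`, as shown:".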
@@ -3960,7 +3964,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2012
+#: documentation/content/en/books/handbook/security/_index.adoc:1959
msgid ""
"Vulnerability assessment is a key factor in security. While FreeBSD "
"releases advisories for the base system, doing so for every third party "
@@ -3971,31 +3975,22 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2015
+#: documentation/content/en/books/handbook/security/_index.adoc:1962
msgid ""
"pkg polls a database for security issues. The database is updated and "
"maintained by the FreeBSD Security Team and ports developers."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2017
-msgid ""
-"Please refer to crossref:ports[pkgng-intro,instructions] for installing pkg."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2021
+#: documentation/content/en/books/handbook/security/_index.adoc:1964
msgid ""
"Installation provides man:periodic[8] configuration files for maintaining "
"the pkg audit database, and provides a programmatic method of keeping it "
-"updated. This functionality is enabled if "
-"`daily_status_security_pkgaudit_enable` is set to `YES` in man:periodic."
-"conf[5]. Ensure that daily security run emails, which are sent to "
-"``root``'s email account, are being read."
+"updated."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2023
+#: documentation/content/en/books/handbook/security/_index.adoc:1966
msgid ""
"After installation, and to audit third party utilities as part of the Ports "
"Collection at any time, an administrator may choose to update the database "
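Review bot: deleting the sentence about `daily_status_security_pkgaudit_enable` in man:periodic.conf[5] leaves "provides a programmatic method of keeping it updated." without saying how that method is switched on or where its output goes (the daily security mail to `root`); keep that sentence, or at least the variable name and the reminder to read the daily security mail, so the paragraph stays actionable. The removed crossref to the pkg installation instructions (`crossref:ports[pkgng-intro,instructions]`) was the only pointer for readers who do not yet have pkg bootstrapped; consider keeping it as a one-line reference.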
@@ -4003,62 +3998,68 @@ msgid ""
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2027
+#: documentation/content/en/books/handbook/security/_index.adoc:1970
#, no-wrap
-msgid "# pkg audit -F\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2030
-msgid ""
-"pkg displays messages any published vulnerabilities in installed packages:"
+msgid "% pkg audit -F\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2036
+#: documentation/content/en/books/handbook/security/_index.adoc:1985
#, no-wrap
msgid ""
-"Affected package: cups-base-1.1.22.0_1\n"
-"Type of problem: cups-base -- HPGL buffer overflow vulnerability.\n"
-"Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>\n"
+"vulnxml file up-to-date\n"
+"chromium-116.0.5845.96_1 is vulnerable:\n"
+" chromium -- multiple vulnerabilities\n"
+" CVE: CVE-2023-4431\n"
+" CVE: CVE-2023-4427\n"
+" CVE: CVE-2023-4428\n"
+" CVE: CVE-2023-4429\n"
+" CVE: CVE-2023-4430\n"
+" WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2038
+#: documentation/content/en/books/handbook/security/_index.adoc:1994
#, no-wrap
-msgid "1 problem(s) in your installed packages found.\n"
+msgid ""
+"samba413-4.13.17_5 is vulnerable:\n"
+" samba -- multiple vulnerabilities\n"
+" CVE: CVE-2023-3347\n"
+" CVE: CVE-2023-34966\n"
+" CVE: CVE-2023-34968\n"
+" CVE: CVE-2022-2127\n"
+" CVE: CVE-2023-34967\n"
+" WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2040
+#: documentation/content/en/books/handbook/security/_index.adoc:1996
#, no-wrap
-msgid "You are advised to update or deinstall the affected package(s) immediately.\n"
+msgid "2 problem(s) in 2 installed package(s) found.\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2044
+#: documentation/content/en/books/handbook/security/_index.adoc:1999
msgid ""
"By pointing a web browser to the displayed URL, an administrator may obtain "
-"more information about the vulnerability. This will include the versions "
-"affected, by FreeBSD port version, along with other web sites which may "
-"contain security advisories."
+"more information about the vulnerability."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2046
+#: documentation/content/en/books/handbook/security/_index.adoc:2001
msgid ""
-"pkg is a powerful utility and is extremely useful when coupled with package:"
-"ports-mgmt/portmaster[]."
+"This will include the versions affected, by FreeBSD port version, along with "
+"other web sites which may contain security advisories."
msgstr ""
#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2048
+#: documentation/content/en/books/handbook/security/_index.adoc:2003
#, no-wrap
msgid "FreeBSD Security Advisories"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2052
+#: documentation/content/en/books/handbook/security/_index.adoc:2007
msgid ""
"Like many producers of quality operating systems, the FreeBSD Project has a "
"security team which is responsible for determining the End-of-Life (EoL) "
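Review bot: the prompt for `pkg audit -F` changes from `#` to `%`, but `-F` fetches the vulnerability database and writes it into the pkg database directory, which an unprivileged user normally cannot do; either keep the `#` prompt or confirm the command succeeds as a regular user on a default install. The sentence introducing the output ("pkg displays messages any published vulnerabilities in installed packages:") is deleted rather than corrected, so the sample output now follows the command with no lead-in; "pkg displays any published vulnerabilities in installed packages:" would serve better. Also, splitting "This will include the versions affected, by FreeBSD port version, ..." into its own paragraph leaves "This" without a clear antecedent; suggest "The advisory page includes the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories."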
@@ -4069,7 +4070,7 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2057
+#: documentation/content/en/books/handbook/security/_index.adoc:2012
msgid ""
"One task of the security team is to respond to reported security "
"vulnerabilities in the FreeBSD operating system. Once a vulnerability is "
@@ -4078,356 +4079,366 @@ msgid ""
"the details as a \"Security Advisory\". Security advisories are published "
"on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] "
"and mailed to the {freebsd-security-notifications}, {freebsd-security}, and "
-"{freebsd-announce} mailing lists."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2059
-msgid "This section describes the format of a FreeBSD security advisory."
+"{freebsd-announce}."
msgstr ""
#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:2060
+#: documentation/content/en/books/handbook/security/_index.adoc:2013
#, no-wrap
msgid "Format of a Security Advisory"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2063
+#: documentation/content/en/books/handbook/security/_index.adoc:2016
msgid "Here is an example of a FreeBSD security advisory:"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2069
+#: documentation/content/en/books/handbook/security/_index.adoc:2021
#, no-wrap
msgid ""
-"=============================================================================\n"
"-----BEGIN PGP SIGNED MESSAGE-----\n"
"Hash: SHA512\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2073
+#: documentation/content/en/books/handbook/security/_index.adoc:2025
#, no-wrap
msgid ""
"=============================================================================\n"
-"FreeBSD-SA-14:04.bind Security Advisory\n"
+"FreeBSD-SA-23:07.bhyve Security Advisory\n"
" The FreeBSD Project\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2075
+#: documentation/content/en/books/handbook/security/_index.adoc:2027
#, no-wrap
-msgid "Topic: BIND remote denial of service vulnerability\n"
+msgid "Topic: bhyve privileged guest escape via fwctl\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2088
+#: documentation/content/en/books/handbook/security/_index.adoc:2037
#, no-wrap
msgid ""
-"Category: contrib\n"
-"Module: bind\n"
-"Announced: 2014-01-14\n"
-"Credits: ISC\n"
-"Affects: FreeBSD 8.x and FreeBSD 9.x\n"
-"Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)\n"
-" 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)\n"
-" 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)\n"
-" 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)\n"
-" 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)\n"
-" 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)\n"
-"CVE Name: CVE-2014-0591\n"
+"Category: core\n"
+"Module: bhyve\n"
+"Announced: 2023-08-01\n"
+"Credits: Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft\n"
+"Affects: FreeBSD 13.1 and 13.2\n"
+"Corrected: 2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)\n"
+" 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)\n"
+" 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)\n"
+"CVE Name: CVE-2023-3494\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2092
+#: documentation/content/en/books/handbook/security/_index.adoc:2041
#, no-wrap
msgid ""
"For general information regarding FreeBSD Security Advisories,\n"
"including descriptions of the fields above, security branches, and the\n"
-"following sections, please visit <URL:http://security.FreeBSD.org/>.\n"
+"following sections, please visit <URL:https://security.FreeBSD.org/>.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2094
+#: documentation/content/en/books/handbook/security/_index.adoc:2043
#, no-wrap
msgid "I. Background\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2097
+#: documentation/content/en/books/handbook/security/_index.adoc:2049
#, no-wrap
msgid ""
-"BIND 9 is an implementation of the Domain Name System (DNS) protocols.\n"
-"The named(8) daemon is an Internet Domain Name Server.\n"
+"bhyve(8)'s fwctl interface provides a mechanism through which guest\n"
+"firmware can query the hypervisor for information about the virtual\n"
+"machine. The fwctl interface is available to guests when bhyve is run\n"
+"with the \"-l bootrom\" option, used for example when booting guests in\n"
+"UEFI mode.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2099
+#: documentation/content/en/books/handbook/security/_index.adoc:2051
+#, no-wrap
+msgid "bhyve is currently only supported on the amd64 platform.\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:2053
#, no-wrap
msgid "II. Problem Description\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2104
+#: documentation/content/en/books/handbook/security/_index.adoc:2059
#, no-wrap
msgid ""
-"Because of a defect in handling queries for NSEC3-signed zones, BIND can\n"
-"crash with an \"INSIST\" failure in name.c when processing queries possessing\n"
-"certain properties. This issue only affects authoritative nameservers with\n"
-"at least one NSEC3-signed zone. Recursive-only servers are not at risk.\n"
+"The fwctl driver implements a state machine which is executed when the\n"
+"guest accesses certain x86 I/O ports. The interface lets the guest copy\n"
+"a string into a buffer resident in the bhyve process' memory. A bug in\n"
+"the state machine implementation can result in a buffer overflowing when\n"
+"copying this string.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2106
+#: documentation/content/en/books/handbook/security/_index.adoc:2061
#, no-wrap
msgid "III. Impact\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2109
+#: documentation/content/en/books/handbook/security/_index.adoc:2067
#, no-wrap
msgid ""
-"An attacker who can send a specially crafted query could cause named(8)\n"
-"to crash, resulting in a denial of service.\n"
+"A malicious, privileged software running in a guest VM can exploit the\n"
+"buffer overflow to achieve code execution on the host in the bhyve\n"
+"userspace process, which typically runs as root. Note that bhyve runs\n"
+"in a Capsicum sandbox, so malicious code is constrained by the\n"
+"capabilities available to the bhyve process.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2111
+#: documentation/content/en/books/handbook/security/_index.adoc:2069
#, no-wrap
msgid "IV. Workaround\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2114
+#: documentation/content/en/books/handbook/security/_index.adoc:2072
#, no-wrap
msgid ""
-"No workaround is available, but systems not running authoritative DNS service\n"
-"with at least one NSEC3-signed zone using named(8) are not vulnerable.\n"
+"No workaround is available. bhyve guests that are executed without the\n"
+"\"-l bootrom\" option are unaffected.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2116
+#: documentation/content/en/books/handbook/security/_index.adoc:2074
#, no-wrap
msgid "V. Solution\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2118
+#: documentation/content/en/books/handbook/security/_index.adoc:2077
#, no-wrap
-msgid "Perform one of the following:\n"
+msgid ""
+"Upgrade your vulnerable system to a supported FreeBSD stable or\n"
+"release / security branch (releng) dated after the correction date.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2121
+#: documentation/content/en/books/handbook/security/_index.adoc:2079
#, no-wrap
-msgid ""
-"1) Upgrade your vulnerable system to a supported FreeBSD stable or\n"
-"release / security branch (releng) dated after the correction date.\n"
+msgid "Perform one of the following:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2123
+#: documentation/content/en/books/handbook/security/_index.adoc:2081
#, no-wrap
-msgid "2) To update your vulnerable system via a source code patch:\n"
+msgid "1) To update your vulnerable system via a binary patch:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2126
+#: documentation/content/en/books/handbook/security/_index.adoc:2085
#, no-wrap
msgid ""
-"The following patches have been verified to apply to the applicable\n"
-"FreeBSD release branches.\n"
+"Systems running a RELEASE version of FreeBSD on the amd64, i386, or\n"
+"(on FreeBSD 13 and later) arm64 platforms can be updated via the\n"
+"freebsd-update(8) utility:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2129
+#: documentation/content/en/books/handbook/security/_index.adoc:2088
#, no-wrap
msgid ""
-"a) Download the relevant patch from the location below, and verify the\n"
-"detached PGP signature using your PGP utility.\n"
+"# freebsd-update fetch\n"
+"# freebsd-update install\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2134
+#: documentation/content/en/books/handbook/security/_index.adoc:2090
+#: documentation/content/en/books/handbook/security/_index.adoc:2118
#, no-wrap
-msgid ""
-"[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]\n"
-"# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch\n"
-"# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc\n"
-"# gpg --verify bind-release.patch.asc\n"
+msgid "Restart all affected virtual machines.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2139
+#: documentation/content/en/books/handbook/security/_index.adoc:2092
#, no-wrap
-msgid ""
-"[FreeBSD 9.2-STABLE]\n"
-"# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch\n"
-"# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc\n"
-"# gpg --verify bind-stable-9.patch.asc\n"
+msgid "2) To update your vulnerable system via a source code patch:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2141
+#: documentation/content/en/books/handbook/security/_index.adoc:2095
#, no-wrap
-msgid "b) Execute the following commands as root:\n"
+msgid ""
+"The following patches have been verified to apply to the applicable\n"
+"FreeBSD release branches.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2144
+#: documentation/content/en/books/handbook/security/_index.adoc:2098
#, no-wrap
msgid ""
-"# cd /usr/src\n"
-"# patch < /path/to/patch\n"
+"a) Download the relevant patch from the location below, and verify the\n"
+"detached PGP signature using your PGP utility.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2147
+#: documentation/content/en/books/handbook/security/_index.adoc:2103
#, no-wrap
msgid ""
-"Recompile the operating system using buildworld and installworld as\n"
-"described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.\n"
+"[FreeBSD 13.2]\n"
+"# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch\n"
+"# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc\n"
+"# gpg --verify bhyve.13.2.patch.asc\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2149
+#: documentation/content/en/books/handbook/security/_index.adoc:2108
#, no-wrap
-msgid "Restart the applicable daemons, or reboot the system.\n"
+msgid ""
+"[FreeBSD 13.1]\n"
+"# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch\n"
+"# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc\n"
+"# gpg --verify bhyve.13.1.patch.asc\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2151
+#: documentation/content/en/books/handbook/security/_index.adoc:2110
#, no-wrap
-msgid "3) To update your vulnerable system via a binary patch:\n"
+msgid "b) Apply the patch. Execute the following commands as root:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2154
+#: documentation/content/en/books/handbook/security/_index.adoc:2113
#, no-wrap
msgid ""
-"Systems running a RELEASE version of FreeBSD on the i386 or amd64\n"
-"platforms can be updated via the man:freebsd-update[8] utility:\n"
+"# cd /usr/src\n"
+"# patch < /path/to/patch\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2157
+#: documentation/content/en/books/handbook/security/_index.adoc:2116
#, no-wrap
msgid ""
-"# freebsd-update fetch\n"
-"# freebsd-update install\n"
+"c) Recompile the operating system using buildworld and installworld as\n"
+"described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2159
+#: documentation/content/en/books/handbook/security/_index.adoc:2120
#, no-wrap
msgid "VI. Correction details\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2162
+#: documentation/content/en/books/handbook/security/_index.adoc:2123
#, no-wrap
msgid ""
-"The following list contains the correction revision numbers for each\n"
-"affected branch.\n"
+"This issue is corrected by the corresponding Git commit hash or Subversion\n"
+"revision number in the following stable and release branches:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2172
+#: documentation/content/en/books/handbook/security/_index.adoc:2130
#, no-wrap
msgid ""
-"Branch/path Revision\n"
+"Branch/path Hash Revision\n"
"- -------------------------------------------------------------------------\n"
-"stable/8/ r260646\n"
-"releng/8.3/ r260647\n"
-"releng/8.4/ r260647\n"
-"stable/9/ r260646\n"
-"releng/9.1/ r260647\n"
-"releng/9.2/ r260647\n"
+"stable/13/ 9fe302d78109 stable/13-n255918\n"
+"releng/13.2/ 2bae613e0da3 releng/13.2-n254625\n"
+"releng/13.1/ 87702e38a4b4 releng/13.1-n250190\n"
"- -------------------------------------------------------------------------\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2176
+#: documentation/content/en/books/handbook/security/_index.adoc:2133
#, no-wrap
msgid ""
-"To see which files were modified by a particular revision, run the\n"
-"following command, replacing NNNNNN with the revision number, on a\n"
-"machine with Subversion installed:\n"
+"Run the following command to see which files were modified by a\n"
+"particular commit:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2178
+#: documentation/content/en/books/handbook/security/_index.adoc:2135
#, no-wrap
-msgid "# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base\n"
+msgid "# git show --stat <commit hash>\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2180
+#: documentation/content/en/books/handbook/security/_index.adoc:2137
#, no-wrap
-msgid "Or visit the following URL, replacing NNNNNN with the revision number:\n"
+msgid "Or visit the following URL, replacing NNNNNN with the hash:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2182
+#: documentation/content/en/books/handbook/security/_index.adoc:2139
#, no-wrap
-msgid "<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>\n"
+msgid "<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2184
+#: documentation/content/en/books/handbook/security/_index.adoc:2142
#, no-wrap
-msgid "VII. References\n"
+msgid ""
+"To determine the commit count in a working tree (for comparison against\n"
+"nNNNNNN in the table above), run:\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2186
+#: documentation/content/en/books/handbook/security/_index.adoc:2144
#, no-wrap
-msgid "<URL:https://kb.isc.org/article/AA-01078>\n"
+msgid "# git rev-list --count --first-parent HEAD\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2188
+#: documentation/content/en/books/handbook/security/_index.adoc:2146
#, no-wrap
-msgid "<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>\n"
+msgid "VII. References\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2192
+#: documentation/content/en/books/handbook/security/_index.adoc:2148
+#, no-wrap
+msgid "<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3494>\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/security/_index.adoc:2152
#, no-wrap
msgid ""
"The latest revision of this advisory is available at\n"
-"<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>\n"
+"<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc>\n"
"-----BEGIN PGP SIGNATURE-----\n"
msgstr ""
#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2207
+#: documentation/content/en/books/handbook/security/_index.adoc:2167
#, no-wrap
msgid ""
-"iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG\n"
-"ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO\n"
-"XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg\n"
-"ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG\n"
-"9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5\n"
-"fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua\n"
-"OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb\n"
-"zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag\n"
-"Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm\n"
-"067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq\n"
-"7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO\n"
-"UWWemqWuz3lAZuORQ9KX\n"
-"=OQzQ\n"
+"iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A\n"
+"Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K\n"
+"qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM\n"
+"cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K\n"
+"KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV\n"
+"fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb\n"
+"hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF\n"
+"NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip\n"
+"hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0\n"
+"drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0\n"
+"JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4\n"
+"LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=\n"
+"=MlAY\n"
"-----END PGP SIGNATURE-----\n"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2210
+#: documentation/content/en/books/handbook/security/_index.adoc:2170
msgid "Every security advisory uses the following format:"
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2212
+#: documentation/content/en/books/handbook/security/_index.adoc:2172
msgid ""
"Each security advisory is signed by the PGP key of the Security Officer. The "
"public key for the Security Officer can be verified at crossref:"
@@ -4435,22 +4446,21 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2213
+#: documentation/content/en/books/handbook/security/_index.adoc:2173
msgid ""
"The name of the security advisory always begins with `FreeBSD-SA-` (for "
-"FreeBSD Security Advisory), followed by the year in two digit format (`14:"
-"`), followed by the advisory number for that year (`04.`), followed by the "
-"name of the affected application or subsystem (`bind`). The advisory shown "
-"here is the fourth advisory for 2014 and it affects BIND."
+"FreeBSD Security Advisory), followed by the year in two digit format (`23:"
+"`), followed by the advisory number for that year (`07.`), followed by the "
+"name of the affected application or subsystem (`bhyve`)."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2214
+#: documentation/content/en/books/handbook/security/_index.adoc:2174
msgid "The `Topic` field summarizes the vulnerability."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2215
+#: documentation/content/en/books/handbook/security/_index.adoc:2175
msgid ""
"The `Category` refers to the affected part of the system which may be one of "
"`core`, `contrib`, or `ports`. The `core` category means that the "
@@ -4461,15 +4471,15 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2216
+#: documentation/content/en/books/handbook/security/_index.adoc:2176
msgid ""
"The `Module` field refers to the component location. In this example, the "
-"`bind` module is affected; therefore, this vulnerability affects an "
+"`bhyve` module is affected; therefore, this vulnerability affects an "
"application installed with the operating system."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2217
+#: documentation/content/en/books/handbook/security/_index.adoc:2177
msgid ""
"The `Announced` field reflects the date the security advisory was published. "
"This means that the security team has verified that the problem exists and "
@@ -4477,21 +4487,21 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2218
+#: documentation/content/en/books/handbook/security/_index.adoc:2178
msgid ""
"The `Credits` field gives credit to the individual or organization who "
"noticed the vulnerability and reported it."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2219
+#: documentation/content/en/books/handbook/security/_index.adoc:2179
msgid ""
"The `Affects` field explains which releases of FreeBSD are affected by this "
"vulnerability."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2220
+#: documentation/content/en/books/handbook/security/_index.adoc:2180
msgid ""
"The `Corrected` field indicates the date, time, time offset, and releases "
"that were corrected. The section in parentheses shows each branch for which "
@@ -4503,19 +4513,19 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2221
+#: documentation/content/en/books/handbook/security/_index.adoc:2181
msgid ""
"The `CVE Name` field lists the advisory number, if one exists, in the public "
"http://cve.mitre.org[cve.mitre.org] security vulnerabilities database."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2222
+#: documentation/content/en/books/handbook/security/_index.adoc:2182
msgid "The `Background` field provides a description of the affected module."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2223
+#: documentation/content/en/books/handbook/security/_index.adoc:2183
msgid ""
"The `Problem Description` field explains the vulnerability. This can include "
"information about the flawed code and how the utility could be maliciously "
@@ -4523,21 +4533,21 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2224
+#: documentation/content/en/books/handbook/security/_index.adoc:2184
msgid ""
"The `Impact` field describes what type of impact the problem could have on a "
"system."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2225
+#: documentation/content/en/books/handbook/security/_index.adoc:2185
msgid ""
"The `Workaround` field indicates if a workaround is available to system "
-"administrators who cannot immediately patch the system ."
+"administrators who cannot immediately patch the system."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2226
+#: documentation/content/en/books/handbook/security/_index.adoc:2186
msgid ""
"The `Solution` field provides the instructions for patching the affected "
"system. This is a step by step tested and verified method for getting a "
@@ -4545,815 +4555,15 @@ msgid ""
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2227
+#: documentation/content/en/books/handbook/security/_index.adoc:2187
msgid ""
-"The `Correction Details` field displays each affected Subversion branch with "
-"the revision number that contains the corrected code."
+"The `Correction Details` field displays each affected Subversion or Git "
+"branch with the revision number that contains the corrected code."
msgstr ""
#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2228
+#: documentation/content/en/books/handbook/security/_index.adoc:2187
msgid ""
"The `References` field offers sources of additional information regarding "
"the vulnerability."
msgstr ""
-
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2230
-#, no-wrap
-msgid "Process Accounting"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2233
-msgid ""
-"Process accounting is a security method in which an administrator may keep "
-"track of system resources used and their allocation among users, provide for "
-"system monitoring, and minimally track a user's commands."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2238
-msgid ""
-"Process accounting has both positive and negative points. One of the "
-"positives is that an intrusion may be narrowed down to the point of entry. "
-"A negative is the amount of logs generated by process accounting, and the "
-"disk space they may require. This section walks an administrator through "
-"the basics of process accounting."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2242
-msgid ""
-"If more fine-grained accounting is needed, refer to crossref:audit[audit,"
-"Security Event Auditing]."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:2244
-#, no-wrap
-msgid "Enabling and Utilizing Process Accounting"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2247
-msgid ""
-"Before using process accounting, it must be enabled using the following "
-"commands:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2252
-#, no-wrap
-msgid ""
-"# sysrc accounting_enable=yes\n"
-"# service accounting start\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2258
-msgid ""
-"The accounting information is stored in files located in [.filename]#/var/"
-"account#, which is automatically created, if necessary, the first time the "
-"accounting service starts. These files contain sensitive information, "
-"including all the commands issued by all users. Write access to the files "
-"is limited to `root`, and read access is limited to `root` and members of "
-"the `wheel` group. To also prevent members of `wheel` from reading the "
-"files, change the mode of the [.filename]#/var/account# directory to allow "
-"access only by `root`."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2263
-msgid ""
-"Once enabled, accounting will begin to track information such as CPU "
-"statistics and executed commands. All accounting logs are in a non-human "
-"readable format which can be viewed using `sa`. If issued without any "
-"options, `sa` prints information relating to the number of per-user calls, "
-"the total elapsed time in minutes, total CPU and user time in minutes, and "
-"the average number of I/O operations. Refer to man:sa[8] for the list of "
-"available options which control the output."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2266
-msgid ""
-"To display the commands issued by users, use `lastcomm`. For example, this "
-"command prints out all usage of `ls` by `trhodes` on the `ttyp1` terminal:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2270
-#, no-wrap
-msgid "# lastcomm ls trhodes ttyp1\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2273
-msgid ""
-"Many other useful options exist and are explained in man:lastcomm[1], man:"
-"acct[5], and man:sa[8]."
-msgstr ""
-
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2275
-#, no-wrap
-msgid "Resource Limits"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2280
-msgid ""
-"FreeBSD provides several methods for an administrator to limit the amount of "
-"system resources an individual may use. Disk quotas limit the amount of "
-"disk space available to users. Quotas are discussed in crossref:"
-"disks[quotas,\"Disk Quotas\"]."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2285
-msgid ""
-"Limits to other resources, such as CPU and memory, can be set using either a "
-"flat file or a command to configure a resource limits database. The "
-"traditional method defines login classes by editing [.filename]#/etc/login."
-"conf#. While this method is still supported, any changes require a multi-"
-"step process of editing this file, rebuilding the resource database, making "
-"necessary changes to [.filename]#/etc/master.passwd#, and rebuilding the "
-"password database. This can become time consuming, depending upon the "
-"number of users to configure."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2288
-msgid ""
-"`rctl` can be used to provide a more fine-grained method for controlling "
-"resource limits. This command supports more than user limits as it can also "
-"be used to set resource constraints on processes and jails."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2290
-msgid ""
-"This section demonstrates both methods for controlling resources, beginning "
-"with the traditional method."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:2292
-#, no-wrap
-msgid "Configuring Login Classes"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2298
-msgid ""
-"In the traditional method, login classes and the resource limits to apply to "
-"a login class are defined in [.filename]#/etc/login.conf#. Each user "
-"account can be assigned to a login class, where `default` is the default "
-"login class. Each login class has a set of login capabilities associated "
-"with it. A login capability is a `_name_=_value_` pair, where _name_ is a "
-"well-known identifier and _value_ is an arbitrary string which is processed "
-"accordingly depending on the _name_."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2302
-msgid ""
-"Whenever [.filename]#/etc/login.conf# is edited, the [.filename]#/etc/login."
-"conf.db# must be updated by executing the following command:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2306
-#, no-wrap
-msgid "# cap_mkdb /etc/login.conf\n"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2315
-msgid ""
-"Resource limits differ from the default login capabilities in two ways. "
-"First, for every limit, there is a _soft_ and _hard_ limit. A soft limit "
-"may be adjusted by the user or application, but may not be set higher than "
-"the hard limit. The hard limit may be lowered by the user, but can only be "
-"raised by the superuser. Second, most resource limits apply per process to "
-"a specific user."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2318
-msgid ""
-"<<resource-limits>> lists the most commonly used resource limits. All of "
-"the available resource limits and capabilities are described in detail in "
-"man:login.conf[5]."
-msgstr ""
-
-#. type: Block title
-#: documentation/content/en/books/handbook/security/_index.adoc:2320
-#, no-wrap
-msgid "Login Class Resource Limits"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2324
-#, no-wrap
-msgid "Resource Limit"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2326
-#, no-wrap
-msgid "Description"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2327
-#, no-wrap
-msgid "coredumpsize"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2329
-#, no-wrap
-msgid "The limit on the size of a core file generated by a program is subordinate to other limits on disk usage, such as `filesize` or disk quotas. This limit is often used as a less severe method of controlling disk space consumption. Since users do not generate core files and often do not delete them, this setting may save them from running out of disk space should a large program crash."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2330
-#, no-wrap
-msgid "cputime"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2332
-#, no-wrap
-msgid "The maximum amount of CPU time a user's process may consume. Offending processes will be killed by the kernel. This is a limit on CPU _time_ consumed, not the percentage of the CPU as displayed in some of the fields generated by `top` and `ps`."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2333
-#, no-wrap
-msgid "filesize"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2335
-#, no-wrap
-msgid "The maximum size of a file the user may own. Unlike disk quotas (crossref:disks[quotas,\"Disk Quotas\"]), this limit is enforced on individual files, not the set of all files a user owns."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2336
-#, no-wrap
-msgid "maxproc"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2338
-#, no-wrap
-msgid "The maximum number of foreground and background processes a user can run. This limit may not be larger than the system limit specified by `kern.maxproc`. Setting this limit too small may hinder a user's productivity as some tasks, such as compiling a large program, start lots of processes."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2339
-#, no-wrap
-msgid "memorylocked"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2341
-#, no-wrap
-msgid "The maximum amount of memory a process may request to be locked into main memory using man:mlock[2]. Some system-critical programs, such as man:amd[8], lock into main memory so that if the system begins to swap, they do not contribute to disk thrashing."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2342
-#, no-wrap
-msgid "memoryuse"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2344
-#, no-wrap
-msgid "The maximum amount of memory a process may consume at any given time. It includes both core memory and swap usage. This is not a catch-all limit for restricting memory consumption, but is a good start."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2345
-#, no-wrap
-msgid "openfiles"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2347
-#, no-wrap
-msgid "The maximum number of files a process may have open. In FreeBSD, files are used to represent sockets and IPC channels, so be careful not to set this too low. The system-wide limit for this is defined by `kern.maxfiles`."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2348
-#, no-wrap
-msgid "sbsize"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2350
-#, no-wrap
-msgid "The limit on the amount of network memory a user may consume. This can be generally used to limit network communications."
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2351
-#, no-wrap
-msgid "stacksize"
-msgstr ""
-
-#. type: Table
-#: documentation/content/en/books/handbook/security/_index.adoc:2352
-#, no-wrap
-msgid "The maximum size of a process stack. This alone is not sufficient to limit the amount of memory a program may use, so it should be used in conjunction with other limits."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2355
-msgid "There are a few other things to remember when setting resource limits:"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2357
-msgid ""
-"Processes started at system startup by [.filename]#/etc/rc# are assigned to "
-"the `daemon` login class."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2358
-msgid ""
-"Although the default [.filename]#/etc/login.conf# is a good source of "
-"reasonable values for most limits, they may not be appropriate for every "
-"system. Setting a limit too high may open the system up to abuse, while "
-"setting it too low may put a strain on productivity."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2359
-msgid ""
-"Xorg takes a lot of resources and encourages users to run more programs "
-"simultaneously."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2360
-msgid ""
-"Many limits apply to individual processes, not the user as a whole. For "
-"example, setting `openfiles` to `50` means that each process the user runs "
-"may open up to `50` files. The total amount of files a user may open is the "
-"value of `openfiles` multiplied by the value of `maxproc`. This also applies "
-"to memory consumption."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2362
-msgid ""
-"For further information on resource limits and login classes and "
-"capabilities in general, refer to man:cap.mkdb[1], man:getrlimit[2], and man:"
-"login.conf[5]."
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:2363
-#, no-wrap
-msgid "Enabling and Configuring Resource Limits"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2367
-msgid ""
-"The `kern.racct.enable` tunable must be set to a non-zero value. Custom "
-"kernels require specific configuration:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2372
-#, no-wrap
-msgid ""
-"options RACCT\n"
-"options RCTL\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2375
-msgid ""
-"Once the system has rebooted into the new kernel, `rctl` may be used to set "
-"rules for the system."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2377
-msgid ""
-"Rule syntax is controlled through the use of a subject, subject-id, "
-"resource, and action, as seen in this example rule:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2381
-#, no-wrap
-msgid "user:trhodes:maxproc:deny=10/user\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2386
-msgid ""
-"In this rule, the subject is `user`, the subject-id is `trhodes`, the "
-"resource, `maxproc`, is the maximum number of processes, and the action is "
-"`deny`, which blocks any new processes from being created. This means that "
-"the user, `trhodes`, will be constrained to no greater than `10` processes. "
-"Other possible actions include logging to the console, passing a "
-"notification to man:devd[8], or sending a sigterm to the process."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2390
-msgid ""
-"Some care must be taken when adding rules. Since this user is constrained "
-"to `10` processes, this example will prevent the user from performing other "
-"tasks after logging in and executing a `screen` session. Once a resource "
-"limit has been hit, an error will be printed, as in this example:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2396
-#, no-wrap
-msgid ""
-"% man test\n"
-" /usr/bin/man: Cannot fork: Resource temporarily unavailable\n"
-"eval: Cannot fork: Resource temporarily unavailable\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2400
-msgid ""
-"As another example, a jail can be prevented from exceeding a memory limit. "
-"This rule could be written as:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2404
-#, no-wrap
-msgid "# rctl -a jail:httpd:memoryuse:deny=2G/jail\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2408
-msgid ""
-"Rules will persist across reboots if they have been added to [.filename]#/"
-"etc/rctl.conf#. The format is a rule, without the preceding command. For "
-"example, the previous rule could be added as:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2413
-#, no-wrap
-msgid ""
-"# Block jail from using more than 2G memory:\n"
-"jail:httpd:memoryuse:deny=2G/jail\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2416
-msgid "To remove a rule, use `rctl` to remove it from the list:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2420
-#, no-wrap
-msgid "# rctl -r user:trhodes:maxproc:deny=10/user\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2424
-msgid ""
-"A method for removing all rules is documented in man:rctl[8]. However, if "
-"removing all rules for a single user is required, this command may be issued:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2428
-#, no-wrap
-msgid "# rctl -r user:trhodes\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2432
-msgid ""
-"Many other resources exist which can be used to exert additional control "
-"over various `subjects`. See man:rctl[8] to learn about them."
-msgstr ""
-
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2434
-#, no-wrap
-msgid "Shared Administration with Sudo"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2440
-msgid ""
-"System administrators often need the ability to grant enhanced permissions "
-"to users so they may perform privileged tasks. The idea that team members "
-"are provided access to a FreeBSD system to perform their specific tasks "
-"opens up unique challenges to every administrator. These team members only "
-"need a subset of access beyond normal end user levels; however, they almost "
-"always tell management they are unable to perform their tasks without "
-"superuser access. Thankfully, there is no reason to provide such access to "
-"end users because tools exist to manage this exact requirement."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2447
-msgid ""
-"Up to this point, the security chapter has covered permitting access to "
-"authorized users and attempting to prevent unauthorized access. Another "
-"problem arises once authorized users have access to the system resources. "
-"In many cases, some users may need access to application startup scripts, or "
-"a team of administrators need to maintain the system. Traditionally, the "
-"standard users and groups, file permissions, and even the man:su[1] command "
-"would manage this access. And as applications required more access, as more "
-"users needed to use system resources, a better solution was required. The "
-"most used application is currently Sudo."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2451
-msgid ""
-"Sudo allows administrators to configure more rigid access to system commands "
-"and provide for some advanced logging features. As a tool, it is available "
-"from the Ports Collection as package:security/sudo[] or by use of the man:"
-"pkg[8] utility. To use the man:pkg[8] tool:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2455
-#, no-wrap
-msgid "# pkg install sudo\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2459
-msgid ""
-"After the installation is complete, the installed `visudo` will open the "
-"configuration file with a text editor. Using `visudo` is highly recommended "
-"as it comes with a built in syntax checker to verify there are no errors "
-"before the file is saved."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2463
-msgid ""
-"The configuration file is made up of several small sections which allow for "
-"extensive configuration. In the following example, web application "
-"maintainer, user1, needs to start, stop, and restart the web application "
-"known as _webservice_. To grant this user permission to perform these "
-"tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2467
-#, no-wrap
-msgid "user1 ALL=(ALL) /usr/sbin/service webservice *\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2470
-msgid "The user may now start _webservice_ using this command:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2474
-#, no-wrap
-msgid "% sudo /usr/sbin/service webservice start\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2480
-msgid ""
-"While this configuration allows a single user access to the webservice "
-"service; however, in most organizations, there is an entire web team in "
-"charge of managing the service. A single line can also give access to an "
-"entire group. These steps will create a web group, add a user to this "
-"group, and allow all members of the group to manage the service:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2484
-#, no-wrap
-msgid "# pw groupadd -g 6001 -n webteam\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2487
-msgid ""
-"Using the same man:pw[8] command, the user is added to the webteam group:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2491
-#, no-wrap
-msgid "# pw groupmod -m user1 -n webteam\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2494
-msgid ""
-"Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member "
-"of the webteam group to manage _webservice_:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2498
-#, no-wrap
-msgid "%webteam ALL=(ALL) /usr/sbin/service webservice *\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2503
-msgid ""
-"Unlike man:su[1], Sudo only requires the end user password. This adds an "
-"advantage where users will not need shared passwords, a finding in most "
-"security audits and just bad all the way around."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2507
-msgid ""
-"Users permitted to run applications with Sudo only enter their own "
-"passwords. This is more secure and gives better control than man:su[1], "
-"where the `root` password is entered and the user acquires all `root` "
-"permissions."
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2515
-msgid ""
-"Most organizations are moving or have moved toward a two factor "
-"authentication model. In these cases, the user may not have a password to "
-"enter. Sudo provides for these cases with the `NOPASSWD` variable. Adding "
-"it to the configuration above will allow all members of the _webteam_ group "
-"to manage the service without the password requirement:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2519
-#, no-wrap
-msgid "%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *\n"
-msgstr ""
-
-#. type: Title ===
-#: documentation/content/en/books/handbook/security/_index.adoc:2524
-#, no-wrap
-msgid "Logging Output"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2531
-msgid ""
-"An advantage to implementing Sudo is the ability to enable session logging. "
-"Using the built in log mechanisms and the included sudoreplay command, all "
-"commands initiated through Sudo are logged for later verification. To "
-"enable this feature, add a default log directory entry, this example uses a "
-"user variable. Several other log filename conventions exist, consult the "
-"manual page for sudoreplay for additional information."
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2535
-#, no-wrap
-msgid "Defaults iolog_dir=/var/log/sudo-io/%{user}\n"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2544
-msgid ""
-"This directory will be created automatically after the logging is "
-"configured. It is best to let the system create directory with default "
-"permissions just to be safe. In addition, this entry will also log "
-"administrators who use the sudoreplay command. To change this behavior, "
-"read and uncomment the logging options inside [.filename]#sudoers#."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2548
-msgid ""
-"Once this directive has been added to the [.filename]#sudoers# file, any "
-"user configuration can be updated with the request to log access. In the "
-"example shown, the updated _webteam_ entry would have the following "
-"additional changes:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2552
-#, no-wrap
-msgid "%webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2556
-msgid ""
-"From this point on, all _webteam_ members altering the status of the "
-"_webservice_ application will be logged. The list of previous and current "
-"sessions can be displayed with:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2560
-#, no-wrap
-msgid "# sudoreplay -l\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2564
-msgid ""
-"In the output, to replay a specific session, search for the `TSID=` entry, "
-"and pass that to sudoreplay with no other options to replay the session at "
-"normal speed. For example:"
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2568
-#, no-wrap
-msgid "# sudoreplay user1/00/00/02\n"
-msgstr ""
-
-#. type: delimited block = 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2575
-msgid ""
-"While sessions are logged, any administrator is able to remove sessions and "
-"leave only a question of why they had done so. It is worthwhile to add a "
-"daily check through an intrusion detection system (IDS) or similar software "
-"so that other administrators are alerted to manual alterations."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2579
-msgid ""
-"The `sudoreplay` is extremely extendable. Consult the documentation for "
-"more information."
-msgstr ""
-
-#. type: Title ==
-#: documentation/content/en/books/handbook/security/_index.adoc:2581
-#, no-wrap
-msgid "Using doas as an alternative to sudo"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2584
-msgid ""
-"As an alternative to package:security/sudo[] package:security/doas[] can be "
-"used to provide the ability for users to get enhanced privileges."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2586
-msgid ""
-"The doas utility is available via the ports collection in package:security/"
-"doas[] or via the man:pkg[8] utility."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2588
-msgid ""
-"After the installation [.filename]#/usr/local/etc/doas.conf# must be "
-"configured to grant access for users for specific commands, or roles."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2590
-msgid ""
-"The simpliest entry could be the following, which grants local_user root "
-"permissions without asking for its password when executing the doas command."
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2594
-#, no-wrap
-msgid "permit nopass local_user as root\n"
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2597
-msgid "For more configuration examples, please read man:doas.conf[5]."
-msgstr ""
-
-#. type: Plain text
-#: documentation/content/en/books/handbook/security/_index.adoc:2599
-msgid ""
-"After the installation and configuration of the `doas` utility, a command "
-"can now be executed with enhanced privileges, like for example."
-msgstr ""
-
-#. type: delimited block . 4
-#: documentation/content/en/books/handbook/security/_index.adoc:2603
-#, no-wrap
-msgid "$ doas vi /etc/rc.conf\n"
-msgstr ""
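Review bot: this region drops the translatable strings for three whole subsections (the tail of the rctl material, "Shared Administration with Sudo" with its "Logging Output" subsection, and "Using doas as an alternative to sudo") without a corresponding `+` block visible in this part of the diff; please confirm in the commit description that the matching sections were removed or relocated in `_index.adoc` (the POT-Creation-Date bump suggests a regeneration from the source file), because if the regeneration ran against a stale or partial source, translators lose every msgid from `"Rules will persist across reboots..."` through `"$ doas vi /etc/rc.conf\n"`, including the security-relevant guidance on `NOPASSWD`, `LOG_INPUT:`/`LOG_OUTPUT:` session logging with `sudoreplay`, and the note about auditing session-log tampering with an IDS. If the content was intentionally moved elsewhere in the Handbook, a pointer to the new location (or the matching `+` hunk) in the commit message would make that verifiable for translation teams.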