Hello,

I know some features that can give additional security aren't turned on
because of the bad quality of the code in ports, and some also decrease
performance (or disable a feature, e.g. screenlock doesn't work if nosuid is
set, but if that feature isn't used, nosuid can be used).

I only know about these "security hardenings"; hopefully all are ok (if not,
please say/argue!):
 
==================================================================
ln -s GJU /etc/malloc.conf
==================================================================
Remove wxallowed from /etc/fstab
==================================================================
echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
==================================================================
Remove all SUID and SGID permissions, and all filesystems must have "nosuid".
==================================================================
Add noexec, nodev where you can in fstab, but they can be bypassed.
==================================================================
All filesystems that are only modified during software install and removal
need to be read-only.
They should only be rw while software install/removal happens.
==================================================================
Remove all files that are not needed for the machine to operate/do its
purpose.
==================================================================
echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
==================================================================
Make as many files immutable with "chflags schg filenamehere" as you can.
==================================================================
If using X (so desktop), only use dangerous software (web browser, any viewer
software: pdf, video, audio, torrent client, etc.) as another (limited)
user!
==================================================================
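The script below is an added example, not part of the original mail and not OpenBSD's own tooling. It audits three of the items in the list above against constructed input: an fstab excerpt (the DUID and mount layout are made up), a scratch directory scanned for setuid/setgid files, and a malloc.conf symlink whose target is checked for the G, J and U flags. Function names, the sample fstab and the scratch file names are assumptions made for this illustration; the fstab parser also accepts a real /etc/fstab on stdin.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a few of the listed
# hardenings against constructed input. Function names, the sample fstab
# and the scratch files are assumptions made for this illustration.

# Constructed OpenBSD-style fstab excerpt; the DUID is made up.
SAMPLE_FSTAB='1234abcd5678ef90.b none swap sw
1234abcd5678ef90.a / ffs rw 1 1
1234abcd5678ef90.d /tmp ffs rw,nodev,nosuid 1 2
1234abcd5678ef90.e /usr ffs rw,nodev 1 2
1234abcd5678ef90.f /usr/local ffs rw,wxallowed,nodev 1 2
1234abcd5678ef90.g /home ffs rw,nodev,nosuid 1 2'

# fstab_findings: read fstab lines on stdin and print one finding per line:
# a mount with wxallowed set, or a mount lacking one of nosuid/nodev/noexec.
# Blank lines, comments and swap entries are skipped.
fstab_findings() {
    while read -r dev mnt type opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$type" in swap) continue ;; esac
        case ",$opts," in
            *,wxallowed,*) echo "$mnt: wxallowed set (W^X enforcement relaxed here)" ;;
        esac
        for want in nosuid nodev noexec; do
            case ",$opts," in
                *,"$want",*) ;;
                *) echo "$mnt: missing $want" ;;
            esac
        done
    done
}

# fstab_finding_count: number of findings for SAMPLE_FSTAB (10 for the sample).
fstab_finding_count() {
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_findings | wc -l | tr -d ' '
}

# suid_sgid_files: list regular files under $1 carrying the setuid or setgid
# bit, i.e. the candidates to review before mounting everything nosuid.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# malloc_conf_missing: print which of the requested malloc flags ($2, e.g. GJU)
# are absent from the symlink target at $1 (all of them if the link is absent).
malloc_conf_missing() {
    target=$(readlink "$1" 2>/dev/null) || target=""
    for flag in $(printf '%s' "$2" | sed 's/./& /g'); do
        case "$target" in
            *"$flag"*) ;;
            *) printf '%s' "$flag" ;;
        esac
    done
    echo
}

# Demo run on the constructed fstab; the other two checks need a real path.
printf '%s\n' "$SAMPLE_FSTAB" | fstab_findings
```

Run it with `sh` on any POSIX system; `suid_sgid_files /usr/local` and `malloc_conf_missing /etc/malloc.conf GJU` are the calls you would point at a real host. The root filesystem shows up as "missing nosuid" because the list above asks for nosuid everywhere; whether that is workable on a given machine is exactly the trade-off the mail describes.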

The purpose of this mail is to find more: what are the other security features
that are disabled in the default install?
 
-----
PS: it would be nice to have a feature in the default installer to install
with full disk encryption :) we still have to escape to a shell during install,
e.g.:

install60.iso
(S)hell
dmesg | grep MB # or: sysctl hw.disknames
dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
fdisk -iy sd0
disklabel -E sd0
a a
enter
enter
RAID
w
q
bioctl -c C -l /dev/sd0a -r 20000000 softraid0
# use a random high iteration number x > 10 000 000
exit
Start the install to the newly created bioctl/crypto RAID device: sdX, where X is
e.g. 2.

with a random (but very high) iteration number; AFAIK the iteration count only
matters when typing in the password, and a much higher iteration count would
slow down brute-force attackers.
-----

Many thanks.
