Hi,

I just want to say that those security measures you describe here don't
improve the security for every user or use case. Everybody should know exactly
what he is doing before enabling or changing them. I think if you use such
security measures you had better be able to help yourself if you have
problems. Not every knob is meant to be pressed by a user, the system can get
unstable.

I'm writing this because this is misc@ and I think the title of your mail could
confuse users without a deep understanding of the system. They could even end
up with a less secure system because of workarounds they use to get back some
convenience they lost due to some "security" measures they implemented which
they don't fully understand.

But it's interesting to see how people try to improve their security, so please
go on collecting ideas.

BR
Simon


2016-10-14 9:21 GMT+02:00, Peter Janos <peterjan...@mail.com>:
> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> is set, but if the feature is not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if
> not, please say/argue!):
>
> ==================================================================
> ln -s GJU /etc/malloc.conf
> ==================================================================
> Remove wxallowed from /etc/fstab
> ==================================================================
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==================================================================
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==================================================================
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==================================================================
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==================================================================
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==================================================================
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==================================================================
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==================================================================
> If using X (so desktop) only use dangerous software (web browser, any
> viewer software: pdf, video, audio, torrent client, etc.) with another
> (limited) user!
> ==================================================================
>
> The purpose of this mail is to find more... what are the other security
> features that are disabled in the default install?
>
> -----
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during
> install and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 20000000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X
> is ex.: 2...
>
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -----
>
> Many thanks.
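
A read-only way to review the mount-option items from the quoted list (wxallowed, nosuid, nodev, noexec, read-only filesystems) before changing anything, as an added example that is not part of either mail. The function names and the sample fstab are constructed for illustration; the script only reports, and whether a listed option is appropriate depends on what the filesystem is used for.

```shell
#!/bin/sh
# Added example: report fstab mount options, change nothing.
# Real use (assumed invocation): audit_fstab < /etc/fstab

# Constructed sample in OpenBSD fstab layout (not taken from the thread).
sample_fstab() {
    cat <<'EOF'
# device            mountpoint fstype options             dump pass
52fdd1ce48744600.a  /          ffs    rw                     1 1
52fdd1ce48744600.b  none       swap   sw
52fdd1ce48744600.d  /tmp       ffs    rw,nodev,nosuid        1 2
52fdd1ce48744600.f  /usr/local ffs    rw,wxallowed,nodev     1 2
52fdd1ce48744600.e  /home      ffs    rw,nodev,nosuid,noexec 1 2

52fdd1ce48744600.g  /usr       ffs    ro,nodev               1 2
EOF
}

# has_opt OPTIONS NAME: succeeds if NAME is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads fstab text on stdin, prints one report line per mounted filesystem.
audit_fstab() {
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while read -r dev mnt fstype opts rest || [ -n "$dev" ]; do
        case "$dev" in ''|'#'*) continue ;; esac    # blank lines, comments
        [ "$fstype" = "swap" ] && continue          # swap is never mounted
        [ -n "$opts" ] || continue                  # malformed line
        lacks=""
        for o in nosuid nodev noexec; do
            has_opt "$opts" "$o" || lacks="$lacks $o"
        done
        flags=""
        has_opt "$opts" wxallowed && flags="$flags wxallowed"
        has_opt "$opts" ro || flags="$flags writable"
        printf '%s lacks:%s flags:%s\n' "$mnt" "${lacks:- none}" "${flags:- none}"
    done
}

sample_fstab | audit_fstab
```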
