Date: Sun, 27 Jul 2003 13:28:47 +0200 From: Socketd <db@traceroute.dk> To: freebsd-security@freebsd.org Subject: Re: suid bit files + securing FreeBSD (new program: LockDown) Message-ID: <20030727132847.5adc6b07.db@traceroute.dk> In-Reply-To: <20030726235710.GD4105@cirb503493.alcatel.com.au> References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Sun, 27 Jul 2003 09:57:10 +1000 Peter Jeremy <PeterJeremy@optushome.com.au> wrote: > > But what files REALLY MUST have it ? > > There's no simple answer to this. It's a matter of going through each > file with setuid (or setgid) set, understanding why that file has the > set[gu]id bit and whether you need that functionality. Robert Watson is going through all the setuid files, to see which really need to be setuid. In -CURRENT he has removed the setuid bit from quota. Anyway I have been thinking about writing a program to make the default installation (with "extreme" security) even more secure. I have attached the configuration file, it should explain what the program can do. (not one line of code have been written yet). Btw setting noexec and nosuid on a mount point is a little redundante right? I mean since the user can't execute files, there is no point in also setting nosuid? Best regards Socketd ps: Please remember that the LockDown configuration file is only version 0.1, so nothing is final. [-- Attachment #2 --] # Lockdown configuration file # You can freely add you own options by using the following keywords: # define="" _text_ Works like C/C++'s #define # rc_conf="" Means the text will be added to /etc/rc.conf # sysctl="" The text will be added to /etc/sysctl.conf # kern="" The text will be added to your kernel configuration file # mount="" The text will be added to /etc/fstab # login_class="" "" The text will be added to the specified login class # file _mode_ "" _flags_ Will give the file the mode _mode_ and flags _flags_ # openssh="" The text will be added to /etc/ssh/sshd_config # Lockdown will not simply add the text to the files, it will search # the file to see if the options is already there and change it if needed. # If no match is found the text will be added. # Please specify a file to add the kernel options to. kern_file="/usr/src/sys/i386/conf/LOCKDOWN" # When restricting access to suid, gid and information files, # we use "define" to set the file mode. You can also write # the mode directly pr file basic. define="noWorld" "0007" define="disable" "7777" # Here are some exsamples of how to use the file options: # file 0007 "/etc/rc.conf" # file noWorld "/etc/rc.conf" # file noWorld "/etc/rc.conf" "sappnd,schg" # define="logFile" "sappnd,schg" # file noWorld "/etc/rc.conf" LogFile #################### # Mounting options # #################### # If the mount point exists, mount it with the specified options. # Please remember that /tmp has to be executable to "make world" # and if you need to jail a process in a partition, don't mount it with "nodev" mount="/tmp" "noexec, nodev, nosymfollow" mount="/var/tmp" "noexec, nodev, nosymfollow" mount="/home" "nosuid, nodev" mount="/usr/home" "nosuid, nodev" mount="/var" "nosuid, nodev" mount="/var/mail" "noexec, nodev" ######################## # /etc/rc.conf options # ######################## # This will just add some options to /etc/rc.conf rc_conf="enable_sendmail="NONE"" rc_conf="kern_securelevel_enable="YES"" rc_conf="kern_securelevel="3"" rc_conf="clear_tmp_enable="YES"" #rc_conf="update_motd="NO"" rc_conf="syslogd_flags="-ss"" //Uncomment this if this is a log server ################## # Stealth server # ################## # If this is a log server, firewall or gateway you can put it into stealth mode. # This is NOT recommended for normal server use. # Note: For a stealthier server you should also block some icmp request like: # PING, kajsdkasdhlkad #rc_conf="tcp_drop_synfin="YES"" #sysctl="net.inet.tcp.blackhole=2" #sysctl="net.inet.udp.blackhole=1" #kern="options IPSTEALTH" #kern="options TCP_DROP_SYNFIN" ###################### # Networking options # ###################### rc_conf="icmp_drop_redirect="YES"" rc_conf="icmp_log_redirect="YES"" rc_conf="log_in_vain="YES"" kern="options RANDOM_IP_ID" openssh="AllowGroups wheel" openssh="Protocol 2" # Creates /etc/ftpwelcome and add "Banner /etc/warning" to openssh. /etc/warning is a symlink to /etc/ftpwelcome set_warning="Blah blah blah, some warning." ####################### # Login Class options # ####################### login_class="default" "minpasswordlen=8" login_class="default" "mixpasswordcase=true" login_class="default" "uname=077" # Add crypt_default=blf in /etc/auth.conf and passwd_format=blf to default login.class use_blowfish="YES" ############## # Root Login # ############## no_direct_root_login="YES" # Set tty* in /etc/ttys to insecure password_protect_singleuser_mode="YES" # Set console to insecure in /etc/ttys ##################### # Restrict the user # ##################### allow_cron="NO" allow_at="NO" sysctl="security.bsd.see_other_uids=0" # Use kern.ps_showallprocs for 4.X ################## # Kernel options # ################## kern="options SC_NO_HISTORY" # Don't keep history, so there can't be scrolled kern="options SC_DISABLE_REBOOT" # Disable ctrl+alt+del #kern="options SC_DISABLE_DDBKEY" # Uncomment if using the kernel debugger ################################# # Restrict access to suid files # ################################# file disable "/bin/rcp" file noWorld "/sbin/mksnap_ffs" file noWorld "/sbin/ping" file noWorld "/sbin/ping6" file noWorld "/sbin/shutdown" file noWorld "/usr/bin/at" file noWorld "/usr/bin/atq" file noWorld "/usr/bin/atrm" file noWorld "/usr/bin/batch" file noWorld "/usr/bin/chpass" file noWorld "/usr/bin/chfn" file noWorld "/usr/bin/chsh" file noWorld "/usr/bin/ypchpass" file noWorld "/usr/bin/ypchfn" file noWorld "/usr/bin/ypchsh" file noWorld "/usr/bin/lock" file noWorld "/usr/bin/login" file noWorld "/usr/bin/opieinfo" file noWorld "/usr/bin/opiepasswd" file noWorld "/usr/bin/passwd" file noWorld "/usr/bin/yppasswd" file noWorld "/usr/bin/quota" file disable "/usr/bin/rlogin" file disable "/usr/bin/rsh" file noWorld "/usr/bin/su" file noWorld "/usr/bin/crontab" file noWorld "/usr/bin/lpq" file noWorld "/usr/bin/lpr" file noWorld "/usr/bin/lprm" file noWorld "/usr/libexec/pt_chown" file noWorld "/usr/sbin/mrinfo" file noWorld "/usr/sbin/mtrace" file noWorld "/usr/sbin/sliplogin" file noWorld "/usr/sbin/timedc" file noWorld "/usr/sbin/traceroute" file noWorld "/usr/sbin/traceroute6" file noWorld "/usr/sbin/ppp" file noWorld "/usr/sbin/pppd" ################################ # Restrict access to gid files # ################################ file noWorld "/usr/bin/fstat" file noWorld "/usr/bin/netstat" file noWorld "/usr/bin/vmstat" file noWorld "/usr/bin/wall" file noWorld "/usr/bin/write" file noWorld "/usr/bin/lpq" file noWorld "/usr/bin/lpr" file noWorld "/usr/bin/lprm" file noWorld "/usr/libexec/sendmail/sendmail" file noWorld "/usr/sbin/trpt" file noWorld "/usr/sbin/lpc" ######################################## # Restrict access to information files # ######################################## # if you change permissions on files also listed in /etc/newsyslog.conf, # Lockdown will also adjust /etc/newsyslog.conf accordingly file noWorld "/sbin/sysctl" file noWorld "/usr/bin/uname" file noWorld "/sbin/kldstat" #file noWorld "/usr/bin/netstat" #Uncomment if using 4.X file noWorld "/sbin/route" file noWorld "/usr/sbin/arp" file noWorld "/sbin/dmesg" file noWorld "/var/run/dmesg.boot" file noWorld "/etc/hosts" file noWorld "/etc/fstab" file noWorld "/etc/ssh/sshd_config" file noWorld "/etc/crontab" file noWorld "/etc/ftpusers" file noWorld "/etc/hosts.allow" file noWorld "/etc/host.conf" file noWorld "/etc/hosts.equiv" file noWorld "/etc/hosts.lpd" file noWorld "/etc/inetd.conf" file noWorld "/etc/login.access" file noWorld "/etc/login.conf" file noWorld "/etc/sysctl.conf" file noWorld "/etc/syslog.conf" file noWorld "/etc/ttys" file noWorld "/etc/rc.conf" file noWorld "/etc/mac.conf" file noWorld "/etc/group" file noWorld "/etc/passwd" file noWorld "/etc/newsyslog.conf" file 0007 "/etc/periodic/" file 0007 "/var/db/pkg/" file noWorld "/usr/sbin/pkg_version" file noWorld "/usr/sbin/pkg_info" file noWorld "/usr/bin/last" file noWorld "/usr/sbin/lastlogin" file noWorld "/sbin/ipfw" file noWorld "/sbin/mount" file noWorld "/usr/bin/users" file noWorld "/usr/bin/w" file noWorld "/usr/bin/who" file noWorld "/usr/bin/lastcomm" file noWorld "/usr/sbin/jls"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030727132847.5adc6b07.db>