Date:      Fri, 17 Apr 1998 10:55:57 +0200
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <19980417105557.59439@deepo.prosa.dk>
In-Reply-To: <Pine.BSF.3.96.980417013537.8952E-100000@trojanhorse.pr.watson.org>; from Robert Watson on Fri, Apr 17, 1998 at 01:45:29AM -0400
References:  <199804170519.WAA12540@burka.rdy.com> <Pine.BSF.3.96.980417013537.8952E-100000@trojanhorse.pr.watson.org>

Robert Watson writes:

> Hardening Project.  What I have in mind is a port in the ports collection
> that would "harden" the default FreeBSD base installation.  It would apply
> schg flags, remove unnecessary read/write/etc access from standard
> binaries and config files, disable most daemons and inetd.conf entries,
> install a more-than-minimal ipfw config, perhaps enable some kernel
> settings, etc.  

	I'm all for this, and would be willing to test it.
	While you're at it:

	- include the hardening to _removing_ certain syscalls from the kernel
	  (see below)
	- you could use the "ugly" dialog lib. to make a nice menu selection 
	  (like the GS port) to enable/disable features:


  [ ] Standard (definition)
  [ ] Paranoid (definition)
  [ ] X-Files
  [X] Custom
    [ ] Make kernel unreadable to world  :-)
    [X] Append-only /var ?

	[...]

> The goal would be to move from an "open" system to one
> that might be more appropriate for a router or firewall machine in a less
> friendly network environment.  For the paranoid, of course, it would be
> appropriate for every-day use :).

	Yep.

> Does this seem like an interesting or useful proposal?  When setting up a
> proxy server, I really want a minimal feature set enabled, although having
> the standard toolset available is always useful.  The proxy user, however,
> should not even be able to send packets on irregular ports, and would be
> restricted by ipfw.  Similarly, use of secure levels would allow us to
> significantly reduce the effects of any kind of compromise.

	Suggestion:  how difficult would it be to have ipfw(8) respect
	the securelevel to, for example, refuse to flush / alter
	the ipfw list ?

	i.e.: all mods have to be tested before the securelevel is raised,
	and once it is, only rebooting into single user on the console
	allows you to change the filters.

> Some other thoughts I had were instructions for rolling a custom system CD
> + possibly a boot disk to create read-only machines for use as proxy
> servers or routers.  Swap + MFS would be the only writable areas of the
> system, and neither of those would persist over boot.

	We need a write-protect notch on the hard-disks :-)

> environment.  A number of the large scale UNIX machines I have seen go so
> far as to disable all setuid utilities (other than su) to prevent
> unauthorized use of the system.  

	Some off-the-shelf firewall packages, like BorderWare (based on BSDi)
	use a dual-kernel approach:

	- an operational, network-aware kernel stripped of suspect
	  system calls (particularly the *id stuff)
	- a fully functional "single-user" kernel with NO networking
	  to do the maintenance.

	This is a tad straitjacketed, but you get the idea (I hope).

> Anyhow, if there is sufficient interest in the project, I'd like to try
> and get it off the ground.  Presumably, some changes might work their way
> back into the default distribution.  If we lose no significant
> functionality, it cannot hurt to restrict privileges.  It may help us
> when those unpredicted vulnerabilities do turn up.  

	Better than a port: a separate set of tarballs in the dist:

	harden.aa
	harden.ab ...

	?  Anti-bloatists oblige.

-- 
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
     «Pluto placed his bad dog at the entrance of Hades to keep the dead
	    IN and the living  OUT!  The archetypical corporate firewall?»
                      - S. Kelly Bootle, ("MYTHOLOGY", in Marutukku distrib)
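
An added example, not code from this thread or from any FreeBSD port, sketching the kind of hardening pass Robert proposes and the securelevel ordering Philippe asks for, written for /bin/sh. It comments out inetd.conf entries outside an allowlist, takes world access away from config files, and sets the schg flag on a list of targets; it refuses that last step once kern.securelevel is 1 or higher, because from then on the flag could only be cleared by rebooting to single user, so the pass has to be rehearsed and verified first. ROOT, DRY_RUN, KEEP_INETD and SCHG_TARGETS are assumptions of the example; the service allowlist and target list are constructed, not taken from any distribution.

```shell
#!/bin/sh
# Added example (not from the thread or from any FreeBSD port): a small,
# idempotent hardening pass in POSIX sh. It works under a root prefix so it can
# be rehearsed on a scratch copy, and DRY_RUN=1 reports without changing anything.
ROOT="${ROOT:-/}"
DRY_RUN="${DRY_RUN:-0}"
KEEP_INETD="${KEEP_INETD:-ssh}"        # constructed allowlist of inetd services
SCHG_TARGETS="kernel bin/sh sbin/init usr/bin/su etc/inetd.conf"   # constructed list

# Comment out every active inetd.conf entry whose service is not in KEEP_INETD.
# Already-commented and blank lines pass through, so a second run disables nothing.
# Prints the number of entries disabled.
disable_inetd_services() {
    conf="$1"; n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" ;;
            *)
                set -f; set -- $line; set +f     # $1 is now the service name
                keep=0
                for k in $KEEP_INETD; do [ "$1" = "$k" ] && keep=1; done
                if [ "$keep" -eq 1 ]; then
                    printf '%s\n' "$line"
                else
                    printf '#%s\n' "$line"; n=$((n + 1))
                fi ;;
        esac
    done < "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    echo "$n"
}

# Take read/write/execute away from "other" on each existing file given.
# Prints the number of files touched.
restrict_world_access() {
    n=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        [ "$DRY_RUN" = 1 ] || chmod o-rwx "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# At securelevel 1 and above the kernel refuses to clear schg/sappnd, so a
# mistaken flag can only be undone from single-user mode. Succeeds (exit 0)
# only while the level still allows clearing.
securelevel_allows_flag_clear() {
    [ "$1" -le 0 ]
}

# Set the system-immutable flag on the targets that exist under $ROOT.
# $1 is the current kern.securelevel. Prints the files flagged (or, in
# dry-run, the files that would be); refuses once clearing is no longer possible.
apply_schg() {
    level="$1"
    if ! securelevel_allows_flag_clear "$level"; then
        echo "refusing: at securelevel $level schg could not be cleared again" >&2
        return 1
    fi
    for t in $SCHG_TARGETS; do
        f="$ROOT/$t"
        [ -e "$f" ] || continue
        [ "$DRY_RUN" = 1 ] || chflags schg "$f"
        echo "$f"
    done
}

# Run the whole pass against $ROOT; $1 is the current kern.securelevel.
harden() {
    conf="$ROOT/etc/inetd.conf"
    echo "inetd entries disabled: $(disable_inetd_services "$conf")"
    echo "files closed to world: $(restrict_world_access "$conf" "$ROOT/etc/rc.firewall")"
    echo "schg applied to:"
    apply_schg "$1"
}

# Usage: ROOT=/mnt/scratch DRY_RUN=1 sh harden.sh run "$(sysctl -n kern.securelevel)"
if [ "${1-}" = run ]; then harden "${2:-0}"; fi
```

The ordering matters: run the pass, check the result, and only then raise the securelevel, since after that point the immutable flags (and, if ipfw honoured the securelevel as suggested above, the filter list) can only be changed by rebooting to single user on the console.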
