From d3fd9226e0695560a8155f899b0a4dfc095f3155 Mon Sep 17 00:00:00 2001 From: Xavier Beaudouin Date: Thu, 8 Aug 2024 16:43:40 +0200 Subject: [PATCH] Update --- freebsd-cis.md | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/freebsd-cis.md b/freebsd-cis.md index 28a89d7..7e51039 100644 --- a/freebsd-cis.md +++ b/freebsd-cis.md @@ -9,6 +9,17 @@ colorlinks: true toc: true toc-own-page: true titlepage: true +header-includes: +- | + ```{=latex} + \usepackage{awesomebox} + ``` +pandoc-latex-environment: + noteblock: [note] + tipblock: [tip] + warningblock: [warning] + cautionblock: [caution] + importantblock: [important] ... # Introduction @@ -59,9 +70,9 @@ done; ``` -# Chapter1. Patches and basic firewall +# Chapter 1. Patches and basic firewall -## Apply the latest OS patches +## 1.1. Apply the latest OS patches *Action:* @@ -81,7 +92,7 @@ freebsd-update install If output says `Run 'freebsd-update [options] fetch' first`, you will *NOT* need to reboot again your server. -## Enable SSH +## 1.2. Enable SSH *Action:* @@ -97,13 +108,13 @@ this package when the server starts. It will generate the first start of SSH the server public keys. -## Enable Firewall +## 1.3. Enable Firewall TODO: Do / Or not ? `pf` or `ipfw` ? # Chapter 2. Minimise boot services -## Set password on single user consoles +## 2.1. Set password on single user consoles *Action:* @@ -124,7 +135,7 @@ will need to have a root password set, otherwise and in case of failure to boot your system will be lost (for example, if root access can be given _only_ with `sudo` or `doas`). -## Set daemon umask +## 2.2. Set daemon umask *Action:* 
@@ -144,13 +155,13 @@ current `umask` settings. To modify any `umask` setting which differs from the a sed -i .pre -e 's/XXX/022/g' FILE ``` -Where `XXX` is the current umask setting and `FILEi` is the file with the offending `umask` setting. +Where `XXX` is the current umask setting and `FILE` is the file with the offending `umask` setting. -## Prevent `syslogd` from accepting messages from the network +## 2.3. Prevent `syslogd` from accepting messages from the network *Question:* -/Is this machine a log server or does it, for any reason, need to receive messages from other machines over the network?/ +Is this machine a log server or does it, for any reason, need to receive messages from other machines over the network? *Action:* @@ -168,11 +179,11 @@ The current action disable *also* the ability to send syslog into a central serv sysrc syslogd_flags="-s" ``` -## Disable `sendmail` server if possible +## 2.4. Disable `sendmail` server if possible *Question:* -/Is this server is an email server or relay for others hosts on the network or over in the Internet?/ +Is this server is an email server or relay for others hosts on the network or over in the Internet? *Action:* @@ -189,3 +200,6 @@ FreeBSD offers the ability to disable `sendmail` from listening for remote netwo Notice if you need to forward local mail into a central hub, you can use the `dma` agent on FreeBSD 14+ or use `mail/ssmtp` package instead. + + +
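
Review bot: the `pandoc-latex-environment:` mapping added to the front matter in the `@@ -9,6 +9,17 @@` hunk only takes effect when pandoc is run with the `pandoc-latex-environment` filter, and nothing in this patch records that requirement or the new dependency on the LaTeX `awesomebox` package. Add a short build note naming both, so the PDF can be rebuilt from a clean checkout. No other hunk in this patch uses a `note`, `tip`, `warning`, `caution` or `important` block, so the mapping is unused as of this commit.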
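
Review bot: the section numbers typed into the headings from the `@@ -59,9 +70,9 @@` hunk onward (`## 1.1.` through `## 2.4.`) have to be renumbered by hand whenever a section is inserted or moved. Consider letting pandoc number the sections (`--number-sections`) and keeping the heading text free of numbers, or state in the introduction that the numbers are maintained manually.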
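
Review bot: `## 1.3. Enable Firewall` in the `@@ -97,13 +108,13 @@` hunk now carries a section number, but its body is still the unresolved TODO line asking whether to use `pf` or `ipfw`. A numbered section in a hardening guide reads as finished; either decide and write the action, or mark the section as a draft until it has content.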
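
Review bot: the context command `sed -i .pre -e 's/XXX/022/g' FILE` in the `@@ -144,13 +155,13 @@` hunk replaces every occurrence of those three digits in the file, not only the ones on `umask` lines, so fixing the `FILEi` typo leaves the instruction itself imprecise. While this paragraph is being touched, anchor the pattern to the umask statement, for example `s/umask XXX/umask 022/`, and tell the reader to diff `FILE` against the `FILE.pre` backup afterwards.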
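
Review bot: in the `@@ -168,11 +179,11 @@` hunk the context sentence says the action also disables sending syslog to a central server, but the command shown is `sysrc syslogd_flags="-s"`; per FreeBSD's syslogd(8), a single `-s` only stops messages from remote machines being logged, and it is `-ss` that opens no network socket and therefore also disables logging to remote hosts. Make the command and the warning agree. The question line rewritten in this hunk also still reads "Is this server is an email server or relay for others hosts on the network or over in the Internet?"; since the line is being changed anyway, correct it to "Is this server an email server or relay for other hosts on the network or on the Internet?".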
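
Review bot: the `@@ -189,3 +200,6 @@` hunk appends three empty lines to the end of `freebsd-cis.md` and changes nothing else. Drop it so the file ends with a single newline.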