Xavier Beaudouin
2024-08-08 16:43:40 +02:00
parent 0ad106cdc8
commit d3fd9226e0

@ -9,6 +9,17 @@ colorlinks: true
toc: true toc: true
toc-own-page: true toc-own-page: true
titlepage: true titlepage: true
header-includes:
- |
```{=latex}
\usepackage{awesomebox}
```
pandoc-latex-environment:
noteblock: [note]
tipblock: [tip]
warningblock: [warning]
cautionblock: [caution]
importantblock: [important]
... ...
# Introduction # Introduction
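Review bot: the `pandoc-latex-environment:` mapping added at the end of the front matter has no effect unless pandoc is run with the pandoc-latex-environment filter, and nothing in this hunk documents that new build dependency or the need for the LaTeX `awesomebox` package. Suggest adding a short comment in the front matter or a build note naming both requirements, so a PDF build on a clean machine does not silently drop the `note`, `tip`, `warning`, `caution` and `important` boxes or fail on the `\usepackage{awesomebox}` line.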
@ -61,7 +72,7 @@ done;
# Chapter 1. Patches and basic firewall # Chapter 1. Patches and basic firewall
## Apply the latest OS patches ## 1.1. Apply the latest OS patches
*Action:* *Action:*
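Review bot: the new heading `## 1.1. Apply the latest OS patches` hard-codes the section number, and the same pattern is repeated in every later hunk (1.2, 1.3, 2.1 to 2.4). Hand-written numbers have to be renumbered whenever a section is inserted or moved, and they will be doubled if pandoc section numbering is ever switched on. Consider letting pandoc number the sections (`numbersections: true` in the front matter) and dropping the manual prefixes, including the `Chapter N.` ones, or state in the contributor notes that numbering is maintained by hand.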
@ -81,7 +92,7 @@ freebsd-update install
If output says `Run 'freebsd-update [options] fetch' first`, you will If output says `Run 'freebsd-update [options] fetch' first`, you will
*NOT* need to reboot again your server. *NOT* need to reboot again your server.
## Enable SSH ## 1.2. Enable SSH
*Action:* *Action:*
@ -97,13 +108,13 @@ this package when the server starts. It will generate the first start
of SSH the server public keys. of SSH the server public keys.
## Enable Firewall ## 1.3. Enable Firewall
TODO: Do / Or not ? `pf` or `ipfw` ? TODO: Do / Or not ? `pf` or `ipfw` ?
# Chapter 2. Minimise boot services # Chapter 2. Minimise boot services
## Set password on single user consoles ## 2.1. Set password on single user consoles
*Action:* *Action:*
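Review bot: `## 1.3. Enable Firewall` now gets a section number, but its body is still only `TODO: Do / Or not ? `pf` or `ipfw` ?`, so the chapter titled "Patches and basic firewall" ships a numbered section with no firewall guidance. Either resolve the TODO before numbering it, or mark the section clearly as a draft so readers following the checklist do not assume the step is intentionally empty.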
@ -124,7 +135,7 @@ will need to have a root password set, otherwise and in case of failure to boot
your system will be lost (for example, if root access can be given _only_ with your system will be lost (for example, if root access can be given _only_ with
`sudo` or `doas`). `sudo` or `doas`).
## Set daemon umask ## 2.2. Set daemon umask
*Action:* *Action:*
@ -144,13 +155,13 @@ current `umask` settings. To modify any `umask` setting which differs from the a
sed -i .pre -e 's/XXX/022/g' FILE sed -i .pre -e 's/XXX/022/g' FILE
``` ```
Where `XXX` is the current umask setting and `FILEi` is the file with the offending `umask` setting. Where `XXX` is the current umask setting and `FILE` is the file with the offending `umask` setting.
## Prevent `syslogd` from accepting messages from the network ## 2.3. Prevent `syslogd` from accepting messages from the network
*Question:* *Question:*
/Is this machine a log server or does it, for any reason, need to receive messages from other machines over the network?/ Is this machine a log server or does it, for any reason, need to receive messages from other machines over the network?
*Action:* *Action:*
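Review bot: the unchanged command `sed -i .pre -e 's/XXX/022/g' FILE` next to the fixed `FILE` sentence replaces every occurrence of the three digits in the file, not only the one on the `umask` line, so a value such as `027` appearing elsewhere in a startup script would be rewritten as well. Since this hunk already touches the explanation, consider tightening the pattern to match the `umask` statement only (for example `s/umask XXX/umask 022/`) and telling the reader to diff against the `.pre` backup. Minor: the question line lost its `/.../` markers without gaining Markdown emphasis, while the document uses `_only_` for emphasis elsewhere; `_..._` would keep the questions visually distinct.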
@ -168,11 +179,11 @@ The current action disable *also* the ability to send syslog into a central serv
sysrc syslogd_flags="-s" sysrc syslogd_flags="-s"
``` ```
## Disable `sendmail` server if possible ## 2.4. Disable `sendmail` server if possible
*Question:* *Question:*
/Is this server is an email server or relay for others hosts on the network or over in the Internet?/ Is this server is an email server or relay for others hosts on the network or over in the Internet?
*Action:* *Action:*
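Review bot: the context in this hunk's header says the action "disable *also* the ability to send syslog into a central serv…", but the command shown is `sysrc syslogd_flags="-s"`. On FreeBSD, a single `-s` only stops syslogd from accepting messages from remote machines; it is `-ss` that opens no network socket at all and therefore also disables forwarding to a remote log host. The text and the flag should be made to agree, either by changing the warning or by using `-ss` if that is the intended hardening. Separately, the rewritten question on the 2.4 line still reads "Is this server is an email server or relay for others hosts on the network or over in the Internet?"; suggest "Is this server an email server or relay for other hosts on the network or on the Internet?".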
@ -189,3 +200,6 @@ FreeBSD offers the ability to disable `sendmail` from listening for remote netwo
Notice if you need to forward local mail into a central hub, you can use the `dma` agent on FreeBSD 14+ or use `mail/ssmtp` package instead. Notice if you need to forward local mail into a central hub, you can use the `dma` agent on FreeBSD 14+ or use `mail/ssmtp` package instead.