Update

README.md

@@ -1,3 +1,4 @@
 # freebsd-cis
 
-CIS FreeBSD
+CIS FreeBSD
+

build.sh

@@ -0,0 +1 @@
+pandoc "freebsd-cis.md" -o "freebsd-cis.pdf" --from markdown --template "../pandoc-latex-template/eisvogel.tex" --listings

freebsd-cis.md

@@ -0,0 +1,205 @@
+---
+title: "FreeBSD Security Guide"
+author: [Xavier Beaudouin, Klara Systems]
+date: "2024-08-08"
+keywords: [FreeBSD, security]
+book: true
+lang: "en"
+colorlinks: true
+toc: true
+toc-own-page: true
+titlepage: true
+header-includes:
+- |
+  ```{=latex}
+  \usepackage{awesomebox}
+  ```
+pandoc-latex-environment:
+  noteblock: [note]
+  tipblock: [tip]
+  warningblock: [warning]
+  cautionblock: [caution]
+  importantblock: [important]
+...
+
+# Introduction
+
+This guide has been written to update the CIS FreeBSD Benchmark guide
+uppon request from some Klara Systems customers.
+
+## FreeBSD version supported by this guide
+
+This guide assume you currently use FreeBSD 13.x or earlier. FreeBSD < 13.x
+is not covered by this guide and the actions listed here *may* not works
+as expected.
+
+## Root Shell Environment Assumed
+
+The action listed in this document are written with the assumption they
+will be executed by the  `root` user using the default shell on FreeBSD
+13.x or 14.x and without `noclobber` set.
+
+## Executing Actions
+
+The actions listed in this document are written with assumption that they
+will be executed in the order presented here. Some actions may need to be
+modified if the order is changed. Actions are written so they may be copied
+directly from this document into a `root` shell window with a "cut-and-paste"
+operation.
+
+## Reboot Required
+
+Rebooting the sytems is required after completing all of the acctions below
+in order do complete the re-configuration of the system. In many cases, the 
+changes made in the steps below will not take effect until reboot is 
+performed.
+
+## Backup Key Files
+
+Before performing the steps of this document, it is a good idea to make
+backup copies of critical configurations files that may get modified by 
+various items:
+
+```shell
+cp -r /etc /etc.old
+mv /etc/rc.conf /etc/rc.conf.pre
+for x in hostname dhclient firewall \
+filter pf route gateway atm static ifconfig;
+do grep $x /etc/rc.conf.pre >> /etc/rc.conf;
+done;
+```
+
+
+# Chapter 1. Patches and basic firewall
+
+## 1.1. Apply the latest OS patches
+
+*Action:*
+
+Update to latest patchlevel of FreeBSD version:
+
+```shell
+freebsd-update fetch && freebsd-update install && reboot
+```
+
+`freebsd-update` _may_ ask you to do again an `install` after rebooting the 
+server:
+
+```shell
+freebsd-update install
+```
+
+If output says `Run 'freebsd-update [options] fetch' first`, you will 
+*NOT* need to reboot again your server.
+
+## 1.2. Enable SSH
+
+*Action:*
+
+
+```shell
+sysrc sshd_enable="YES"
+```
+
+*Discussion:*
+
+FreeBSD include `OpenSSH` in the base system. The command permit to start
+this package when the server starts. It will generate the first start
+of SSH the server public keys.
+
+
+## 1.3. Enable Firewall
+
+TODO: Do / Or not ? `pf` or `ipfw` ?
+
+# Chapter 2. Minimise boot services
+
+## 2.1. Set password on single user consoles
+
+*Action:*
+
+```shell
+awk '($1 == "console") { $5 = "insecure" } { print }' /etc/ttys > /etc/ttys.new
+mv /etc/ttys.new /etc/ttys
+```
+
+*Dicussion:*
+
+When system is rebooted due to power failure or otherwise, administrators can
+issue `-s` flag to cause single user mode boot (or choose on the FreeBSD 
+boot menu). When the system boots into single user mode, they get prompted with
+unprotected root shell. So to protect system from unauthorized access in manner,
+the obove command sets the console to insecure, ultimately requiring `root` 
+password to be entered before the system may be accessed. *NOTICE* you
+will need to have a root password set, otherwise and in case of failure to boot
+your system will be lost (for example, if root access can be given _only_ with
+`sudo` or `doas`).
+
+## 2.2. Set daemon umask
+
+*Action:*
+
+```shell
+find /etc/ /usr/local/etc/rc.d/ | xargs grep 'umask'
+```
+
+*Discussion:*
+
+All daemons should run with an `022` umask setting, this will prevent their
+processes from creating world-writable files by default.
+The default setting for FreeBSD is always `022`, and in some extremely rare cases
+(such as scripts in the `/etc/periodic` directory or `/etc/rc.d/random`) the more restrictive `077 umaski` will be used. The commands above will reveal all
+current `umask` settings. To modify any `umask` setting which differs from the above, issue the following command:
+
+```shell
+sed -i .pre -e 's/XXX/022/g' FILE
+```
+
+Where `XXX` is the current umask setting and `FILE` is the file with the offending `umask` setting.
+
+## 2.3. Prevent `syslogd` from accepting messages from the network
+
+*Question:*
+
+Is this machine a log server or does it, for any reason, need to receive messages from other machines over the network?
+
+*Action:*
+
+```shell
+sysrc syslogd_flags="-ss"
+```
+
+*Discussion:*
+
+By default, the system logging daemon known as  `syslogd` will listen for log
+messages on port 514/udp. This is done without any authentication and thus is susceptible to denial of service attacks. A malicious user may also abuse this ability to fill up log files to such an extent that subsequent attacks may either unnoticeable or not logged at all. It maybe used also to send unwanted UDP traffic for a DDoS. 
+The current action disable *also* the ability to send syslog into a central server. If this is /needed/ you may use the following *instead*:
+
+```shell
+sysrc syslogd_flags="-s"
+```
+
+## 2.4. Disable `sendmail` server if possible
+
+*Question:*
+
+Is this server is an email server or relay for others hosts on the network or over in the Internet?
+
+*Action:*
+
+```shell
+sysrc sendmail_enable="NO"
+sysrc sendmail_submit_enable="NO"
+sysrc sendmail_outbound_enable="NO"
+sysrc sendmail_msp_queue_enable="NO"
+```
+
+*Discussion:*
+
+FreeBSD offers the ability to disable `sendmail` from listening for remote network connection. Even if the default configuration limits the possiblity to be open relay, usage of sendmail as a relay may not desirable and can be tricky to have secure setup. 
+Notice if you need to forward local mail into a central hub, you can use the `dma` agent on FreeBSD 14+ or use `mail/ssmtp` package instead.
+
+
+
+
+