Proper FreeBSD system hardning :)
(all for sysctl)
security.bsd.see_other_uids
security.bsd.see_other_gids
--> Don't show other users processes
security.bsd.unprivileged_read_msgbuf
--> Don't allow unprivileges to read kernel buffer (dmesg)
security.bsd.unprivileged_proc_debug
--> Don't allow unprivileged to use debugging
security.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid
--> restrict hardlinks to same user/group
kern.elf64.aslr.enable
kern.elf32.aslr.enable
--> Enable kernel address randomization (ASLR)
security.bsd.unprivileged_mlock
--> Restrict unprivileged users from loading kernel modules
sysctl kern.securelevel=1
--> Cannot lower securelevel
--> Cannot write directly to mounted disks
--> Cannot write to /dev/mem or /dev/kmem
--> Cannot load/unload kernel modules
--> Cannot change firewall rules (if compiled with IPFIREWALL_STATIC)
--> System immutable and append-only file flags cannot be removed
This can make a FreeBSD system more secure, especially on multi-user systems. Securelevel ca even go higher, but those restrictions generally need care.
#runbsd #freebsd #security #hardening #goodpractice #devops #sysadmin
