Page MenuHomeFreeBSD

Handbook WG - Security
ClosedPublic

Authored by carlavilla on Aug 28 2023, 8:36 PM.
Tags
None
Referenced Files
F107999399: D41620.diff
Mon, Jan 20, 9:13 AM
Unknown Object (File)
Sat, Jan 18, 1:36 AM
Unknown Object (File)
Sat, Jan 18, 12:44 AM
Unknown Object (File)
Thu, Jan 16, 7:47 AM
Unknown Object (File)
Thu, Jan 9, 5:11 PM
Unknown Object (File)
Tue, Dec 31, 10:17 AM
Unknown Object (File)
Tue, Dec 31, 12:52 AM
Unknown Object (File)
Nov 21 2024, 2:52 PM

Details

Summary

Rework the Security chapter.

Changes:

  • Rework the Security Accounts section and put in there the sudo/doas section
  • Rework the Intrusion Detection System using mtree
  • Add new Secure levels section
  • Add new File flags section
  • Rework OpenSSH section
  • Rework OpenSSL section
  • Upgrade Access Control Lists section and add info about NFSv4 ACLs
  • Add capsicum section with a brief introduction and a naive example
  • Upgrade resource limits section
  • Upgrade FreeBSD Security Advisories section showing a current report

Removed VPN over IPSec, I think this fits better in a separated article (new article) or in the network services chapter.

Output:

https://people.freebsd.org/~carlavilla/handbook-wg/security.html
https://people.freebsd.org/~carlavilla/handbook-wg/vpn-ipsec-article.html

Diff Detail

Repository
R9 FreeBSD doc repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
documentation/content/en/books/handbook/security/_index.adoc
1855–1856

remove "that want" (classes don't want things)

1883
1907

This and the previous sentence are partly redundant.

1909

s/need/needs/, or s/need to/must/

1924

either add a comma or "by" before executing.

2032

The final "mailing lists" looks redundant when the list links are expanded. I'd just remove it.

documentation/content/en/books/handbook/security/_index.adoc
273–274

That was "reparse" not "repairs" before the spell autocorrect got it.

documentation/content/en/books/handbook/security/_index.adoc
6–7

We do use Kerberos in the cluster.

While our primary means of identifying committers is SSH keys, we use Kerberos for services that require a password: Bugzilla and SMTP. In principle, things like Phabricator and the wiki could/should also authenticate against Kerberos but they don't for Hysterical Raisins.

documentation/content/en/books/handbook/security/_index.adoc
87

Is there a separate article on IPSEC we can link to? That's still (very) relevant too.

160–161

I would remove mention of DES and MD5 here. While they are supported, they are strongly discouraged. Perhaps simply write "several algorithms (e.g. SHA256, SHA512, and Blowfish)" so this article remains accurate when we eventually add others.

428–430

Possibly mention freebsd-update IDS here?

508

We should really not be encouraging md5 or sha1 in 2023. The original example had sha256 digests. Can we update the current example accordingly?

documentation/content/en/books/handbook/security/_index.adoc
132

It has not yet been removed.

160–161

or "several algorithms, including SHA256, ..."

2207

Note that SAs still include Subversion details, as long as 12.x is supported.

Fixed some issues, I'm gonna upgrade the diff right now.

documentation/content/en/books/handbook/security/_index.adoc
132

Well, although the user toor has not been deleted yet, I like the idea that Ed has proposed, so we can save ourselves problems in the future when the user has been deleted.

428–430

I thought about putting it, but since the "final" idea is to remove freebsd-update I didn't put it

618–619

hmm, can you please provide a little paragraph with this info please?

628

Removed, np :)

702

TBH, no idea, maybe @emaste or @philip can help us.

707

FreeBSD marks it as enabled by default in the installer and the user decides if they _don't_ want it.
But by default, yes, you're right, it is enabled.

726

Sorry, wrong config property, and it's not enabled by default

763

No, seems not enabled by default (taken from the git repo https://cgit.freebsd.org/src/tree/crypto/openssh/sshd_config):

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

802
1591

hehehe, spanish word, sorry

1739

hmmm, can you please provide a paragraph to replace this one?

1855–1856

hahahaha, best comment ever ;)

2207

I've restored it, but we're a few months from the end of Subversion, I'll be back in the future to remove the reference.

carlavilla marked 8 inline comments as done.
carlavilla added inline comments.
documentation/content/en/books/handbook/security/_index.adoc
6–7

Ok, I restored the kerberos section, can you please take a look and tell me if there's something wrong?
To have a more pleasant reading, you can check it here https://docs.freebsd.org/en/books/handbook/security/#kerberos5

87

I just added it as an article, it's exactly the same as what we have now, you can check it out here: https://docs.freebsd.org/en/books/handbook/security/#ipsec

documentation/content/en/books/handbook/security/_index.adoc
132

Note that the toor example has been removed in main already in 70fec4c1c5799844f2269aade3e558535e3d2e79, so maybe this is a diff from an older commit?

documentation/content/en/books/handbook/security/_index.adoc
87

Aside, we should also have OpenVPN (DCO) and WireGuard docs.

119

"Security Accounts" sounds strange. Securing Accounts?

121–123

This seems overly verbose, probably only needs to be a sentence or two.

293

Should probably be a date in the future but not so far that it seems unreasonable.

303

True, but even administrators should limit their privileges when not needed, so we probably want to make reference to that concept as well.

367–368

Simpler: "This avoids sharing passwords, which is a poor practice."

377

I'm not sure how 2FA factors in, we probably just want to say "Sudo can be configured to permit ... by using NOPASSWD".

391

maybe "ported from OpenBSD"?

428

I think it's useful to leave "basic" or something similar in -- running mtree(8) can be useful but is fairly minimal.

428–430

that's true but freebsd-update will persist for at least 14 so I think it would be fine to include.
once we finally deprecate it we'll have to sweep the tree for freebsd-update references so it wouldn't be left behind accidentally

450

that's the same combination I have on my luggage!

it's certainly easier to match with later examples than 3483151339707503. we might want to add something like "represents the seed, and should be chosen randomly..." below

549

but now the user has a /bin/cat which doesn't match the mtree spec they've saved away, and would always get this complaint

maybe mention that we're presenting this as an example of what would be observed with a metadata change but suggest the user not do it on their real system?

or make a longer example starting with making a /tmp/mtree-experiment directory or so?

574–578

we should explain what is different between "permanently insecure mode" and "insecure mode"

630

More concise: File flags allow users to attach additional metadata or attributes to files and directories beyond basic permissions and ownership.

643

I don't think we need to repeat this right away, the above text is only a few sentences ago :)

675

more concise: remove "effectively"

690

We should provide some comment on choosing one or the other.

Maybe

As stated, this chapter will cover the base system version of OpenSSH. A version of OpenSSH is also available from the security/openssh-portable port or package, which ..."

but I'm not quite sure what to say about it. it may provide additional (configuration) options, and from time to time may be more up-to-date than the one in base

702

I think the text moved around, what does "this" refer to?

717

we should add a note about verifying the host key out of band

750

We should mention that public key auth is preferred over passwords.

752

strike "RSA"
also default key type is changing to ed25519
we should also describe FIDO security keys, however I'm fine with getting this document into the tree and iterating on it there

793–795

I would avoid this first sentence, probably just say something like "Keys should be protected by a passphrase. Using a key without a passphrase is dangerous[, because...]"

797

Start a new section for "from"
Also should explain authorized_keys for this.

806

I'd rather avoid a telnet example. Maybe a http example of something like 8080:localhost:80

909–914

It's not necessary to uncomment that line - the comments in sshd_config show the defaults, so

#PermitRootLogin no

indicates that root login is already not permitted by default. If you wanted root login you would need to change it to

#PermitRootLogin without-password

or

#PermitRootLogin yes

Note that OpenSSH upstream has without-password as the default, no is a change in FreeBSD's base system sshd

918
#MaxAuthTries 6

indicates default is 6

925

PubkeyAuthentication defaults to yes, so we should probably rephrase this. Mention that both pubkey and password authentication are enabled by default. To allow *only* pubkey (recommended), change

Note also that PasswordAuthentication defaults to no. By default passwords are handled via ChallengeResponseAuthentication and PAM. To disable passwords both must be no.

926

PermitEmptyPasswords already defaults to no

956

maybe "recommended" to verify? otherwise it may imply that it will not function without sshd -t

982

libcrypto is part of openssl and provides a lot of stuff
instead of "related cryptography standards required by them" I would use something like "and many cryptography routines" or something like that

994

it can also be used for bencmarking the crypto routines

1461

I think we should just call it "TCP wrappers" everywhere

1461

more concise: "TCP Wrappers is a host-based network access control system."

1464

what other layers?

1472–1479

yes for inetd-based services, but tcp wrappers are also used by e.g. sshd and do not involve inetd.

note that inetd_flags includes Ww by default

1520–1523

we should not document/encourage this support and should remove it from our tcp wrapper implementation

opened D41921 for that

1586

complexity may be unavoidable, but careful planning is required to ensure that the desired security properties are being provided

1691–1696

I'm not sure that too much detail about Capsicum belongs in the handbook. This introduction is good, but Capsicum details are only of use to application developers. So I would leave out the C source examples.

carlavilla added inline comments.
documentation/content/en/books/handbook/security/_index.adoc
87

Yes, the idea of moving it to an article is to later add WireGuard, etc. to that article

303

Done in a TIP section

752

Ok, I'll add the FIDO security keys after the 4th version of the handbook is done

793–795

I write it again, I think right now it's better :)

909–914

Removed then :)

918

Also removed.

926

Removed :)

1464

I removed the paragraph.

1472–1479

So, instead of "To enable TCP Wrapper in FreeBSD, execute :" put "To enable TCP Wrappers in FreeBSD for inetd execute:"?

1472–1479

Removed # sysrc inetd_flags="-Ww"

1691–1696

Done!

carlavilla marked 10 inline comments as done.

Fix @emaste comments

documentation/content/en/books/handbook/security/_index.adoc
1472–1479

Well, tcp wrappers is enabled by default in some 3rd party software (e.g. sshd) and by default in inetd, so there's no specific step that needs to be taken to "enable" it. We could mention that TCP Wrappers support is built-in to some applications (like sshd) and enabled by default settings for inetd.

carlavilla marked an inline comment as done.

Fix last comment from @emaste

This revision was not accepted when it landed; it landed in state Needs Review.Sep 27 2023, 4:57 PM
This revision was automatically updated to reflect the committed changes.