Page MenuHomeFreeBSD

Add new option to bsdinstall hardening menu to disable insecure console and update stack guard option
ClosedPublic

Authored by robak on Feb 21 2017, 9:48 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 18, 2:59 PM
Unknown Object (File)
Mon, Nov 18, 2:44 PM
Unknown Object (File)
Mon, Nov 18, 2:36 PM
Unknown Object (File)
Mon, Nov 18, 12:34 PM
Unknown Object (File)
Oct 4 2024, 7:15 AM
Unknown Object (File)
Oct 2 2024, 3:14 AM
Unknown Object (File)
Sep 27 2024, 3:11 PM
Unknown Object (File)
Sep 18 2024, 3:23 PM
Subscribers

Details

Summary

By default, the console is set to insecure in /etc/ttys resulting in no password prompt when the OS is booted in single-user mode in result lowering the physical security of the default installation. This patch adds new bsdinstall option to hardening section that allows users to change this behaviour to more secure one. It is OFF by default, so that we could introduce it without POLA violation and change it to ON by default later on, with the goal of changing it in the base OS at the end.

Test Plan

Build yourself a bsdinstall with this patch, boot a machine, exit from installer, upload compiled patched bsdinstall version, run bsdinstall and pick the option in the hardening section. Verify the outcome after installation.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

robak retitled this revision from to Add new option to bsdinstall hardening menu to disable insecure console.
robak updated this object.
robak edited the test plan for this revision. (Show Details)
robak added reviewers: adrian, allanjude, emaste, nwhitehorn.
robak set the repository for this revision to rS FreeBSD src repository - subversion.

I am not sure turning this one on by default in the future makes much sense.

It is not actually providing any real security. I can boot off of the freebsd install cd and mount the filesystem and have root access. If you really want to secure physically the system, you'd have to encrypt the disk.

I am not sure turning this one on by default in the future makes much sense.

It is not actually providing any real security. I can boot off of the freebsd install cd and mount the filesystem and have root access. If you really want to secure physically the system, you'd have to encrypt the disk.

It all depends on how you look at it @allanjude. If you think of it as 'one fix to rule them all' then yes, you are right, it does nothing. However, security comes in layers and its the accumulation of layers is what makes the system hard enough to penetrate that in effect it becomes 'unpenetrable' (as in: the effort outweights the benefits for most attackers, of course). You could argue that one could simply boot the server from a CD and this does nothing, sure. But I could argue that if one doesn't have a CD handy or the machine doesn't have CD drive and its USB drives are disabled in the BIOS, then this does a world of difference. In the same manner I could argue that encrypting drives does nothing but a slow down, once you have obtained physical access to the machine, so on, so forth - this leads nowhere when seen as a single solution in separation to all others.

That's why I believe this should go in, and after a while should be switched to ON by default. This one, and a few more I've coming ;)

Some comments from @bapt:

08:20 <@bapt> robak: actually the best argument for you case if maybe of one has access to the serial console remotely
08:23 <@bapt> actually I even think that should be default on for releases
08:24 <@bapt> robak: changing default in 12.0 is ok

Related to Allan's point, nothing in the hardening menu should ever be turned on by default. If we want to change the system defaults, we should change the system defaults. Having the defaults be different depending on whether the installer is used to set up the system is a super bad idea and one I would object to vigorously.

No objections to this patch as such, however.

Can I have an approval or rejection here, please?

I'm happy with the option as long as it's off by default.

This revision is now accepted and ready to land.Apr 5 2017, 5:23 PM

@allanjude What are we going to do about this? Is bsdinstall change acceptable to you, or would you want me to create a patch for ttys instead? I'd like it to land already.

robak retitled this revision from Add new option to bsdinstall hardening menu to disable insecure console to Add new option to bsdinstall hardening menu to disable insecure console and update stack guard option.Jun 28 2017, 1:19 PM
robak edited edge metadata.

Update the stack guard option to new sysctl behaviour.

This revision now requires review to proceed.Jun 28 2017, 1:21 PM
This revision is now accepted and ready to land.Jul 3 2017, 7:40 AM
emaste added inline comments.
usr.sbin/bsdinstall/scripts/hardening
44 ↗(On Diff #30173)

"Set stack guard page ... to 512" is missing something.

Maybe make this "Increase stack guard size to 2MB"?

usr.sbin/bsdinstall/scripts/hardening
44 ↗(On Diff #30173)

Would 'Set stack guard page buffer size to 2MB' be OK?

This revision was automatically updated to reflect the committed changes.