I love FreeBSD for its stability and such, but I am on the verge of throwing in the towel when it comes to dealing with its security.
First off, let's look at what I do to set up a system... these are dedicated boxes in DCs with shell account user access.
Well, Mr X loves his rootkits, so what do we do? We start by cvsup-ing the latest stable edition, right? Okay...
Then we install our usual stuff: xinetd, liedentd, logcheck, denyhosts, ipfw, etc.
Oh, now we've gotta make it so those rootkits can't get into the system:
chmod o-r /bin
chmod o-r /sbin
chmod o-r /etc
chmod o-r /var
chmod o-r /usr/sbin
chmod o-r /usr/bin
chmod o-r /usr/lib
chmod 500 /sbin/*
chmod go+rx /sbin/nologin
chmod o-r /usr/local/bin
chmod o-r /usr/local/sbin
chmod o-r /usr/local/lib
chmod o-r /usr/local/share
chmod 500 /usr/bin/at
chmod 500 /usr/bin/atq
chmod 500 /usr/bin/atrm
chmod 500 /usr/bin/batch
chmod o-rx /usr/bin/whereis
chmod 500 /usr/bin/btsockstat
chmod 500 /usr/bin/chfn
chmod 500 /usr/bin/chpass
chmod 500 /usr/bin/chsh
chmod 500 /usr/bin/cu
chmod 500 /usr/bin/doscmd
chmod 500 /usr/bin/finger
chmod 500 /usr/bin/fstat
chmod 500 /usr/bin/ipcs
chmod 500 /usr/bin/last
chmod 500 /usr/bin/logger
chmod 500 /usr/bin/lpq
chmod 500 /usr/bin/lpr
chmod 500 /usr/bin/lprm
chmod 500 /usr/bin/netstat
chmod g+s /usr/bin/man
chmod 500 /usr/bin/nfsstat
chmod 500 /usr/bin/rlogin
chmod 500 /usr/bin/rsh
chmod 500 /usr/bin/sockstat
chmod o-rx /usr/bin/su
chmod 500 /usr/bin/vmstat
chmod 500 /usr/bin/wall
chmod 500 /usr/sbin/arp
chmod 000 /usr/sbin/lpc
chmod 550 /usr/sbin/mptable
chmod 000 /usr/sbin/ppp
chmod 000 /usr/sbin/pppd
chmod 550 /usr/sbin/pstat
chmod g+s /usr/sbin/pstat
chmod 500 /usr/sbin/traceroute
chmod 500 /usr/sbin/traceroute6
chmod o-r /etc/login.conf
chmod o-r /etc/sysctl.conf
chmod o-r /etc/rc.conf
chmod o= /usr/bin/users
chmod o= /usr/bin/w
chmod o= /usr/bin/who
chmod o= /usr/bin/lastcomm
chmod o= /usr/sbin/jls
chmod o= /usr/bin/last
chmod o= /usr/sbin/lastlogin
chmod o= /usr/local/bin/nmap
chown root:kmem /usr/sbin/pstat
chown root:kmem /usr/bin/netstat
chown man:wheel /usr/bin/man
chgrp kmem /usr/sbin/iostat
chflags sappnd /bin
chflags sappnd /bin/*
chflags sappnd /sbin
chflags sappnd /sbin/*
chflags sappnd /usr/bin
chflags sappnd /usr/bin/*
chflags sappnd /usr/sbin
chflags sappnd /usr/sbin/*
chflags sappnd /boot/kernel
chflags sappnd /boot/kernel/*
mv /var/tmp/* /tmp/
rm -rf /var/tmp
ln -s /tmp /var/tmp
etc. etc.
I know I am skipping a bunch of crap, I am just trying to get a point across.
So now we reboot with kern.securelevel=1... God forbid we go any higher than this, then ntpdate won't be able to sync the clock with the time server correctly.
Okay, so now our shell users cannot manipulate any of the files to help themselves gain root privileges.
Oh wait, I just got an email from https://bsdupdates.com/
that a security patch is available, so let's truck on over and download it.
*crap*
and run noschg
on the directories from before, then install the update, then redo the schg
and reboot in securelevel=1 again,
or even worse, we need to do a system upgrade that takes multiple reboots as it is.
make installworld and make installkernel are gonna have a heyday if you don't go through all this...
Now you have a lot of pissed-off clients because it took so long to get the system back up and running.
Oh, and why did you have to reboot just to apply a patch?
While pulling my hair out over the trivia involved in FreeBSD's security, a friend points me towards MAC.
At first network addresses pop into my head and I think he is a little crazy. He chuckles as he points me to the FreeBSD man pages for MAC (Mandatory Access Control).
A trusted OS, huh?
Well, I start to read up on it.... Something with a high level can see down and something with a low level can see up, blah blah blah, my head starts to spin in circles.
So is it possible with MAC to make it so that a shell user can only modify files in their home directory, and only allow them to see files that are in their home directory, but still allow them to change their password, make BitchX, and use the usual shell account features?
And at the same time allow the root user to apply patches and do system upgrades without going through kern.securelevel hell?
And if this is all true, wouldn't it stop rootkits altogether?
Or should we quit using this operating system, whose designers seem not to care what default directory permissions are set?
I wonder how hard a task it would be to convince a datacenter to install OpenBSD on your server when it is not one of their supported operating systems.
I really could use people's input on this one. Let me know if I am going about this the wrong way, or what I can do to make my life easier but still have a secure system. God, I hope MAC can do what it appears to do.
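Added example for this thread (mine, not code from the original post): the chmod list above is only as good as the last time it was applied, and make installworld reinstalls binaries with their distribution modes, so the question after every patch is "which of my modes got reset?" rather than "redo everything". The script below turns the numeric chmod lines of such a list into a policy and audits the live system against it. It is plain POSIX sh; the BSD branch uses stat -f '%OMp%OLp' and the other branch GNU/busybox stat -c %a. The script and policy file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Hardening-drift audit (added example, not part of the original post).
# Reads a policy of "<octal-mode> <path>" lines, compares each path's
# current permission bits with the policy, and reports every mismatch.

# Canonical form of an octal mode: "0500" -> "500", "000" -> "0".
norm_mode() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    echo "${m:-0}"
}

# Permission bits of a path (500, 644, 4555 ...), or "missing" if absent.
file_mode() {
    [ -e "$1" ] || { echo missing; return 0; }
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD|Darwin)
            m=$(stat -f '%OMp%OLp' "$1") ;;   # BSD stat(1): special bits, then rwx bits
        *)
            m=$(stat -c '%a' "$1") ;;         # GNU/busybox stat
    esac
    norm_mode "$m"
}

# Turn literal "chmod <octal> <path>" lines of a hardening script into policy
# lines. Symbolic modes (o-r, g+s) and globs (/sbin/*) are skipped because
# their result depends on the mode the file started with.
policy_from_chmod_script() {
    sed -n 's/^[[:space:]]*chmod[[:space:]]\{1,\}\([0-7]\{3,4\}\)[[:space:]]\{1,\}\([^*[:space:]]\{1,\}\)[[:space:]]*$/\1 \2/p'
}

# Read policy lines from stdin; print "DRIFT <path> want <mode> have <mode>"
# for every mismatch. Returns 1 if anything drifted, 0 if all paths comply.
check_policy() {
    drift=0
    while read -r want path; do
        case "$want" in ''|'#'*) continue ;; esac   # skip blanks and comments
        have=$(file_mode "$path")
        if [ "$(norm_mode "$want")" != "$have" ]; then
            echo "DRIFT $path want $want have $have"
            drift=1
        fi
    done
    return $drift
}

# Usage (file names are hypothetical):
#   sh audit-modes.sh policy.txt
#   sh audit-modes.sh harden.sh --from-chmod     # harden.sh = a chmod list like the one above
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--from-chmod" ]; then
        policy_from_chmod_script < "$1" | check_policy
    else
        check_policy < "$1"
    fi
    exit $?
fi
```

Run it with --from-chmod against the chmod list right after make installworld and after each patch, and the output is the exact set of files to redo. It only covers what it can verify: the numeric chmod lines. The o-r, g+s and /sbin/* entries depend on the starting mode, and chflags and ownership are not checked at all. On the MAC question, mac_bsdextended(4) configured with ugidfw(8) is the FreeBSD module that expresses per-uid and per-gid file access rules of the kind asked about; its rules match root-owned objects as well, so access to system binaries and libraries has to be permitted explicitly or shell logins stop working.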