Subject: Re: NetBSD 1.5.2 default configuration
To: None <tech-security@netbsd.org>
From: None <xs@kittenz.org>
List: tech-security
Date: 02/03/2002 12:14:38
on Sun, Feb 03, 2002 at 10:57:16AM +0100, Wojciech Bojdol wrote:
> > As it runs with no port open, it's not that much of a problem.
> 
> But it could be when we open ports like ssh.
> 

How? inetd has no ports listening. So when you run sshd, it opens port 22.
inetd doesn't have this open, so there is no problem afaik.

> > > For example:
> > > 
> > > /bin/df is sgid operator - yet appears to operate fine without this.
> > 
> > This is so that you can run df on an unmounted filesystem
> 
> But only administrator or operator should do that.
> I think it's better to make special group for that and (as it would be run
> manually) make one df without suid and another with suid.
> The second one will have perms r-sr-x---, and will be in group operator.

I would still like any user to be able to df a mounted filesystem,
and your suggested permissions give df more privileges than it already has.
It's not setuid root, only setgid operator.

If a filesystem is unmounted, it's probably unmounted for a reason.
If the heads of the disk are ploughing into the disk's platters
it's possibly quite undesirable to allow users to read that disk at all.

> > This is for 'dump -n' to work.
> 
> Dump is another program that should be used only by people in group
> operator.

Well, dump works (mostly) without any special privileges, so there
isn't any real reason to restrict it to operator, imho.
Plus restricting it to operator and keeping it setgid tty sounds like
something that would make someone cry "give me ACLs!"


> I know that we can have fully-functional system or secure system and I'm
> working on a small script, that could make NetBSD more secure,
> but will take some of functionality.

It would be nice to have a good security vs. usability balance in the default
install.

> When you want to have secure system - You have only to run that script and
> perms for many files will be changed.
>
> First version of that script can be found at
> http://www.htcon.pl/~wojboj/securesystem

Couldn't mtree -U be used to do all of this? This would have the advantage
of also spotting when permissions strayed away from the hardened defaults.
And you could include checksums too..

I tend to do something like this (I apologise for the length):

Remove users bin, falken, ingres, news, operator, toor and uucp
Remove groups bin, dialer, guest, ingres, news, staff and wsrc

Removing news seems to break /etc/mtree/special, so fix that.

Run find / \( -nouser -o -nogroup \) -exec ls -ld {} \; and remove or
chown/chgrp appropriately

Edit /etc/newsyslog.conf and remove the aculog entry

unset[gu]id: /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm /usr/bin/rlogin
             /usr/libexec/sendmail/sendmail /usr/sbin/ifmcstat /usr/sbin/lpc
             /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd
             /usr/sbin/sliplogin /usr/sbin/timedc /usr/sbin/trpt
             /usr/sbin/trsp /bin/rcmd /sbin/ccdconfig /sbin/dump
             /sbin/dump_lfs /sbin/rdump /sbin/rdump_lfs /sbin/shutdown
             /usr/libexec/mail.local /usr/bin/login /bin/df
chgrp users: /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch
             /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh /usr/bin/crontab
             /usr/bin/lock /usr/bin/skeyinfo /usr/bin/skeyinit
             /usr/bin/passwd
chmod 4550: /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch
            /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh /usr/bin/crontab
            /usr/bin/lock /usr/bin/su /usr/sbin/traceroute /usr/sbin/traceroute6
            /sbin/ping /sbin/ping6 /usr/bin/skeyinfo /usr/bin/skeyinit
            /usr/bin/passwd

grep YES /etc/defaults/rc.conf
Disable anything not necessary by adding blah=NO in /etc/rc.conf

Edit /etc/mailer.conf to use postfix
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp localtime services resolv.conf /var/spool/postfix/etc
chroot everything except pickup, qmgr and local in /etc/postfix/master.cf
Add postfix=YES to /etc/rc.conf
/etc/rc.d/postfix start

Run find / \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \; to see
if I missed anything.
Run find / -perm -00002 -exec ls -ld {} \; and remove as many
world writable directories as is acceptable.

mount /, /var and /tmp (if it's on a separate filesystem to /)
with options nosuid and nocoredump

Add to /etc/sysctl.conf:
kern.logsigexit=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.ip.forwsrcrt=0
net.inet.ip.allowsrcrt=0
net.inet6.icmp6.rediraccept=0
ddb.fromconsole=0
ddb.onpanic=0

No doubt this is flawed, but it makes me happier. :)
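The checks above (the set-id and world-writable find(1) sweeps, and the idea of using an mtree -U style spec to spot drift from the hardened defaults) can be scripted so they compare against an allow-list instead of being eyeballed. The following is an added example and not code from the original post: it builds a constructed sample tree under a temporary directory so it runs stand-alone, the allow-list and spec lines are illustrative rather than a recommendation, and it uses only POSIX find(1) tests (plus -maxdepth, which both BSD and GNU find support), so it is not a replacement for mtree's checksums.

```shell
#!/bin/sh
# Added example: allow-list audit of set-id files and world-writable
# directories, plus a minimal "path mode" drift check in the spirit of
# mtree -U. Not from the original post; paths below are constructed.

# Build a constructed sample tree so the functions can be exercised
# without touching the real system.
make_sample_tree() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/var/junk"
    for f in passwd su lpr; do : > "$root/usr/bin/$f"; done
    chmod 4550 "$root/usr/bin/passwd" "$root/usr/bin/su"   # as in the chmod 4550 list
    chmod 4555 "$root/usr/bin/lpr"      # setuid and not on the allow-list
    chmod 1777 "$root/tmp"              # world-writable but sticky: acceptable
    chmod 777  "$root/var/junk"         # world-writable, no sticky bit
}

# Print set-id files under $1 whose path (relative to $1) is not in the
# space-separated allow-list $2. Equivalent to the find -perm sweep above,
# minus the entries you already decided to keep.
unexpected_setid() {
    root=$1; allowed=$2
    find "$root" -type f \( -perm -04000 -o -perm -02000 \) | while read -r p; do
        rel=${p#"$root"}
        case " $allowed " in
            *" $rel "*) ;;            # expected set-id binary
            *) echo "$rel" ;;         # anything else needs a look
        esac
    done
}

# Print world-writable directories under $1 that lack the sticky bit.
unsticky_world_writable() {
    find "$1" -type d -perm -00002 ! -perm -01000 | sed "s|^$1||"
}

# Read "path mode" lines on stdin and print each path whose mode under
# root $1 is not exactly the listed mode. -perm without a leading - or /
# is an exact match, so a 4555 file fails a 4550 spec.
check_spec() {
    root=$1
    while read -r path mode; do
        [ -n "$path" ] || continue
        if [ -z "$(find "$root$path" -maxdepth 0 -perm "$mode" 2>/dev/null)" ]; then
            echo "$path"
        fi
    done
}

# Stand-alone run against the constructed tree.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_DEMO" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "unexpected set-id:";       unexpected_setid "$d" "/usr/bin/passwd /usr/bin/su"
    echo "world-writable, no sticky:"; unsticky_world_writable "$d"
    echo "drift from spec:"
    printf '%s\n' "/usr/bin/passwd 4550" "/usr/bin/lpr 4550" | check_spec "$d"
    rm -rf "$d"
fi
```

On a real host you would point the root at / and fill the allow-list and spec from the lists you actually intend to keep; the spec check only covers mode bits, so ownership (the chgrp users step above) and checksums still belong in an mtree specification.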