Mastering FreeBSD and OpenBSD Security

Book Description

FreeBSD and OpenBSD are increasingly gaining traction in educational institutions, non-profits, and corporations worldwide because they provide significant security advantages over Linux. Although a lot can be said for the robustness, clean organization, and stability of the BSD operating systems, security is one of the main reasons system administrators use these two platforms. There are plenty of books to help you get a FreeBSD or OpenBSD system off the ground, and all of them touch on security to some extent, usually dedicating a chapter to the subject. But, as security is commonly named as the key concern for today's system administrators, a single chapter on the subject can't provide the depth of information you need to keep your systems secure.

FreeBSD and OpenBSD are rife with security "building blocks" that you can put to use, and Mastering FreeBSD and OpenBSD Security shows you how. Both operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities needs to be tackled one step at a time. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and the ongoing maintenance of your FreeBSD and OpenBSD systems. Using an application-specific approach that builds on your existing knowledge, the book provides sound technical information on FreeBSD and OpenBSD security with plenty of real-world examples to help you configure and deploy a secure system. By imparting a solid technical foundation as well as practical know-how, it enables administrators to push their servers' security to the next level. Even administrators in other environments, such as Linux and Solaris, can find useful paradigms to emulate.

Written by security professionals with two decades of operating system experience, Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how to secure your most critical systems. Where other books on BSD systems help you achieve functionality, this book will help you more thoroughly secure your deployments.

Table of Contents

  1. Mastering FreeBSD and OpenBSD Security
  2. Preface
    1. Audience
    2. Assumptions This Book Makes
    3. Contents of This Book
      1. Part I: Security Foundation
      2. Part II: Deployment Situations
      3. Part III: Auditing and Incident Response
    4. Conventions Used in This Book
      1. Typographic Conventions
      2. Conventions in Examples
    5. Using Code Examples
    6. Comments and Questions
    7. Safari Enabled
    8. Acknowledgments
      1. Yanek Korff
      2. Paco Hope
      3. Bruce Potter
      4. Our Reviewers
      5. O’Reilly
  3. I. Security Foundation
    1. 1. The Big Picture
      1. What Is System Security?
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Summary
      2. Identifying Risks
        1. Attacks
        2. Problems in Software
          1. Buffer overflows
          2. SQL injection
          3. Other software problems
          4. Protecting yourself
        3. Denial of Service Attacks
          1. Target: physical
          2. Target: network
          3. Target: application
          4. Protecting yourself
        4. Improper Configuration and Use
          1. Sloppy application configuration
          2. Protecting yourself
          3. Accounts and permissions
          4. Passwords and other account problems
        5. Network Versus Local Attacks
        6. Physical Security
        7. Summary
      3. Responding to Risk
        1. How Much Security?
          1. Risk and consequence
          2. Security versus functionality
        2. Choosing the Right Response
          1. Mitigate risk
          2. Accept risk
          3. Transfer risk
      4. Security Process and Principles
        1. Initial Configuration
        2. Ongoing Maintenance
        3. Auditing and Incident Response
      5. System Security Principles
        1. Apply Security Evenly
        2. Practice Defense in Depth
        3. Fail Safe
        4. Enforce Least Privilege
        5. Segregate Services
        6. Simplify
        7. Use Security Through Obscurity Wisely
        8. Doubt by Default
        9. Stay Up to Date
      6. Wrapping Up
      7. Resources
        1. General Security Resources
        2. General Security-Related Request for Comments (RFCs)
    2. 2. BSD Security Building Blocks
      1. Filesystem Protections
        1. Overview
        2. UFS Filesystem Flags
          1. Manipulating flags
          2. System immutable flag (schg)
          3. User immutable flag (uchg)
          4. Nodump flag (nodump)
          5. System append-only flag (sappnd)
          6. User append-only flag (uappnd)
          7. System no unlink flag (sunlnk)
          8. User no unlink flag (uunlnk)
          9. Opaque flag (opaque)
          10. Archived flag (arch)
        3. Common Uses of Flags
          1. Candidates for system immutable
          2. Candidates for append-only
          3. Finding files with flags
        4. POSIX Access Control Lists (FreeBSD Only)
          1. Enabling ACLs
            1. ACLs in /etc/fstab
            2. ACLs in the superblock
          2. Managing ACLs
      2. Tweaking a Running Kernel: sysctl
        1. Setting sysctl Values
        2. Kernel Security Level
          1. Level -1: “permanently insecure”
          2. Level 0: transitional security level
          3. Level 1: improved operational security
          4. Level 2: high security
          5. Level 3: network security
          6. Setting the securelevel for FreeBSD
          7. Setting the securelevel for OpenBSD
          8. Thoughts on using securelevel
        3. Other Security-Related Kernel Variables
          1. Random PIDs
          2. Controlling core dumps
          3. Reducing visibility in the network
          4. Dropping “synfins”
      3. The Basic Sandbox: chroot
        1. Creating a chroot Environment
        2. An Example: chrooting ntpd
        3. Finding Other Dependencies
          1. Sorting through kdump’s output
          2. Making device nodes
        4. Limitations of chroot
      4. Jail: Beyond chroot
        1. New Limitations
          1. Limited process interaction
          2. Limited access to network resources
          3. Devices and mknod
        2. Creating Jail Environments
          1. Building jails from source
          2. Installing from a distribution CD
        3. Launching Jails
          1. Fat jails as virtual machines
          2. Jail security options
          3. Managing jails
        4. Installing Software in Jail
          1. Make a builder jail
          2. Install from binary package
          3. Getting custom software installed in a jail
        5. NFS-Based Jails
          1. Creating a single NFS master jail
      5. Inherent Protections
        1. Fighting Buffer Overflows
          1. W^X memory protection
          2. ProPolice stack protection
        2. Cryptography
        3. Code Review
      6. OS Tuning
        1. maxusers: Basic Influence
        2. Increasing Maximum Values
        3. Network Buffering
      7. Wrapping Up
      8. Resources
    3. 3. Secure Installation and Hardening
      1. General Concerns
        1. What Are You Building?
          1. Workstation
          2. Workgroup server
          3. Infrastructure server
          4. Multipurpose system
        2. Media and Network
          1. To be networked or not to be networked
          2. Media verification
        3. Preexisting Vulnerabilities
        4. Slicing Up Your Filesystem
        5. XFree86
        6. Users and Passwords
        7. Summary
      2. Installing FreeBSD
        1. Preparing the Disk
        2. Choosing Distribution Sets
        3. Post-Installation Configuration
          1. Basic network configuration
          2. Network gateway
          3. inetd
          4. sshd
          5. Security profile (FreeBSD 4.x only)
          6. Anonymous FTP
          7. NFS
          8. Time zone
          9. Linux compatibility
          10. XFree86
          11. Packages
          12. Finishing up the install
      3. FreeBSD Hardening: Your First Steps
        1. Step 1: Configure sudo
        2. Step 2: Turn Off Unnecessary Services
        3. Step 3: Update Your System
          1. Getting the latest sources
          2. Kernel configuration
          3. Your first upgrade
        4. Step 4: Wrapping Up
      4. Installing OpenBSD
        1. Preparing the Disk
        2. Configuring Your Network
        3. Choosing Your Distribution Sets
        4. Activating sshd
        5. An Innocuous Question About X
        6. Finishing Up
      5. OpenBSD Hardening: Your First Steps
        1. Step 1: Create a User
        2. Step 2: Configure sudo
        3. Step 3: Turn Off Unnecessary Services
          1. sshd
          2. inetd
          3. Sendmail
        4. Step 4: Update Your System
        5. Step 5: Wrapping Up
      6. Post-Upgrade Hardening
        1. Configure Users and Groups
          1. Toor (FreeBSD only)
        2. Adjust Mount Options
        3. Lock Down sshd
          1. Password authentication
          2. Public key authentication
          3. Challenge response authentication
        4. Configure Basic Logging
        5. Create Login Banners
        6. Configure NTP
        7. Tune Your Kernel
        8. Set File Flags
        9. Local Security
          1. On the screen
          2. Adjust /etc/ttys
      7. Wrapping Up
      8. Resources
        1. FreeBSD
        2. OpenBSD
    4. 4. Secure Administration Techniques
      1. Access Control
        1. Controlling User Access
          1. Using a catchall primary group
          2. Project-based or role-based primary groups
          3. Per-user groups
          4. Login classes
          5. umasks
          6. The danger of ACLs (FreeBSD only)
        2. Controlling Administrator Access
          1. Disable and avoid clear-text access
          2. Connect using SSH
          3. Privileged access using ssh
        3. General sudo Configuration
          1. Avoid dangerous commands
          2. Use explicit paths
          3. Be very specific
          4. Use NOPASSWD sparingly
          5. Be realistic
        4. Comparing sudo and su
        5. Safeguard the Root Password
      2. Security in Everyday Tasks
        1. Installing Software
          1. Ports and packages
          2. Ports ownership
          3. Ports and base conflicts
          4. Multiple versions installed (FreeBSD only)
        2. Change Control
        3. Tracking Changes
        4. Data Recovery
          1. Data completeness
          2. Data confidentiality
          3. Data retention
          4. Filesystem access
          5. Network access
      3. Upgrading
        1. Patching Only
        2. Tracking Branches
          1. Tracking OpenBSD branches
          2. Tracking FreeBSD branches
      4. Security Vulnerability Response
        1. Keeping Abreast
        2. Security Advisory Response
          1. Categorization
          2. Severity assessment
          3. Response planning and execution
      5. Network Service Security
        1. inetd and tcpwrappers
        2. Network File System
          1. Implicit UID and GID trust
          2. NFS export control
          3. NFS network restrictions
        3. Network Information Services
          1. Password format compatibility
          2. Encrypted password exposure
          3. Limiting access to NIS maps
          4. On the client side
          5. When is NIS right for you?
        4. Secure File Distribution Using scp
          1. Initial setup
          2. Pushing files with passphrase authentication
          3. Pushing files without passphrase authentication
          4. An scp alternative
          5. Wrapping up
        5. The Importance of Time (NTP)
          1. Security
          2. Architecture
      6. Monitoring System Health
        1. Nagios
          1. Installation
          2. Configuration
          3. Installing NRPE
          4. Configuring Nagios with NRPE
          5. Fine-tuning
          6. Wrapping up
      7. Wrapping Up
      8. Resources
        1. Operating System
        2. System Monitoring
        3. General Security
  4. II. Deployment Situations
    1. 5. Creating a Secure DNS Server
      1. The Criticality of DNS
        1. Technical Risks Related to DNS
          1. Vulnerabilities in DNS software
          2. Zone misconfigurations
          3. Missing zone information
        2. Risks Related to DNS and Mail
        3. Risks Related to DNS Attacks
          1. Cache poisoning
          2. DNS spoofing
          3. Registration hijacking
        4. Responding to DNS-Based Risks
          1. Limit recursion
          2. Limit zone transfers
          3. Maintain your own zones
          4. Run secure, organization-wide recursion servers
          5. Separate caches from authoritative servers
        5. Summary
      2. DNS Software
        1. BIND 9
        2. djbdns
        3. Typical Architecture
        4. BIND Versus djbdns
          1. One process or many?
          2. Zone maintenance
          3. Dynamic updates
          4. Incremental zone transfers and notify
          5. Remote control
          6. Summary
      3. Installing BIND
        1. FreeBSD
      4. Installing djbdns
        1. Preliminaries
          1. Locating zone data
          2. Daemontools
          3. ucspi-tcp
          4. FreeBSD
          5. Installing on OpenBSD via source
          6. Installing on OpenBSD via unofficial ports
      5. Operating BIND
        1. Running BIND in chroot
          1. Make a filesystem
          2. Launch BIND from /etc/rc.conf
        2. Configuration Ideas
          1. Security restrictions
          2. Logging
          3. Using includes to separate permissions
        3. Managing BIND
        4. Transaction Signatures (TSIG)
          1. Cautions about using TSIG
          2. Practical uses for TSIG
      6. Operating djbdns
        1. Running tinydns
        2. Routine Maintenance
          1. The tinydns data file
          2. Load balancing
          3. Naming nameservers
      7. Wrapping Up
      8. Resources
        1. BIND Resources
        2. djbdns Resources
        3. Selected DNS-Related Requests for Comments (RFCs)
    2. 6. Building Secure Mail Servers
      1. Mail Server Attacks
        1. Operating System Level Attacks
        2. Illegitimate Mail Relaying
        3. Unwanted Mail
      2. Mail Architecture
        1. Protect the Operating System
        2. Avoid Being an Open Relay
        3. Stop Unwanted Mail
          1. Content filtering with SpamAssassin
          2. Arbitrary content filtering
          3. DNS real-time blacklists (RBLs)
      3. Mail and DNS
        1. Security Implications
      4. SMTP
        1. Envelope Versus Header
        2. Security Implications
          1. SMTP AUTH via SASL
          2. TLS
          3. SPF
          4. Message integrity, privacy, and non-repudiation
      5. Mail Server Configurations
        1. Null Client
        2. Internal Mail Server
        3. Mail Relay
        4. External Mail Server
      6. Sendmail
        1. Installation and Configuration
        2. Root Background
        3. The Configuration Files
        4. Overall Sendmail Security
          1. File and directory permissions
          2. Beware recipient programs
        5. Security-Related Configuration Options
          1. Arbitrary program restriction
          2. Don’t blame Sendmail
          3. Masquerade your domain
          4. Obfuscate greeting
          5. Permissions of transient files
          6. Privacy options
          7. Running sendmail as nonprivileged users
          8. Safe file environment
          9. Trusted user
          10. Trusted users
        6. Limiting Denial of Service Attacks
        7. Blocking Unwanted Mail
          1. Access database
          2. DNS blacklists
          3. Milters
          4. Arbitrary content filtering
          5. Virus protection
        8. Authentication and Encryption
          1. Installing Sendmail+SASL+TLS on FreeBSD
          2. Installing Sendmail+SASL+TLS on OpenBSD
          3. Configuring Sendmail with SASL+TLS
      7. Postfix
        1. Installation and Configuration: FreeBSD
        2. Installation and Configuration: OpenBSD
        3. Postfix Security Foundation
          1. Do one thing, do it well
          2. Understanding logging
          3. Chroot
          4. Configuration files
        4. Security-Related Configuration Options
          1. Arbitrary program restriction
          2. Masquerade your domain
          3. Obfuscate smtpd banner
          4. Disable unneeded commands
        5. Limiting Denial of Service Attacks
        6. Blocking Unwanted Mail
          1. Access table
          2. Arbitrary content filtering
          3. DNS blacklists
          4. Virus protection
        7. Authentication and Encryption
          1. Verifying Postfix+SASL+TLS installation
          2. Configuring Postfix with SASL+TLS
      8. qmail
      9. Mail Access
        1. Guidelines for Securing Mail Access—Internally
        2. Guidelines for Securing Mail Access—Externally
          1. Virtual private networks (VPN)
          2. Webmail
      10. Wrapping Up
      11. Resources
        1. MTA Software
        2. Spam Defense and Antivirus
        3. SMTP Security
        4. Mail Access Software
        5. Selected Mail-Related Request for Comments (RFCs)
    3. 7. Building a Secure Web Server
      1. Web Server Attacks
        1. Why You Care
        2. Specific Threats to Web Servers
          1. File and data disclosure
          2. Arbitrary program execution
          3. Application abuse
      2. Web Architecture
        1. Server Software Choices
      3. Apache
        1. Installing Apache
          1. FreeBSD
            1. Makefile options
            2. Recording your use of Apache 2
          2. OpenBSD
            1. Configure parameters
        2. Configuring Apache
          1. User overrides
          2. Protecting critical files
          3. Resisting denial of service
        3. Module Overview
          1. mod_cgi
          2. mod_php
            1. PHP and permissions
            2. mod_php Apache configuration
            3. PHP configuration
          3. mod_perl
          4. mod_include
          5. mod_dav
          6. mod_autoindex
          7. mod_info and mod_status
          8. mod_userdir
        4. Apache Best Practices
          1. Enable only modules you need
          2. Minimize information leaks
          3. Always separate HTML and CGI locations
          4. Protect sensitive configuration files
          5. Run CGI programs as normal users
            1. cgiwrap
            2. mod_suexec
          6. Summary
        5. Encrypting Web Traffic
          1. SSL and certificates
          2. Enabling SSL
          3. SSL, TLS, and cipher choice
          4. Restricting ciphers at the server
          5. CPU usage
      4. thttpd
        1. Installing thttpd
        2. Configuring thttpd
        3. Resisting Denial of Service
      5. Advanced Web Servers with Jails
        1. Using Jail or Chroot
          1. How many instances?
          2. Building and installing into a jail
          3. Finding and adding support files
          4. Launching httpd in chroot(8) on OpenBSD or FreeBSD
          5. Launching httpd in jail(8) on FreeBSD
        2. A Two-Tiered Architecture
          1. Configure the internal jails
          2. Configuring the external jail
          3. Jail versus chroot
        3. Advantages and Disadvantages
          1. Ultimate separation
          2. Performance
          3. Modularity
      6. Wrapping Up
      7. Resources
        1. Apache Resources
        2. thttpd Resources
        3. General Resources
        4. Selected Web-Related RFCs
    4. 8. Firewalls
      1. Firewall Architectures
        1. Bump in the Wire
        2. DMZ
        3. Spider
        4. Transparent
        5. Host
        6. High Availability
      2. Host Lockdown
      3. The Options: IPFW Versus PF
        1. IPFW
        2. PF
        3. Differences
      4. Basic IPFW Configuration
        1. Kernel Configuration
        2. Startup Configuration
        3. Firewall Configuration
          1. Optional arguments
          2. Required arguments
        4. Using the Firewall
      5. Basic PF Configuration
        1. Kernel and Startup Configuration
        2. PF in FreeBSD
        3. Firewall Configuration
        4. Using the Firewall
          1. Logging
      6. Handling Failure
        1. CARP
        2. CARP Configuration
        3. pfsync
      7. Wrapping Up
      8. Resources
    5. 9. Intrusion Detection
      1. No Magic Bullets
        1. Monitoring an IDS
        2. Responding to IDS Events
      2. IDS Architectures
        1. Host-Based IDS
        2. Network-Based IDS
        3. Log Analysis Versus IDS
        4. Honeypots Versus IDS
        5. Intrusion Prevention Systems
      3. NIDS on BSD
      4. Snort
        1. Sensor Hardware
        2. Host Lockdown
        3. Installing and Configuring Snort
        4. Containing Snort
        5. Storing Events in Flat Files
        6. Storing Events in MySQL
        7. Snort with PF
      5. ACID
        1. Installing ACID
        2. Configuring ACID
        3. Running ACID
      6. HIDS on BSD
        1. Osiris
        2. Installing and Configuring Osiris
        3. Running Osiris
      7. Wrapping Up
      8. Resources
  5. III. Auditing and Incident Response
    1. 10. Managing the Audit Trails
      1. System Logging
      2. Logging via syslogd
        1. syslog.conf Configuration
        2. Syslog Facilities
        3. Syslog Levels
        4. Program and Hostname Matching
        5. Syslog Actions
          1. Debugging syslogd
        6. Running syslogd
          1. Additional sockets
          2. syslogd on FreeBSD
          3. syslogd on OpenBSD
        7. syslogd Drawbacks
          1. Lack of access control
          2. Lack of reliability
          3. Lack of integrity or confidentiality
          4. Monolithic
        8. syslogd Replacements
          1. syslog-ng
          2. minirsyslogd
          3. msyslog
        9. Capturing Logs
      3. Securing a Loghost
        1. Benefits of a Loghost
        2. Loghost System Security
        3. Syslog Relay
          1. Syslog relay configuration
        4. Conclusion
      4. logfile Management
        1. newsyslog Overview
        2. Configuring Log Rotation
        3. Securing logfiles
      5. Automated Log Monitoring
        1. Automated Auditing Using logcheck
          1. Installation
          2. Configuration
          3. Drawbacks
        2. Automated Auditing Using swatch
          1. Installation
          2. Configuration
          3. Running swatch
          4. Catching new messages
        3. Ongoing Monitoring
      6. Automated Auditing Scripts
        1. OpenBSD’s Security Script
        2. FreeBSD’s Periodic Scripts
      7. Wrapping Up
      8. Resources
        1. Logging Tools
        2. Secure Transport Providers for Logging
        3. Log Monitoring
        4. Selected Logging-Related Request for Comments (RFCs)
    2. 11. Incident Response and Forensics
      1. Incident Response
        1. Preparation
          1. Identifying resources
          2. Training staff
          3. Creation of document templates
          4. Building your bag of tricks
        2. Incident Detection
        3. Incident Assessment
        4. Response
        5. Postmortem Analysis
      2. Forensics on BSD
        1. How Serious Are You?
        2. Online and Offline Analysis
        3. Things to Look For
          1. Changed files
          2. Added users
          3. Strange directories
          4. Unknown processes and LKMs
          5. Known rootkits and hacker tools
      3. Digging Deeper with the Sleuth Kit
        1. History of the Sleuth Kit
        2. Installing and Understanding TSK
        3. Using TSK
        4. Autopsy
      4. Wrapping Up
      5. Resources
  6. Index
  7. About the Authors
  8. Colophon
  9. Copyright