commit 32c50bddae608e2b240c026eddd23d54ace6f38f
parent 90fce41a0be6fe44deabfe93b1c4bda15d9c1266
Author: Chris Bracken <chris@bracken.jp>
Date: Sun, 5 Jun 2022 14:58:10 -0700
FreeBSD: describe security hardening options
Diffstat:
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/freebsd_install.md b/freebsd_install.md
@@ -27,13 +27,29 @@ FreeBSD installer.
install select 'no' for both. We can set this up later.
6. Set clock to UTC.
7. Enable `sshd`, `ntpd`, `powerd`, `dumpdev`.
-8. Clean `/tmp` on startup.
+8. Set security hardening options (see below).
9. Add user with `wheel` additional group.
Once these steps are done, select the option to drop into a console session to
complete a few additional steps.
+### Set security hardening options
+
+For an internet-facing server, it's worth locking it down. Use the following
+options:
+1. hide_uids
+2. hide_gids
+3. hide_jail
+4. read_msgbuf
+5. proc_debug
+6. random_pid
+7. clear_tmp
+8. disable_syslogd
+9. disable_ddtrace
+10. enable_aslr
+
+
### Set the console keyboard layout
The console keyboard layout can be temporarily changed using the `kbdcontrol`
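Review bot: The ten entries added under "Set security hardening options" are bare option names with no description of what each one changes, and names such as read_msgbuf and proc_debug read as though they enable a facility, although the section's stated purpose is locking the server down. Suggest a short description beside each name, with the names in backticks to match step 7 (`sshd`, `ntpd`, `powerd`, `dumpdev`). The removed step "Clean `/tmp` on startup" now survives only as clear_tmp, so a description on that item would keep the original instruction explicit. The hunk also adds two consecutive blank lines before "### Set the console keyboard layout", where one is enough.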