June 3rd, 2005, 11:57 PM
Intro to securing FreeBSD, part 5
After gore's first four parts, I'd like to contribute a little on the subject as well. So far, gore touched these topics:
[list=1]
[*]Part 1: Determine a security policy
[*]Part 2: Password safety
[*]Part 3: Using a centralized login system (Kerberos), using a secure shell (SSH instead of telnet), securing e-mail services
[*]Part 4: Securing file transfer and securing your website traffic
[/list=1]
In this addition to gore's set of introductory tutorials, I'll describe a few programs you can use to keep your FreeBSD installation secure. I'll touch on these topics:
- Subscribe to a mailing list
- Keep your installation up to date (patch your kernel)
- Scan your ports regularly for bugs (portaudit)
- Check regularly for rootkits (chkrootkit)
If you feel like I missed something, please, contribute. If I made a mistake anywhere, please, correct me. If you think something could be done more effectively, please, tell us.
Ok, on with it. First of all: FreeBSD maintains a couple of web pages dedicated to the security of the OS. You'll find them at http://www.freebsd.org/security/. If you're interested in securing FreeBSD, have a look at those.
Subscribe to a mailing list
There are a bunch of FreeBSD mailing lists available. Security-wise, three of them are interesting:
Security advisories are sent to this list. You'll find more on these security advisories in the FreeBSD handbook, paragraph 14.14.
Keep your installation up to date (patch your kernel)
A solution is given in most security advisories. Normally, these solutions tell you to patch your kernel (which you do with a couple of commands that are listed in the advisory). Make sure you have the sources for your system available, and have enough free space left to compile the kernel (as a very rough guideline, reserve around 500 MB of space).
Another way of closing the security hole is to upgrade your system. If you re-install your system, use the RELENG_4_11 or RELENG_5_4 branch (or whatever minor version number is appropriate) instead of the RELENG_4 or RELENG_5 branch (you can set which branch to use in your cvsup supfile, for example). Using the RELENG_X_Y branch will give you a RELEASE-based system with all the patches from the security advisories applied. You won't need to be running STABLE or CURRENT. Remember, those two are not as stable as RELEASE is (or should be). Read up on how to upgrade your system in the FreeBSD Manual. Chapter 8, 'Configuring The FreeBSD Kernel' and Chapter 19, 'The Cutting Edge' give you most of the information you'll need.
Scan your ports regularly for bugs (portaudit)
The above two suggestions help you keep your base system up to date and secure. Apart from the OS itself, you're likely to have other applications installed. I myself use the ports collection to install most of the software I run.
Security issues that affect software from the ports collection are documented in a so-called VuXML document (read up at http://www.vuxml.org/freebsd/). There's an application in the ports collection that uses this document to check your installed programs for security issues. If you install portaudit (cd /usr/ports/security/portaudit; make install clean;), you'll have a tool that checks your ports-installed applications on demand. You can run it from a shell without parameters to do a basic sweep. Check out the man pages for more information.
Apart from this, portaudit will include a section in the daily "security run output" e-mails (sent to root) telling you which, if any, ports have security issues. Something like this in your mail means you've got trouble:
Checking for packages with security vulnerabilities:
Affected package: portupgrade-20041226_1
Type of problem: portupgrade -- insecure temporary file handling vulnerability.
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.
Check regularly for rootkits (chkrootkit)
Another application you could install is chkrootkit. It's in the ports collection as well (/usr/ports/security/chkrootkit). chkrootkit checks your system for known rootkits. Again, installing it is easy (cd /usr/ports/security/chkrootkit; make install clean;). Usage is fairly simple as well. In its basic form, chkrootkit reports each check it makes. Adding the -q option to the command gives you a lot less output. It should give you next to nothing if your machine is clean.
I use cron to run chkrootkit on a daily basis. As you can see, I've piped chkrootkit -q's output through grep, which is configured to filter out any blank lines. This way, I'm only mailed if chkrootkit actually finds something (before that, I'd get e-mails with a couple of blank lines in them).
# have cron run chkrootkit at 2am (minute 0, hour 2). Email me only if there's relevant output:
# grep lets through only lines containing a non-blank character, so a clean run produces no mail.
0 2 * * * /usr/local/sbin/chkrootkit -q | grep '[^ ].'
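As an added example (my own script, not part of the tutorials above or of either tool), here is a small wrapper that runs both portaudit and chkrootkit from one cron job and prints only when a check finds something, so root gets mail only on a real finding. The tool paths, the script name seccheck.sh and the "Affected package:" line it parses (taken from the mail excerpt above) are assumptions; check them against your own install.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper around the two
# checks above that prints only on findings, so root is mailed only then.
# Tool paths are assumptions (ports default under /usr/local).
PORTAUDIT=${PORTAUDIT:-/usr/local/sbin/portaudit}
CHKROOTKIT=${CHKROOTKIT:-/usr/local/sbin/chkrootkit}
# Drop empty and whitespace-only lines (unlike grep '[^ ].' in the post's
# crontab, this also keeps a line consisting of a single character).
strip_blank() {
    grep -v '^[[:space:]]*$' || true
}

# Print the package names from a portaudit report on stdin, one per line.
# The "Affected package:" wording is from the mail excerpt above.
affected_packages() {
    sed -n 's/^Affected package: //p'
}

# Saved portaudit report: return 0 if clean, 1 plus a message otherwise.
portaudit_status() {
    pkgs=$(affected_packages <"$1")
    [ -z "$pkgs" ] && return 0
    printf 'portaudit: vulnerable ports installed:\n%s\n' "$pkgs"
    return 1
}

# Saved "chkrootkit -q" report: -q prints findings only, so any non-blank
# line means return 1 and show it; an empty report returns 0.
chkrootkit_status() {
    findings=$(strip_blank <"$1")
    [ -z "$findings" ] && return 0
    printf 'chkrootkit: suspicious output:\n%s\n' "$findings"
    return 1
}

# Cron entry point: run both tools, report only problems, exit 1 on any.
run_checks() {
    pa=$(mktemp "${TMPDIR:-/tmp}/portaudit.XXXXXX") || return 1
    ck=$(mktemp "${TMPDIR:-/tmp}/chkrootkit.XXXXXX") || return 1
    "$PORTAUDIT" >"$pa" 2>&1 || true      # exit status ignored; output is inspected
    "$CHKROOTKIT" -q >"$ck" 2>&1 || true
    rc=0
    portaudit_status "$pa" || rc=1
    chkrootkit_status "$ck" || rc=1
    rm -f "$pa" "$ck"
    return $rc
}
# crontab line, e.g.: 0 2 * * * /usr/local/sbin/seccheck.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```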
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.