-
Notifications
You must be signed in to change notification settings - Fork 5
/
settings.ini
74 lines (60 loc) · 2.26 KB
/
settings.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
##########################################
# Settings file for harden-freebsd.py
#
# No section can be entirely commented out
# No section can be completely empty
# Harmless to re-run same settings
#
# Settings can be changed as many
# times as needed; re-run script.
#
##########################################
[STARTUP]
kern_securelevel_enable = "YES"
microcode_update_enable = "YES"
sendmail_enable = "NONE"
sendmail_outbound_enable = "NO"
sendmail_submit_enable = "NO"
sendmail_msp_queue_enable = "NO"
syslogd_flags = "-ss"
clear_tmp_enable = "YES"
icmp_drop_redirect = "YES"
inetd_enable = "NO"
portmap_enable = "NO"
update_motd = "NO"
pf_enable="YES"
pflog_enable="YES"
[SYSTEM]
kern.securelevel = 1
security.bsd.see_other_uids = 0
security.bsd.see_other_gids = 0
security.bsd.see_jail_proc = 0
security.bsd.unprivileged_read_msgbuf = 0
kern.randompid = 107
net.inet.ip.random_id = 1
net.inet.ip.redirect = 0
net.inet.tcp.always_keepalive = 0
net.inet.tcp.blackhole = 2
net.inet.udp.blackhole = 1
net.inet.tcp.path_mtu_discovery = 0
net.inet.icmp.drop_redirect = 1
net.inet6.icmp6.rediraccept = 0
net.inet.tcp.drop_synfin = 1
hw.mds_disable = 3
hw.spec_store_bypass_disable = 1
kern.elf64.allow_wx = 0
[KERNEL]
security.bsd.allow_destructive_dtrace = "0"
hw.ibrs_disable = "1"
[FILESEC]
lockout_other_group = chmod o= /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf /etc/syslog.conf /etc/ttys /etc/crontab /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch /var/log
lockdown_root = chmod 710 /root
[USERSEC]
set_cron_root_only = echo "root" | tee /var/cron/allow /var/at/at.allow > /dev/null
enable_harden_umask = sed -i .original3 's/umask=022/umask=027/g' /etc/login.conf
enable_blowfish_passwords = sed -i .original 's/passwd_format=sha512/passwd_format=blf/g' /etc/login.conf
enable_password_reset = sed -i .original 's/^default.*/& \n\t:passwordtime=120d:\\/' /etc/login.conf
reset_login = cap_mkdb /etc/login.conf
pkg_security_check = pkg audit -Fr > pkg-audit-report
[SCRIPT]
first_run = True