# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2025-11-08 16:17+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/handbook/security/_index.adoc:1 #, no-wrap msgid "Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must" msgstr "" #. type: YAML Front Matter: part #: documentation/content/en/books/handbook/security/_index.adoc:1 #, no-wrap msgid "Part III. System Administration" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/handbook/security/_index.adoc:1 #, no-wrap msgid "Chapter 16. Security" msgstr "" #. type: Title = #: documentation/content/en/books/handbook/security/_index.adoc:15 #, no-wrap msgid "Security" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:53 #, no-wrap msgid "Synopsis" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:56 msgid "" "Hundreds of standard practices have been authored about how to secure " "systems and networks, and as a user of FreeBSD, understanding how to protect " "against attacks and intruders is a must." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:59 msgid "" "In this chapter, several fundamentals and techniques will be discussed. 
The " "FreeBSD system comes with multiple layers of security, and many more third " "party utilities may be added to enhance security." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:61 msgid "This chapter covers:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:63 msgid "Basic FreeBSD system security concepts." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:64 msgid "The various crypt mechanisms available in FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:65 msgid "How to configure TCP Wrappers for use with man:inetd[8]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:66 msgid "How to set up Kerberos on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:67 msgid "How to configure and use OpenSSH on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:68 msgid "How to use OpenSSL on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:69 msgid "How to use file system ACLs." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:70 msgid "" "How to use pkg to audit third party software packages installed from the " "Ports Collection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:71 msgid "How to utilize FreeBSD security advisories." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:72 msgid "What Process Accounting is and how to enable it on FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:73 msgid "" "How to control user resources using login classes or the resource limits " "database." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:74 msgid "What is Capsicum and a basic example." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:76 msgid "" "Certain topics due to their complexity are found in dedicated chapters such " "as crossref:firewalls[firewalls,Firewalls], crossref:mac[mac,Mandatory " "Access Control] and articles like extref:{vpn-ipsec}[VPN over IPsec]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:78 #, no-wrap msgid "Introduction" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:83 msgid "" "Security is everyone's responsibility. A weak entry point in any system " "could allow intruders to gain access to critical information and cause havoc " "on an entire network. One of the core principles of information security is " "the CIA triad, which stands for the Confidentiality, Integrity, and " "Availability of information systems." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:86 msgid "" "The CIA triad is a bedrock concept of computer security as customers and " "users expect their data to be protected. For example, a customer expects " "that their credit card information is securely stored (confidentiality), " "that their orders are not changed behind the scenes (integrity), and that " "they have access to their order information at all times (availability)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:92 msgid "" "To provide CIA, security professionals apply a defense in depth strategy. " "The idea of defense in depth is to add several layers of security to prevent " "one single layer failing and the entire security system collapsing. For " "example, a system administrator cannot simply turn on a firewall and " "consider the network or system secure. 
One must also audit accounts, check " "the integrity of binaries, and ensure malicious tools are not installed. To " "implement an effective security strategy, one must understand threats and " "how to defend against them." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:95 msgid "" "What is a threat as it pertains to computer security? Threats are not " "limited to remote attackers who attempt to access a system without " "permission from a remote location. Threats also include employees, " "malicious software, unauthorized network devices, natural disasters, " "security vulnerabilities, and even competing corporations." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:99 msgid "" "Systems and networks can be accessed without permission, sometimes by " "accident, or by remote attackers, and in some cases, via corporate espionage " "or former employees. As a user, it is important to prepare for and admit " "when a mistake has led to a security breach and report possible issues to " "the security team. As an administrator, it is important to know of the " "threats and be prepared to mitigate them." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:105 msgid "" "When applying security to systems, it is recommended to start by securing " "the basic accounts and system configuration, and then to secure the network " "layer so that it adheres to the system policy and the organization's " "security procedures. Many organizations already have a security policy that " "covers the configuration of technology devices. The policy should include " "the security configuration of workstations, desktops, mobile devices, " "phones, production servers, and development servers. In many cases, " "standard operating procedures (SOPs) already exist. When in doubt, ask the " "security team." msgstr "" #. 
type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:107 #, no-wrap msgid "Securing Accounts" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:110 msgid "" "Maintaining secure accounts in FreeBSD is crucial for data confidentiality, " "system integrity, and privilege separation, as it prevents unauthorized " "access, malware, and data breaches while ensuring compliance and protecting " "an organization's reputation." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:112 #, no-wrap msgid "Preventing Logins" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:116 msgid "" "In securing a system, a good starting point is an audit of accounts. " "Disable any accounts that do not need login access." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:120 msgid "" "Ensure that `root` has a strong password and that this password is not " "shared." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:123 msgid "To deny login access to accounts, two methods exist." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:125 msgid "" "The first is to lock the account, this example shows how to lock the `imani` " "account:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:129 #, no-wrap msgid "# pw lock imani\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:133 msgid "" "The second method is to prevent login access by changing the shell to " "[.filename]#/usr/sbin/nologin#. The man:nologin[8] shell prevents the " "system from assigning a shell to the user when they attempt to login." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:135 msgid "Only the superuser can change the shell for other users:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:139 #, no-wrap msgid "# chsh -s /usr/sbin/nologin imani\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:142 #, no-wrap msgid "Password Hashes" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:147 msgid "" "Passwords are a necessary evil of technology. When they must be used, they " "should be complex and a powerful hash mechanism should be used to encrypt " "the version that is stored in the password database. FreeBSD supports " "several algorithms, including SHA256, SHA512 and Blowfish hash algorithms in " "its `crypt()` library, see man:crypt[3] for details." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:149 msgid "" "The default of SHA512 should not be changed to a less secure hashing " "algorithm, but can be changed to the more secure Blowfish algorithm." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:154 msgid "" "Blowfish is not part of AES and is not considered compliant with any Federal " "Information Processing Standards (FIPS). Its use may not be permitted in " "some environments." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:158 msgid "" "To determine which hash algorithm is used to encrypt a user's password, the " "superuser can view the hash for the user in the FreeBSD password database. " "Each hash starts with a symbol which indicates the type of hash mechanism " "used to encrypt the password." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:165 msgid "" "If DES is used, there is no beginning symbol. 
For MD5, the symbol is `$`. " "For SHA256 and SHA512, the symbol is `$6$`. For Blowfish, the symbol is " "`$2a$`. In this example, the password for `imani` is hashed using the " "default SHA512 algorithm as the hash starts with `$6$`. Note that the " "encrypted hash, not the password itself, is stored in the password database:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:169 #, no-wrap msgid "# grep imani /etc/master.passwd\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:172 #: documentation/content/en/books/handbook/security/_index.adoc:188 #: documentation/content/en/books/handbook/security/_index.adoc:239 #: documentation/content/en/books/handbook/security/_index.adoc:447 #: documentation/content/en/books/handbook/security/_index.adoc:539 #: documentation/content/en/books/handbook/security/_index.adoc:702 #: documentation/content/en/books/handbook/security/_index.adoc:732 #: documentation/content/en/books/handbook/security/_index.adoc:766 #: documentation/content/en/books/handbook/security/_index.adoc:994 #: documentation/content/en/books/handbook/security/_index.adoc:1036 #: documentation/content/en/books/handbook/security/_index.adoc:1081 #: documentation/content/en/books/handbook/security/_index.adoc:1101 #: documentation/content/en/books/handbook/security/_index.adoc:1153 #: documentation/content/en/books/handbook/security/_index.adoc:1279 #: documentation/content/en/books/handbook/security/_index.adoc:1308 #: documentation/content/en/books/handbook/security/_index.adoc:1336 #: documentation/content/en/books/handbook/security/_index.adoc:1350 #: documentation/content/en/books/handbook/security/_index.adoc:1395 #: documentation/content/en/books/handbook/security/_index.adoc:1417 #: documentation/content/en/books/handbook/security/_index.adoc:1932 #: documentation/content/en/books/handbook/security/_index.adoc:1970 msgid "The output should be similar to 
the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:176 #, no-wrap msgid "imani:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:imani:/usr/home/imani:/bin/sh\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:179 msgid "The hash mechanism is set in the user's login class." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:181 msgid "" "The following command can be run to check which hash mechanism is currently " "being used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:185 #, no-wrap msgid "% grep passwd_format /etc/login.conf\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:192 #, no-wrap msgid ":passwd_format=sha512:\\\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:195 msgid "" "For example, to change the algorithm to Blowfish, modify that line to look " "like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:199 #, no-wrap msgid ":passwd_format=blf:\\\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:202 msgid "" "Then, man:cap_mkdb[1] must be executed to upgrade the login.conf database:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:206 #: documentation/content/en/books/handbook/security/_index.adoc:273 #: documentation/content/en/books/handbook/security/_index.adoc:1850 #, no-wrap msgid "# cap_mkdb /etc/login.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:210 msgid "" "Note that this change will not affect any existing password hashes. 
This " "means that all passwords should be re-hashed by asking users to run `passwd` " "in order to change their password." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:212 #, no-wrap msgid "Password Policy Enforcement" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:216 msgid "" "Enforcing a strong password policy for local accounts is a fundamental " "aspect of system security. In FreeBSD, password length, password strength, " "and password complexity can be implemented using built-in Pluggable " "Authentication Modules (PAM)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:219 msgid "" "This section demonstrates how to configure the minimum and maximum password " "length and the enforcement of mixed characters using the man:pam_passwdqc[8] " "module. This module is enforced when a user changes their password." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:221 msgid "" "To configure this module, become the superuser and uncomment the line " "containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:223 msgid "Then, edit that line to match the password policy:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:227 #, no-wrap msgid "password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:230 msgid "The explanation of the parameters can be found in man:pam_passwdqc[8]." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:232 msgid "" "Once this file is saved, a user changing their password will see a message " "similar to the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:236 #, no-wrap msgid "% passwd\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:244 #, no-wrap msgid "" "Changing local password for user\n" "Old Password:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:255 #, no-wrap msgid "" "You can now choose the new password.\n" "A valid password should be a mix of upper and lower case letters,\n" "digits and other characters. You can use a 12 character long\n" "password with characters from at least 3 of these 4 classes, or\n" "a 10 character long password containing characters from all the\n" "classes. Characters that form a common pattern are discarded by\n" "the check.\n" "Alternatively, if no one else can see your terminal now, you can\n" "pick this as your password: \"trait-useful&knob\".\n" "Enter new password:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:258 msgid "" "If a password that does not match the policy is entered, it will be rejected " "with a warning and the user will have an opportunity to try again, up to the " "configured number of retries." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:260 msgid "" "If the organization's policy requires passwords to expire, FreeBSD supports " "the `passwordtime` in the user's login class in [.filename]#/etc/login.conf#" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:262 msgid "The `default` login class contains an example:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:266 #, no-wrap msgid "# :passwordtime=90d:\\\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:269 msgid "" "So, to set an expiry of 90 days for this login class, remove the comment " "symbol (#), save the edit, and execute the following command:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:276 msgid "" "To set the expiration on individual users, pass an expiration date or the " "number of days to expiry and a username to `pw`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:280 #, no-wrap msgid "# pw usermod -p 30-apr-2025 -n user\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:284 msgid "" "As seen here, an expiration date is set in the form of day, month, and " "year. For more information, see man:pw[8]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:286 #, no-wrap msgid "Shared Administration with sudo" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:292 msgid "" "System administrators often need the ability to grant enhanced permissions " "to users so they may perform privileged tasks. The idea that team members " "are provided access to a FreeBSD system to perform their specific tasks " "opens up unique challenges to every administrator. These team members only " "need a subset of access beyond normal end user levels; however, they almost " "always tell management they are unable to perform their tasks without " "superuser access. Thankfully, there is no reason to provide such access to " "end users because tools exist to manage this exact requirement." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:296 msgid "Even administrators should limit their privileges when not needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:304 msgid "" "Up to this point, the security chapter has covered permitting access to " "authorized users and attempting to prevent unauthorized access. Another " "problem arises once authorized users have access to the system resources. " "In many cases, some users may need access to application startup scripts, or " "a team of administrators need to maintain the system. Traditionally, the " "standard users and groups, file permissions, and even the man:su[1] command " "would manage this access. And as applications required more access, as more " "users needed to use system resources, a better solution was required. The " "most used application is currently Sudo." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:307 msgid "" "Sudo allows administrators to configure more rigid access to system commands " "and provide for some advanced logging features. As a tool, it is available " "from the Ports Collection as package:security/sudo[] or by use of the " "man:pkg[8] utility." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:309 #: documentation/content/en/books/handbook/security/_index.adoc:389 msgid "Execute the following command to install it:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:313 #, no-wrap msgid "# pkg install sudo\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:317 msgid "" "After the installation is complete, the installed `visudo` will open the " "configuration file with a text editor. 
Using `visudo` is highly recommended " "as it comes with a built in syntax checker to verify there are no errors " "before the file is saved." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:321 msgid "" "The configuration file is made up of several small sections which allow for " "extensive configuration. In the following example, web application " "maintainer, user1, needs to start, stop, and restart the web application " "known as _webservice_. To grant this user permission to perform these " "tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:325 #, no-wrap msgid "user1 ALL=(ALL) /usr/sbin/service webservice *\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:328 msgid "The user may now start _webservice_ using this command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:332 #, no-wrap msgid "% sudo /usr/sbin/service webservice start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:338 msgid "" "While this configuration allows a single user access to the webservice " "service; however, in most organizations, there is an entire web team in " "charge of managing the service. A single line can also give access to an " "entire group. These steps will create a web group, add a user to this " "group, and allow all members of the group to manage the service:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:342 #, no-wrap msgid "# pw groupadd -g 6001 -n webteam\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:345 msgid "" "Using the same man:pw[8] command, the user is added to the webteam group:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:349 #, no-wrap msgid "# pw groupmod -m user1 -n webteam\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:352 msgid "" "Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member " "of the webteam group to manage _webservice_:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:356 #, no-wrap msgid "%webteam ALL=(ALL) /usr/sbin/service webservice *\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:360 msgid "" "Unlike man:su[1], man:sudo[8] only requires the end user password. This " "avoids sharing passwords, which is a poor practice." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:364 msgid "" "Users permitted to run applications with man:sudo[8] only enter their own " "passwords. This is more secure and gives better control than man:su[1], " "where the `root` password is entered and the user acquires all `root` " "permissions." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:369 msgid "" "Most organizations are moving or have moved toward a two factor " "authentication model. In these cases, the user may not have a password to " "enter." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:372 msgid "" "man:sudo[8] can be configured to permit two factor authentication model by " "using the `NOPASSWD` variable. Adding it to the configuration above will " "allow all members of the _webteam_ group to manage the service without the " "password requirement:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:376 #, no-wrap msgid "%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *\n" msgstr "" #. 
type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:380 #, no-wrap msgid "Shared Administration with Doas" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:384 msgid "" "man:doas[1] is a command-line utility ported from OpenBSD. It serves as an " "alternative to the widely used man:sudo[8] command in Unix-like systems." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:387 msgid "" "With doas, users can execute commands with elevated privileges, typically as " "the root user, while maintaining a simplified and security-conscious " "approach. Unlike man:sudo[8], doas emphasizes simplicity and minimalism, " "focusing on streamlined privilege delegation without an overwhelming array " "of configuration options." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:393 #, no-wrap msgid "# pkg install doas\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:396 msgid "" "After the installation [.filename]#/usr/local/etc/doas.conf# must be " "configured to grant access for users for specific commands, or roles." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:398 msgid "" "The simplest entry could be the following, which grants the user " "`local_user` with `root` permissions without asking for its password when " "executing the doas command." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:402 #, no-wrap msgid "permit nopass local_user as root\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:405 msgid "" "After the installation and configuration of the `doas` utility, a command " "can now be executed with enhanced privileges, for example:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:409 #, no-wrap msgid "$ doas vi /etc/rc.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:412 msgid "For more configuration examples, please read man:doas.conf[5]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:414 #, no-wrap msgid "Intrusion Detection System (IDS)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:418 msgid "" "Verification of system files and binaries is important because it provides " "the system administration and security teams information about system " "changes. A software application that monitors the system for changes is " "called an Intrusion Detection System (IDS)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:422 msgid "" "FreeBSD provides native support for a basic IDS system called man:mtree[8]. " "While the nightly security emails will notify an administrator of changes, " "the information is stored locally and there is a chance that a malicious " "user could modify this information in order to hide their changes to the " "system. As such, it is recommended to create a separate set of binary " "signatures and store them on a read-only, root-owned directory or, " "preferably, on a removable USB disk or remote server." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:424 msgid "It is also recommended to run `freebsd-update IDS` after each update." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:426 #, no-wrap msgid "Generating the Specification File" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:432 msgid "" "The built-in man:mtree[8] utility can be used to generate a specification of " "the contents of a directory. 
A seed, or a numeric constant, is used to " "generate the specification and is required to check that the specification " "has not changed. This makes it possible to determine if a file or binary " "has been modified. Since the seed value is unknown by an attacker, faking " "or checking the checksum values of files will be difficult to impossible." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:437 msgid "" "It is recommended to create specifications for the directories which contain " "binaries and configuration files, as well as any directories containing " "sensitive data. Typically, specifications are created for [.filename]#/" "bin#, [.filename]#/sbin#, [.filename]#/usr/bin#, [.filename]#/usr/sbin#, " "[.filename]#/usr/local/bin#, [.filename]#/etc#, and [.filename]#/usr/local/" "etc#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:440 msgid "" "The following example generates a set of `sha512` hashes, one for each " "system binary in [.filename]#/bin#, and saves those values to a hidden file " "in user's home directory, [.filename]#/home/user/.bin_chksum_mtree#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:444 #, no-wrap msgid "# mtree -s 123456789 -c -K cksum,sha512 -p /bin > /home/user/.bin_chksum_mtree\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:451 #, no-wrap msgid "mtree: /bin checksum: 3427012225\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:457 msgid "" "The `123456789` value represents the seed, and should be chosen randomly. " "This value should be remembered, *but not shared*." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:459 msgid "" "It is important to keep the seed value and the checksum output hidden from " "malicious users." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:462 #, no-wrap msgid "The Specification File Structure" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:466 msgid "" "The mtree format is a textual format that describes a collection of " "filesystem objects. Such files are typically used to create or verify " "directory hierarchies." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:468 msgid "" "An mtree file consists of a series of lines, each providing information " "about a single filesystem object. Leading whitespace is always ignored." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:470 msgid "" "The specification file created above will be used to explain the format and " "content:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:477 #, no-wrap msgid "" "# user: root <.>\n" "# machine: machinename <.>\n" "# tree: /bin <.>\n" "# date: Thu Aug 24 21:58:37 2023 <.>\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:492 #, no-wrap msgid "" "# .\n" "/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=uarch <.>\n" ". 
type=dir mode=0755 nlink=2 time=1681388848.239523000 <.>\n" " \\133 nlink=2 size=12520 time=1685991378.688509000 \\\n" " cksum=520880818 \\\n" " sha512=5c1374ce0e2ba1b3bc5a41b23f4bbdc1ec89ae82fa01237f376a5eeef41822e68f1d8f75ec46b7bceb65396c122a9d837d692740fdebdcc376a05275adbd3471\n" " cat size=14600 time=1685991378.694601000 cksum=3672531848 \\ <.>\n" " sha512=b30b96d155fdc4795432b523989a6581d71cdf69ba5f0ccb45d9b9e354b55a665899b16aee21982fffe20c4680d11da4e3ed9611232a775c69f926e5385d53a2\n" " chflags size=8920 time=1685991378.700385000 cksum=1629328991 \\\n" " sha512=289a088cbbcbeb436dd9c1f74521a89b66643976abda696b99b9cc1fbfe8b76107c5b54d4a6a9b65332386ada73fc1bbb10e43c4e3065fa2161e7be269eaf86a\n" " chio size=20720 time=1685991378.706095000 cksum=1948751604 \\\n" " sha512=46f58277ff16c3495ea51e74129c73617f31351e250315c2b878a88708c2b8a7bb060e2dc8ff92f606450dbc7dd2816da4853e465ec61ee411723e8bf52709ee\n" " chmod size=9616 time=1685991378.712546000 cksum=4244658911 \\\n" " sha512=1769313ce08cba84ecdc2b9c07ef86d2b70a4206420dd71343867be7ab59659956f6f5a458c64e2531a1c736277a8e419c633a31a8d3c7ccc43e99dd4d71d630\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:495 msgid "User who created the specification." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:496 msgid "Machine's hostname." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:497 msgid "Directory path." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:498 msgid "The date and time when the specification was created." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:499 msgid "" "The `/set` special command defines settings, obtained from the files " "analyzed, that are shared by the entries that follow it." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:500 msgid "" "Refers to the parsed directory and shows its type, its mode, the number of " "hard links, and its modification time as a UNIX timestamp." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:501 msgid "" "Refers to the file and shows its size, its modification time, and the list " "of hashes used to verify its integrity." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:503 #, no-wrap msgid "Verify the Specification File" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:506 msgid "" "To verify that the binary signatures have not changed, compare the current " "contents of the directory to the previously generated specification, and " "save the results to a file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:508 msgid "" "This command requires the seed that was used to generate the original " "specification:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:512 #: documentation/content/en/books/handbook/security/_index.adoc:529 #, no-wrap msgid "# mtree -s 123456789 -p /bin < /home/user/.bin_chksum_mtree >> /home/user/.bin_chksum_output\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:516 msgid "" "This should produce the same checksum for [.filename]#/bin# that was " "produced when the specification was created. If no changes have occurred to " "the binaries in this directory, the [.filename]#/home/" "user/.bin_chksum_output# output file will be empty." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:518 msgid "" "To simulate a change, update the modification time of [.filename]#/bin/cat# " "using man:touch[1]:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:522 #, no-wrap msgid "# touch /bin/cat\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:525 msgid "Run the verification command again:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:532 msgid "And then check the content of the output file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:536 #, no-wrap msgid "# cat /home/user/.bin_chksum_output\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:543 #, no-wrap msgid "cat: modification time (Fri Aug 25 13:30:17 2023, Fri Aug 25 13:34:20 2023)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:549 msgid "" "This is only an example of the output produced by the command; it shows how " "a change in the metadata is reported." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:552 #, no-wrap msgid "Secure levels" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:556 msgid "" "securelevel is a security mechanism implemented in the kernel. When the " "securelevel is positive, the kernel restricts certain tasks; not even the " "superuser (root) is allowed to do them." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:558 msgid "The securelevel mechanism limits the ability to:" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:560 msgid "Unset certain file flags, such as `schg` (the system immutable flag)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:561 msgid "" "Write to kernel memory via [.filename]#/dev/mem# and [.filename]#/dev/kmem#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:562 msgid "Load kernel modules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:563 msgid "Alter firewall rules." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:565 #, no-wrap msgid "Secure Levels Definitions" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:569 msgid "" "The kernel runs with five different security levels. Any super-user process " "can raise the level, but no process can lower it." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:571 msgid "The security definitions are:" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:572 #, no-wrap msgid "-1" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:575 #, no-wrap msgid "" "*Permanently insecure mode* - always run the system in insecure mode.\n" "This is the default initial value.\n" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:576 #, no-wrap msgid "0" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:579 #, no-wrap msgid "" "*Insecure mode* - immutable and append-only flags may be turned off.\n" "All devices may be read or written subject to their permissions.\n" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:580 #, no-wrap msgid "1" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:586 #, no-wrap msgid "" "*Secure mode* - the system immutable and system append-only flags may not be turned off;\n" "disks for mounted file systems, [.filename]#/dev/mem# and [.filename]#/dev/kmem# may not be opened for writing;\n" "[.filename]#/dev/io# (if the platform has it) may not be opened at all; kernel modules (see man:kld[4]) may not be loaded or unloaded.\n" "The kernel debugger may not be entered using the debug.kdb.enter sysctl.\n" "A panic or trap cannot be forced using the debug.kdb.panic, debug.kdb.panic_str and other sysctls.\n" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:587 #, no-wrap msgid "2" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:590 #, no-wrap msgid "" "*Highly secure mode* - same as secure mode, plus disks may not be opened for writing (except by man:mount[2]) whether mounted or not.\n" "This level precludes tampering with file systems by unmounting them, but also inhibits running man:newfs[8] while the system is multiuser.\n" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:591 #, no-wrap msgid "3" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:593 #, no-wrap msgid "*Network secure mode* - same as highly secure mode, plus IP packet filter rules (see man:ipfw[8], man:ipfirewall[4] and man:pfctl[8]) cannot be changed and man:dummynet[4] or man:pf[4] configuration cannot be adjusted.\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:598 msgid "" "In summary, the key difference between `Permanently Insecure Mode` and " "`Insecure Mode` in FreeBSD secure levels is the degree of security they " "provide. 
`Permanently Insecure Mode` completely lifts all security " "restrictions, while `Insecure Mode` relaxes some restrictions but still " "maintains a level of control and security." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:601 #, no-wrap msgid "Modify Secure Levels" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:604 msgid "" "In order to change the securelevel of the system it is necessary to activate " "`kern_securelevel_enable` by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:608 #, no-wrap msgid "# sysrc kern_securelevel_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:611 msgid "And set the value of `kern_securelevel` to the desired security level:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:615 #, no-wrap msgid "# sysrc kern_securelevel=2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:618 msgid "" "To check the status of the securelevel on a running system execute the " "following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:622 #, no-wrap msgid "# sysctl -n kern.securelevel\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:626 msgid "" "The output contains the current value of the securelevel. If it is greater " "than 0, at least some of the securelevel's protections are enabled." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:628 #, no-wrap msgid "File flags" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:632 msgid "" "File flags allow users to attach additional metadata or attributes to files " "and directories beyond basic permissions and ownership. These flags provide " "a way to control various behaviors and properties of files without needing " "to resort to creating special directories or using extended attributes." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:635 msgid "" "File flags can be used to achieve different goals, such as preventing file " "deletion, making files append-only, synchronizing file updates, and more. " "Some commonly used file flags in FreeBSD include the \"immutable\" flag, " "which prevents modification or deletion of a file, and the \"append-only\" " "flag, which allows only data to be added to the end of a file but not " "modified or removed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:639 msgid "" "These flags can be managed using the man:chflags[1] command in FreeBSD, " "providing administrators and users with greater control over the behavior " "and characteristics of their files and directories. It is important to note " "that file flags are typically managed by root or users with appropriate " "privileges, as they can influence how files are accessed and manipulated. " "Some flags are available for the use of the file's owner, as described in " "man:chflags[1]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:641 #, no-wrap msgid "Work with File Flags" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:644 msgid "" "In this example, a file named [.filename]#~/important.txt# in the user's home " "directory is to be protected against deletion." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:646 msgid "Execute the following command to set the `schg` file flag:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:650 #, no-wrap msgid "# chflags schg ~/important.txt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:653 msgid "" "When any user, including the `root` user, tries to delete the file, the " "system will display the message:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:657 #, no-wrap msgid "rm: important.txt: Operation not permitted\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:660 msgid "" "To delete the file, it is first necessary to clear the file flag by " "executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:664 #, no-wrap msgid "# chflags noschg ~/important.txt\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:667 msgid "" "A list of supported file flags and their functionality can be found in " "man:chflags[1]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:669 #, no-wrap msgid "OpenSSH" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:674 msgid "" "OpenSSH is a set of network connectivity tools used to provide secure access " "to remote machines. Additionally, TCP/IP connections can be tunneled or " "forwarded securely through SSH connections. OpenSSH encrypts all traffic to " "eliminate eavesdropping, connection hijacking, and other network-level " "attacks." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:676 msgid "" "OpenSSH is maintained by the OpenBSD project and is installed by default in " "FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:679 msgid "" "When data is sent over the network in an unencrypted form, network sniffers " "anywhere in between the client and server can steal user/password " "information or data transferred during the session. OpenSSH offers a " "variety of authentication and encryption methods to prevent this from " "happening." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:681 msgid "" "More information about OpenSSH is available in the link:https://" "www.openssh.com/[web page]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:684 msgid "" "This section provides an overview of the built-in client utilities to " "securely access other systems and securely transfer files from a FreeBSD " "system. It then describes how to configure an SSH server on a FreeBSD system." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:689 msgid "" "As stated, this chapter will cover the base system version of OpenSSH. A " "version of OpenSSH is also available in the package:security/openssh-" "portable[], which provides additional configuration options and is updated " "with new features more regularly." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:691 #, no-wrap msgid "Using the SSH Client Utilities" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:695 msgid "" "To log into an SSH server, use man:ssh[1] and specify a username that exists " "on that server and the IP address or hostname of the server. 
If this is the " "first time a connection has been made to the specified server, the user will " "be prompted to first verify the server's fingerprint:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:699 #, no-wrap msgid "# ssh user@example.com\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:710 #, no-wrap msgid "" "The authenticity of host 'example.com (10.0.0.1)' can't be established.\n" "ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.\n" "Are you sure you want to continue connecting (yes/no)? yes\n" "Permanently added 'example.com' (ECDSA) to the list of known hosts.\n" "Password for user@example.com: user_password\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:716 msgid "" "SSH utilizes a key fingerprint system to verify the authenticity of the " "server when the client connects. When the user accepts the key's " "fingerprint by typing `yes` when connecting for the first time, a copy of " "the key is saved to [.filename]#~/.ssh/known_hosts# in the user's home " "directory. Future attempts to log in are verified against the saved key and " "man:ssh[1] will display an alert if the server's key does not match the " "saved key. If this occurs, the user should first verify why the key has " "changed before continuing with the connection." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:720 msgid "How to perform this check is outside the scope of this chapter." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:723 msgid "Use man:scp[1] to securely copy a file to or from a remote machine." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:725 msgid "" "This example copies `COPYRIGHT` on the remote system to a file of the same " "name in the current directory of the local system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:729 #, no-wrap msgid "# scp user@example.com:/COPYRIGHT COPYRIGHT\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:737 #, no-wrap msgid "" "Password for user@example.com: *******\n" "COPYRIGHT 100% |*****************************| 4735\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:740 msgid "" "Since the fingerprint was already verified for this host, the server's key " "is automatically checked before prompting for the user's password." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:745 msgid "" "The arguments passed to man:scp[1] are similar to man:cp[1]. The file or " "files to copy are the first argument and the destination to copy to is the " "second. Since the file is fetched over the network, one or more of the file " "arguments takes the form `user@host:`. Be aware when " "copying directories recursively that man:scp[1] uses `-r`, whereas man:cp[1] " "uses `-R`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:747 msgid "To open an interactive session for copying files, use man:sftp[1]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:749 msgid "" "Refer to man:sftp[1] for a list of available commands while in an " "man:sftp[1] session." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:751 #, no-wrap msgid "Key-based Authentication" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:755 msgid "" "Instead of using passwords, a client can be configured to connect to the " "remote machine using keys. For security reasons, this is the preferred " "method." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:759 msgid "" "man:ssh-keygen[1] can be used to generate the authentication keys. To " "generate a public and private key pair, specify the type of key and follow " "the prompts. It is recommended to protect the keys with a memorable, but " "hard to guess passphrase." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:763 #, no-wrap msgid "% ssh-keygen -t rsa -b 4096\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:790 #, no-wrap msgid "" "Generating public/private rsa key pair.\n" "Enter file in which to save the key (/home/user/.ssh/id_rsa):\n" "Created directory '/home/user/.ssh/.ssh'.\n" "Enter passphrase (empty for no passphrase):\n" "Enter same passphrase again:\n" "Your identification has been saved in /home/user/.ssh/id_rsa.\n" "Your public key has been saved in /home/user/.ssh/id_rsa.pub.\n" "The key fingerprint is:\n" "SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com\n" "The key's randomart image is:\n" "+---[RSA 2048]----+\n" "| |\n" "| |\n" "| |\n" "| . o.. |\n" "| .S*+*o |\n" "| . O=Oo . . |\n" "| = Oo= oo..|\n" "| .oB.* +.oo.|\n" "| =OE**.o..=|\n" "+----[SHA256]-----+\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:794 msgid "" "The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key " "is stored in [.filename]#~/.ssh/id_rsa.pub#. The _public_ key must be " "copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-" "based authentication to work." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:798 msgid "" "Protecting OpenSSH keys with a passphrase is an important security practice: " "it provides an extra layer of protection against unauthorized access." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:800 msgid "If the private key is lost or stolen, the passphrase adds another layer of security." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:803 #, no-wrap msgid "SSH Tunneling" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:806 msgid "" "OpenSSH has the ability to create a tunnel to encapsulate another protocol " "in an encrypted session." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:808 msgid "The following command tells man:ssh[1] to create a tunnel:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:812 #, no-wrap msgid "% ssh -D 8080 user@example.com\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:815 msgid "This example uses the following options:" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:816 #, no-wrap msgid "-D" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:818 msgid "Specifies a local \"dynamic\" application-level port forwarding." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/security/_index.adoc:819 #, no-wrap msgid "user@example.com" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:821 msgid "The login name to use on the specified remote SSH server." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:823 msgid "" "An SSH tunnel works by creating a listen socket on `localhost` on the " "specified local port (`8080` in this example)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:825 msgid "" "This method can be used to wrap any number of insecure TCP protocols such as " "SMTP, POP3, and FTP." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:826 #, no-wrap msgid "Enabling the SSH Server" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:829 msgid "" "In addition to providing built-in SSH client utilities, a FreeBSD system can " "be configured as an SSH server, accepting connections from other SSH clients." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:834 msgid "" "As stated, this chapter will cover the base system version of OpenSSH. " "Please do *not* confuse it with package:security/openssh-portable[], the " "version of OpenSSH that ships with the FreeBSD ports." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:837 msgid "" "In order to have the SSH server enabled across reboots execute the following " "command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:841 #, no-wrap msgid "# sysrc sshd_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:844 msgid "Then execute the following command to start the service:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:848 #, no-wrap msgid "# service sshd start\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:852 msgid "" "The first time sshd starts on a FreeBSD system, the system's host keys will " "be automatically created and the fingerprint will be displayed on the " "console. Provide users with the fingerprint so that they can verify it the " "first time they connect to the server." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:854 msgid "" "Refer to man:sshd[8] for the list of available options when starting sshd " "and a complete discussion about authentication, the login process, and the " "various configuration files." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:856 msgid "" "At this point, sshd should be available to all users with a username and " "password on the system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:858 #, no-wrap msgid "Configuring the Public Key Authentication Method" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:863 msgid "" "Configuring OpenSSH to use public key authentication enhances security by " "leveraging asymmetric cryptography for authentication. This method " "eliminates password-related risks, such as weak passwords or interception " "during transmission, while thwarting various password-based attacks. " "However, it's vital to ensure the private keys are well-protected to prevent " "unauthorized access." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:865 msgid "" "The first step is to configure man:sshd[8] to use the required " "authentication method." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:867 msgid "" "Edit [.filename]#/etc/ssh/sshd_config# and uncomment the following " "configuration:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:871 #, no-wrap msgid "PubkeyAuthentication yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:875 msgid "" "Once the configuration is done, the users will have to send the system " "administrator their *public key* and these keys will be added to " "[.filename]#.ssh/authorized_keys#. The process for generating the keys is " "described in crossref:security[security-ssh-keygen, Key-based " "Authentication]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:877 msgid "Then reload the server configuration by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:881 #: documentation/content/en/books/handbook/security/_index.adoc:952 #, no-wrap msgid "# service sshd reload\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:885 msgid "" "It is strongly recommended to follow the security improvements indicated in " "crossref:security[security-sshd-security-options, SSH Server Security " "Options]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:887 #, no-wrap msgid "SSH Server Security Options" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:890 msgid "" "While sshd is the most widely used remote administration facility for " "FreeBSD, brute-force and drive-by attacks are common to any system exposed " "to public networks." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:893 msgid "" "Several additional parameters are available to prevent the success of these " "attacks and will be described in this section. All configurations will be " "done in [.filename]#/etc/ssh/sshd_config#." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:899 msgid "" "Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/" "ssh_config# (note the extra `d` in the first filename). The first file " "configures the server and the second file configures the client. Refer to " "man:ssh_config[5] for a listing of the available client settings." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:903 msgid "" "By default, authentication can be done with both pubkey and password. To " "allow *only* pubkey authentication, *which is strongly recommended*, change " "the variable:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:907 #, no-wrap msgid "PasswordAuthentication no\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:911 msgid "" "It is a good idea to limit which users can log into the SSH server and from " "where using the `AllowUsers` keyword in the OpenSSH server configuration " "file. For example, to only allow `user` to log in from `192.168.1.32`, add " "this line to [.filename]#/etc/ssh/sshd_config#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:915 #, no-wrap msgid "AllowUsers user@192.168.1.32\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:918 msgid "" "To allow `user` to log in from anywhere, list that user without specifying " "an IP address:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:922 #, no-wrap msgid "AllowUsers user\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:925 msgid "Multiple users should be listed on the same line, like so:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:929 #, no-wrap msgid "AllowUsers root@192.168.1.32 user\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:932 msgid "" "After making all the changes, and before restarting the service, it is " "recommended to verify that the configuration made is correct by executing " "the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:936 #, no-wrap msgid "# sshd -t\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:940 msgid "" "If the configuration file is correct, no output will be shown. In case the " "configuration file is incorrect, it will show something like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:945 #, no-wrap msgid "" "/etc/ssh/sshd_config: line 3: Bad configuration option: sdadasdasdasads\n" "/etc/ssh/sshd_config: terminating, 1 bad configuration options\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:948 msgid "" "After making the changes and checking that the configuration file is " "correct, tell sshd to reload its configuration file by running:" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:955 #, no-wrap msgid "OpenSSL" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:958 msgid "" "OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer " "(SSL) and Transport Layer Security (TLS) network protocols and many " "cryptography routines." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:961 msgid "" "The openssl program is a command line tool for using the various " "cryptography functions of OpenSSL's crypto library from the shell. It can " "be used for" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:963 msgid "Creation and management of private keys, public keys and parameters" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:964 msgid "Public key cryptographic operations" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:965 msgid "Creation of X.509 certificates, CSRs and CRLs" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:966 msgid "Calculation of Message Digests" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:967 msgid "Encryption and Decryption with Ciphers" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:968 msgid "SSL/TLS Client and Server Tests" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:969 msgid "Handling of S/MIME signed or encrypted mail" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:970 msgid "Time Stamp requests, generation and verification" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:971 msgid "Benchmarking the crypto routines" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:973 msgid "" "For more information about OpenSSL, read the free https://www.feistyduck.com/" "books/openssl-cookbook/[OpenSSL Cookbook]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:975 #, no-wrap msgid "Generating Certificates" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:978 msgid "" "OpenSSL supports the generation of certificates both to be validated by a " "link:https://en.wikipedia.org/wiki/Certificate_authority[CA] and for own use." msgstr "" #. 
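
Both procedures in this section, the request for a CA to sign and the self-signed certificate, are shown together in the following script, which is an added example and not code from the Handbook or from OpenSSL. It adds the checks a practitioner wants before deploying the files: the request's self-signature and subject, the key file's permissions, the subject alternative name (which TLS clients use instead of the Common Name), and that the self-signed certificate verifies against itself. The subject fields, hostname and directory are assumptions; the Handbook's commands use `-sha3-512`, while this example uses `-sha256`, which every TLS implementation accepts.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook or OpenSSL): key and CSR for
# a CA, a self-signed certificate, secure permissions, and verification.
# The subject, hostname and paths are assumptions for the demonstration.
set -u

SUBJ_PREFIX="/C=ES/ST=Valencian Community/L=Valencia/O=My Company"

# gen_key_and_csr DIR CN: writes DIR/req.key (0600, unencrypted because of
# -nodes) and DIR/req.pem, the request to send to the CA.
gen_key_and_csr() {
    ( umask 077   # the key file is never world-readable, not even briefly
      openssl req -new -nodes -newkey rsa:4096 -sha256 \
          -subj "$SUBJ_PREFIX/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/req.key" -out "$1/req.pem" 2>/dev/null ) || return 1
    chmod 0600 "$1/req.key"
}

# gen_selfsigned DIR CN DAYS: writes DIR/cert.key (0600) and DIR/cert.crt
# (0644; a certificate is public data).  Drop -nodes to get a pass-phrase
# prompt, as in the Handbook's self-signed example.
gen_selfsigned() {
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$3" \
          -subj "$SUBJ_PREFIX/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/cert.key" -out "$1/cert.crt" 2>/dev/null ) || return 1
    chmod 0600 "$1/cert.key" && chmod 0644 "$1/cert.crt"
}

# csr_ok FILE: the CSR is self-signed with the requested key; a corrupt or
# mismatched request fails here before it is ever sent to a CA.
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# csr_cn FILE: the Common Name the CA will see (handles both the
# "CN = x" and the "/CN=x" subject output styles).
csr_cn() { openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# cert_san FILE: the DNS name(s) in subjectAltName, one per line.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *DNS:\(.*\)/\1/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# cert_selfsigned_ok FILE: a self-signed certificate must verify with
# itself as the only trust anchor.
cert_selfsigned_ok() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# file_mode FILE: octal permission bits on both GNU and BSD stat.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Usage: sh gencert.sh DIR CN   (for example: /etc/ssl localhost.example.org)
if [ $# -eq 2 ]; then
    gen_key_and_csr "$1" "$2" && csr_ok "$1/req.pem" &&
        echo "CSR for $(csr_cn "$1/req.pem") ready in $1/req.pem"
    gen_selfsigned "$1" "$2" 365 && cert_selfsigned_ok "$1/cert.crt" &&
        echo "self-signed cert for $(cert_san "$1/cert.crt"), key mode $(file_mode "$1/cert.key")"
fi
```

The `umask 077` subshell matters more than the later `chmod`: without it the key would exist world-readable for the instant between creation and the permission change, and on a multi-user host that instant is enough.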
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:985 msgid "" "Run man:openssl[1] with the following arguments to generate a private key and " "a certificate signing request (CSR) for a " "link:https://en.wikipedia.org/wiki/Certificate_authority[CA] to sign. This " "command will create two files in the current directory. The certificate " "request, [.filename]#req.pem#, can be sent to a " "link:https://en.wikipedia.org/wiki/Certificate_authority[CA], which will " "validate the entered credentials, sign the request, and return the signed " "certificate. The second file, [.filename]#cert.key#, is the private key for " "the certificate and should be stored in a secure location. If this falls into " "the hands of others, it can be used to impersonate the user or the server. " "Note that `-nodes` leaves the key unencrypted on disk, so file permissions " "are its only protection; omit it to have the key protected by a pass phrase, " "as in the self-signed example below." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:987 #: documentation/content/en/books/handbook/security/_index.adoc:1029 msgid "Execute the following command to generate the certificate:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:991 #, no-wrap msgid "# openssl req -new -nodes -out req.pem -keyout cert.key -sha3-512 -newkey rsa:4096\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1016 #, no-wrap msgid "" "Generating a RSA private key\n" "..................................................................................................................................+++++\n" "......................................+++++\n" "writing new private key to 'cert.key'\n" "-----\n" "You are about to be asked to enter information that will be incorporated\n" "into your certificate request.\n" "What you are about to enter is what is called a Distinguished Name or a DN.\n" "There are quite a few fields but you can leave some blank\n" "For some fields there will be a default value,\n" "If you enter '.', the field will be left blank.\n" "-----\n" "Country Name (2 letter code) [AU]:ES\n" "State or Province Name (full name) [Some-State]:Valencian Community\n" "Locality Name (eg, city) []:Valencia\n" "Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company\n" "Organizational Unit Name (eg, section) []:Systems Administrator\n" "Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org\n" "Email Address []:user@FreeBSD.org\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1021 #, no-wrap msgid "" "Please enter the following 'extra' attributes\n" "to be sent with your certificate request\n" "A challenge password []:123456789\n" "An optional company name []:Another name\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1027 msgid "" "Alternately, if a signature from a link:https://en.wikipedia.org/wiki/" "Certificate_authority[CA] is not required, a self-signed certificate can be " "created. This will create two new files in the current directory: a private " "key file [.filename]#cert.key#, and the certificate itself, " "[.filename]#cert.crt#. These should be placed in a directory, preferably " "under [.filename]#/etc/ssl/#, which is readable only by `root`. 
Permissions " "of `0600` are appropriate for the private key, with `0700` on the directory " "that holds it; the certificate itself contains no secrets and may be " "world-readable. Set them using `chmod`." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1033 #, no-wrap msgid "# openssl req -new -x509 -days 365 -sha3-512 -keyout /etc/ssl/private/cert.key -out /etc/ssl/certs/cert.crt\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1060 #, no-wrap msgid "" "Generating a RSA private key\n" "........................................+++++\n" "...........+++++\n" "writing new private key to '/etc/ssl/private/cert.key'\n" "Enter PEM pass phrase:\n" "Verifying - Enter PEM pass phrase:\n" "-----\n" "You are about to be asked to enter information that will be incorporated\n" "into your certificate request.\n" "What you are about to enter is what is called a Distinguished Name or a DN.\n" "There are quite a few fields but you can leave some blank\n" "For some fields there will be a default value,\n" "If you enter '.', the field will be left blank.\n" "-----\n" "Country Name (2 letter code) [AU]:ES\n" "State or Province Name (full name) [Some-State]:Valencian Community\n" "Locality Name (eg, city) []:Valencia\n" "Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company\n" "Organizational Unit Name (eg, section) []:Systems Administrator\n" "Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org\n" "Email Address []:user@FreeBSD.org\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1063 #, no-wrap msgid "Configuring the FIPS Provider" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1070 msgid "" "With the import of OpenSSL 3 into the base system (on FreeBSD 14 and later), " "its new concept of provider modules was introduced in the system. 
Besides " "the default provider module built into the library, the _legacy_ module " "implements the now optional deprecated cryptography algorithms, while the " "_fips_ module restricts the OpenSSL implementation to the cryptography " "algorithms present in the link:https://en.wikipedia.org/wiki/" "Federal_Information_Processing_Standards[FIPS] set of standards. This part " "of OpenSSL receives link:https://www.openssl.org/docs/fips.html[particular " "care], including a link:https://www.openssl.org/news/fips-cve.html[list of " "relevant security issues], and is subject to the link:https://github.com/" "openssl/openssl/blob/master/README-FIPS.md[FIPS 140 validation process] on a " "regular basis. The link:https://www.openssl.org/source/[list of FIPS " "validated versions] is also available. This allows users to ensure FIPS " "compliance in their use of OpenSSL." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1074 msgid "" "Importantly, the man:fips_module[7] is protected by an additional security " "measure, preventing its use without passing an integrity check. This check " "can be set up by the local system administrator, allowing every user of " "OpenSSL 3 to load this module. When not configured correctly, the FIPS " "module is expected to fail as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1078 #: documentation/content/en/books/handbook/security/_index.adoc:1150 #, no-wrap msgid "# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1090 #, no-wrap msgid "" "aes-128-cbc: unable to load provider fips\n" "Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n" "00206124D94D0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:crypto/openssl/providers/fips/self_test.c:275:\n" "00206124D94D0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:crypto/openssl/providers/fips/self_test.c:373:\n" "00206124D94D0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:crypto/openssl/providers/fips/fipsprov.c:707:\n" "00206124D94D0000:error:078C0105:common libcrypto routines:provider_init:init fail:crypto/openssl/crypto/provider_core.c:932:name=fips\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1094 msgid "" "The check is configured by creating the file [.filename]#/" "etc/ssl/fipsmodule.cnf#, which is then referenced from OpenSSL's main " "configuration file [.filename]#/etc/ssl/openssl.cnf#. The file records the " "integrity checksum of the installed module and the result of its self-tests. " "OpenSSL provides the man:openssl-fipsinstall[1] utility to generate it, which " "can be used as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1098 #, no-wrap msgid "# openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /etc/ssl/fipsmodule.cnf\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1105 #, no-wrap msgid "INSTALL PASSED\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1108 msgid "" "The [.filename]#/etc/ssl/openssl.cnf# should then be modified, in order to:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1110 msgid "Include the [.filename]#/etc/ssl/fipsmodule.cnf# file generated above," msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1111 msgid "Expose the FIPS module for possible use," msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1112 msgid "And explicitly activate the default module." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1123 #, no-wrap msgid "" "[...]\n" "# For FIPS\n" "# Optionally include a file that is generated by the OpenSSL fipsinstall\n" "# application. This file contains configuration data required by the OpenSSL\n" "# fips provider. It contains a named section e.g. [fips_sect] which is\n" "# referenced from the [provider_sect] below.\n" "# Refer to the OpenSSL security policy for more information.\n" ".include /etc/ssl/fipsmodule.cnf\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1125 #, no-wrap msgid "[...]\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1132 #, no-wrap msgid "" "# List of providers to load\n" "[provider_sect]\n" "default = default_sect\n" "# The fips section name should match the section name inside the\n" "# included fipsmodule.cnf.\n" "fips = fips_sect\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1143 #, no-wrap msgid "" "# If no providers are activated explicitly, the default one is activated implicitly.\n" "# See man 7 OSSL_PROVIDER-default for more details.\n" "#\n" "# If you add a section explicitly activating any other provider(s), you most\n" "# probably need to explicitly activate the default provider, otherwise it\n" "# becomes unavailable in openssl. As a consequence applications depending on\n" "# OpenSSL may not work correctly which could lead to significant system\n" "# problems including inability to remotely access the system.\n" "[default_sect]\n" "activate = 1\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1146 msgid "" "With this done, it should be possible to confirm that the FIPS module is " "effectively available and working, for example by listing the loaded " "providers with `openssl list -providers`, or by running the earlier command " "again:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1159 #, no-wrap msgid "" "enter AES-128-CBC encryption password:\n" "Verifying - enter AES-128-CBC encryption password:\n" "U2FsdGVkX18idooW6e3LqWeeiKP76kufcOUClh57j8U=\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1162 msgid "" "This procedure has to be repeated every time the FIPS module is modified, " "e.g., after performing system updates, or after applying security fixes " "affecting OpenSSL in the base system, because the checksum stored in " "[.filename]#/etc/ssl/fipsmodule.cnf# no longer matches the new " "[.filename]#fips.so# and the module refuses to load. Running " "man:openssl-fipsinstall[1] with `-verify` and `-in /etc/ssl/fipsmodule.cnf` " "against the installed module reports whether the stored data is still valid " "without rewriting the file." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1164 #, no-wrap msgid "Kerberos" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1170 msgid "" "Kerberos is a network authentication protocol which was originally created " "by the Massachusetts Institute of Technology (MIT) as a way to securely " "provide authentication across a potentially hostile network. The Kerberos " "protocol uses strong cryptography so that both a client and server can prove " "their identity without sending any unencrypted secrets over the network. " "Kerberos can be described as an identity-verifying proxy system and as a " "trusted third-party authentication system. After a user authenticates with " "Kerberos, their communications can be encrypted to assure privacy and data " "integrity." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1174 msgid "" "The only function of Kerberos is to provide the secure authentication of " "users and servers on the network. It does not provide authorization or " "auditing functions. 
It is recommended that Kerberos be used with other " "security methods which provide authorization and audit services." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1182 msgid "" "The current version of the protocol is version 5, described in RFC 4120. " "Several free implementations of this protocol are available, covering a wide " "range of operating systems. MIT continues to develop their Kerberos " "package. It is commonly used in the US as a cryptography product, and has " "historically been subject to US export regulations. In FreeBSD, MIT Kerberos " "is available as the package:security/krb5[] package or port. The Heimdal " "Kerberos implementation was explicitly developed outside of the US to avoid " "export regulations. The Heimdal Kerberos distribution is included in the " "base FreeBSD installation, and another distribution with more configurable " "options is available as package:security/heimdal[] in the Ports Collection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1185 msgid "" "In Kerberos users and services are identified as \"principals\" which are " "contained within an administrative grouping, called a \"realm\". A typical " "user principal would be of the form `_user_@_REALM_` (realm names are " "case-sensitive and traditionally uppercase)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1187 msgid "" "This section provides a guide on how to set up Kerberos using the Heimdal " "distribution included in FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1189 msgid "" "For purposes of demonstrating a Kerberos installation, the name spaces will " "be as follows:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1191 msgid "The DNS domain (zone) will be `example.org`." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1192 msgid "The Kerberos realm will be `EXAMPLE.ORG`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:1197 msgid "" "Use real domain names when setting up Kerberos, even if it will run " "internally. This avoids DNS problems and assures inter-operation with other " "Kerberos realms." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1199 #, no-wrap msgid "Setting up a Heimdal KDC" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1205 msgid "" "The Key Distribution Center (KDC) is the centralized authentication service " "that Kerberos provides, the \"trusted third party\" of the system. It is " "the computer that issues Kerberos tickets, which are used for clients to " "authenticate to servers. As the KDC is considered trusted by all other " "computers in the Kerberos realm, it has heightened security concerns. " "Direct access to the KDC should be limited." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1207 msgid "" "While running a KDC requires few computing resources, a dedicated machine " "acting only as a KDC is recommended for security reasons." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1209 msgid "To begin, install the package:security/heimdal[] package as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1213 #, no-wrap msgid "# pkg install heimdal\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1216 msgid "Next, update [.filename]#/etc/rc.conf# using `sysrc` as follows:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1221 #, no-wrap msgid "" "# sysrc kdc_enable=yes\n" "# sysrc kadmind_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1224 msgid "Next, edit [.filename]#/etc/krb5.conf# as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1236 #, no-wrap msgid "" "[libdefaults]\n" " default_realm = EXAMPLE.ORG\n" "[realms]\n" " EXAMPLE.ORG = {\n" "\tkdc = kerberos.example.org\n" "\tadmin_server = kerberos.example.org\n" " }\n" "[domain_realm]\n" " .example.org = EXAMPLE.ORG\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1240 msgid "" "In this example, the KDC will use the fully-qualified hostname " "`kerberos.example.org`. The hostname of the KDC must be resolvable in the " "DNS." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1243 msgid "" "Kerberos can also use the DNS to locate KDCs, instead of a `[realms]` " "section in [.filename]#/etc/krb5.conf#. For large organizations that have " "their own DNS servers, the above example could be trimmed to:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1250 #, no-wrap msgid "" "[libdefaults]\n" " default_realm = EXAMPLE.ORG\n" "[domain_realm]\n" " .example.org = EXAMPLE.ORG\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1253 msgid "With the following lines being included in the `example.org` zone file:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1261 #, no-wrap msgid "" "_kerberos._udp IN SRV 01 00 88 kerberos.example.org.\n" "_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.\n" "_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.\n" "_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.\n" "_kerberos IN TXT EXAMPLE.ORG\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:1266 msgid "" "In order for clients to be able to find the Kerberos services, they _must_ " "have either a fully configured [.filename]#/etc/krb5.conf# or a minimally " "configured [.filename]#/etc/krb5.conf# _and_ a properly configured DNS " "server." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1272 msgid "" "Next, create the Kerberos database which contains the keys of all principals " "(users and hosts) encrypted with a master password. It is not required to " "remember this password as it will be stored in [.filename]#/var/heimdal/m-" "key#; it would be reasonable to use a 45-character random password for this " "purpose. To create the master key, run `kstash` and enter a password:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1276 #, no-wrap msgid "# kstash\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1284 #, no-wrap msgid "" "Master key: xxxxxxxxxxxxxxxxxxxxxxx\n" "Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1290 msgid "" "Once the master key has been created, the database should be initialized. " "The Kerberos administrative tool man:kadmin[8] can be used on the KDC in a " "mode that operates directly on the database, without using the " "man:kadmind[8] network service, as `kadmin -l`. 
This resolves the chicken-" "and-egg problem of trying to connect to the database before it is created. " "At the `kadmin` prompt, use `init` to create the realm's initial database:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1296 #, no-wrap msgid "" "# kadmin -l\n" "kadmin> init EXAMPLE.ORG\n" "Realm max ticket life [unlimited]:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1301 msgid "" "Lastly, while still in `kadmin`, create the first principal using `add`. " "Stick to the default options for the principal for now, as these can be " "changed later with `modify`. Type `?` at the prompt to see the available " "options." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1305 #, no-wrap msgid "kadmin> add tillman\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1318 #, no-wrap msgid "" "Max ticket life [unlimited]:\n" "Max renewable life [unlimited]:\n" "Principal expiration time [never]:\n" "Password expiration time [never]:\n" "Attributes []:\n" "Password: xxxxxxxx\n" "Verifying password - Password: xxxxxxxx\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1321 msgid "Next, start the KDC services by running:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1326 #, no-wrap msgid "" "# service kdc start\n" "# service kadmind start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1329 msgid "" "While there will not be any kerberized daemons running at this point, it is " "possible to confirm that the KDC is functioning by obtaining a ticket for " "the principal that was just created:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1333 #, no-wrap msgid "% kinit tillman\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1340 #, no-wrap msgid "tillman@EXAMPLE.ORG's Password:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1343 msgid "Confirm that a ticket was successfully obtained using `klist`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1347 #, no-wrap msgid "% klist\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1355 #, no-wrap msgid "" "Credentials cache: FILE:/tmp/krb5cc_1001\n" "\tPrincipal: tillman@EXAMPLE.ORG\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1358 #, no-wrap msgid "" " Issued Expires Principal\n" "Aug 27 15:37:58 2013 Aug 28 01:37:58 2013 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1361 msgid "The temporary ticket can be destroyed when the test is finished:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1365 #, no-wrap msgid "% kdestroy\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1367 #, no-wrap msgid "Configuring a Server to Use Kerberos" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1371 msgid "" "The first step in configuring a server to use Kerberos authentication is to " "ensure that it has the correct configuration in [.filename]#/etc/" "krb5.conf#. The version from the KDC can be used as-is, or it can be " "regenerated on the new system." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1380 msgid "" "Next, create [.filename]#/etc/krb5.keytab# on the server. This is the main " "part of \"Kerberizing\" a service - it corresponds to generating a secret " "shared between the service and the KDC. The secret is a cryptographic key, " "stored in a \"keytab\". The keytab contains the server's host key, which " "allows it and the KDC to verify each others' identity. It must be " "transmitted to the server in a secure fashion, as the security of the server " "can be broken if the key is made public. Typically, the [.filename]#keytab# " "is generated on an administrator's trusted machine using `kadmin`, then " "securely transferred to the server, e.g., with man:scp[1]; it can also be " "created directly on the server if that is consistent with the desired " "security policy. It is very important that the keytab is transmitted to the " "server in a secure fashion: if the key is known by some other party, that " "party can impersonate any user to the server! Using `kadmin` on the server " "directly is convenient, because the entry for the host principal in the KDC " "database is also created using `kadmin`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1384 msgid "" "Of course, `kadmin` is a kerberized service; a Kerberos ticket is needed to " "authenticate to the network service, but to ensure that the user running " "`kadmin` is actually present (and their session has not been hijacked), " "`kadmin` will prompt for the password to get a fresh ticket. The principal " "authenticating to the kadmin service must be permitted to use the `kadmin` " "interface, as specified in [.filename]#/var/heimdal/kadmind.acl#. See the " "section titled \"Remote administration\" in `info heimdal` for details on " "designing access control lists. 
Instead of enabling remote `kadmin` access, " "the administrator could securely connect to the KDC via the local console or " "man:ssh[1], and perform administration locally using `kadmin -l`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1388 msgid "" "After installing [.filename]#/etc/krb5.conf#, use `add --random-key` in " "`kadmin`. This adds the server's host principal to the database, but does " "not extract a copy of the host principal key to a keytab. To generate the " "keytab, use `ext_keytab` to extract the server's host principal key to its " "own keytab:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1392 #: documentation/content/en/books/handbook/security/_index.adoc:1414 #, no-wrap msgid "# kadmin\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1406 #, no-wrap msgid "" "kadmin> add --random-key host/myserver.example.org\n" "Max ticket life [unlimited]:\n" "Max renewable life [unlimited]:\n" "Principal expiration time [never]:\n" "Password expiration time [never]:\n" "Attributes []:\n" "kadmin> ext_keytab host/myserver.example.org\n" "kadmin> exit\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1410 msgid "" "Note that `ext_keytab` stores the extracted key in [.filename]#/etc/" "krb5.keytab# by default. This is good when being run on the server being " "kerberized, but the `--keytab _path/to/file_` argument should be used when " "the keytab is being extracted elsewhere. Extracting into a shared directory " "such as [.filename]#/tmp# relies entirely on the file's mode: make sure the " "file is readable only by its owner, and remove it once it has been copied:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1422 #, no-wrap msgid "" "kadmin> ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org\n" "kadmin> exit\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1426 msgid "" "The keytab can then be securely copied to the server using man:scp[1] or a " "removable media. Be sure to specify a non-default keytab name to avoid " "inserting unneeded keys into the system's keytab." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1431 msgid "" "At this point, the server can read encrypted messages from the KDC using its " "shared key, stored in [.filename]#krb5.keytab#. It is now ready for the " "Kerberos-using services to be enabled. One of the most common such services " "is man:sshd[8], which supports Kerberos via the GSS-API. In [.filename]#/" "etc/ssh/sshd_config#, add the line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1435 #, no-wrap msgid "GSSAPIAuthentication yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1438 msgid "" "After making this change, man:sshd[8] must be restarted for the new " "configuration to take effect: `service sshd restart`." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1439 #, no-wrap msgid "Configuring a Client to Use Kerberos" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1443 msgid "" "As it was for the server, the client requires configuration in [.filename]#/" "etc/krb5.conf#. Copy the file in place (securely) or re-enter it as needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1448 msgid "" "Test the client by using `kinit`, `klist`, and `kdestroy` from the client to " "obtain, show, and then delete a ticket for an existing principal. Kerberos " "applications should also be able to connect to Kerberos enabled servers. 
If " "that does not work but obtaining a ticket does, the problem is likely with " "the server and not with the client or the KDC. In the case of kerberized " "man:ssh[1], GSS-API is disabled by default, so test using `ssh -o " "GSSAPIAuthentication=yes _hostname_`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1450 msgid "" "When testing a Kerberized application, try using a packet sniffer such as " "`tcpdump` to confirm that no sensitive information is sent in the clear." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1453 msgid "" "Various Kerberos client applications are available. With the advent of a " "bridge so that applications using SASL for authentication can use GSS-API " "mechanisms as well, large classes of client applications can use Kerberos " "for authentication, from Jabber clients to IMAP clients." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1458 msgid "" "Users within a realm typically have their Kerberos principal mapped to a " "local user account. Occasionally, one needs to grant access to a local user " "account to someone who does not have a matching Kerberos principal. For " "example, `tillman@EXAMPLE.ORG` may need access to the local user account " "`webdevelopers`. Other principals may also need access to that local " "account." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1461 msgid "" "The [.filename]#.k5login# and [.filename]#.k5users# files, placed in a " "user's home directory, can be used to solve this problem. For example, if " "the following [.filename]#.k5login# is placed in the home directory of " "`webdevelopers`, both principals listed will have access to that account " "without requiring a shared password:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1466 #, no-wrap msgid "" "tillman@example.org\n" "jdoe@example.org\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1469 msgid "Refer to man:ksu[1] for more information about [.filename]#.k5users#." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1470 #, no-wrap msgid "MIT Differences" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1474 msgid "" "The major difference between the MIT and Heimdal implementations is that " "`kadmin` has a different, but equivalent, set of commands and uses a " "different protocol. If the KDC is MIT, the Heimdal version of `kadmin` " "cannot be used to administer the KDC remotely, and vice versa." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1478 msgid "" "Client applications may also use slightly different command line options to " "accomplish the same tasks. Following the instructions at http://web.mit.edu/" "Kerberos/www/[http://web.mit.edu/Kerberos/www/] is recommended. Be careful " "of path issues: the MIT port installs into [.filename]#/usr/local/# by " "default, and the FreeBSD system applications run instead of the MIT versions " "if `PATH` lists the system directories first." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1480 msgid "" "When using MIT Kerberos as a KDC on FreeBSD, execute the following commands " "to add the required configurations to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1488 #, no-wrap msgid "" "# sysrc kdc_program=\"/usr/local/sbin/krb5kdc\"\n" "# sysrc kadmind_program=\"/usr/local/sbin/kadmind\"\n" "# sysrc kdc_flags=\"\"\n" "# sysrc kdc_enable=\"YES\"\n" "# sysrc kadmind_enable=\"YES\"\n" msgstr "" #. 
type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1490 #, no-wrap msgid "Kerberos Tips, Tricks, and Troubleshooting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1493 msgid "" "When configuring and troubleshooting Kerberos, keep the following points in " "mind:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1495 msgid "" "When using either Heimdal or MIT Kerberos from ports, ensure that the `PATH` " "lists the port's versions of the client applications before the system " "versions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1496 msgid "" "If not all computers in the realm have synchronized clocks, " "authentication may fail. crossref:network-servers[network-ntp,“Clock " "Synchronization with NTP”] describes how to synchronize clocks using NTP." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1497 msgid "" "If the hostname is changed, the `host/` principal must be changed and the " "keytab updated. This also applies to special keytab entries like the `HTTP/` " "principal used for Apache's package:www/mod_auth_kerb[]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1498 msgid "" "All hosts in the realm must be both forward and reverse resolvable in DNS " "or, at a minimum, exist in [.filename]#/etc/hosts#. CNAMEs will work, but " "the A and PTR records must be correct and in place. The error message for " "unresolvable hosts is not intuitive: `Kerberos5 refuses authentication " "because Read req failed: Key table entry not found`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1499 msgid "" "Some operating systems that act as clients to the KDC do not set the " "permissions for `ksu` to be setuid `root`. 
This means that `ksu` does not " "work. This is a permissions problem, not a KDC error." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1500 msgid "" "With MIT Kerberos, to allow a principal to have a ticket life longer than the " "default lifetime of ten hours, use `modify_principal` at the man:kadmin[8] " "prompt to change the `maxlife` of both the principal in question and the " "`krbtgt` principal. The principal can then use `kinit -l` to request a " "ticket with a longer lifetime." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1501 msgid "" "When running a packet sniffer on the KDC to aid in troubleshooting while " "running `kinit` from a workstation, the Ticket Granting Ticket (TGT) is sent " "immediately, even before the password is typed. This is because the Kerberos " "server freely transmits a TGT to any unauthorized request. However, every " "TGT is encrypted in a key derived from the user's password. When a user " "types their password, it is not sent to the KDC; it is instead used to " "decrypt the TGT that `kinit` already obtained. If the decryption process " "results in a valid ticket with a valid time stamp, the user has valid " "Kerberos credentials. These credentials include a session key for " "establishing secure communications with the Kerberos server in the future, " "as well as the actual TGT, which is encrypted with the Kerberos server's own " "key. This second layer of encryption allows the Kerberos server to verify " "the authenticity of each TGT." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1502 msgid "" "Host principals can have a longer ticket lifetime. If the user principal has " "a lifetime of a week but the host being connected to has a lifetime of nine " "hours, the user cache will have an expired host principal and the ticket " "cache will not work as expected." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1503 msgid "" "When setting up [.filename]#krb5.dict# to prevent specific bad passwords " "from being used as described in man:kadmind[8], remember that it only " "applies to principals that have a password policy assigned to them. The " "format used in [.filename]#krb5.dict# is one string per line. Creating a " "symbolic link to [.filename]#/usr/share/dict/words# might be useful." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1504 #, no-wrap msgid "Mitigating Kerberos Limitations" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1509 msgid "" "Since Kerberos is an all or nothing approach, every service enabled on the " "network must either be modified to work with Kerberos or be otherwise " "secured against network attacks. This is to prevent user credentials from " "being stolen and re-used. An example is when Kerberos is enabled on all " "remote shells but the non-Kerberized POP3 mail server sends passwords in " "plain text." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1514 msgid "" "The KDC is a single point of failure. By design, the KDC must be as secure " "as its master password database. The KDC should have absolutely no other " "services running on it and should be physically secure. The danger is high " "because Kerberos stores all passwords encrypted with the same master key " "which is stored as a file on the KDC." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1518 msgid "" "A compromised master key is not quite as bad as one might fear. The master " "key is only used to encrypt the Kerberos database and as a seed for the " "random number generator. As long as access to the KDC is secure, an " "attacker cannot do much with the master key." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1521 msgid "" "If the KDC is unavailable, network services are unusable as authentication " "cannot be performed. This can be alleviated with a single master KDC and " "one or more slaves, and with careful implementation of secondary or fall-" "back authentication using PAM." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1526 msgid "" "Kerberos allows users, hosts and services to authenticate between " "themselves. It does not have a mechanism to authenticate the KDC to the " "users, hosts, or services. This means that a trojaned `kinit` could record " "all user names and passwords. File system integrity checking tools like " "package:security/tripwire[] can alleviate this." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1527 #, no-wrap msgid "Resources and Further Information" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1530 msgid "" "http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html[The Kerberos FAQ]" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1531 msgid "" "http://web.mit.edu/Kerberos/www/dialogue.html[Designing an Authentication " "System: a Dialog in Four Scenes]" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1532 msgid "" "https://www.ietf.org/rfc/rfc4120.txt[RFC 4120, The Kerberos Network " "Authentication Service (V5)]" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1533 msgid "http://web.mit.edu/Kerberos/www/[MIT Kerberos home page]" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1534 msgid "" "https://github.com/heimdal/heimdal/wiki[Heimdal Kerberos project wiki page]" msgstr "" #. 
type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1536 #, no-wrap msgid "TCP Wrappers" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1541 msgid "" "TCP Wrappers is a host-based network access control system. By intercepting " "incoming network requests before they reach the actual network service, TCP " "Wrappers assess whether the source IP address is permitted or denied access " "based on predefined rules in configuration files." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1544 msgid "" "However, while TCP Wrappers provide basic access control, they should not be " "considered a substitute for more robust security measures. For " "comprehensive protection, it's recommended to use advanced technologies like " "firewalls, along with proper user authentication practices and intrusion " "detection systems." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1546 #, no-wrap msgid "Initial Configuration" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1550 msgid "" "TCP Wrappers are enabled by default in man:inetd[8]. The first step is " "therefore to enable man:inetd[8] by executing the following commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1555 #, no-wrap msgid "" "# sysrc inetd_enable=\"YES\"\n" "# service inetd start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1558 msgid "Then, properly configure [.filename]#/etc/hosts.allow#." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:1563 msgid "" "Unlike other implementations of TCP Wrappers, the use of " "[.filename]#hosts.deny# is deprecated in FreeBSD. All configuration options " "should be placed in [.filename]#/etc/hosts.allow#." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1567 msgid "" "In the simplest configuration, daemon connection policies are set to either " "permit or block, depending on the options in [.filename]#/etc/hosts.allow#. " "The default configuration in FreeBSD is to allow all connections to the " "daemons started with inetd." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1571 msgid "" "Basic configuration usually takes the form of `daemon : address : action`, " "where `daemon` is the daemon which inetd started, `address` is a valid " "hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and " "`action` is either `allow` or `deny`. TCP Wrappers uses a first rule match " "semantic, meaning that the configuration file is scanned from the beginning " "for a matching rule. When a match is found, the rule is applied and the " "search process stops." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1573 msgid "" "For example, to allow POP3 connections via the package:mail/qpopper[] " "daemon, the following lines should be appended to [.filename]#/etc/" "hosts.allow#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1578 #, no-wrap msgid "" "# This line is required for POP3 connections:\n" "qpopper : ALL : allow\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1581 msgid "Whenever this file is edited, restart inetd:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1585 #, no-wrap msgid "# service inetd restart\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1588 #, no-wrap msgid "Advanced Configuration" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1596 msgid "" "TCP Wrappers provides advanced options to allow more control over the way " "connections are handled. In some cases, it may be appropriate to return a " "comment to certain hosts or daemon connections. In other cases, a log entry " "should be recorded or an email sent to the administrator. Other situations " "may require the use of a service for local connections only. This is all " "possible through the use of configuration options known as wildcards, " "expansion characters, and external command execution. To learn more about " "wildcards and their associated functionality, refer to man:hosts_access[5]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1598 #, no-wrap msgid "Access Control Lists" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1603 msgid "" "Access Control Lists (ACLs) extend traditional UNIX(R) file permissions by " "allowing fine-grained access control for users and groups on a per-file or " "per-directory basis. Each ACL entry defines a user or group and the " "associated permissions, such as read, write, and execute. FreeBSD provides " "commands like man:getfacl[1] and man:setfacl[1] to manage ACLs." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1606 msgid "" "ACLs are useful in scenarios requiring more specific access control than " "standard permissions, commonly used in multi-user environments or shared " "hosting. Some complexity may be unavoidable, so careful planning is " "required to ensure that the desired security properties are actually being " "provided." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:1611 msgid "" "FreeBSD supports the implementation of NFSv4 ACLs in both UFS and OpenZFS. 
" "Please note that some arguments to the man:setfacl[1] command only work with " "POSIX ACLs and others only with NFSv4 ACLs." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1614 #, no-wrap msgid "Enabling ACL Support in UFS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1617 msgid "" "ACLs are enabled by the mount-time administrative flag, `acls`, which may be " "added to [.filename]#/etc/fstab#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1619 msgid "" "To do so, edit [.filename]#/etc/fstab# and add the `acls` flag to the " "options field of the file system entry, as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1624 #, no-wrap msgid "" "# Device Mountpoint FStype Options Dump Pass#\n" "/dev/ada0s1a / ufs rw,acls 1 1\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1627 #, no-wrap msgid "Getting ACL Information" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1630 msgid "" "It is possible to check the ACLs of a file or a directory using " "man:getfacl[1]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1632 msgid "" "For example, to view the ACL settings on the [.filename]#~/test# file, " "execute the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1636 #, no-wrap msgid "% getfacl test\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1639 msgid "" "The output should be similar to the following in case of using NFSv4 ACLs:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:1648 #, no-wrap msgid "" "# file: test\n" "# owner: freebsduser\n" "# group: freebsduser\n" " owner@:rw-p--aARWcCos:-------:allow\n" " group@:r-----a-R-c--s:-------:allow\n" " everyone@:r-----a-R-c--s:-------:allow\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1651 msgid "" "And the output should be similar to the following in case of using POSIX.1e " "ACLs:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1660 #, no-wrap msgid "" "# file: test\n" "# owner: freebsduser\n" "# group: freebsduser\n" "user::rw-\n" "group::r--\n" "other::r--\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1663 #, no-wrap msgid "Working with ACLs" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1666 msgid "" "man:setfacl[1] can be used to add, modify or remove ACLs from a file or " "directory." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1669 msgid "" "As noted above, some arguments to man:setfacl[1] do not work with NFSv4 " "ACLs, and vice versa. This section covers how to execute the commands for " "POSIX ACLs and for NFSv4 ACLs and shows examples of both." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1671 msgid "For example, to set the mandatory elements of the POSIX.1e default ACL:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1675 #, no-wrap msgid "% setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx directory\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1678 msgid "" "This other example sets read, write, and execute permissions for the file " "owner's POSIX.1e ACL entry and read and write permissions for group mail on " "file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1682 #, no-wrap msgid "% setfacl -m u::rwx,g:mail:rw file\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1685 msgid "To do the same as in the previous example but in NFSv4 ACL:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1689 #, no-wrap msgid "% setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1692 msgid "" "To remove all ACL entries except for the three required from file in " "POSIX.1e ACL:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1696 #, no-wrap msgid "% setfacl -bn file\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1699 msgid "To remove all ACL entries in NFSv4 ACL:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1703 #, no-wrap msgid "% setfacl -b file\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1706 msgid "" "Refer to man:getfacl[1] and man:setfacl[1] for more information about the " "options available for these commands." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1708 #, no-wrap msgid "Capsicum" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1713 msgid "" "Capsicum is a lightweight OS capability and sandbox framework implementing a " "hybrid capability system model. 
Capabilities are unforgeable tokens of " "authority that can be delegated and must be presented to perform an action. " "Capsicum makes file descriptors into capabilities." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1716 msgid "" "Capsicum can be used for application and library compartmentalisation, the " "decomposition of larger bodies of software into isolated (sandboxed) " "components in order to implement security policies and limit the impact of " "software vulnerabilities." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1718 #, no-wrap msgid "Process Accounting" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1721 msgid "" "Process accounting is a security method in which an administrator may keep " "track of system resources used and their allocation among users, provide for " "system monitoring, and minimally track a user's commands." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1726 msgid "" "Process accounting has both positive and negative points. One of the " "positives is that an intrusion may be narrowed down to the point of entry. " "A negative is the amount of logs generated by process accounting, and the " "disk space they may require. This section walks an administrator through " "the basics of process accounting." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/security/_index.adoc:1730 msgid "" "If more fine-grained accounting is needed, refer to " "crossref:audit[audit,Security Event Auditing]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1732 #, no-wrap msgid "Enabling and Utilizing Process Accounting" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1735 msgid "" "Before using process accounting, it must be enabled using the following " "commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1740 #, no-wrap msgid "" "# sysrc accounting_enable=yes\n" "# service accounting start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1746 msgid "" "The accounting information is stored in files located in [.filename]#/var/" "account#, which is automatically created, if necessary, the first time the " "accounting service starts. These files contain sensitive information, " "including all the commands issued by all users. Write access to the files " "is limited to `root`, and read access is limited to `root` and members of " "the `wheel` group. To also prevent members of `wheel` from reading the " "files, change the mode of the [.filename]#/var/account# directory to allow " "access only by `root`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1751 msgid "" "Once enabled, accounting will begin to track information such as CPU " "statistics and executed commands. All accounting logs are in a non-human " "readable format which can be viewed using man:sa[8]. If issued without any " "options, man:sa[8] prints information relating to the number of per-user " "calls, the total elapsed time in minutes, total CPU and user time in " "minutes, and the average number of I/O operations. Refer to man:sa[8] for " "the list of available options which control the output." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1753 msgid "To display the commands issued by users, use `lastcomm`." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1755 msgid "" "For example, this command prints out all usage of `ls` by `trhodes` on the " "`ttyp1` terminal:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1759 #, no-wrap msgid "# lastcomm ls trhodes ttyp1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1762 msgid "" "Many other useful options exist and are explained in man:lastcomm[1], " "man:acct[5], and man:sa[8]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1764 #, no-wrap msgid "Resource Limits" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1769 msgid "" "In FreeBSD, resource limits refer to the mechanisms that control and manage " "the allocation of various system resources to processes and users. These " "limits are designed to prevent a single process or user from consuming an " "excessive amount of resources, which could lead to performance degradation " "or system instability. Resource limits help ensure fair resource " "distribution among all active processes and users on the system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1771 msgid "" "FreeBSD provides several methods for an administrator to limit the amount of " "system resources an individual may use." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1775 msgid "" "The traditional method defines login classes by editing [.filename]#/etc/" "login.conf#. While this method is still supported, any changes require a " "multi-step process of editing this file, rebuilding the resource database, " "making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding " "the password database. 
This can become time consuming, depending upon the " "number of users to configure." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1778 msgid "" "man:rctl[8] can be used to provide a more fine-grained method for " "controlling resource limits. This command supports more than user limits as " "it can also be used to set resource constraints on processes and jails." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1780 msgid "" "This section demonstrates both methods for controlling resources, beginning " "with the traditional method." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1782 #, no-wrap msgid "Types of Resources" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1785 msgid "FreeBSD provides limits for various types of resources, including:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/security/_index.adoc:1786 #, no-wrap msgid "Resource types" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1789 #, no-wrap msgid "Type" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1791 #, no-wrap msgid "Description" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1792 #, no-wrap msgid "CPU Time" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1794 #, no-wrap msgid "Limits the amount of CPU time a process can consume" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1795 #, no-wrap msgid "Memory" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1797 #, no-wrap msgid "Controls the amount of physical memory a process can use" msgstr "" #. 
type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1798 #, no-wrap msgid "Open Files" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1800 #, no-wrap msgid "Limits the number of files a process can have open simultaneously" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1801 #, no-wrap msgid "Processes" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1803 #, no-wrap msgid "Controls the number of processes a user or a process can create" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1804 #, no-wrap msgid "File Size" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1806 #, no-wrap msgid "Limits the maximum size of files that a process can create" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1807 #, no-wrap msgid "Core Dumps" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1809 #, no-wrap msgid "Controls whether processes are allowed to generate core dump files" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1810 #, no-wrap msgid "Network Resources" msgstr "" #. type: Table #: documentation/content/en/books/handbook/security/_index.adoc:1812 #, no-wrap msgid "Limits the amount of network resources (e.g., sockets) a process can use" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1815 msgid "For a full listing of types see man:login.conf[5] and man:rctl[8]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1817 #, no-wrap msgid "Configuring Login Classes" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1823 msgid "" "In the traditional method, login classes and the resource limits to apply to " "a login class are defined in [.filename]#/etc/login.conf#. Each user " "account can be assigned to a login class, where `default` is the default " "login class. Each login class has a set of login capabilities associated " "with it. A login capability is a `_name_=_value_` pair, where _name_ is a " "well-known identifier and _value_ is an arbitrary string which is processed " "accordingly depending on the _name_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1825 msgid "" "The first step to configure a resource limit is to open [.filename]#/" "etc/login.conf# by executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1829 #, no-wrap msgid "# ee /etc/login.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1833 msgid "" "Then locate the section for the user class to be modified. In this example, " "the user class is named `limited`; create it if it does not exist." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1839 #, no-wrap msgid "" "limited:\\ <.>\n" " :maxproc=50:\\ <.>\n" " :tc=default: <.>\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1842 msgid "Name of the user class." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1843 msgid "" "Sets the maximum number of processes (maxproc) to 50 for users in the " "`limited` class." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1844 msgid "" "Indicates that this user class inherits every capability it does not set " "itself from the \"default\" class." msgstr "" #.
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1846 msgid "" "After modifying the [.filename]#/etc/login.conf# file, run man:cap_mkdb[1] " "on it to regenerate [.filename]#/etc/login.conf.db#, the database that " "FreeBSD actually reads when it applies these settings at login." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1853 msgid "" "man:chpass[1] can be used to assign the class to the desired user by " "executing the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1857 #, no-wrap msgid "# chpass username\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1860 msgid "" "This will open a text editor; set the `Class` field to `limited` as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1879 #, no-wrap msgid "" "#Changing user information for username.\n" "Login: username\n" "Password: $6$2H.419USdGaiJeqK$6kgcTnDadasdasd3YnlNZsOni5AMymibkAfRCPirc7ZFjjv\n" "DVsKyXx26daabdfqSdasdsmL/ZMUpdHiO0\n" "Uid [#]: 1001\n" "Gid [# or name]: 1001\n" "Change [month day year]:\n" "Expire [month day year]:\n" "Class: limited\n" "Home directory: /home/username\n" "Shell: /bin/sh\n" "Full Name: User &\n" "Office Location:\n" "Office Phone:\n" "Home Phone:\n" "Other information:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1883 msgid "" "Now, the user assigned to the `limited` class will have a maximum process " "limit of 50. This is just one example of setting a resource limit using the " "[.filename]#/etc/login.conf# file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1886 msgid "" "Keep in mind that login class limits are applied when a session is created, " "so after changing [.filename]#/etc/login.conf# and rebuilding the database, " "the user needs to log out and log back in for the changes to take " "effect. 
Additionally, always exercise caution when editing system " "configuration files, especially when using privileged access." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:1888 #, no-wrap msgid "Enabling and Configuring Resource Limits" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1892 msgid "" "The man:rctl[8] system provides a more fine-grained way to set and manage " "resource limits. Rules can be attached to individual processes, users, login " "classes, or jails, and can be added or removed at run time, regardless of " "the login class of the affected accounts." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1894 msgid "" "To use man:rctl[8], first enable kernel resource accounting by adding the " "following line to [.filename]#/boot/loader.conf# and rebooting the system:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1898 #, no-wrap msgid "kern.racct.enable=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1901 msgid "" "Then enable and start the man:rctl[8] service by executing the following " "commands:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1906 #, no-wrap msgid "" "# sysrc rctl_enable=\"YES\"\n" "# service rctl start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1909 msgid "Then man:rctl[8] may be used to set rules for the system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1911 msgid "" "A rule (man:rctl.conf[5]) consists of a subject, a subject-id, a resource, " "and an action with an amount and an optional per-subject qualifier, as seen " "in this example rule:" msgstr "" #. type: delimited block .
4 #: documentation/content/en/books/handbook/security/_index.adoc:1915 #, no-wrap msgid "subject:subject-id:resource:action=amount/per\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1918 msgid "" "For example, to limit the user to no more than 10 processes, execute the " "following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1922 #, no-wrap msgid "# rctl -a user:username:maxproc:deny=10/user\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1925 msgid "" "To list the rules currently in effect, run man:rctl[8] without arguments:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1929 #, no-wrap msgid "# rctl\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1936 #: documentation/content/en/books/handbook/security/_index.adoc:1944 #, no-wrap msgid "user:username:maxproc:deny=10\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1940 msgid "" "Rules added with `rctl -a` do not survive a reboot. To make a rule " "persistent, add it to [.filename]#/etc/rctl.conf#, which the rctl service " "loads at boot. The format is the rule alone, without the preceding command. " "For example, the previous rule could be added as:" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:1947 #, no-wrap msgid "Monitoring Third Party Security Issues" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1951 msgid "" "In recent years, the security world has made many improvements to how " "vulnerability assessment is handled. The threat of system intrusion " "increases as third party utilities are installed and configured for " "virtually any operating system available today." msgstr "" #.
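The two resource-limit procedures described in the preceding section (a `limited` login class in /etc/login.conf and an rctl(8) rule such as `user:username:maxproc:deny=10/user`) are easy to get subtly wrong: a misspelt resource name in /etc/rctl.conf is rejected at load time, and a login.conf stanza with a broken continuation line silently breaks cap_mkdb. The script below is an added example, not code from the Handbook or the FreeBSD Project. It drafts the stanza and the rules, checks the rules against the subject, resource and action names accepted by rctl(8) as I know them (verify the lists against the man page on your release), and validates a constructed /etc/rctl.conf draft. The `pw usermod -L` command in the comments is an assumed non-interactive substitute for the interactive chpass step in the text; the apply commands only make sense on a FreeBSD host and are not run by the script.

```shell
#!/bin/sh
# Added example (not from the Handbook): draft and sanity-check the two kinds
# of limit definition from the text, a login.conf(5) class and rctl(8) rules,
# before installing them. Runs in any POSIX shell; only the commented "apply"
# commands at the end need FreeBSD.

# login_class_stanza NAME CAP=VALUE...
# Print a login.conf stanza for class NAME that sets the given capabilities and
# inherits everything else from "default" through tc=.
login_class_stanza() {
    name=$1; shift
    printf '%s:\\\n' "$name"
    for cap in "$@"; do
        case $cap in
            [a-z]*=*) printf '\t:%s:\\\n' "$cap" ;;
            *) echo "login_class_stanza: bad capability '$cap'" >&2; return 1 ;;
        esac
    done
    printf '\t:tc=default:\n'
}

# Names accepted by rctl(8) (transcribed from the man page; assumption: check
# your release). A misspelt word is rejected by rctl at load time, so catch it
# before it reaches /etc/rctl.conf.
RCTL_SUBJECTS="process user loginclass jail"
RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr msgqqueued msgqsize
nmsgq nsem nsemop nshm shmsize wallclock pcpu readbps writebps readiops writeiops"

in_list() { w=$1; shift; for x in "$@"; do [ "$x" = "$w" ] && return 0; done; return 1; }

# rctl_rule SUBJECT SUBJECT-ID RESOURCE ACTION AMOUNT [PER]
# Print "subject:subject-id:resource:action=amount[/per]" (rctl.conf(5) syntax)
# or fail with a reason on stderr.
rctl_rule() {
    subj=$1 id=$2 res=$3 act=$4 amt=$5 per=${6:-}
    in_list "$subj" $RCTL_SUBJECTS  || { echo "bad subject '$subj'" >&2; return 1; }
    [ -n "$id" ]                    || { echo "empty subject-id" >&2; return 1; }
    in_list "$res" $RCTL_RESOURCES  || { echo "bad resource '$res'" >&2; return 1; }
    case $act in
        deny|log|devctl|throttle|sig[a-z]*) ;;
        *) echo "bad action '$act'" >&2; return 1 ;;
    esac
    n=${amt%[kKmMgGtT]}                 # rctl accepts 1g, 512m, ... as amounts
    case $n in ''|*[!0-9]*) echo "bad amount '$amt'" >&2; return 1 ;; esac
    rule="$subj:$id:$res:$act=$amt"
    if [ -n "$per" ]; then
        in_list "$per" $RCTL_SUBJECTS || { echo "bad per '$per'" >&2; return 1; }
        rule="$rule/$per"
    fi
    printf '%s\n' "$rule"
}

# rctl_conf_check < FILE
# Validate every rule line of an rctl.conf(5) file; the exit status is the
# number of rejected lines, so 0 means the file is clean.
rctl_conf_check() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        s=${line%%:*}; rest=${line#*:}
        i=${rest%%:*}; rest=${rest#*:}
        r=${rest%%:*}; rest=${rest#*:}
        a=${rest%%=*}; rest=${rest#*=}
        amt=${rest%%/*}
        case $rest in */*) per=${rest#*/} ;; *) per= ;; esac
        rctl_rule "$s" "$i" "$r" "$a" "$amt" $per >/dev/null || bad=$((bad + 1))
    done
    return $bad
}

demo() {
    login_class_stanza limited maxproc=50 openfiles=1024
    rctl_rule user username maxproc deny 10 user
    rctl_rule loginclass limited vmemoryuse deny 1g process
    # Constructed /etc/rctl.conf draft with one typo (maxprocs) to be caught:
    printf '%s\n' '# constructed draft' \
        'user:username:maxproc:deny=10/user' \
        'loginclass:limited:openfiles:deny=1024' \
        'user:username:maxprocs:deny=10/user' | rctl_conf_check \
        || echo "rctl_conf_check: $? bad rule(s)" >&2
}
# On a FreeBSD host the draft is installed with the commands from the text
# (pw(8) -L is an assumed non-interactive stand-in for chpass; not run here):
#   login_class_stanza limited maxproc=50 >> /etc/login.conf && cap_mkdb /etc/login.conf
#   pw usermod username -L limited
#   rctl -a "$(rctl_rule user username maxproc deny 10 user)" && rctl
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh limits.sh demo` to see the drafted stanza, the two generated rules and the rejected typo. The validator only checks syntax and names; it does not know which actions are legal for which resource (for example, `deny` is not meaningful for every resource), so still read rctl(8) before loading a rule that combines an unusual resource and action.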
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1956 msgid "" "Vulnerability assessment is a key factor in security. While FreeBSD " "releases advisories for the base system, doing so for every third party " "utility is beyond the FreeBSD Project's capability. There is a way to " "mitigate third party vulnerabilities and warn administrators of known " "security issues: pkg, the FreeBSD package manager, includes an `audit` " "subcommand explicitly for this purpose." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1959 msgid "" "`pkg audit` compares the installed packages against a vulnerability " "database (VuXML). The database is updated and maintained by the FreeBSD " "Security Team and ports developers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1961 msgid "" "pkg also installs man:periodic[8] scripts that refresh the audit database " "and report vulnerable packages in the daily security output, so the check " "runs automatically once pkg is installed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1963 msgid "" "To refresh the database (`-F`) and list the known vulnerabilities of all " "installed packages at any time, invoke:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1967 #, no-wrap msgid "% pkg audit -F\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1982 #, no-wrap msgid "" "vulnxml file up-to-date\n" "chromium-116.0.5845.96_1 is vulnerable:\n" " chromium -- multiple vulnerabilities\n" " CVE: CVE-2023-4431\n" " CVE: CVE-2023-4427\n" " CVE: CVE-2023-4428\n" " CVE: CVE-2023-4429\n" " CVE: CVE-2023-4430\n" " WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html\n" msgstr "" #. type: delimited block .
4 #: documentation/content/en/books/handbook/security/_index.adoc:1991 #, no-wrap msgid "" "samba413-4.13.17_5 is vulnerable:\n" " samba -- multiple vulnerabilities\n" " CVE: CVE-2023-3347\n" " CVE: CVE-2023-34966\n" " CVE: CVE-2023-34968\n" " CVE: CVE-2022-2127\n" " CVE: CVE-2023-34967\n" " WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:1993 #, no-wrap msgid "2 problem(s) in 2 installed package(s) found.\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1996 msgid "" "By pointing a web browser to the displayed URL, an administrator may obtain " "more information about the vulnerability." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:1998 msgid "" "This will include the versions affected, by FreeBSD port version, along with " "other web sites which may contain security advisories." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/security/_index.adoc:2000 #, no-wrap msgid "FreeBSD Security Advisories" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2004 msgid "" "Like many producers of quality operating systems, the FreeBSD Project has a " "security team which is responsible for determining the End-of-Life (EoL) " "date for each FreeBSD release and to provide security updates for supported " "releases which have not yet reached their EoL. More information about the " "FreeBSD security team and the supported releases is available on the " "link:https://www.FreeBSD.org/security[FreeBSD security page]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2009 msgid "" "One task of the security team is to respond to reported security " "vulnerabilities in the FreeBSD operating system. 
Once a vulnerability is " "confirmed, the security team verifies the steps necessary to fix the " "vulnerability and updates the source code with the fix. It then publishes " "the details as a \"Security Advisory\". Security advisories are published " "on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] " "and mailed to the {freebsd-security-notifications}, {freebsd-security}, and " "{freebsd-announce}." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/security/_index.adoc:2010 #, no-wrap msgid "Format of a Security Advisory" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2013 msgid "Here is an example of a FreeBSD security advisory:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2018 #, no-wrap msgid "" "-----BEGIN PGP SIGNED MESSAGE-----\n" "Hash: SHA512\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2022 #, no-wrap msgid "" "=============================================================================\n" "FreeBSD-SA-23:07.bhyve Security Advisory\n" " The FreeBSD Project\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2024 #, no-wrap msgid "Topic: bhyve privileged guest escape via fwctl\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2034 #, no-wrap msgid "" "Category: core\n" "Module: bhyve\n" "Announced: 2023-08-01\n" "Credits: Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft\n" "Affects: FreeBSD 13.1 and 13.2\n" "Corrected: 2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)\n" " 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)\n" " 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)\n" "CVE Name: CVE-2023-3494\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:2038 #, no-wrap msgid "" "For general information regarding FreeBSD Security Advisories,\n" "including descriptions of the fields above, security branches, and the\n" "following sections, please visit .\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2040 #, no-wrap msgid "I. Background\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2046 #, no-wrap msgid "" "bhyve(8)'s fwctl interface provides a mechanism through which guest\n" "firmware can query the hypervisor for information about the virtual\n" "machine. The fwctl interface is available to guests when bhyve is run\n" "with the \"-l bootrom\" option, used for example when booting guests in\n" "UEFI mode.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2048 #, no-wrap msgid "bhyve is currently only supported on the amd64 platform.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2050 #, no-wrap msgid "II. Problem Description\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2056 #, no-wrap msgid "" "The fwctl driver implements a state machine which is executed when the\n" "guest accesses certain x86 I/O ports. The interface lets the guest copy\n" "a string into a buffer resident in the bhyve process' memory. A bug in\n" "the state machine implementation can result in a buffer overflowing when\n" "copying this string.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2058 #, no-wrap msgid "III. Impact\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:2064 #, no-wrap msgid "" "A malicious, privileged software running in a guest VM can exploit the\n" "buffer overflow to achieve code execution on the host in the bhyve\n" "userspace process, which typically runs as root. Note that bhyve runs\n" "in a Capsicum sandbox, so malicious code is constrained by the\n" "capabilities available to the bhyve process.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2066 #, no-wrap msgid "IV. Workaround\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2069 #, no-wrap msgid "" "No workaround is available. bhyve guests that are executed without the\n" "\"-l bootrom\" option are unaffected.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2071 #, no-wrap msgid "V. Solution\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2074 #, no-wrap msgid "" "Upgrade your vulnerable system to a supported FreeBSD stable or\n" "release / security branch (releng) dated after the correction date.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2076 #, no-wrap msgid "Perform one of the following:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2078 #, no-wrap msgid "1) To update your vulnerable system via a binary patch:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2082 #, no-wrap msgid "" "Systems running a RELEASE version of FreeBSD on the amd64, i386, or\n" "(on FreeBSD 13 and later) arm64 platforms can be updated via the\n" "freebsd-update(8) utility:\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:2085 #, no-wrap msgid "" "# freebsd-update fetch\n" "# freebsd-update install\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2087 #: documentation/content/en/books/handbook/security/_index.adoc:2115 #, no-wrap msgid "Restart all affected virtual machines.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2089 #, no-wrap msgid "2) To update your vulnerable system via a source code patch:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2092 #, no-wrap msgid "" "The following patches have been verified to apply to the applicable\n" "FreeBSD release branches.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2095 #, no-wrap msgid "" "a) Download the relevant patch from the location below, and verify the\n" "detached PGP signature using your PGP utility.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2100 #, no-wrap msgid "" "[FreeBSD 13.2]\n" "# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch\n" "# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc\n" "# gpg --verify bhyve.13.2.patch.asc\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2105 #, no-wrap msgid "" "[FreeBSD 13.1]\n" "# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch\n" "# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc\n" "# gpg --verify bhyve.13.1.patch.asc\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2107 #, no-wrap msgid "b) Apply the patch. Execute the following commands as root:\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:2110 #, no-wrap msgid "" "# cd /usr/src\n" "# patch < /path/to/patch\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2113 #, no-wrap msgid "" "c) Recompile the operating system using buildworld and installworld as\n" "described in .\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2117 #, no-wrap msgid "VI. Correction details\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2120 #, no-wrap msgid "" "This issue is corrected by the corresponding Git commit hash or Subversion\n" "revision number in the following stable and release branches:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2127 #, no-wrap msgid "" "Branch/path Hash Revision\n" "- -------------------------------------------------------------------------\n" "stable/13/ 9fe302d78109 stable/13-n255918\n" "releng/13.2/ 2bae613e0da3 releng/13.2-n254625\n" "releng/13.1/ 87702e38a4b4 releng/13.1-n250190\n" "- -------------------------------------------------------------------------\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2130 #, no-wrap msgid "" "Run the following command to see which files were modified by a\n" "particular commit:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2132 #, no-wrap msgid "# git show --stat \n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2134 #, no-wrap msgid "Or visit the following URL, replacing NNNNNN with the hash:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2136 #, no-wrap msgid "\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/security/_index.adoc:2139 #, no-wrap msgid "" "To determine the commit count in a working tree (for comparison against\n" "nNNNNNN in the table above), run:\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2141 #, no-wrap msgid "# git rev-list --count --first-parent HEAD\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2143 #, no-wrap msgid "VII. References\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2145 #, no-wrap msgid "\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2149 #, no-wrap msgid "" "The latest revision of this advisory is available at\n" "\n" "-----BEGIN PGP SIGNATURE-----\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/security/_index.adoc:2164 #, no-wrap msgid "" "iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A\n" "Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K\n" "qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM\n" "cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K\n" "KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV\n" "fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb\n" "hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF\n" "NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip\n" "hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0\n" "drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0\n" "JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4\n" "LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=\n" "=MlAY\n" "-----END PGP SIGNATURE-----\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2167 msgid "Every security advisory uses the following format:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2169 msgid "" "Each security advisory is signed by the PGP key of the Security Officer. The " "public key for the Security Officer can be verified at " "crossref:pgpkeys[pgpkeys,OpenPGP Keys]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2170 msgid "" "The name of the security advisory always begins with `FreeBSD-SA-` (for " "FreeBSD Security Advisory), followed by the year in two digit format " "(`23:`), followed by the advisory number for that year (`07.`), followed by " "the name of the affected application or subsystem (`bhyve`)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2171 msgid "The `Topic` field summarizes the vulnerability." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2172 msgid "" "The `Category` refers to the affected part of the system which may be one of " "`core`, `contrib`, or `ports`. The `core` category means that the " "vulnerability affects a core component of the FreeBSD operating system. The " "`contrib` category means that the vulnerability affects software included " "with FreeBSD, such as BIND. The `ports` category indicates that the " "vulnerability affects software available through the Ports Collection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2173 msgid "" "The `Module` field refers to the component location. In this example, the " "`bhyve` module is affected; therefore, this vulnerability affects an " "application installed with the operating system." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2174 msgid "" "The `Announced` field reflects the date the security advisory was published. " "This means that the security team has verified that the problem exists and " "that a patch has been committed to the FreeBSD source code repository." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2175 msgid "" "The `Credits` field gives credit to the individual or organization who " "noticed the vulnerability and reported it." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2176 msgid "" "The `Affects` field explains which releases of FreeBSD are affected by this " "vulnerability." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2177 msgid "" "The `Corrected` field indicates the date, time, time offset, and releases " "that were corrected. The section in parentheses shows each branch for which " "the fix has been merged, and the version number of the corresponding release " "from that branch. The release identifier itself includes the version number " "and, if appropriate, the patch level. The patch level is the letter `p` " "followed by a number, indicating the sequence number of the patch, allowing " "users to track which patches have already been applied to the system. " "Comparing it with the output of man:freebsd-version[1] shows whether the " "running system already includes the fix." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2178 msgid "" "The `CVE Name` field lists the CVE identifier assigned to the vulnerability, " "if one exists, in the public http://cve.mitre.org[cve.mitre.org] security " "vulnerabilities database." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2179 msgid "The `Background` field provides a description of the affected module." msgstr "" #.
type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2180 msgid "" "The `Problem Description` field explains the vulnerability. This can include " "information about the flawed code and how the utility could be maliciously " "used." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2181 msgid "" "The `Impact` field describes what type of impact the problem could have on a " "system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2182 msgid "" "The `Workaround` field indicates if a workaround is available to system " "administrators who cannot immediately patch the system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2183 msgid "" "The `Solution` field provides the instructions for patching the affected " "system. This is a step by step tested and verified method for getting a " "system patched and working securely." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2184 msgid "" "The `Correction Details` field displays each affected Subversion or Git " "branch with the revision number that contains the corrected code." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/security/_index.adoc:2184 msgid "" "The `References` field offers sources of additional information regarding " "the vulnerability." msgstr ""
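Two passages above leave the administrator with text to act on: the `pkg audit -F` listing in "Monitoring Third Party Security Issues", and the `Corrected` block of an advisory whose patch levels must be compared with the running system. The script below is an added example, not part of the Handbook or any FreeBSD tool. It parses the advisory header layout shown in the FreeBSD-SA-23:07.bhyve sample (a `Corrected:` line followed by indented continuation lines, each ending in `(branch, release)`), compares a version string in the form printed by `freebsd-version -u` (assumed format `13.2-RELEASE-p1`) against it, and condenses pkg audit output into one line per vulnerable package. The two sample inputs are abridged copies of the page's own advisory and audit output, embedded so the script runs offline; the commands in the trailing comment (fetching and verifying the advisory, running pkg audit) are assumptions about how it would be used on a real host and are not executed.

```shell
#!/bin/sh
# Added example (not from the Handbook): decide from an advisory's header
# whether a host at a given patch level still needs the fix, and condense
# "pkg audit -F" output into one line per vulnerable package.

# sa_corrected_for BASE < advisory
# Print the corrected release for BASE (e.g. 13.2-RELEASE -> 13.2-RELEASE-p2)
# from the "Corrected:" block; print nothing if BASE is not listed.
sa_corrected_for() {
    awk -v base="$1" '
        /^Corrected:/ { inblk = 1 }
        inblk && match($0, /\([^)]*\)/) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), p, /, */)
            if (n == 2 && (p[2] == base || index(p[2], base "-") == 1)) { print p[2]; exit }
            next
        }
        inblk && /^[^ \t]/ && !/^Corrected:/ { inblk = 0 }   # next header field
    '
}

# sa_needs_patch RUNNING < advisory
# RUNNING is what "freebsd-version -u" prints (assumed form: 13.2-RELEASE-p1).
# Exit 0: RUNNING is below the corrected patch level, apply the fix.
# Exit 1: RUNNING already carries the fix.
# Exit 2: undecidable from the header (not a -RELEASE, or branch not listed).
sa_needs_patch() {
    run=$1
    case $run in
        *-RELEASE|*-RELEASE-p[0-9]*) ;;
        *) echo "$run: not a -RELEASE version; compare commit counts (section VI)" >&2; return 2 ;;
    esac
    base=${run%%-p[0-9]*}                                   # 13.2-RELEASE
    runp=${run#"$base"}; runp=${runp#-p}; runp=${runp:-0}   # 1 (0 if no -pN)
    fixed=$(sa_corrected_for "$base")
    [ -n "$fixed" ] || { echo "$base is not in Corrected:; check Affects:" >&2; return 2; }
    fixp=${fixed#"$base"}; fixp=${fixp#-p}; fixp=${fixp:-0}
    if [ "$runp" -lt "$fixp" ]; then
        echo "$run is vulnerable: fixed in $fixed"; return 0
    fi
    echo "$run already includes the fix from $fixed"; return 1
}

# audit_summary < "pkg audit" output
# One line per vulnerable package: "<pkg> <count> <CVE ...>". Exit 1 when any
# package is vulnerable (like pkg audit itself), 0 when the list is clean.
audit_summary() {
    awk '
        /^[^ \t].* is vulnerable:$/ { pkg = $1; n[pkg] = 0; next }
        pkg != "" && /^[ \t]+CVE:/   { n[pkg]++; cves[pkg] = cves[pkg] " " $2; next }
        /^[^ \t]/                    { pkg = "" }
        END { for (p in n) { print p, n[p] cves[p]; found = 1 }; exit (found ? 1 : 0) }
    '
}

# Constructed inputs, abridged from the advisory and pkg audit output shown
# in the text; nothing is fetched from the network.
SA_SAMPLE='FreeBSD-SA-23:07.bhyve                                      Security Advisory
Topic:          bhyve privileged guest escape via fwctl
Category:       core
Module:         bhyve
Announced:      2023-08-01
Affects:        FreeBSD 13.1 and 13.2
Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
CVE Name:       CVE-2023-3494'

AUDIT_SAMPLE='vulnxml file up-to-date
chromium-116.0.5845.96_1 is vulnerable:
  chromium -- multiple vulnerabilities
  CVE: CVE-2023-4431
  CVE: CVE-2023-4427
  WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html

samba413-4.13.17_5 is vulnerable:
  samba -- multiple vulnerabilities
  CVE: CVE-2023-3347
  CVE: CVE-2022-2127
  WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html

2 problem(s) in 2 installed package(s) found.'

demo() {
    for v in 13.2-RELEASE-p1 13.2-RELEASE-p2 13.1-RELEASE 14.0-RELEASE 13.2-STABLE; do
        printf '%s\n' "$SA_SAMPLE" | sa_needs_patch "$v" || echo "  -> exit $?"
    done
    printf '%s\n' "$AUDIT_SAMPLE" | audit_summary || echo "  -> vulnerable packages present"
}
# On a FreeBSD host the real inputs would be (assumed usage, not run here):
#   gpg --verify FreeBSD-SA-23:07.bhyve.asc   # after importing the Security Officer key
#   sa_needs_patch "$(freebsd-version -u)" < FreeBSD-SA-23:07.bhyve.asc
#   pkg audit -F | audit_summary
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh triage.sh demo` to see each sample version classified and the audit output condensed. The patch-level comparison is only meaningful for `-RELEASE` systems; for stable branches the advisory's own section VI (commit count via `git rev-list --count --first-parent HEAD`) is the right check, which is why the script refuses to guess there. Use `freebsd-version -u` rather than `-k` for a userland component such as bhyve: the two can differ after a `freebsd-update` that has not yet been followed by a reboot.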