securing the kernel

Rob listone at deathbeforedecaf.net
Thu May 1 03:49:38 PDT 2003


There's a little bit on kernel options in the security(7) manpage, but
many of the 'hardening' steps are outside of the kernel.

You can add ICMP_BANDLIM to the kernel config, as well as options for
ipfirewall(4). My /etc/sysctl.conf has the entries

  net.inet.tcp.blackhole=2
  net.inet.udp.blackhole=1

to slow down portscans - see blackhole(4). You might also want to look
at runlevels in the init(8) manpage, though they work better on servers.

Of course, turn off any network stuff you don't need - inetd(8) and
portmap(8) can be disabled in /etc/rc.conf. If you run named(8), use the
flags recommended in /etc/defaults/rc.conf and run it non-root.

I haven't got any untrusted local users, so most of my focus is on
network-based problems. I would certainly recommend
/usr/ports/security/sudo as a replacement for su(8). It has much better
control over who does what.

----- Original Message -----
From: "pat bey" <phaza7 at yahoo.com>
To: "Max" <max_mail at exe.farlep.net>
Cc: <mrspock at esfm.ipn.mx>; <freebsd-questions at freebsd.org>
Sent: Thursday, May 01, 2003 1:59 AM
Subject: securing the kernel


> I'm fairly new to messing with the kernel and was wondering what are
> some good options to add to it to help secure it from remote and local
> attackers. Of the options in Lint, I don't know which are the most secure.
> I haven't found any documents yet besides man and the handbook. Just
> looking for opinions.
>
> Suppressed minds have no Freedom of Choice
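
One way to check a host against the settings mentioned in the reply above. This is an added example, not part of the original e-mail. Assumptions: the two file paths are parameters, the sample files are constructed, and an rc.conf knob that is not set explicitly is reported as a finding because the script does not read /etc/defaults/rc.conf.

```sh
#!/bin/sh
# conf_value FILE KEY: print the last value assigned to KEY (later lines win),
# ignoring comments, surrounding blanks and double quotes.
conf_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
          if (k == key) last = v }
        END { print last }' "$1" 2>/dev/null
}

# expect FILE KEY WANT: print one result line, return 1 on mismatch (case-insensitive).
expect() {
    got=$(conf_value "$1" "$2" | tr '[:lower:]' '[:upper:]')
    if [ "$got" = "$3" ]; then
        echo "ok    $2=$got"
    else
        echo "FAIL  $2=${got:-<unset>} (want $3)"
        return 1
    fi
}

# audit_host SYSCTL_CONF RC_CONF: run all checks, return the number of findings.
audit_host() {
    sysctl_conf=$1 rc_conf=$2 fails=0
    expect "$sysctl_conf" net.inet.tcp.blackhole 2 || fails=$((fails + 1))
    expect "$sysctl_conf" net.inet.udp.blackhole 1 || fails=$((fails + 1))
    expect "$rc_conf" inetd_enable NO || fails=$((fails + 1))
    expect "$rc_conf" portmap_enable NO || fails=$((fails + 1))
    # named is only checked when enabled; -u in named_flags means it runs non-root.
    if [ "$(conf_value "$rc_conf" named_enable | tr '[:lower:]' '[:upper:]')" = "YES" ]; then
        case " $(conf_value "$rc_conf" named_flags) " in
            *" -u "*) echo "ok    named_flags contains -u" ;;
            *) echo "FAIL  named_enable=YES without -u in named_flags"; fails=$((fails + 1)) ;;
        esac
    fi
    return "$fails"
}

# Constructed sample files (not from the original message): udp.blackhole is
# commented out and portmap_enable is missing, so two findings are reported.
demo=$(mktemp -d)
printf 'net.inet.tcp.blackhole=2\n# net.inet.udp.blackhole=1\n' > "$demo/sysctl.conf"
printf 'inetd_enable="NO"\nnamed_enable="YES"\nnamed_flags="-u bind -g bind"\n' > "$demo/rc.conf"
audit_host "$demo/sysctl.conf" "$demo/rc.conf" || echo "$? finding(s)"
rm -rf "$demo"
```

On a real system the call would be `audit_host /etc/sysctl.conf /etc/rc.conf`.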