OpenBSD is locked down by default. Here are a few extra steps that can be taken.

Harden malloc

OpenBSD's malloc(3) performs many checks by default. Further checks can be enabled as follows:

# Under OpenBSD 6.4 or earlier
$ doas ln -s CFGU /etc/malloc.conf
# Under OpenBSD 6.5 or later
$ doas sysctl -w vm.malloc_conf=CFGU

Accounting

Accounting provides a log of all commands run, which can be viewed with lastcomm(1) and summarised with sa(8). Furthermore, the daily crontab(5) job uses accounting to check for abnormal exits and reports them.

$ doas rcctl enable accounting

Disable sshd password authentication and root login

Edit /etc/ssh/sshd_config and replace:

# PasswordAuthentication yes
# PermitRootLogin prohibit-password

with

PasswordAuthentication no
PermitRootLogin no
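The following is an added example, not part of the original page: a small POSIX sh audit that reads an sshd_config and reports whether the two settings above are in effect. It uses two constructed sample files rather than a real host's configuration, and it assumes the sshd_config(5) parsing rules (first occurrence wins, keywords are case-insensitive, "#" starts a comment, "keyword=value" is accepted) as documented for OpenSSH.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config for the two
# settings above. Only directives before the first "Match" block count as the
# global value, because settings inside a Match block apply conditionally.
# Keywords and yes/no values are case-insensitive; "#" starts a comment and
# "keyword=value" is accepted as well as "keyword value", as in sshd_config(5).

# Print the effective global value of keyword $2 in file $1 (first occurrence
# wins, as in sshd(8)); print nothing if the keyword is not set.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# List keywords set inside Match blocks, so conditional exceptions to the
# global policy can be reviewed by hand.
sshd_match_overrides() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch && NF { print tolower($1) }
    ' "$1"
}

# Return 0 when both password authentication and root login are disabled
# globally. An absent directive takes sshd's default (yes and
# prohibit-password respectively), and both defaults fail the check.
sshd_hardened() {
    pa=$(sshd_value "$1" PasswordAuthentication)
    prl=$(sshd_value "$1" PermitRootLogin)
    [ "${pa:-yes}" = no ] && [ "${prl:-prohibit-password}" = no ]
}

# Constructed sample files (not copied from any real host).
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
cat >"$CONF_DIR/default.conf" <<'EOF'
# stock file: both keywords commented out, so the defaults apply
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
Subsystem sftp /usr/libexec/sftp-server
EOF
cat >"$CONF_DIR/hardened.conf" <<'EOF'
PasswordAuthentication=No
PermitRootLogin no   # keys only
Match User backup
    PasswordAuthentication yes
EOF

for f in "$CONF_DIR"/*.conf; do
    if sshd_hardened "$f"; then
        echo "$f: password authentication and root login disabled"
    else
        echo "$f: password authentication or root login still permitted"
    fi
    overrides=$(sshd_match_overrides "$f")
    if [ -n "$overrides" ]; then
        echo "$f: review Match block overrides: $overrides"
    fi
done
```

Run it against the real file with `sshd_hardened /etc/ssh/sshd_config`; the Match-block listing matters because a conditional `PasswordAuthentication yes` further down the file silently re-enables passwords for the users it matches, which the global check alone would not reveal.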

sysctl tuning

Add to /etc/sysctl.conf:

ddb.panic=0
machdep.allowaperture=0

Generate mtree checksum files

security(8) will regularly check for file modifications if current values are recorded in /etc/mtree. The following script will generate these files for common binaries and libraries.

#!/bin/sh
set -e
# update=1 regenerates every spec file; update=0 only creates missing ones
update=1
for path in /bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/mdec /usr/share/relink; do
    name=$(echo $path | cut -d/ -f2- | tr / .)
    fname=/etc/mtree/$name.secure
    tokens=type,uid,gid,mode,nlink,size,link,sha256digest
    # Files rewritten at boot (kernel relink, libc/libcrypto/ld.so
    # re-ordering) keep only their stable attributes, so the daily check
    # does not report them after every reboot.
    filters=""
    if [ $path = /usr/share/relink ]
    then
        filters="s/\([[:space:]]bsd\)[[:space:]].*/\1 gid=21 mode=0770/; \
            s/\([[:space:]]newbsd.gdb\)[[:space:]].*/\1 gid=21 mode=0770/; \
            s/\([[:space:]]gap.link\)[[:space:]].*/\1 mode=0660/; \
            s/\([[:space:]]lorder\)[[:space:]].*/\1 mode=0660/; \
            s/\([[:space:]]gap\.o\)[[:space:]].*/\1 gid=21 mode=0770/; \
            s/\([[:space:]]relink\.log\)[[:space:]].*/\1 mode=0640/"
    elif [ $path = /usr/libexec ]
    then
        filters="s/\([[:space:]]ld\.so\)[[:space:]].*/\1 mode=0444/; \
            s/\([[:space:]]ld\.so\.save\)[[:space:]].*/\1 mode=0444/"
    elif [ $path = /usr/lib ]
    then
        filters="s/\([[:space:]]libc\.so\.[0-9.]*\)[[:space:]].*/\1/; \
            s/\([[:space:]]libcrypto\.so\.[0-9.]*\)[[:space:]].*/\1/"
    fi
    if [ ! -e $fname -o $update -eq 1 ]
    then
        echo filters: $filters
        # Drop the host-specific header lines and join continued lines
        # before applying the filters, so each entry sits on one line.
        mtree -cx -p $path -k $tokens | \
            egrep -v '^#[[:space:]]*(machine|user|date):' | \
            sed -e :a -e '/\\$/N; s/\\\n//; ta' | \
            sed -e "$filters" | \
            tee $fname.new >/dev/null
        diff -u $fname $fname.new || true
        rm $fname || true
        mv $fname.new $fname
        echo update $fname
    fi
done
chown root:wheel /etc/mtree/*.secure
chmod 640 /etc/mtree/*.secure
sha256 /etc/mtree/*.secure

For a recently patched OpenBSD 7.1, I have:

SHA256 (/etc/mtree/bin.secure) = e0d668dceebecbea6b905bb0581fbc3fdc2c36edc3627133b3b7b9b5b5b0ec63
SHA256 (/etc/mtree/sbin.secure) = d94493d3731196456c18f5b457b630ae5ffc44f3c7dac99aa24dfe21ac05a273
SHA256 (/etc/mtree/usr.bin.secure) = 6c3fa02d2dbeb2460e7d9e6083a5c11f21ad5b63cdf247291fb388fbc6c14196
SHA256 (/etc/mtree/usr.lib.secure) = 9684cd5ca149a2f0947a78da4b00625bdce9bc60f0ec599509a188305fdcb298
SHA256 (/etc/mtree/usr.libexec.secure) = 3786adf0fc340ad5b3b1c8e5fcd85a12e55f77db82a7b1aaadcf042113eb2c27
SHA256 (/etc/mtree/usr.mdec.secure) = da40d43c064bf0c90b01c03153e7fb48145cea16d8326d2daecf87f45a669282
SHA256 (/etc/mtree/usr.sbin.secure) = a5617c1be149df70cce1ef51e2e3c1901134a75db132de1b495cb0baadd76e42
SHA256 (/etc/mtree/usr.share.relink.secure) = 9322a7874f615543da1485bb70462b6839b79566e6acf83f4b49395efb6d6f7a

Note: these checksums are comparable across hosts but not architectures; the above is for amd64.
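Since the spec files are meant to be compared across hosts, the following added example (not part of the original page) compares a host's sha256(1) listing of /etc/mtree/*.secure against a baseline listing in the "SHA256 (file) = digest" format shown above. The listings it uses are constructed, with made-up digests; on a real fleet the baseline would be the output from a trusted reference host of the same architecture.

```shell
#!/bin/sh
# Added example, not part of the original page: compare the sha256(1) listing
# of /etc/mtree/*.secure from a host against a baseline listing, in the
# "SHA256 (file) = digest" format printed above. Files whose digest differs,
# files missing from the host, and files the baseline lacks are all reported.

# compare_sums BASELINE CURRENT: print one line per discrepancy and return 0
# only when every file in the baseline is present with the same digest.
compare_sums() {
    awk '
        /^SHA256 \(/ {
            path = $0
            sub(/^SHA256 \(/, "", path)
            sub(/\) = .*/, "", path)
            if (NR == FNR) base[path] = $NF; else cur[path] = $NF
        }
        END {
            bad = 0
            for (p in base) {
                if (!(p in cur)) { print "missing: " p; bad = 1 }
                else if (base[p] != cur[p]) { print "changed: " p; bad = 1 }
            }
            for (p in cur)
                if (!(p in base)) { print "extra: " p; bad = 1 }
            exit bad
        }
    ' "$1" "$2"
}

# Constructed sample listings (digests are made up, not real hashes).
SUMS_DIR=$(mktemp -d)
trap 'rm -rf "$SUMS_DIR"' EXIT
cat >"$SUMS_DIR/baseline" <<'EOF'
SHA256 (/etc/mtree/bin.secure) = 1111111111111111111111111111111111111111111111111111111111111111
SHA256 (/etc/mtree/sbin.secure) = 2222222222222222222222222222222222222222222222222222222222222222
SHA256 (/etc/mtree/usr.bin.secure) = 3333333333333333333333333333333333333333333333333333333333333333
EOF
# hostA matches the baseline exactly
cp "$SUMS_DIR/baseline" "$SUMS_DIR/hostA"
# hostB: usr.bin changed, sbin missing, and an extra usr.lib file
cat >"$SUMS_DIR/hostB" <<'EOF'
SHA256 (/etc/mtree/bin.secure) = 1111111111111111111111111111111111111111111111111111111111111111
SHA256 (/etc/mtree/usr.bin.secure) = 4444444444444444444444444444444444444444444444444444444444444444
SHA256 (/etc/mtree/usr.lib.secure) = 5555555555555555555555555555555555555555555555555555555555555555
EOF

for host in hostA hostB; do
    if compare_sums "$SUMS_DIR/baseline" "$SUMS_DIR/$host"; then
        echo "$host: all spec files match the baseline"
    else
        echo "$host: differences found, investigate before trusting its mtree results"
    fi
done
```

A "changed:" line means the host's spec file itself differs, so its daily security(8) report is being judged against a different baseline than the reference host; resolve that before reading the mtree output on that host.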

To check manually:

for file in /etc/mtree/*.secure
do
	path=$(awk '/tree:/ {print $3; exit}' <$file)
	echo checking $path
	doas mtree -p $path -f $file
done

Audit

Run a standard suite of sanity checks:

$ doas pkg_add lynis
$ doas lynis audit system