https://github.com/wravoc/harden-ghostbsd

Implements a broad, cohesive group of hardening settings for GhostBSD. Any directive can be set, re-set, for administering, tuning, and jails. Zenbleed workaround, Downfall info.
https://github.com/wravoc/harden-ghostbsd

bsd cybersecurity downfall ghostbsd hardening security-automation security-tools vulnerability-assessment vulnerability-detection zenbleed

Last synced: 2 days ago
JSON representation

Implements a broad, cohesive group of hardening settings for GhostBSD. Any directive can be set, re-set, for administering, tuning, and jails. Zenbleed workaround, Downfall info.

• Host: GitHub
• URL: https://github.com/wravoc/harden-ghostbsd
• Owner: wravoc
• License: other
• Created: 2023-08-24T19:34:32.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2023-08-29T01:31:29.000Z (about 1 year ago)
• Last Synced: 2023-08-29T08:00:33.858Z (about 1 year ago)
• Topics: bsd, cybersecurity, downfall, ghostbsd, hardening, security-automation, security-tools, vulnerability-assessment, vulnerability-detection, zenbleed
• Language: Python
• Homepage: https://www.quadhelion.engineering
• Size: 6.71 MB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: Changelog.md
  • License: LICENSE.md
  • Security: docs/SECURITY.md

Awesome Lists containing this project

README

        
# Harden GhostBSD 

![](images/harden-ghostbsd-preview.png)

Any directive can be set and re-set with a customizable `settings.ini` for administering, tuning, and easier jail management. All existing entries in all confs will remain untouched unless they are modified in the settings file.

This script is also targeted to new users of GhostBSD so that they may leverage years of security contributions by the entire BSD community across all spectra, implemented on thier system in seconds.

Each of the security settings was researched, assessed, and chosen as a set of mitigations for maximizing threat reduction while minimizing restriction of system capability and availability.

---

## Known Incompatibilities (Insecure)

* **Firefox, Chromium** explicity uses shared memory, conflicts with `kern.elf64.allow_wx`

* Linux Binary Compatability, nginx, VirtualBox shared folders, conflicts with `kern.securelevel`

## Verified Compatible

* **Workstation**: Librewolf, Evolution, RhythmBox, VLC, Abiword, Pluma, Gimp, Inkscape, Spacemacs, Git

* **Server**: Apache, OpenSMTPD, MariaDB `have_dynamic_loading=YES`

---

## Includes

* Desktop Wallpapers as a special gift to users of the Software

* Directory (Hier)archy Visual Map, PDF, in /docs

---

## FreeBSD Security Advisories

### Remote denial of service in IPv6 fragment reassembly

* `net.inet6.ip6.maxfrags = 0` [(*)](https://www.freebsd.org/security/advisories/FreeBSD-SA-23:06.ipv6.asc)

    * **Official FreeBSD Security Advisory Workaround** 

    * If using pf to scrub framents you do **not** need this workaround

    * Add the directive above to `[SYSTEM} settings.ini` if not using pf scrub, and until you can safely patch the system

### Downfall Intel CPU Vulnerability

* https://downfall.page/

    * Computing devices based on Intel Core processors from the 6th Skylake to (including) the 11th Tiger Lake generation are affected.

    * [Vulnerability Checker](https://github.com/flowyroll/downfall/tree/main/POC/gds_spy)

    * **Mitigation**: Intel Microcode Update Expected 

---

## New Features in 3.0.1

* ZenBleed Workaround with CPU microcode updating

* CPU microcode updating enabled in anticipation of Zenbleed and Downfall Patches

*Full [Changelog](Changelog.md)*

## Addtional Software

* Scripts included to verify the implementation. Run before and after the repo Software.

    * Kernel vulnerablity diagnosis provided by [Stéphane Lesimple's](https://github.com/speed47) spectre-meltdown-checker

        * `chmod 750 spectre-meltdown-checker.sh`

        * You should only be left with the MCEPSC, Machine Check Exception on Page Size Change Vulnerability, [CVE-2018-12207](https://www.freebsd.org/security/advisories/FreeBSD-SA-19:25.mcepsc.asc)

    * MMAP, MProtect vulnerability diagnosis provided by [u/zabolekar](https://www.reddit.com/r/BSD/comments/10isrl3/notes_about_mmap_mprotect_and_wx_on_different_bsd/)

        * `cc mmap_protect.c` 

        * `./a.out`

        * You should have two successes

## Zenbleed Workaround

* **Overview**

    * [Security Engineer's Discovery & Write-Up](https://lock.cmpxchg8b.com/zenbleed.html)

    * [Affects AMD Zen 2 Chipset Family](https://nakedsecurity.sophos.com/2023/07/26/zenbleed-how-the-quest-for-cpu-performance-could-put-your-passwords-at-risk/)

    * Mitigation/workaround suggested by discovering Security Engineer **will not work in Virtual Machines**

    * AMD has patched the Rome family, server oriented series, of CPU's but all others are expected in December of 2023.

    * The command to manually verify the chicken-bit has been set is `cpucontrol -m "0xc0011029" /dev/cpuctl0`

    * AMD Threadripper Pros are currently not being detected

### Zenbleed Workaround Features

* Sets the Model Specific Register chicken-bit exactly as suggested by the discovering Security Engineer

* Patches the latest AMD microcode from [Platomov's GitHub Repository](https://github.com/platomav/CPUMicrocodes/tree/master/AMD) if available for your Zen2 CPU, currently, only "Rome" series as of August 11, 2023.

* If in a Virtual Machine, check for EPYC Rome series CPU and apply AMD patch and exit if not Rome, as there is no other patch available yet and Hypervisor disallows the workaround.

* Only if a Zenbleed vulnerable CPU is detected a CPU chicken-bit is be set every boot via a provided rc script

* Prompts to make a reminder to remove the script using `at` to create a file called `REMINDER-AMD-Zenbleed-Removal` in home directory on the 2023 December Solstice

### Execute

* `chmod 750 zenbleed-workaround.csh`

* `sudo ./zenbleed-workaround.csh`

### Arguments

* `./zenbleed-workaround.csh clean` removes the CPU microcode/firmware utilities as a security measure once Zenbleed patching is complete

    * Do not use `clean` if you still need the workaround on baremetal as it uses cpucontrol.

* `./zenbleed-workaround.csh remove` removes the rc script for performance reasons or once the patch is applied from AMD in Decemeber 2023. 

    * In the case of an AMD Zenbleed fully patched CPU, follow `remove` with `clean` for security purposes.

---

## Main Features

* Makes backups of `rc.conf`, `sysctl.conf`, `login.conf`, and `loader.conf` on first run

* Sets passwords to blowfish encryption

* Sets passwords to expire at 120 days

* Disables sendmail completely

* Removes `other` write permissions from key system files and folders

* Allows only root for `cron` and `at`

* Primitive flag verification catches simple errors

* Modularizable within other tools

* Automate any shell script

* System Logging to `/var/log/messages` and Script Logging to `/var/log/harden-freebsd.log`

* Pretty prints color output of script execution to console while running

## Requirements

* GhostBSD 23.06.01

* Python 3.9.16

## Installation

**WARNING: Once kernel level 1 is set by this script, you will not be able to modify these confs again with this script until it is set to -1 and rebooted!**

* Set `kernlevel = -1` if you want to test various setting groups with your applications and network

* Customize `settings.ini`  to whatever is needed, the script will change the directive to your flag

* Set permissions `chmod 750 harden-ghostbsd.py` to prevent shell injection from another account or process

* Set permissions `chmod 640 settings.ini` to prevent shell injection from another account or process

* No `settings.ini` section can be entirely commented out nor be completely empty

* `sudo ./harden-ghostbsd.py`

## Conf File Verification

`kern.vty = "vt"`

This script does primitive verification of the confs flags in strict accordance with system man. Many online tutorials even on the FreeBSD family of websites do not use the proper syntax. Check the log for any validation failures. Use proper syntax, remove the syntax checking lines 241-261, or rewrite the regular expression to make a new check suitable for you.

* For `/etc/sysctl.conf` the script checks for no quotes

* For `/boot/loader.conf` the script strictly verifies syntax from man and `/boot/defaults/loader.conf` syntax

    * All directives in these sister confs must be in quotes

If you do get stuck in read-only single-user mode and need to correct a configuration file then use:

```sh

zfs set readonly=off zroot

zfs mount -a

```

## Customization

#### 64bit vs 32bit

Most tunable mitigations for 64bit are already included by default in GhostBSD 13.1 so 32bit directives were included for coverage. I can see no affect from setting the 32bit mitigations on 64bit systems, they are simply ignored. For clarity on unknown hardware, hardware mode, VM, or cloud use the following commands:

* CPU: `sysctl hw.model hw.machine hw.ncpu`

* Bits: `getconf LONG_BIT`

#### Backups

The very first time the script is run it will make copies of `rc.conf`, `sysctl.conf`, `login.conf`, and `loader.conf` named `rc.conf.original` etc. If you've already done this yourself you may want to rename or move those files.

If you would like you can set `settings.ini` section `[SCRIPT]`option `first_run` to `True` with capital `T` to make new backups at any time after you've renamed the original backups or the script will overwrite them.

#### Chmod-ability

The set of files needed to be secure changed and changed throughout testing and so it ended up as a shell command but an error checked function was provided for the administrator programmer to use instead of appending to the long list in `settings.ini` section `[FILESEC]` if you wish or to work with other software.

Those files are:

`etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config /etc/sysctl.conf etc/syslog.conf /etc/ttys /etc/crontab /usr/bin/crontab /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch /var/log`

#### Secure Password Settings

The newly applied settings will not take affect until you reset your password.

## Automatic Jail Lockdown/Management Strategies

1. Set the correct paths to jailed confs in `harden-ghostbsd.py` lines 32-38 and run for each jail.

2. Copy software to `/root` and have jail start this script at reboot and all settings will be updated upon next reboot. To update all jails simply copy `settings.ini` with your own copy script to all appropriate locations for uptake. 

`crontab -e`

`@reboot /path/to/harden-ghostbsd.py`

3. Have all jails pointing to the same rc script via `exec.start` and set paths in the script pointing to the same location modified by the script paths. 

4. Add new jail specific entires to `settings.ini [SYSTEM]` section for sysctl.conf udpate

   - `security.jail.* = 0`

5. Use mutiple copies of the script and settings.ini for each jail

6. Put it in your template

---

## Setting Descriptors

**Startup**

* `kern_securelevel_enable = "YES"`

    * Enable access to other than permanently insecure modes

* `microcode_update_enable = "YES"`

    * Allow CPU microcode/firmware updates

* Disable Sendmail

* `syslogd_flags="-ss"`

    * Disallow syslogd to bind to a network socket

* `clear_tmp_enable = "YES"`

    * Clear the /tmp directory on reboot

* `icmp_drop_redirect="YES"`

    * Disallow redirection of ICMP (ping, echo)

* `inetd_enable = "NO"`

    * Disallow Network File System to share directories over the network

* `portmap_enable = "NO"`

    * Disallow portmapping since Network File Systems is disallowed

* `update_motd = "NO"`

    * Disallow computer system details from being added to /etc/motd on system reboot

**System**

* `kern.securelevel = 1` [(*)](https://man.freebsd.org/cgi/man.cgi?securelevel)

    * The system immutable and system append-only flags may

	   not be turned off; disks for	mounted	file systems, /dev/mem and

	   /dev/kmem may not be	opened for writing; /dev/io (if	your platform

	   has it) may not be opened at	all; kernel modules (see kld(4)) may

	   not be loaded or unloaded.  The kernel debugger may not be entered

	   using the debug.kdb.enter sysctl.  A	panic or trap cannot be	forced

	   using the debug.kdb.panic, debug.kdb.panic_str and other sysctl's.

* `security.bsd.see_other_uids = 0`

    * Disallow users from seeing information about processes that are being run by another user (UID)

* `security.bsd.see_other_gids = 0` [(*)](https://docs.freebsd.org/en/books/handbook/mac/#mac-policies)

    * Disallow users from seeing information about processes that are being run by another group (GID)

* `security.bsd.see_jail_proc = 0` (Sysctl MIB Entry `sysctl -a | grep security.bsd`)

    * Disallow non-root users from seeing processes in jail

* `security.bsd.unprivileged_read_msgbuf = 0` (Sysctl MIB Entry `sysctl -a | grep security.bsd`)

    * Disallow non-root users from reading system message buffer

* `security.bsd.stack_guard_page=1` (Java Stack Vulnerability Mitigation [(*)](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt))

* `kern.randompid = 107` [(*)](https://wiki.freebsd.org/DevSummit/201308/Security)

    * Force kernel to randomize process ID's using above salt value instead of sequential

* `net.inet.ip.random_id = 1`

    * Randomize IP packet ID

* `net.inet.ip.redirect = 0` 

    * Disallow ICMP host redirects

* `net.inet.tcp.always_keepalive = 0`

    * Disallow keeping open idle TCP connections

* `net.inet.tcp.blackhole = 2` +(UDP)[(*)](https://man.freebsd.org/cgi/man.cgi?query=blackhole)

    * Packets that are received on a closed port will not initiate a reply

* `net.inet.tcp.path_mtu_discovery = 0` [(*)](https://man.freebsd.org/cgi/man.cgi?query=tcp&sektion=4)

    * Disallows TCP to determine the minimum MTU size on any network that is currently in the path between two hosts

* `net.inet.icmp.drop_redirect = 1`

    * Pairs with rc.conf startup, as once enabled, it is then set

* `hw.mds_disable = 3` [(*)](https://www.kernel.org/doc./html/latest/arch/x86/mds.html)

    * Enable Microarchitectural Data Sampling Mitigation version `VERW`

    * Change value to `3` (AUTO) if using a Hypervisor without MDS Patch

* `hw.spec_store_bypass_disable = 1` [(*)](https://handwiki.org/wiki/Speculative_Store_Bypass)

    * Disallow Speculative Bypass used by Spectre and Meltdown

* `kern.elf64.allow_wx = 0` [(*)](https://www.ibm.com/docs/en/aix/7.2?topic=memory-understanding-mapping)

    * Disallow write and execute for shared memory

**Kernel**

* `security.bsd.allow_destructive_dtrace = "0"`

    * Disallow DTrace to terminate proccesses

    * Test DTrace hardening: Using all 3 commands should result in `Permission denied` or `Destructive actions not allowed`:

    * `dtrace -wn 'tcp:::connect-established { @[args[3]->tcps_raddr] = count(); }'`

    * `dtrace -wqn tick-1sec'{system("date")}'`

    * `dtrace -qn tick-1sec'{system("date")}'`

* `hw.ibrs_disable = "3"` [(*)](https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities)

    * Prevent Spectre and Meltdown CPU Vulnerabilities, 3 for AUTO

* `kern.elf32.aslr.stack = "3"` [(*)](https://wiki.freebsd.org/AddressSpaceLayoutRandomization)

    * Address space layout randomization is used to increase the difficulty of performing a buffer overflow attack

    * 64bit is enabled by default in 13.2 so you can set this to 0 for 64bit processors or remove

* `kern.elf32.aslr.pie_enable = "1"`

    * Enable ASLR for Position-Independent Executables (PIE) binaries

---

## License Summary

### Software

Non-Commercial usage, retain and forward author and license data. Modify existing code as needed up to 25% while allowing unlimited new additions. The Software may use or be used by other software.

### Digital Art

All Original Digital Artists recieve automatic Copyright. 

* Supplemental License [here](digital%20art/Quadhelion%20Engineering%20Universal%20Digital%20Art%20License.md)

* Eric Turgeon via the GhostBSD Operating System and the GhostBSD Team meet the terms of Non-Commercial and are thus granted License.

## Security Guidelines

Since this Software uses shell commands it is required to place it in a secure directory with permissions on the **parent** directory to have no permissions for `other` /all/world group to write or *execute* and **no network access**. 

Please follow [these guidelines](/docs/SECURITY.md) should you find a vulnerability not addressed in the audit.

## Statement of Security: 

* **Risk** - Low

* **Impact** - Medium

This script has no networking, accesses no sockets, and uses only standard libraries.

Although this script is using `subprocess.run(shell=True)` the only possibility of shell injection is from the paths customized by the Licensee or unauthorized access to the filesystem the script resides on in order to perform unauthorized modifications to `settings.ini`or the Software which is not a vulnerability of the Software. 

### Latest Development Version

[Quadhelion Engineering Code Repository](https://got.quadhelion.engineering)

![quadhelion engineering logo](images/quadhelionEngineeringIcon.jpg)