Secure Kernel Source

From FreeBSDwiki
Jump to: navigation, search

Secure Kernel Source

The following are things you can do in the kernel source to tighten up security. You can prefix statements with # to make it a comment to disable it or delete the statement all together.

At the top the file is the following statement.

options INET6

Ipv6 is a developmental protocol, if you are not testing this protocol on purpose, it should be disabled.

Followed by Memory disk root option. This allows a operating system to be placed into memory and run.

option MD_Root

A few lines down are the network filesystem options. Comment these out to disable them.

options NFSLOCKD
options NFS_ROOT

Comment out the following option because you disabled Ipv6 earlier.

device faith


Add the following statement.

Adds support for ignoring TCP packets with SYN+FIN. This prevents nmap from identifying the TCP/IP stack.

Enables icmp error response bandwidth limiting. This will help protect from D.O.S. packet attacks.

options RANDOM_IP_ID
Causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.

options NO_LKM
Ddisable FBSD ability to dynamically load kernel modules.

If you do not have a printer cabled off the parallel port of this PC then disable these options.

device ppc
device ppbus
device lpt
device plip
device ppi

If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using and only keep those. Comment out all the others. Do not delete the following device; it is used by most NICs but does not show up in dmesg as used.

device miibus

Personal tools