FreeBSD - a lesson in poor defaults?

Steve Clement

Jul 13, 2016, 3:45:49 AM
Dear List,

Not sure this has been shared here:

https://vez.mrsk.me/freebsd-defaults.txt

Some good points, others not so…

Nevertheless a good read and food for thought and discussion.

Sincerely,

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:st...@localhost.lu
.lu: +352 20 333 55 65

Miroslav Lachman

Jul 13, 2016, 4:08:09 AM
Steve Clement wrote on 07/13/2016 09:38:
> Dear List,
>
> Not sure this has been shared here:
>
> https://vez.mrsk.me/freebsd-defaults.txt
>
> Some good points, others not so…
>
> Nevertheless a good read and food for thought and discussion.

I read it in the past and I think some things are easily fixable on
FreeBSD release side and should be fixed. Some things we modified on our
installs.

Miroslav Lachman

_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Slawa Olhovchenkov

Jul 13, 2016, 4:46:11 AM
On Wed, Jul 13, 2016 at 09:38:59AM +0200, Steve Clement wrote:

> Dear List,
>
> Not sure this has been shared here:
>
> https://vez.mrsk.me/freebsd-defaults.txt
>
> Some good points, others not so…
>
> Nevertheless a good read and food for thought and discussion.

Most points are just inconvenience w/o security.
IMHO, yes.

Dan Lukes

Jul 13, 2016, 4:57:50 AM
On 13.7.2016 9:38, Steve Clement wrote:
> https://vez.mrsk.me/freebsd-defaults.txt

This document is based on a premise I can't agree with. I will not dispute
each argument in the document, but there are two main ideas.

Features compiled in and features turned on by default.

Regarding features compiled in ...

I'm an administrator responsible for a computer configuration.

If OpenSSH devs have publicly said threads are too risky and won't be
added, I'm hearing their opinion and taking it seriously, but the final
decision shall be mine.

I wish I will be allowed to decide I wish to use threads, NONE cipher
and so on.

In short, no features should be removed/disabled at compile time
because of "security" (assuming the "insecure" feature can be disabled
by configuration).

Regarding features turned on by default ...

To tell the truth, I don't care about them so much. Performance, backward
compatibility and security require trade-offs all the time. There are no
generic answers.

I assume the virgin installed system will be ready to be remotely
configured (e.g. sshd running, no firewall).

A particular system needs to be tuned according to local environment, goal
and requirements. Thus I don't care about install-time defaults so much.


Just $0.02 ...

Dan

Steve Clement

Jul 13, 2016, 5:28:45 AM
By default, IMHO, a system should resist a standard install on a public IP address without being owned within the hour.

If you need hardening, you should always check and know your system.
Especially if something says “secure by default”.
Wonder how HardenedBSD is doing these days… https://wiki.freebsd.org/Hardening

You do want to protect your basic users from themselves to a certain extent.

The SSL mess is a mess, but LibreSSL hasn’t been spared either.

Nevertheless I am sure that the Core Security team is having regular discussions on some defaults.

If we can assume that this About blob from the FreeBSD site is its mission statement:

“””” https://www.freebsd.org/about.html
What is FreeBSD?
FreeBSD is an operating system for a variety of platforms which focuses on features, speed, and stability. It is derived from BSD, the version of UNIX® developed at the University of California, Berkeley. It is developed and maintained by a large community.
“”””

The rant is not that justified bearing in mind the versatility of FreeBSD.

Sincerely,

Steve

Simon Krenz

Jul 13, 2016, 6:26:00 AM
IMHO I can agree with most of the statements written down in this text. I can not understand why I need ntpd or sendmail activated in default installations. If I want to set up a time server or a mail server with further abilities I can install them later on. Most of the installations don't need such features. I don't think that the majority of servers do need threaded AES-CTR or NONE ciphers also. For me an installation should be a minimum set of features and a secure one as well. For all further things I need to know what I want and can install them. This has nothing to do with:

>If you need hardening, you should always check and know your system.

because also if you don't need hardening you should always check and know your system.

>I assume the virgin installed system will be ready to be remotely
>configured (e.g. sshd running, no firewall).


This will be as well with minimum sshd configuration and firewall activated.

> If we can assume that this About blob from the FreeBSD site is its mission statement:
> “””” https://www.freebsd.org/about.html
> What is FreeBSD? FreeBSD is an operating system for a variety of platforms which focuses on features, speed, and stability. It is derived from BSD, the version of UNIX® deve…

And that's the problem, there is no word about security in this mission statement, but maybe it should be there in the actual word.

Just my 2 cents

RW via freebsd-security

Jul 13, 2016, 7:30:00 AM
On Wed, 13 Jul 2016 12:25:21 +0200 (CEST)
Simon Krenz wrote:

> IMHO I can agree with most of the statements written down in this
> text. I can not understand why I need ntpd or sendmail activated in
> default installations.


ntpd isn't activated by default.

Dan Lukes

Jul 13, 2016, 7:47:11 AM
On 13.7.2016 13:29, RW via freebsd-security wrote:
>> why I need ntpd or sendmail activated in default installations.

> ntpd isn't activated by default.

Also, it's somewhat imperfect to claim "sendmail activated" here. There's
a submission server running on localhost:25 by default only.

Just to avoid confusion ...

Dan
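
Added example, not part of the thread: the disagreement above over what a fresh install actually exposes (sendmail on localhost:25, sshd reachable remotely) can be settled per host by filtering the listening-socket table for binds that are not loopback-only. The function names, the sample rows and the `exampled` daemon are constructed for illustration; only the `sockstat -4 -6 -l` column layout is assumed from FreeBSD.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by FreeBSD's
# `sockstat -4 -6 -l`; it was not captured from a real host.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   693   3  tcp4   127.0.0.1:25          *:*
root     sshd       666   3  tcp6   *:22                  *:*
root     sshd       666   4  tcp4   *:22                  *:*
nobody   exampled   702   5  tcp6   ::1:8080              *:*
EOF
}

# Read sockstat output on stdin and print "command proto local-address"
# for every TCP/UDP listener that is reachable from beyond loopback.
exposed_listeners() {
    awk '$5 ~ /^(tcp|udp)(4|6|46)$/ {
        addr = $6
        # Loopback-only binds: 127.0.0.0/8 for IPv4, ::1 for IPv6.
        if (addr ~ /^127\./ || addr ~ /^::1:/) next
        print $2, $5, addr
    }' | sort -u
}

# Run against the constructed sample.
sample_sockstat | exposed_listeners
# On a FreeBSD host: sockstat -4 -6 -l | exposed_listeners
```

In the sample only the two sshd wildcard binds are reported; the sendmail listener on 127.0.0.1:25 is filtered out as loopback-only.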