jas- · September 27, 2015 23:48
diff --git a/.bashrc b/.bashrc
 # Hostname
 h=`hostname`

 # Command to read input & mask it
 cmd='read -sp "Enter password: " pass'

 # Path to aide integrity tool
 a="/usr/bin/aide"
 # Path to aide policy database
 adb="/var/lib/aide"

 # Path to tripwire integrity tool
 t="/usr/sbin/tripwire"
 # Path to tripwire policy database
 tdb="/var/lib/tripwire/"

 # Path to GnuGPG
 g="/usr/bin/gpg"

 # Path to stored encrypted policy files
 pt="/boot/.tools/audit/tripwire"
 pa="/boot/.tools/audit/aide"

 # Aide update policy baseline (decrypt, update database, encrypt & remove old)
 alias aide-update="$g --symmetric --cipher-algo aes256 -o $adb/aide.db.gz $pa/aide.db.new.gz.gpg && $a --update && $g --symmetric --cipher-algo aes256 -o $pa/aide.db.new.gz.gpg $adb/aide.db.new.gz && rm $adb/aide.db.*"

 # Aide check policy (decrypt, check database & remove)
 alias aide-check="$g --symmetric --cipher-algo aes256 -o $adb/aide.db.new.gz $pa/aide.db.new.gz.gpg && $a --init && $a --check && rm /var/lib/aide/aide.db.new.gz"

 # Initial setup of encrypted db & config for tripwire
 alias tripwire-save="$cmd; echo '${pass}'|$g --yes --batch --passphrase-fd 0 --symmetric --cipher-algo aes256 -o $pt/$h.twd.gpg $tdb/$h.twd"

 # Tripwire update policy baseline (disable high security mode, update policy, encrypt & remove old)
 alias tripwire-update="$cmd; echo '${pass}'|$g --yes --no-tty --batch --passphrase-fd 0 --decrypt -o $tdb/$h.twd $pt/$h.twd.gpg && $t -m p --secure-mode low /etc/tripwire/twpol.txt; echo '${pass}'|$g --yes --no-tty --batch --passphrase-fd 0 --symmetric --cipher-algo aes256 -o $pt/$h.twd.gpg $tdb/$h.twd; rm -fv $tdb/*.twd*"

 # Tripwire check policy (decrypt, check database & remove)
 alias tripwire-check="$cmd; echo '${pass}'|$g --yes --no-tty --batch --passphrase-fd 0 --decrypt -o $tdb/$h.twd $pt/$h.twd.gpg && $t --check; rm -fv $tdb/*.twd*"

 # Tripwire review report
 alias tripwire-report="twprint -m r --twrfile $1"
diff --git a/ipfw.conf b/ipfw.conf
 #!/bin/sh

 # Default options
 ipfw="/sbin/ipfw "
 adp="fxp0"

 # This machines IP
 me=""

 # Allowed DNS server(s)
 dns1=""
 dns2=""

 # Allowed SSH host(s)
 allowed1=""
 allowed2=""

 # Allowed SMTP host(s)
 allowed3=""

 # Flush current rules
 $ipfw -f flush

 # Bypass if previous state ok
 $ipfw add 00010 check-state

 # Divert all to suricata first
 #$ipfw add 00020 divert 8000 ip from any to any

 #### Loopback ####
 $ipfw add 00021 allow all from any to any via lo0
 $ipfw add 00022 deny all from any to 127.0.0.0/8
 $ipfw add 00023 deny all from 127.0.0.0/8 to any
 $ipfw add 00024 deny tcp from any to any frag

 #### ALL OUTBOUND RULES ####

 # DNS allowed rules
 $ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
 $ipfw add 00510 allow udp from $me to $dns1 53 out via $adp keep-state
 $ipfw add 00520 allow tcp from $me to $dns2 53 out via $adp setup keep-state
 $ipfw add 00530 allow udp from $me to $dns2 53 out via $adp keep-state

 # Allow ping out
 $ipfw add 00600 allow icmp from $me to any out via $adp keep-state

 # Allow whois out
 $ipfw add 00610 allow tcp from $me to any 43 out via $adp setup keep-state

 # Allow sshd out
 $ipfw add 00700 allow tcp from $me to any 22 out via $adp setup keep-state

 # Allow http/https out
 $ipfw add 00710 allow tcp from $me to any 80 out via $adp setup keep-state
 $ipfw add 00720 allow tcp from $me to any 443 out via $adp setup keep-state

 # Allow emails out
 $ipfw add 00730 allow tcp from $me to $allowed3 25 out via $adp

 # Log all other attempts out
 $ipfw add 00800 deny log all from all to any out via $adp

 #### ALL INBOUND RULES ####

 # Deny all inbound from non-routeable address blocks
 $ipfw add 00900 deny log all from 192.169.0.0/16 to any in via $adp
 $ipfw add 00910 deny log all from 172.16.0.0/12 to any in via $adp
 $ipfw add 00920 deny log all from 10.0.0.0/8 to any in via $adp
 $ipfw add 00930 deny log all from 127.0.0.0/8 to any in via $adp
 $ipfw add 00940 deny log all from 0.0.0.0/8 to any in via $adp
 $ipfw add 00950 deny log all from 169.254.0.0/16 to any in via $adp
 $ipfw add 00960 deny log all from 192.0.2.0/24 to any in via $adp
 $ipfw add 00970 deny log all from 204.152.64.0/23 to any in via $adp
 $ipfw add 00980 deny log all from 224.0.0.0/3 to any in via $adp

 # Deny public pings
 $ipfw add 01000 deny log icmp from any to $me in via $adp

 # Deny ident(s)
 $ipfw add 01100 deny log tcp from any to $me 113 in via $adp

 # Drop netbios packets
 $ipfw add 01200 deny log tcp from any to $me 137 in via $adp
 $ipfw add 01210 deny log tcp from any to $me 138 in via $adp
 $ipfw add 01220 deny log tcp from any to $me 139 in via $adp
 $ipfw add 01230 deny log tcp from any to $me 81 in via $adp

 # Drop late arrivals
 $ipfw add 01300 deny log all from any to $me frag in via $adp

 # Deny ACK packets no matching the dynamic rule table
 $ipfw add 01400 deny log tcp from any to $me established in via $adp

 # Allow configured host(s) to use SSH
 $ipfw add 01500 allow tcp from $allowed1 to $me 22 in via $adp keep-state
 $ipfw add 01510 allow tcp from $allowed2 to $me 22 in via $adp keep-state

 # Allowed SMTP in
 $ipfw add 01520 allow tcp from $allowed3 to $me 25 in via $adp keep-state

 # Reject & log all others
 $ipfw add 01600 deny log all from any to any in via $adp
 $ipfw add 01700 deny log all from any to any
diff --git a/rc.conf b/rc.conf
 # Network configuration
 hostname=""
 ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
 defaultrouter="xxx.xxx.xxx.xxx"

 # Enabled services
 sshd_enable="YES"
 powerd_enable="YES"
 syslogd_flags="-ss"

 # Disabled services
 sendmail_enable="NONE"
 portmap_enable="NO"
 inetd_enable="NO"

 # Disable ipv6
 ip6addrctl_enable="NO"
 ip6addrctl_policy="ipv4_prefer"
 ipv6_net_interfaces="NONE"
 ipv6_activate_all_interfaces="NO"

 # Security level
 kern_securelevel_enable="YES"
 kern_securelevel=3

 # Clear /tmp on boot
 clear_tmp_enable="YES"

 # Network hardening
 icmp_drop_redirect="YES"
 icmp_log_redirect="YES"
 log_in_vain="YES"
 tcp_drop_synfin="YES"

 # Firewall settings
 firewall_enable="YES"
 firewall_script="/etc/ipfw.conf"
 firewall_type="client"
 firewall_quiet="NO"
 firewall_logging="YES"

 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
diff --git a/sysctl.conf b/sysctl.conf
 # Kernel sysctl configuration file
 #
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
 # sysctl.conf(5) for more details.

 # Controls IP packet forwarding (enabled for NAT host only network)
 net.ipv4.ip_forward = 1
 #net.ipv4.conf.all.forwarding = 0
 #net.ipv4.conf.all.mc_forwarding = 0

 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.all.default.rp_filter = 1

 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0

 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 kernel.core_uses_pid = 1

 # controls use of tcp syncookies
 net.ipv4.tcp_synack_retries = 2

 # Disable redirects, not a router
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.accept_redirects=0

 # log malformed
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1

 # ignore icmp echo and timestamps
 net.ipv4.icmp_echo_ignore_broadcasts = 1

 # disable tcp timestamps
 net.ipv4.tcp_timestamps = 0

 # prevent syn floods
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_max_syn_backlog = 1280

 # prevent ipv6 redirects
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.all.send_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0

 # prevent ipv6 router
 net.ipv6.conf.default.router_solicitations = 0

 # learn prefix in router advertisements
 net.ipv6.conf.default.accept_ra_pinfo = 0

 # disable hop limits from router
 net.ipv6.conf.default.accept_ra_defrtr = 0

 # disable auto conf
 net.ipv6.conf.default.autoconf = 0

 # disable neighbor solicitations
 net.ipv6.conf.default.dad_transmits = 0

 # set max ipv6
 net.ipv6.conf.dfault.max_addresses = 1

 # set kernel exec shield
 kernel.exec-shield = 1
 kernel.randomize_va_space = 1

 # Disable netfilter on bridges.
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

 # Enable kernel exec shield
 kernel.exec-shield = 1
 kernel.randomize_va_space = 1

 # Disable sysrq
 kernel.sysrq = 0

 # Disable questionable icmp's
 net.inet.icmp.bmcastecho = 0
 net.inet.icmp.rediraccept = 0
 net.inet.ip.accept_sourceroute = 0
 net.inet.ip.redirect = 0
 net.inet.ip.sourceroute = 0
	# Hostname
	h=`hostname`

	# Command to read input & mask it
	cmd='read -sp "Enter password: " pass'

	# Path to aide integrity tool
	a="/usr/bin/aide"
	# Path to aide policy database
	adb="/var/lib/aide"

	# Path to tripwire integrity tool
	t="/usr/sbin/tripwire"
	# Path to tripwire policy database
	tdb="/var/lib/tripwire/"

	# Path to GnuGPG
	g="/usr/bin/gpg"

	# Path to stored encrypted policy files
	pt="/boot/.tools/audit/tripwire"
	pa="/boot/.tools/audit/aide"

	# Aide update policy baseline (decrypt, update database, encrypt & remove old)
	alias aide-update="$g --symmetric --cipher-algo aes256 -o $adb/aide.db.gz $pa/aide.db.new.gz.gpg && $a --update && $g --symmetric --cipher-algo aes256 -o $pa/aide.db.new.gz.gpg $adb/aide.db.new.gz && rm $adb/aide.db.*"

	# Aide check policy (decrypt, check database & remove)
	alias aide-check="$g --symmetric --cipher-algo aes256 -o $adb/aide.db.new.gz $pa/aide.db.new.gz.gpg && $a --init && $a --check && rm /var/lib/aide/aide.db.new.gz"

	# Initial setup of encrypted db & config for tripwire
	alias tripwire-save="$cmd; echo '${pass}'\|$g --yes --batch --passphrase-fd 0 --symmetric --cipher-algo aes256 -o $pt/$h.twd.gpg $tdb/$h.twd"

	# Tripwire update policy baseline (disable high security mode, update policy, encrypt & remove old)
	alias tripwire-update="$cmd; echo '${pass}'\|$g --yes --no-tty --batch --passphrase-fd 0 --decrypt -o $tdb/$h.twd $pt/$h.twd.gpg && $t -m p --secure-mode low /etc/tripwire/twpol.txt; echo '${pass}'\|$g --yes --no-tty --batch --passphrase-fd 0 --symmetric --cipher-algo aes256 -o $pt/$h.twd.gpg $tdb/$h.twd; rm -fv $tdb/.twd"

	# Tripwire check policy (decrypt, check database & remove)
	alias tripwire-check="$cmd; echo '${pass}'\|$g --yes --no-tty --batch --passphrase-fd 0 --decrypt -o $tdb/$h.twd $pt/$h.twd.gpg && $t --check; rm -fv $tdb/.twd"

	# Tripwire review report
	alias tripwire-report="twprint -m r --twrfile $1"
	#!/bin/sh

	# Default options
	ipfw="/sbin/ipfw "
	adp="fxp0"

	# This machines IP
	me=""

	# Allowed DNS server(s)
	dns1=""
	dns2=""

	# Allowed SSH host(s)
	allowed1=""
	allowed2=""

	# Allowed SMTP host(s)
	allowed3=""

	# Flush current rules
	$ipfw -f flush

	# Bypass if previous state ok
	$ipfw add 00010 check-state

	# Divert all to suricata first
	#$ipfw add 00020 divert 8000 ip from any to any

	#### Loopback ####
	$ipfw add 00021 allow all from any to any via lo0
	$ipfw add 00022 deny all from any to 127.0.0.0/8
	$ipfw add 00023 deny all from 127.0.0.0/8 to any
	$ipfw add 00024 deny tcp from any to any frag

	#### ALL OUTBOUND RULES ####

	# DNS allowed rules
	$ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
	$ipfw add 00510 allow udp from $me to $dns1 53 out via $adp keep-state
	$ipfw add 00520 allow tcp from $me to $dns2 53 out via $adp setup keep-state
	$ipfw add 00530 allow udp from $me to $dns2 53 out via $adp keep-state

	# Allow ping out
	$ipfw add 00600 allow icmp from $me to any out via $adp keep-state

	# Allow whois out
	$ipfw add 00610 allow tcp from $me to any 43 out via $adp setup keep-state

	# Allow sshd out
	$ipfw add 00700 allow tcp from $me to any 22 out via $adp setup keep-state

	# Allow http/https out
	$ipfw add 00710 allow tcp from $me to any 80 out via $adp setup keep-state
	$ipfw add 00720 allow tcp from $me to any 443 out via $adp setup keep-state

	# Allow emails out
	$ipfw add 00730 allow tcp from $me to $allowed3 25 out via $adp

	# Log all other attempts out
	$ipfw add 00800 deny log all from all to any out via $adp

	#### ALL INBOUND RULES ####

	# Deny all inbound from non-routeable address blocks
	$ipfw add 00900 deny log all from 192.169.0.0/16 to any in via $adp
	$ipfw add 00910 deny log all from 172.16.0.0/12 to any in via $adp
	$ipfw add 00920 deny log all from 10.0.0.0/8 to any in via $adp
	$ipfw add 00930 deny log all from 127.0.0.0/8 to any in via $adp
	$ipfw add 00940 deny log all from 0.0.0.0/8 to any in via $adp
	$ipfw add 00950 deny log all from 169.254.0.0/16 to any in via $adp
	$ipfw add 00960 deny log all from 192.0.2.0/24 to any in via $adp
	$ipfw add 00970 deny log all from 204.152.64.0/23 to any in via $adp
	$ipfw add 00980 deny log all from 224.0.0.0/3 to any in via $adp

	# Deny public pings
	$ipfw add 01000 deny log icmp from any to $me in via $adp

	# Deny ident(s)
	$ipfw add 01100 deny log tcp from any to $me 113 in via $adp

	# Drop netbios packets
	$ipfw add 01200 deny log tcp from any to $me 137 in via $adp
	$ipfw add 01210 deny log tcp from any to $me 138 in via $adp
	$ipfw add 01220 deny log tcp from any to $me 139 in via $adp
	$ipfw add 01230 deny log tcp from any to $me 81 in via $adp

	# Drop late arrivals
	$ipfw add 01300 deny log all from any to $me frag in via $adp

	# Deny ACK packets no matching the dynamic rule table
	$ipfw add 01400 deny log tcp from any to $me established in via $adp

	# Allow configured host(s) to use SSH
	$ipfw add 01500 allow tcp from $allowed1 to $me 22 in via $adp keep-state
	$ipfw add 01510 allow tcp from $allowed2 to $me 22 in via $adp keep-state

	# Allowed SMTP in
	$ipfw add 01520 allow tcp from $allowed3 to $me 25 in via $adp keep-state

	# Reject & log all others
	$ipfw add 01600 deny log all from any to any in via $adp
	$ipfw add 01700 deny log all from any to any
	# Network configuration
	hostname=""
	ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
	defaultrouter="xxx.xxx.xxx.xxx"

	# Enabled services
	sshd_enable="YES"
	powerd_enable="YES"
	syslogd_flags="-ss"

	# Disabled services
	sendmail_enable="NONE"
	portmap_enable="NO"
	inetd_enable="NO"

	# Disable ipv6
	ip6addrctl_enable="NO"
	ip6addrctl_policy="ipv4_prefer"
	ipv6_net_interfaces="NONE"
	ipv6_activate_all_interfaces="NO"

	# Security level
	kern_securelevel_enable="YES"
	kern_securelevel=3

	# Clear /tmp on boot
	clear_tmp_enable="YES"

	# Network hardening
	icmp_drop_redirect="YES"
	icmp_log_redirect="YES"
	log_in_vain="YES"
	tcp_drop_synfin="YES"

	# Firewall settings
	firewall_enable="YES"
	firewall_script="/etc/ipfw.conf"
	firewall_type="client"
	firewall_quiet="NO"
	firewall_logging="YES"

	# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
	dumpdev="NO"
	# Kernel sysctl configuration file
	#
	# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
	# sysctl.conf(5) for more details.

	# Controls IP packet forwarding (enabled for NAT host only network)
	net.ipv4.ip_forward = 1
	#net.ipv4.conf.all.forwarding = 0
	#net.ipv4.conf.all.mc_forwarding = 0

	# Controls source route verification
	net.ipv4.conf.default.rp_filter = 1
	net.ipv4.all.default.rp_filter = 1

	# Do not accept source routing
	net.ipv4.conf.default.accept_source_route = 0

	# Controls the System Request debugging functionality of the kernel
	kernel.sysrq = 0

	# Controls whether core dumps will append the PID to the core filename.
	# Useful for debugging multi-threaded applications.
	kernel.core_uses_pid = 1

	# controls use of tcp syncookies
	net.ipv4.tcp_synack_retries = 2

	# Disable redirects, not a router
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.accept_redirects=0

	# log malformed
	net.ipv4.conf.all.log_martians = 1
	net.ipv4.conf.default.log_martians = 1

	# ignore icmp echo and timestamps
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# disable tcp timestamps
	net.ipv4.tcp_timestamps = 0

	# prevent syn floods
	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_max_syn_backlog = 1280

	# prevent ipv6 redirects
	net.ipv6.conf.all.accept_redirects = 0
	net.ipv6.conf.all.send_redirects = 0
	net.ipv6.conf.default.accept_redirects = 0

	# prevent ipv6 router
	net.ipv6.conf.default.router_solicitations = 0

	# learn prefix in router advertisements
	net.ipv6.conf.default.accept_ra_pinfo = 0

	# disable hop limits from router
	net.ipv6.conf.default.accept_ra_defrtr = 0

	# disable auto conf
	net.ipv6.conf.default.autoconf = 0

	# disable neighbor solicitations
	net.ipv6.conf.default.dad_transmits = 0

	# set max ipv6
	net.ipv6.conf.dfault.max_addresses = 1

	# set kernel exec shield
	kernel.exec-shield = 1
	kernel.randomize_va_space = 1

	# Disable netfilter on bridges.
	net.bridge.bridge-nf-call-ip6tables = 0
	net.bridge.bridge-nf-call-iptables = 0
	net.bridge.bridge-nf-call-arptables = 0

	# Enable kernel exec shield
	kernel.exec-shield = 1
	kernel.randomize_va_space = 1

	# Disable sysrq
	kernel.sysrq = 0

	# Disable questionable icmp's
	net.inet.icmp.bmcastecho = 0
	net.inet.icmp.rediraccept = 0
	net.inet.ip.accept_sourceroute = 0
	net.inet.ip.redirect = 0
	net.inet.ip.sourceroute = 0