%includes; ]> &header;

This guide attempts to document some of the tips and tricks used by many FreeBSD security experts for securing systems and writing secure code. It is designed to help you learn about the various ways of protecting a FreeBSD system against outside attacks and how to recover from such attacks if and when they should happen. It also lists the various ways in which the systems programmer can become more security conscious so he will less likely introduce security holes in the first place.

We welcome your comments on the contents and correctness of this page. Please send email to the FreeBSD Security Officers if you have changes you'd like to see here.

The FreeBSD security officer

As FreeBSD takes security seriously, there is a security officer who is the focal point for security related communications. The security officers' main task is to send out advisories when there are known security holes so FreeBSD users will be able to keep their systems secure. The security officer also communicates with the various CERTs around the world to give them information about vulnerabilities within FreeBSD and to receive information about new ones. As such, the security officer is a member of FIRST, the Forum of Incident Response and Security Teams.

When you contact the security officer about sensitive matters, please use our PGP key to encrypt your message.

FreeBSD security related information

If you want to stay up to date on FreeBSD security, you can subscribe yorself to one of the following mailing lists:

freebsd-security		General security related discussion
freebsd-security-notification	Security notifications (moderated mailing list)

Send mail to majordomo@FreeBSD.ORG with

     subscribe <listname>  [<optional address>]

in the body of the message in order to subscribe yourself.

Publications of the FreeBSD security officer can also be found on ftp://ftp.freebsd.org/pub/FreeBSD/CERT/

Handbook?

FreeBSD security advisories:

FreeBSD provides security advisories. The advisories will cover recent releases of FreeBSD. The security advisories will cover these releases:

the most recent official release of FreeBSD,
FreeBSD-current,
FreeBSD-stable, when 2 releases are based on it.
the previous FreeBSD-stable in case the new stable does not yet have 2 releases based on it.

At this time, security advisories are available for:

FreeBSD 2.2.6
FreeBSD-current
FreeBSD-stable

Older releases will not be actively maintained.

You are encouraged to upgrade to one of the supported releases.

An advisory will be sent out when a security hole exists that is either being actively abused (as indicated to us via reports from end users or CERT like organizations), or when the security hole is public knowledge (e.g. because a report has been posted to a public mailing list).

Like all development efforts, security fixes are first brought into the FreeBSD-current branch. After a couple of days, the fix will be retrofitted into the covered FreeBSD-stable branch(es). Then an advisory will be sent out.

Advisories will be sent to the following FreeBSD mailing lists:

FreeBSD-security-notifications
FreeBSD-security
FreeBSD-announce

Advisories will always be signed using the FreeBSD security-officer PGP key

Advisories and patches are archived at our FTP site.

What to do when you detect a security compromise

determine the level of security breack
What privilege did the attack get? That of another user or more (up to root privileges)?
determine the part of the system that is not in its original state anymore
What software has been tampered with? You may decide to re-install the operating system from a safe medium, or you might have MD5 checksums of the original software with which you can check your system. The tripwire package keeps MD5 checksums. Be aware that tripwire might be tampered with as well.
find out how the breakin was done
Via a well-known security bug? A misconfiguration? When it's a new bug, warn the FreeBSD Security Officer.
fix the hole(s)
Install new software that fixes the problems. If you aren't able to get a fix quickly, you can temporarily disable remote access to your system.

Other questions you may ask yourself are:

Who do I warn? You can contact the security officer, or even the local authorities. The choice is up to you.
Do I want to trace the person responsible? By not fixing the hole right away, you have a chance to catch the cracker. Then again, you have the chance the cracker wipes your disk. The choice is up to you.

How to secure a FreeBSD system

There are several steps involved in securing a FreeBSD system, or in fact any UNIX system.

Security Do's and Don'ts for Programmers

Other usefull security information:

The COAST archive Contains a huge collection of security related material.
The COAST Security hotlist This page is THE place to start looking for security related material. It contains hundreds of usefull security pointers. Everything you always wanted to know about security...and more...
The various CERTs (e.g. www.cert.org and www.auscert.org.au)
Mailing lists: Bugtraq, BOS

&footer