Security

BSD systems have a long history of attention to detail regarding security, and are often considered the most secure systems in the enterprise. However, security is as much a function of good system administration as it is good code. The BSDP candidate must be able to configure various security features on a BSD system, maintain them over time, and know how to assess the security of a BSD system.


3.2.1. Raise or lower security level.

Importance: 3.7, Frequency: 1.9, Bloom: K,C,A

Concept:

BSD systems have the capability to change their operational security through a facility known as securelevels. The names of the securelevels and their effects vary by BSD system.

BSDP candidates should understand the nature of higher security level environments and should be able to modify the current security level.

Practical:

sysctl(8), init(8)

DragonFly BSD, FreeBSD: security(7)

NetBSD: secmodel(9)

OpenBSD: securelevel(7)

Estimated Time:

5 minutes to be able to configure the security level of the system according to a specification.

3.2.2. Configure system to deny local root logins.

Importance: 4.1, Frequency: 2.0, Bloom: K,C,A

Concept:

Due to the elevated permissions of the root (superuser) account, many security policies disallow the practice of logging in as the root user.

BSDP candidates should be familiar with how BSD systems perform console and serial logins, and should be able to configure the system to deny root logins from these types of devices.

Practical:

login(1), login.conf(5), getty(8), gettytab(5), init(8), ttys(5)

DragonFly BSD, FreeBSD, OpenBSD: fbtab(5)

DragonFly BSD, FreeBSD, NetBSD: login.access(5)

Estimated Time:

15 minutes to configure the system to deny root logins according to a specification.

3.2.3. Configure support for an alternative authentication mechanism.

Importance: 3.5, Frequency: 1.8, Bloom: K,C,A

Concept:

BSD systems provide either the Pluggable Authentication Modules (PAM) framework or the BSD Authentication libraries in order to supplement the traditional Unix authentication model.

BSDP candidates should understand the authentication framework for their BSD of choice and know how to configure a BSD system to use alternate authentication methods.

Practical:

DragonFly BSD, FreeBSD, NetBSD: pam(3), pam.conf(5)

OpenBSD: authenticate(3), bsd_auth(3)

Estimated Time:

15 minutes to configure and test alternative authentication according to a specification.

3.2.4. Understand how ACLs augment traditional Unix permissions.

Importance: 3.4, Frequency: 2.0, Bloom: K,C

Concept:

Some filesystems support Access Control Lists (ACLs). These provide extensions that allow for the use of fine-grained discretionary and mandatory access control by the system administrator.

BSDP candidates should have an understanding of how ACLs extend basic Unix permissions and be able to recognize a correct usage of ACL entries.

Practical:

FreeBSD: setfacl(1), getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9), lsextattr(8)

Estimated Time:

5 minutes to review a file's ACL entry.

3.2.5. Change the flags on sensitive files.

Importance: 3.9, Frequency: 2.3, Bloom: K,C,A

Concept:

File flags provide extended attributes that allow the administrator to control certain operations, such as making files undeletable. By setting certain flags, the system administrator can exercise greater control over files than is possible with simple Unix-style permissions.

BSDP candidates should understand the effects of each flag and be able to configure file flags.

Practical:

chflags(1), ls(1)

Estimated Time:

5 minutes to change file flags according to a specification.

3.2.6. Configure SSH to restrict or allow logins.

Importance: 4.3, Frequency: 2.4, Bloom: K,A

Concept:

Many security policies require the administrator to deny or permit specific users the ability to login over the network using the SSH protocol.

BSDP candidates should know how to configure sshd(8) to deny or permit specified users or network addresses. In addition, candidates should be familiar with the various settings available for SSH logins.

Practical:

sshd_config(4), sshd(8)

Estimated Time:

15 minutes to configure and test SSH logins according to a specification.

3.2.7. Configure a Network Intrusion Detection System.

Importance: 3.7, Frequency: 1.8, Bloom: K,C,A

Concept:

A Network Intrusion Detection System (NIDS) listens to network traffic and raises an alert when certain traffic is detected.

BSDP candidates should be able to install and configure a NIDS that can watch for and display network traffic.

Practical:

software of choice from packages/pkgsrc

Estimated Time:

30 minutes to configure, implement, and test a simple NIDS according to a specification.

3.2.8. Configure and use sudo.

Importance: 4.0, Frequency: 2.8, Bloom: K,A

Concept:

sudo(8) allows a user to run commands as another user. The sudoers(5) file contains details on which users can run specific commands, and under what conditions. sudo(8) is helpful where certain privileged programs must be run by unprivileged users.

BSDP candidates should be familiar with setting up sudo and configuring the sudoers file to permit programs to be run according to a specification.

Practical:

sudo from packages/pkgsrc when not installed by default

sudo(8), sudoers(5), visudo(8)

Estimated Time:

15 minutes to create, implement and test a working sudo configuration according to a specification.

3.2.9. Download and apply security patches.

Importance: 4.7, Frequency: 3.1, Bloom: K,C,A

Concept:

Security advisories are released by a BSD project whenever a flaw or bug is discovered in supported software. The technical details of the advisories vary between the projects, but each advisory contains instructions on how to fix the specific problem.

BSDP candidates should be familiar with implementing the instructions within security advisories, including how to download and apply software patches and recompile the affected software.

Practical:

make(1), patch(1)

FreeBSD: freebsd-update(8)

NetBSD: cvs(1), build.sh

Estimated Time:

10 minutes to perform the instructions within a specified security advisory.

3.2.10. Scan and review open ports.

Importance: 4.0, Frequency: 2.8, Bloom: K,A

Concept:

Daemons that listen on the network for incoming connections do so by opening a socket on a specific port. While these sockets are actively listening, the ports are considered "open" and ready to serve requests.

BSDP candidates should be able to use common security tools to scan a local or a remote system for open ports.

Practical:

software of choice from packages/pkgsrc

netstat(1)

DragonFly BSD, FreeBSD, NetBSD: sockstat(1)

Estimated Time:

15 minutes to scan a host for open ports according to a specification.

3.2.11. Generate self-signed certificates.

Importance: 3.7, Frequency: 1.9, Bloom: K,C,A

Concept:

Self-signed certificates are useful in software testing and in limited use deployments of secured systems.

BSDP candidates should understand the certification deployment framework and be able to configure a Certificate Authority according to a specification. Candidates should then be able to use that Authority to sign certificates.

Practical:

openssl(1)

DragonFly BSD, FreeBSD: verify(1), x509(1), CA.pl(1), ca(1), req(1)

NetBSD: openssl.cnf(5), openssl_ca(1), and related openssl_*(1) utilities

Estimated Time:

45 minutes to set up a Certificate Authority and use that Authority to generate and verify a self-signed certificate according to a specification.

3.2.12. Scan a password file for weak passwords.

Importance: 3.6, Frequency: 2.2, Bloom: K,A

Concept:

Some security policies require periodic scanning of the password database to ensure that users are complying with the password policy.

BSDP candidates should be aware of the legal and moral obligations involved in password scanning and, as required by their employment duties, know how to perform both a dictionary and brute force password cracking exercise.

Practical:

software of choice from packages/pkgsrc

passwd(5), master.passwd(5)

Estimated Time:

20 minutes to configure and review the results from a dictionary scan.

3.2.13. Configure kernel to prevent ability to perform network sniffing.

Importance: 3.4, Frequency: 1.5, Bloom: K,A

Concept:

The Berkeley Packet Filter (bpf) enables a BSD system to acquire and process packets directly off the network interface and is necessary to perform network packet sniffing on a BSD system.

BSDP candidates should know how to disable the operation of bpf on their BSD system of choice.

Practical:

bpf(4)

Estimated Time:

5 minutes to configure a kernel without bpf.

3.2.14. Configure a firewall to act as an authentication gateway.

Importance: 3.5, Frequency: 1.6, Bloom: K,C,A

Concept:

An authentication gateway is one that permits traffic to pass after a valid authentication mechanism approves the flow. Once authentication is successful, predetermined rules are applied to the traffic flow.

BSDP candidates should be able to configure an authentication gateway.

Practical:

software of choice from packages/pkgsrc

pf(4), pfctl(8), authpf(8), pf.conf(5)

Estimated Time:

30 minutes to configure and test an authentication gateway according to a specification.

3.2.15. Configure a firewall for greylisting or blacklisting.

Importance: 3.7, Frequency: 2.1, Bloom: K,C,A

Concept:

System administrators can configure a firewall to recognize when suspicious traffic occurs and to block the offending network or host temporarily (greylisting) or permanently (blacklisting).

BSDP candidates should be able to configure their BSD firewall of choice to recognize a traffic pattern designated as suspicious and restrict the source temporarily or permanently.

Practical:

software of choice from packages/pkgsrc

pf(4), pfctl(8), pf.conf(5)

DragonFly BSD, FreeBSD: ipfw(8)

Estimated Time:

20 minutes to configure and test a firewall to greylist or blacklist traffic according to a specification.

3.2.16. Configure a firewall to deny multiple connection attempts from an attacker.

Importance: 4.0, Frequency: 2.4, Bloom: K,C,A

Concept:

In the case of multiple connection attempts, network traffic is considered to be malicious when the number of connection attempts exceeds a predetermined threshold.

BSDP candidates should be able to configure their BSD firewall of choice to deny connection attempts that exceed a connection threshold.

Practical:

pf(4), pfctl(8), pf.conf(5)

DragonFly BSD, FreeBSD: ipfw(8)

Estimated Time:

20 minutes to configure and test the denial of connection attempts according to a specification.
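As an added example (not part of the BSDP objectives), the following pf.conf(5) fragment covers both 3.2.15 and 3.2.16: it enforces a per-source connection threshold on SSH, moves offending sources into a table, and blocks that table. The interface name "em0" and the port are placeholders chosen for this example.

```pf
# Added example, not from the BSDP objectives: rate-limit new SSH
# connections per source and blacklist sources that exceed the limit.
# "em0" is an assumed interface name; adjust to the real external NIC.
ext_if = "em0"

# Sources that trip the threshold are added to this table.  "persist"
# keeps the table defined even while it holds no entries.
table <bruteforce> persist

# Blacklist: silently drop all inbound traffic from listed sources.
block in quick on $ext_if from <bruteforce>

# Threshold: a single source may open at most 5 new SSH connections in
# any 30-second window and hold at most 10 concurrent SSH states.
# Exceeding either limit adds the source to <bruteforce> and flushes
# all of its existing states ("flush global").
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

To turn the permanent blacklist into a temporary greylist, expire old entries periodically (for example from cron) with `pfctl -t bruteforce -T expire 86400`; `pfctl -t bruteforce -T show` lists the sources currently blocked.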

3.2.17. Configure a firewall with custom packet filtering rules.

Importance: 4.3, Frequency: 2.7, Bloom: K,C,A

Concept:

Configuring a firewall to permit and deny traffic is a common system administration task. Traffic is often constrained by security policies that restrict traffic flows to those officially approved.

BSDP candidates should be able to configure their BSD firewall of choice to permit and deny traffic based on a specification.

Practical:

30 minutes to configure, and test a firewall rule set based on a specification.

pf(4), pfctl(8), pf.conf(5)

DragonFly BSD, FreeBSD: ipfw(8)

Estimated Time:

20 minutes to configure and test firewall rules according to a specification.

3.2.18. Configure TCP wrappers.

Importance: 3.4, Frequency: 1.9, Bloom: K,C,A

Concept:

TCP wrappers allows a system administrator to exercise fine grained control over remote access to network services.

BSDP candidates should understand the capabilities offered by TCP wrappers and be able to configure the system to allow or deny remote users access to specific services.

Practical:

inetd(8), inetd.conf(5), hosts_access(5), hosts_options(5)

Estimated Time:

20 minutes to configure and test a system to use TCP wrappers according to a specification.

3.2.19. Configure a file integrity checking utility.

Importance: 3.5, Frequency: 2.0, Bloom: K,C,A

Concept:

BSD systems have integrity checking utilities present in the base system. These utilities can be used to produce MD5, SHA, and RIPEMD hashes of individual files, directories, or whole filesystems.

BSDP candidates should be able to produce file integrity hash collections and use those hashes to determine if there have been any changes to file content or file attributes.

Practical:

software of choice from packages/pkgsrc

mtree(8), cksum(1), stat(1)

Estimated Time:

20 minutes to create a hash collection according to a specification and to detect changes to file content or attributes.

3.2.20. Configure One-Time Passwords (OTP).

Importance: 3.0, Frequency: 1.5, Bloom: K,C,A

Concept:

One-Time Passwords (OTP) restrict users from reusing the same password for subsequent authentication. This significantly reduces the chance that an attacker can gain access by reusing another user's password. OTP utilizes S/KEY (RFC 2289) to secure the password against replay attacks.

BSDP candidates should know how to configure and test OTP.

Practical:

DragonFly BSD, FreeBSD: opie(4), opiekeys(5), opieaccess(5), opiekey(1), opieinfo(1), opiepasswd(1)

NetBSD, OpenBSD: skey(1), skeyaudit(1), skeyinfo(1), skeyinit(1)

Estimated Time:

30 minutes to configure and test OTP.

3.2.21. Configure a password policy.

Importance: 3.5, Frequency: 1.6, Bloom: K,C,A

Concept: NOTE: the wording of this objective was simplified.

Many security policies require the use of advanced controls on password usage.

Given a specification, BSDP candidates should be able to configure a password policy. Possible specifications include: login backoff delay, number of login attempts, allowable login times, and minimum password length.

Practical:

software of choice from packages/pkgsrc

login.conf(5)

DragonFly BSD, FreeBSD: pam_passwdqc(8), pam.conf(5)

Estimated Time:

20 minutes to configure a password policy according to a specification.

3.2.22. Utilize daily security checks to monitor system for common security threats.

Importance: 4.3, Frequency: 3.3, Bloom: K,A

Concept:

BSD systems provide a set of scripts and programs that perform security monitoring on a periodic basis. The scripts examine files and perform operations to gather relevant security information which is provided to the administrator in a daily email summary.

BSDP candidates should be familiar with the location and use of these monitoring scripts and be able to configure them to be turned on or off.

Practical:

DragonFly BSD, FreeBSD: periodic(8), periodic.conf(5), security(7)

NetBSD: security.conf(5)

OpenBSD: security(8)

Estimated Time:

15 minutes to attend to the security email and enable or disable monitoring scripts according to a specification.

50. Install and configure a Kerberos server.

Importance: 2.7, Frequency: 1.2, Bloom: K,F,C

Concept: dru@ is anyone using Kerberos anymore?

@@@jpb: recommend removing this objective : removed and shaded- jpb

Practical:

Estimated Time:

3.2.23. Configure an IPSec VPN.

Importance: 3.3, Frequency: 1.2, Bloom: K,C,A

Concept:

IPSec is a set of protocols, ESP (Encapsulating Security Payload), AH (Authentication Header), and IPComp (IP Payload Compression Protocol), that provide security services for IP packets.

BSDP candidates should understand the differences between IPSec transport and tunnel modes. Candidates should also be able to configure an IPSec Virtual Private Network (VPN) in tunnel mode between two networks.

Practical:

software of choice from packages/pkgsrc

sysctl(7) or (8), ipsec(4)

DragonFly BSD, FreeBSD: setkey(8), ipsec_set_policy(3)

NetBSD: racoon(8), setkey(8), racoon.conf(5)

OpenBSD: enc(4), pf.conf(5), ipsecctl(8), isakmpd(8)

Estimated Time:

45 minutes to configure, set up, and test an IPSec VPN according to a specification.

3.2.24. Configure process accounting or security event auditing.

Importance: 3.9, Frequency: 2.2, Bloom: K,F,C

Concept: NOTE: wording modified so applies to all BSDs

BSD systems provide various facilities for determining activity on a system. Process accounting provides statistics on system resources and their allocation among users. Security event auditing, available on FreeBSD only, provides more fine-grained logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access.

BSDP candidates should be familiar with the accounting and auditing capabilities provided by their BSD of choice and be able to configure the system to collect, process, and report on notifications.

Practical:

sa(8), lastcomm(1), acct(5), ac(8), accton(8)

FreeBSD: audit(4), audit_class(5), audit_control(5), audit_event(5), audit_warn(5), auditd(8), audit(8)

Estimated Time:

30 minutes to configure accounting or auditing according to a specification.