You forgot one item:

Don't file bug reports to the project, because your system is too far
away from what the developers use & maintain; and we cannot diagnose
the failure conditions you have inadvertently created.

So, if you are willing to accept that limitation -- knock yourself
out.  Change anything you want.  But do NOT tell us what bothers you,
until you repeat the problem on a *stock install*.

We simply cannot accept the cost of becoming fixit buddies for
everyone's private mistake.  It's like fixing the printer at grandma's
house.  It's not our job.

> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> is set, but if the feature is not used, nosuid can be used).
> 
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==================================================================
> ln -s GJU /etc/malloc.conf
> ==================================================================
> Remove wxallowed from /etc/fstab
> ==================================================================
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==================================================================
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==================================================================
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==================================================================
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==================================================================
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==================================================================
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==================================================================
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==================================================================
> If using X (so desktop) only use dangerous software (webbrowser, any viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==================================================================
> 
> The purpose of this mail is to find more... what are the other security features
> that are disabled in the default install?
>  
> -----
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> 
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 20000000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> 
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -----
> 
> Many thanks.
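The fstab items in the quoted list (wxallowed, nosuid, nodev, noexec) can be inventoried before anything is changed. The script below is an added example, not part of either mail; `audit_fstab` and `SAMPLE_FSTAB` are hypothetical names, the sample entries are constructed, and exempting `/` from the nodev and noexec checks is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Inventory of fstab(5) entries
# against the mount options named in the quoted list.

# Constructed sample input (hypothetical devices and layout).
SAMPLE_FSTAB='# constructed sample
/dev/sd0a / ffs rw 1 1
/dev/sd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/sd0e /usr/local ffs rw,wxallowed,nodev 1 2
/dev/sd0f /home ffs rw,nodev,nosuid,noexec 1 2
/dev/sd0b none swap sw 0 0'

# audit_fstab (hypothetical helper): reads fstab text on stdin and prints
# one "<mountpoint> <finding>" line per deviation. Comments, short lines
# and swap entries are skipped.
audit_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $3 == "swap"        { next }
        {
            split("", has)                      # portable array reset
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) has[opts[i]] = 1

            if ("wxallowed" in has) print $2, "has-wxallowed"
            if (!("nosuid" in has)) print $2, "missing-nosuid"
            # Assumption of this example: / is exempt from the nodev and
            # noexec checks because /dev and the base binaries live on it.
            if ($2 != "/") {
                if (!("nodev" in has))  print $2, "missing-nodev"
                if (!("noexec" in has)) print $2, "missing-noexec"
            }
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

On a real system, run `audit_fstab < /etc/fstab`; the output is an inventory, and which findings to act on depends on what each filesystem holds.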
