#!/bin/sh
##################################################################
##################################################################
#
# The OpenBSD System Hardening Script (DRAFT)
# net_wayfarer - March, 2020
#
# This software is released under the Berkeley Software Distribution 0-clause Licence.
#
##################################################################
##################################################################
#
# Portions of this script was based on The FreeBSD System Hardening Script
# David Childers - 15 February, 2010
#
# Script is released under the Attribution-ShareAlike version 3.0 Licence.
# www.creativecommons.org/licenses/by-sa/3.0/
#
# Link: https://jonlabelle.com/snippets/view/shell/freebsd-system-hardening-script
# Article: http://www.bsdguides.org/2005/hardening-freebsd/
#
##################################################################
#
# Sections of the script that are marked with bold face type require additional steps to be
# performed. If these additional steps are not completed, then the changes initiated by this
# script will not function properly.
#
##################################################################
##################################################################
#
# This script can be used with either an i386 or amd64 computer.
#
##################################################################
##################################################################
#
# /etc/installurl must exist, otherwise the system cannot be updated against any new updates.
# A list of mirrors can be found at https://www.openbsd.org/ftp.html.
echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl
# Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed
# method, and must uncomment at least one of the following https:// prefixed lines.
# ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null
#
##################################################################
##################################################################
#
# syspatch is a way to apply security patches on OpenBSD. It should be executed immediately to prevent
# exposing installed operating system from any outstanding security flaws.
#
/usr/sbin/syspatch
#
# Run syspatch as a crontab every few hours or so to further prevent any recently published patches from
# being ignored.
crontab -l | { cat; echo "37\t1\t*\t*\t*\t /usr/sbin/syspatch"; } | crontab -
#
##################################################################
##################################################################
#
# OpenSMTPD faced two security issues in 2020. This is years after OpenBSD 6.6 was released. Therefore,
# all installed softwares should be upgraded if there's new version available.
#
pkg_add -u
#
##################################################################
##################################################################
#
# The file rc.conf contains descriptive information about the local host name, configuration details for
# any potential network interfaces and which services should be started up at system initial boot time.
#
# Since OpenBSD 5.7 uses rcctl to configure and control daemons and services, and is recommended to
# Use this software as opposed to manually editing /etc/rc.conf which will be overwritten. It is best
# to call rcctl directly, instead of scripting the config files accordingly.
#
# sndiod is not needed in server environments.
rcctl disable sndiod
rcctl stop sndiod
# process accounting should be enabled to prevent potentially malicious software from being daemonised
# in the background, and to go unchecked. This may also help with optimising ulimit down the track
echo "accounting=YES" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
#
# compress core dumps which will save storage space at the expense of CPU and memory
echo "savecore_flags=-z" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
#
##################################################################
##################################################################
#
# The /tmp directory should be cleared at startup to ensure that any malicious code that may have
# entered into the temp file is removed. This will be set as a crontab under root account.
# This is already a default in OpenBSD as of 6.6, no need to implement this.
#
#rm -rf /tmp/* &>/dev/null
#crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
#
##################################################################
##################################################################
#
# Disable computer system details from being read in /etc/motd on system reboot.
#
chmod o= /etc/motd
crontab -l | { cat; echo "@reboot chmod o= /etc/motd"; } | crontab -
#
##################################################################
##################################################################
#
# The sysctl.conf file allows you to configure various aspects of a OpenBSD machine. This includes many
# advanced options of the TCP/IP stack and virtual memory system that can dramatically improve
# performance.
#
# The majority of the following sysctl adjustments are commented out, mainly due to the fact that OpenBSD
# has these disabled by default.
#
# ICMP Redirect messages can be used by attackers to redirect traffic and should be ignored.
#
# sysctl -w net.inet.icmp.rediraccept=0
# echo 'net.inet.icmp.rediraccept=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
# This will discover dead connections and clear them.
#
sysctl -w net.inet.tcp.always_keepalive=1
echo 'net.inet.tcp.always_keepalive=1' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
# The TCP/IP Stack is what controls the communication of the computer on a data network.
#
# Disable ICMP broadcast echo activity. This could allow the computer to be used as part of a Smurf
# attack.
# sysctl -w net.inet.icmp.bmcastecho=0
# echo 'net.inet.icmp.bmcastecho=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
# Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an
# attacker.
#
sysctl -w net.inet.ip.redirect=0
echo 'net.inet.ip.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
sysctl -w net.inet6.ip6.redirect=0
echo 'net.inet6.ip6.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
# Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your
# network infrastructure.
#
# sysctl -w net.inet.icmp.maskrepl=0
# echo 'net.inet.icmp.maskrepl=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
# Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as
# internal hosts.
#
# sysctl -w net.inet.ip.sourceroute=0
# echo 'net.inet.ip.sourceroute=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#################################################################
#################################################################
#
# PF has the ability to filter packets in ways that are handled separately to FreeBSD's ipfw along with sysctl.
# The following must be part of your /etc/pf.conf as PF rules can vary from setup to setup. Adjust the following
# pf rules accordingly.
##########
##########
##
## (#indicates a typed command.)
##
##
## Normalise incoming network packets by means of reassembling fragmented packets and removing ambiguity.
## https://home.nuug.no/~peter/pf/en/scrub.html
## https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile
## https://man.openbsd.org/i386/pf.conf#TRAFFIC_NORMALISATION
##
## # match in all scrub (no-df random-id reassemble tcp)
##
## Enabling blackholes for UDP and TCP will drop all packets that are received on a closed port and will not
## give a reply. The following is a two part process and must be implemented to achieve the desired effect.
##
##
## By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html
## # set block-policy drop
##
## We do not send out any reset (RST) packets back, especially if the ports are closed.
## https://www.openbsd.org/faq/pf/filter.html#defdeny
## # block all
##
## Under no circumstances should this PF section be deemed as complete. A seasoned system administrator
## will know how to write a proper firewall configuration tailored to their network, as each and every
## network is unique in their own ways. However, the following below are some general recommended
## reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own
## machine. Do take time in reading up and consulting the various information that are available in both free
## and paid (book) forms.
##
## # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html
## # http://daemonforums.org/showthread.php?t=8419
##
##################################################################
##################################################################
#
# Disable users from having access to configuration files.
#
chmod o= /etc/fstab
chmod o= /etc/ftpusers
chmod o= /etc/group
chmod o= /etc/hosts
# chmod o= /etc/hosts.allow
# chmod o= /etc/hosts.equiv
# chmod o= /etc/hosts.lpd
# chmod o= /etc/inetd.conf
# chmod o= /etc/login.access
chmod o= /etc/login.conf
chmod o= /etc/newsyslog.conf
chmod o= /etc/rc.conf
chmod o= /etc/ssh/sshd_config
chmod o= /etc/sysctl.conf
chmod o= /etc/syslog.conf
chmod o= /etc/ttys
#
##################################################################
##################################################################
#
# Enable root as the only account with the ability to schedule jobs.
#
echo "root" > /var/cron/cron.allow
chmod 600 /var/cron/cron.allow
echo "root" > /var/cron/at.allow
chmod 600 /var/cron/at.allow
chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch
#
##################################################################
##################################################################
#
# Secure the root directory contents to prevent viewing. OpenBSD defaults this to 700
#
# chmod 700 /root
#
##################################################################
##################################################################
#
# Disable user from having access to the system log file directory.
#
chmod o= /var/log
#
##################################################################
##################################################################
#
# Merge all temporary file directories.
#
# A single directory should be used for temporary files, not two.
# The /var/tmp directory will be replaced with a link to /tmp.
#
# The contents of the /var/tmp directory remain after a reboot. The contents of the /tmp directory do not.
#
# OpenBSD 6.6 already has this set by default.
#
# mv /var/tmp/* /tmp/
# rm -rf /var/tmp
# ln -s /tmp /var/tmp
#
##################################################################
##################################################################
#
# Privacy bits.
#
# Strip off the ability to see other people's sessions.
chmod o= /var/run/utmp
crontab -l | { cat; echo "@reboot chmod o= /var/run/utmp"; } | crontab -
#
# Strip off the ability to being able to enumerate the list of previously logged in users and their IPs.
chmod o= /var/log/wtmp*
mv /etc/newsyslog.conf /etc/newsyslog.conf.orig ; sed 's/644/640' /etc/newsyslog.conf.orig > /etc/newsyslog.conf
#
# Restrict users from being able to access tools normally used diagnostic purposes, as this can be abused.
chmod o= /sbin
chmod o= /usr/sbin
chmod o= /usr/local/sbin
#
# Strip sbin paths for unprivileged users.
mkdir /etc/skel.orig/
mv /etc/skel/.profile /etc/skel.orig/.profile
sed 's/\/sbin://g ; s/\/usr\/usr/\/usr/ ; s/\/usr\/local\/u/\/u/' /etc/skel.orig/.profile > /etc/skel/.profile
mv /etc/skel/.cshrc /etc/skel.orig/.cshrc
sed 's/\ \/sbin// ; s/sbin\,// ; s/local\/sbin\,//' /etc/skel.orig/.cshrc > /etc/skel/.cshrc
mv /etc/login.conf /etc/login.conf.orig
sed 's/\/usr\sbin\ \/sbin// ; s/\ \/usr\/local\/sbin.*/\:\\/' /etc/login.conf.orig > /etc/login.conf
## At this point you may want to consider about replicating the default login and renaming it to something else
## Like trusted, and give it the paths that does not have sbin stripped out.
#
# Restrict users from being able to access tools normally used system maintenance, as this can be abused.
mv /usr/bin/fstat /usr/sbin && ln -s /usr/sbin/fstat /usr/bin/fstat && chmod -h 550 /usr/bin/fstat
mv /usr/bin/netstat /usr/sbin && ln -s /usr/sbin/netstat /usr/bin/netstat && chmod -h 550 /usr/bin/netstat
mv /usr/bin/logger /usr/sbin && ln -s /usr/sbin/logger /usr/bin/logger && chmod -h 550 /usr/bin/logger
chmod o= /usr/sbin/*
#
# Restrict users from seeing processes that does not belong to them.
# http://openbsd-archive.7691.n7.nabble.com/Patch-to-hide-processes-from-people-td382607.html