#!/bin/sh

# Shortcuts for often used commands
# Each shortcut holds "command [fixed-argument]" as one string.  The rest of
# the script expands them unquoted (e.g. ${rc} name=value) so the shell splits
# them back into the command and its leading argument; the paths therefore
# must not contain whitespace or glob characters.

# Editors dedicated to one file format each.
fstab='/usr/local/bin/editfstab'
ttys='/usr/local/bin/editttys'
login='/usr/local/bin/editlogin'

# Generic editor, bound to one configuration file per shortcut.
rc='/usr/local/bin/editfile /etc/rc.conf'
sysctl='/usr/local/bin/editfile /etc/sysctl.conf'
auth='/usr/local/bin/editfile /etc/auth.conf'
sshd='/usr/local/bin/editfile /etc/ssh/sshd_config'

# Kernel configuration editor.  "some_kernel_file" is a placeholder: point it
# at the real kernel config before running, because ${kern} is used by an
# active (uncommented) line further down.
kern='/usr/local/bin/editkernel /usr/src/sys/i386/conf/some_kernel_file'

# Permission shortcuts: "o=" removes every permission from "other" only,
# "ugo=" removes every permission from owner, group and other.
noworld='/bin/chmod o='
disable='/bin/chmod ugo='

####################
# Mounting options #
####################
# If the mount point exists, add the specified options.
# Please remember that /tmp has to be executable to "make world"
# and if you need to jail a process in a partition, don't mount it with "nodev"

# Scratch directories: no program execution, no set-id bits, no device
# nodes and no symlink traversal.
for mountpoint in /tmp /var/tmp
do
	${fstab} "${mountpoint}" +noexec,nosuid,nodev,nosymfollow
done

# Home directories: same, but symlinks stay usable.
for mountpoint in /home /usr/home
do
	${fstab} "${mountpoint}" +noexec,nosuid,nodev
done

# /var keeps exec; the mail spool does not.
${fstab} /var +nosuid,nodev
${fstab} /var/mail +noexec,nodev,nosuid

# NOTE(review): these calls only pass options to the fstab editor; whether a
# remount or reboot is needed for them to apply depends on editfstab - confirm.

########################
# Build a debug kernel #
########################
#${kern}   options         DDB
#${kern}   makeoptions     DEBUG=-g
#${kern}   options         DDB_UNATTENDED
#${kern}   options         SC_DISABLE_DDBKEY
#Remember that your swap partition must be larger than your amount of RAM!
#${rc} dumpdev=\"YOUR_SWAP\"     #Read /etc/fstab or run swapinfo
#${rc} dumpdir=\"/var/crash\"

########################
# /etc/rc.conf options #
########################
# This will just add some options to /etc/rc.conf
# Every call hands one name="value" pair to the rc.conf editor.  The single
# quotes keep the double quotes as part of the argument.
${rc} 'sendmail_enable="NONE"'           # run no sendmail daemon at all
# Securelevel 1 is raised at boot.  At that level system immutable/append-only
# file flags cannot be cleared and kernel modules cannot be loaded, so plan
# maintenance that needs either of them around a reboot.
${rc} 'kern_securelevel_enable="YES"'
${rc} 'kern_securelevel="1"'
# Network services that are off unless explicitly needed.
# NOTE(review): on releases that ship rpcbind instead of portmap the knob is
# rpcbind_enable - confirm for the target release.
${rc} 'portmap_enable="NO"'
${rc} 'inetd_enable="NO"'
${rc} 'clear_tmp_enable="YES"'           # empty /tmp at boot
${rc} 'update_motd="NO"'                 # leave /etc/motd alone at boot
# -ss: syslogd opens no network socket, so it neither receives nor sends
# remote log messages.
${rc} 'syslogd_flags="-ss"'              #Comment this if this is a log server (or change it)

##################
# Stealth server #
##################
# If this is a log server, firewall or gateway you can put it into stealth mode.
# This is NOT recommended for normal server use.
# Note: For a stealthier server you should also block some ICMP requests, such as
# Echo, Time and Netmask requests.
#${rc} tcp_drop_synfin=\"YES\"
#${sysctl} net.inet.tcp.blackhole=2
#${sysctl} net.inet.udp.blackhole=1
#${kern}   options IPSTEALTH
#${kern}   options TCP_DROP_SYNFIN

######################
# Networking options #
######################
# ICMP redirects are dropped and logged; connection attempts to ports that
# nothing listens on are logged as well (log_in_vain).
${rc} 'icmp_drop_redirect="YES"'
${rc} 'icmp_log_redirect="YES"'
${rc} 'log_in_vain="YES"'

# Kernel option: only effective once a kernel has been built from the edited
# config.  ${kern} must point at a real config file for this line to be useful.
${kern} options RANDOM_IP_ID

# sshd: only members of group wheel may log in, protocol version 2 only.
# Make sure the account you administer with is in wheel before sshd is
# restarted, otherwise remote access is lost.
${sshd} AllowGroups wheel
${sshd} Protocol 2

#######################
# Login Class options #
#######################
# Password policy and file-creation mask for the "default" login class.
for capability in minpasswordlen=8 mixpasswordcase=true umask=077
do
	${login} default "${capability}"
done

# Password hashing: Blowfish-based crypt ("blf"), set both as the system
# default and for the "default" login class.  Hashes that already exist keep
# their old format until the password is changed.
# NOTE(review): login.conf edits normally need the capability database to be
# rebuilt (cap_mkdb) - confirm whether editlogin does that itself.
${auth} crypt_default=blf
${login} default passwd_format=blf

##############
# Root Login #
##############
# Mark terminals "insecure" in /etc/ttys: root may not log in on them
# directly, and an insecure console asks for the root password when the
# system enters single-user mode.  Keep the root password available offline
# and a wheel account that can su, or recovery becomes difficult.
# NOTE(review): "tty" presumably selects the tty* entries - confirm against
# editttys.
for terminal in console tty
do
	${ttys} "${terminal}" insecure
done

#####################
# Restrict the user #
#####################
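# cron: once /var/cron/allow exists, only the accounts listed in it (plus
# root) may use crontab.  Creating it empty shuts out every ordinary user.
# An existing file is left alone so that entries already granted survive.
if test ! -f /var/cron/allow
then
	/usr/bin/touch /var/cron/allow
fi
# at: /var/at/at.allow has the same meaning for at, atq, atrm and batch.
# The test must use the absolute path; a relative "var/at/at.allow" is
# resolved against the current directory, so the check would depend on where
# the script was started from.
if test ! -f /var/at/at.allow
then
	/usr/bin/touch /var/at/at.allow
fi

# Users may only see their own processes.
${sysctl} security.bsd.see_other_uids=0      # Use kern.ps_showallprocs for 4.X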

##################
# Kernel options #
##################
#${kern} options    SC_NO_HISTORY             # Don't keep history, so the console can't be scrolled back
#${kern} options    SC_DISABLE_REBOOT         # Disable ctrl+alt+del

#################################
# Restrict access to suid files #
#################################
# Legacy r-commands: every permission bit is removed for owner, group and
# other, so nobody but root can run them.
for rcmd in /bin/rcp /usr/bin/rlogin /usr/bin/rsh
do
	${disable} "${rcmd}"
done

# Remaining programs from the set-uid list: all access is removed for
# "other"; owner and group permissions are untouched, so group membership
# (presumably wheel for su - verify with ls -l) decides who may still run them.
# Side effects to expect: accounts outside the file's group can no longer
# change their own password, shell or finger data (passwd, chpass, chsh,
# chfn), nor use ping or traceroute.
# System upgrades that reinstall these binaries may restore the default
# modes; re-run and re-check afterwards.
for suid_bin in \
	/sbin/mksnap_ffs \
	/sbin/ping \
	/sbin/ping6 \
	/sbin/shutdown \
	/usr/bin/at \
	/usr/bin/atq \
	/usr/bin/atrm \
	/usr/bin/batch \
	/usr/bin/chpass \
	/usr/bin/chfn \
	/usr/bin/chsh \
	/usr/bin/ypchpass \
	/usr/bin/ypchfn \
	/usr/bin/ypchsh \
	/usr/bin/lock \
	/usr/bin/login \
	/usr/bin/opieinfo \
	/usr/bin/opiepasswd \
	/usr/bin/passwd \
	/usr/bin/yppasswd \
	/usr/bin/quota \
	/usr/bin/su \
	/usr/bin/crontab \
	/usr/bin/lpq \
	/usr/bin/lpr \
	/usr/bin/lprm \
	/usr/libexec/pt_chown \
	/usr/sbin/mrinfo \
	/usr/sbin/mtrace \
	/usr/sbin/sliplogin \
	/usr/sbin/timedc \
	/usr/sbin/traceroute \
	/usr/sbin/traceroute6 \
	/usr/sbin/ppp \
	/usr/sbin/pppd
do
	${noworld} "${suid_bin}"
done

################################
# Restrict access to gid files #
################################
# Programs from the set-gid list: all access is removed for "other"; owner
# and group permissions stay as they are.
# lpq, lpr and lprm are also in the set-uid list; repeating the chmod is
# harmless.
# Blocking the sendmail binary for "other" also stops local mail submission
# by accounts outside its group - presumably intended together with
# sendmail_enable="NONE", but verify that nothing (e.g. cron mail) relies on it.
for sgid_bin in \
	/usr/bin/fstat \
	/usr/bin/netstat \
	/usr/bin/vmstat \
	/usr/bin/wall \
	/usr/bin/write \
	/usr/bin/lpq \
	/usr/bin/lpr \
	/usr/bin/lprm \
	/usr/libexec/sendmail/sendmail \
	/usr/sbin/trpt \
	/usr/sbin/lpc
do
	${noworld} "${sgid_bin}"
done

########################################
# Restrict access to information files #
########################################
# Everything below loses all permissions for "other"; owner and group keep
# theirs.  chmod is not recursive here, so for directories only the directory
# entry itself changes.

# Tools that reveal system, network, package or login information.
for info_tool in \
	/sbin/sysctl \
	/usr/bin/uname \
	/sbin/kldstat \
	/sbin/route \
	/usr/sbin/arp \
	/sbin/dmesg \
	/usr/sbin/pkg_version \
	/usr/sbin/pkg_info \
	/usr/bin/last \
	/usr/sbin/lastlogin \
	/sbin/ipfw \
	/sbin/mount \
	/usr/bin/users \
	/usr/bin/w \
	/usr/bin/who \
	/usr/bin/lastcomm \
	/usr/sbin/jls
do
	${noworld} "${info_tool}"
done
#${noworld} /usr/bin/netstat               #Uncomment if using 4.X

# Configuration and boot-log files.
# NOTE(review): unprivileged daemons and users outside the owning group can
# no longer read /etc/hosts, /etc/host.conf, /etc/group or /etc/passwd, which
# may break host and group-name lookups for them - test services that drop
# privileges.  /etc/passwd may also be regenerated with default permissions
# when the password database is rebuilt; re-check after account changes.
for info_file in \
	/var/run/dmesg.boot \
	/etc/hosts \
	/etc/fstab \
	/etc/ssh/sshd_config \
	/etc/crontab \
	/etc/ftpusers \
	/etc/hosts.allow \
	/etc/host.conf \
	/etc/hosts.equiv \
	/etc/hosts.lpd \
	/etc/inetd.conf \
	/etc/login.access \
	/etc/login.conf \
	/etc/sysctl.conf \
	/etc/syslog.conf \
	/etc/ttys \
	/etc/rc.conf \
	/etc/mac.conf \
	/etc/group \
	/etc/passwd \
	/etc/newsyslog.conf
do
	${noworld} "${info_file}"
done

# Directories.  With /home/ closed to "other", accounts outside the
# directory's group cannot reach their own home directory any more; that
# matches the wheel-only ssh policy but locks out every other account.
# /var/log/ stays last so the script's exit status is still that of this
# final chmod.
for info_dir in \
	/etc/periodic/ \
	/var/db/pkg/ \
	/home/ \
	/var/mail/ \
	/var/log/
do
	${noworld} "${info_dir}"
done
