そろそろ、基本となる部分が固まってきたので、FreeBSD用のTemplateを作成してみる。

Template用のIP Addressを確保する

• templateは、必要に応じて起動し、updateを行う必要がある。
• 普段はshutdownしておく

XenServer上にtemplate用VMを構築し、FreeBSDをInstallする

• FilesystemはZFSにする
• 有効にするサービスはsshdだけ
  • dumpdevはOffで良い
  • ntpdはchronyを使うのでOffで良い
• System Hardeningは全部Onにする
  • Hide processes running as other users
    • security.bsd.see_other_uids on /etc/sysctl.conf
  • Hide processes running as other groups
    • security.bsd.see_other_gids on /etc/sysctl.conf
  • Disable reading kernel message buffer for unprivileged users
    • security.bsd.unprivileged_read_msgbuf on /etc/sysctl.conf
  • Disable process debugging facilities for unprivileged users
    • security.bsd.unprivileged_proc_debug on /etc/sysctl.conf
  • Randomize the PID of newly created processes
    • kern.randompid on /etc/sysctl.conf
  • Insert stack guard page ahed of the growable segments
    • security.bsd.stack_guard_page on /etc/sysctl.conf
  • Clean the /tmp filesystem on system startup
    • clear_tmp_enable=“YES” on /etc/rc.conf
  • Disable opening Syslogd network socket (disable remote logging)
    • syslogd_flags=“-ss” on /etc/rc.conf
  • Disable Sendmail services
    • sendmail_enable=“NONE” on /etc/rc.conf
• 絶対に必要なAccountを作成しておく
  • 自分や構成管理用ツールの使うアカウント、vulsアカウントなど

/etc/rc.confを編集する

• XenServerの場合、TSO等の機能は切るべき
• ifconfig_xn0=“inet 192.0.2.1/24 -rxcsum -txcsum -tso -lro” などとする
• 共通となる様々な設定をここで記載するのは良いこと

• root@tmpl:/etc # cat /etc/rc.conf
  #
  # System Run Configuration
  #
  
  # Host Information
  hostname="tmpl"
  keymap="jp"
  dumpdev="NO"
  
  # Boot/Shutdown
  clear_tmp_enable="YES"
  rcshutdown_timeout="30"
  
  # Filesystem
  tmpmfs="YES"
  tmpsize="128m"
  tmpmfs_flags="-S"
  zfs_enable="YES"
  zfsd_enable="YES"
  
  # Network
  #cloned_interfaces=""
  
  ifconfig_xn0="inet 192.0.2.1/24 -rxcsum -txcsum -tso -lro
  
  route_private10=" -net 10.0.0.0/8     127.0.0.1 -blackhole"
  route_private172="-net 172.16.0.0/12  127.0.0.1 -blackhole"
  route_private192="-net 192.168.0.0/16 127.0.0.1 -blackhole"
  
  static_routes="private10 private172 private192"
  defaultrouter="192.0.2.254"
  
  gateway_enable="NO"
  
  icmp_bmcastecho="NO"
  icmp_drop_redirect="YES"
  icmp_log_redirect="YES"
  ip6addrctl_enable="NO"
  ip6addrctl_policy="ipv4_prefer"
  ipv6_activate_all_interfaces="NO"
  ipv6_network_interfaces="NO"
  tcp_drop_synfin="YES"
  
  # NFS
  rpc_lockd_enable="YES"
  rpc_statd_enable="YES"
  rpcbind_enable="YES"
  nfs_client_enable="YES"
  autofs_enable="YES"
  
  # pf
  pf_enable="NO"
  pflog_enable="NO"
  
  # Audit
  accounting_enable="YES"
  
  # Userland
  syslogd_flags="-ss"
  syslogd_oomprotect="YES"
  blacklistd_enable="NO"
  blacklistd_flags=""
  sendmail_enable="NONE"
  sshd_enable="YES"
  root@tmpl:/etc # 
  

/boot/loader.confを編集する

• 起動時設定の編集

• carp_load="YES"
  
  kern.geom.label.disk_ident.enable="0"
  kern.geom.label.gptid.enable="0"
  vfs.zfs.min_auto_ashift=12
  zfs_load="YES"
  
  # for OpenSSL/AES-NI
  cryptodev_load="YES"
  aesni_load="YES"
  
  # for All servers
  kern.maxusers=1024
  kern.ipc.nmbclusters=65536
  
  # for NGiNX
  aio_load="YES"
  accf_data_load="YES"
  accf_http_load="YES"
  net.inet.tcp.syncache.hashsize=1024
  net.inet.tcp.syncache.bucketlimit=100
  net.inet.tcp.tcbhashsize=4096
  
  # for squid
  kern.ipc.msgmnb=8192
  kern.ipc.msgssz=64
  kern.ipc.msgtql=2048

/etc/sysctl.confを編集する

• Kernel Parameterの設定

• # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
  #
  #  This file is read when going to multi-user and its contents piped thru
  #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
  #
  
  # Uncomment this to prevent users from seeing information about processes that
  # are being run under another UID.
  security.bsd.see_other_uids=0
  security.bsd.see_other_gids=0
  security.bsd.unprivileged_read_msgbuf=0
  security.bsd.unprivileged_proc_debug=0
  kern.randompid=4042
  security.bsd.stack_guard_page=1
  
  # Enable CARP
  #net.inet.carp.allow=1
  #net.inet.carp.preempt=1
  #net.inet.carp.log=1
  #net.inet.carp.arpbalance=0
  
  # IP Tuning
  net.inet.ip.portrange.randomized=0
  net.inet.ip.portrange.first=1024
  net.inet.ip.portrange.last=65535
  
  # ICMP Tuning
  net.inet.icmp.icmplim=3000
  
  # TCP Tuning
  net.inet.tcp.msl=1000
  net.inet.tcp.finwait2_timeout=3000
  net.inet.tcp.nolocaltimewait=1
  net.inet.tcp.fast_finwait2_recycle=1
  net.inet.tcp.syncookies=1
  net.inet.tcp.recvspace=8192
  net.inet.tcp.blackhole=2
  net.inet.tcp.tso=0
  
  # for HTTP
  kern.ipc.somaxconn=16384
  kern.ipc.maxsockets=65536
  kern.ipc.maxsockbuf=4194304
  kern.maxfiles=16384
  kern.maxfilesperproc=1024
  
  # ARP cache timeout
  #net.link.ether.inet.max_age=97
  
  ### NFS parameters
  vfs.nfsd.server_min_nfsvers=3

ssh関連の設定を行う

• Passwordによる認証をOffにする

• *** sshd_config.orig	Tue Aug 15 19:55:21 2017
  --- sshd_config	Tue Aug 15 19:56:39 2017
  ***************
  *** 15,20 ****
  --- 15,21 ----
    # FreeBSD has a few additional options.
    
    #Port 22
  + Port xxxxxx
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
  ***************
  *** 77,82 ****
  --- 78,84 ----
    
    # Change to no to disable PAM authentication
    #ChallengeResponseAuthentication yes
  + ChallengeResponseAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
  ***************
  *** 116,121 ****
  --- 118,124 ----
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
  + UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no

• loginするユーザーの公開鍵を設置する
  • /home/user/.ssh を作成し、そこに、authorized_keysを「必ず」設置すること

/etc/freebsd-update.confを編集

• 自前のUpdate用Proxy Serverがある場合、ServerName フィールドにProxy Serverを記載する

pkgコマンドをインストール

• pkg install pkg
• 自前のpkg用Proxy Serverを設置している場合、mkdir -p /usr/local/etc/pkg/reposを作成し、FreeBSD.confを作成

• # $FreeBSD: releng/10.2/etc/pkg/FreeBSD.conf 285830 2015-07-23 23:31:40Z gjb $
  #
  # To disable this repository, instead of modifying or removing this file,
  # create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
  #
  #   mkdir -p /usr/local/etc/pkg/repos
  #   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
  #
  
  FreeBSD: {
  #  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
    url: "pkg+http://some.where.example.com/${ABI}/latest",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/share/keys/pkg",
    enabled: yes
  }

/usr/local/etc/newsyslog.conf.dを作成

/etc/periodic.conf.localを作成

• # Daily options
  daily_show_badconfig="YES"
  
  daily_clean_disks_enable="YES"
  daily_clean_tmps_enable="YES"
  daily_accounting_compress="YES"
  daily_accounting_flags=-q
  daily_accounting_save=7
  daily_status_zfs_enable="YES"
  daily_scrub_zfs_enable="NO"
  
  # Weekly options
  weekly_noid_enable="NO"
  
  # Monthly options
  
  # Security options
  security_show_badconfig="YES"
  security_status_noamd="YES"
  
  # Disable sendmail specific tasks
  daily_clean_hoststat_enable="NO"
  daily_status_mail_rejects_enable="NO"
  daily_status_include_submit_mailq="NO"
  daily_submit_queuerun="NO"

/etc/newsyslog.confを編集

• 基本的に、毎日0時にファイルを更新する。過去記録は７つ。

/etc/fstabにprocfsを追加

• 本当に必要かどうかには議論があるが、bashが必要な場合があるので足しておく

• proc                    /proc   procfs  rw              0       0

• 必須Packageを追加する
  • chrony, postfix-current, sudo, xe-guest-utilities
  • pkg install -y xe-guest-utilities sudo chrony postfix-current
  • chrony.confを修正

    • *** /usr/local/etc/chrony.conf.sample	Sun Aug 13 11:09:49 2017
      --- /usr/local/etc/chrony.conf	Tue Aug 15 20:52:24 2017
      ***************
      *** 30,39 ****
        ! server foo.example.net iburst
        ! server bar.example.net iburst
        ! server baz.example.net iburst
        
        # This is a reasonable default setting to have on in typical cases for
        # a workstation with a full-time internet connection:
      ! pool 0.freebsd.pool.ntp.org iburst
         
        #######################################################################
        ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
      --- 30,41 ----
        ! server foo.example.net iburst
        ! server bar.example.net iburst
        ! server baz.example.net iburst
      + server 192.0.2.254 iburst
      + server 192.0.2.253 iburst
        
        # This is a reasonable default setting to have on in typical cases for
        # a workstation with a full-time internet connection:
      ! ! pool 0.freebsd.pool.ntp.org iburst
         
        #######################################################################
        ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK

/usr/local/etc/sudores.dにファイルを作成

• /usr/local/etc/sudoers.d/vuls

  vuls        ALL=(root)      NOPASSWD: /usr/bin/yum, /bin/echo

• /usr/local/etc/sudoers.d/idempotence

  idempotence ALL=(root)      NOPASSWD: ALL

必須のPackageを起動時に起動する設定を投入

• /etc/rc.conf.localに記述

• #
  # Local Run Configiguration.
  #
  
  xenguest_enable="YES"
  chronyd_enable="YES"
  
  # Mail Configuration
  postfix_enable="YES"

不要なZFS Dataset を削除する

• zfs destroy zroot/usr/ports
• zfs destroy zroot/usr/src

freebsd-update fetch installを実行して最新の状態にする