Interesting New Ports
For those faithful readers who were starting to wonder when the next article in this column would appear, I'm back. BSD Hacks is finally finished.
In today's article, I'd like to demonstrate some useful utilities that recently arrived in the ports collection. I usually discover these from FreshPorts, which keeps statistics on which ports have been added in the last 24 hours, 48 hours, week, fortnight, and month.
However, I first learned about sysutils/pkg_cutleaves from Richard Bejtlich's weblog. Richard
has the uncanny ability to keep abreast of my three favorite subjects:
FreeBSD, the ports collection, and security.
If you use portupgrade to keep your ports up-to-date, consider
adding pkg_cutleaves to your repertoire. This interactive Perl
script searches your ports database for "leaves," or software that isn't a
dependency of any other installed program. This gives you the opportunity to
clean your drive of those orphaned programs you no longer use or were
dependencies of software you've since uninstalled.
Once you've built the port from /usr/ports/sysutils/pkg_cutleaves, take a minute to read man pkg_cutleaves. Then, as the superuser:
# pkg_cutleaves
Package 1 of 73:
AbiWord2-2.0.5 - An open-source, cross-platform WYSIWYG word processor
AbiWord2-2.0.5 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? k
** Keeping AbiWord2-2.0.5.
On this particular system, I have 250 installed ports, of which 73 are
entirely independent. pkg_cutleaves will show each of these and
will pause while I decide to keep or remove the port. I've chosen to keep
AbiWord2, as well as the next 6 XFree86-related ports.
Package 8 of 73:
apache-ant-1.6.1 - Java- and XML-based build tool, conceptually similar to make
apache-ant-1.6.1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking apache-ant-1.6.1 for removal.
However, I've chosen to delete apache-ant since I have a vague
memory of it being a dependency of some application I've long ago uninstalled.
I'll carry on until I've made a decision on each of the 73 ports. Once I'm
finished, pkg_delete will carry out the requested deletions. In
this example, I've chosen to delete 25 ports:
Package 73 of 73:
zip-2.3_1 - Create/update ZIP files compatible with pkzip
zip-2.3_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? k
** Keeping zip-2.3_1.
Deleting apache-ant-1.6.1 (package 1 of 25).
---> Deinstalling 'apache-ant-1.6.1'
[Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... - 250
packages found (-1 +0) (...) done]
When these deletions complete, pkg_cutleaves reprocesses the
ports database to see if any of those deletions resulted in new leaf
packages:
Go on with new leaf packages ((y)es/[no])? y
This process will continue until I've dealt with all leaves. At that point it will provide a summary of the uninstalled packages:
Didn't find any new leaves, exiting.
** Deinstalled packages:
apache-ant-1.6.1
<snip>
** Number of deinstalled packages: 53
The next time you run pkg_cutleaves, it will ask you again
about the ports you chose to keep. In my example, that would be AbiWord2 and
those XFree86 ports. If you know you want to keep these and find it irritating
to confirm this every time, create a file called
/usr/local/etc/pkg_leaves.exclude containing the names of those
ports you wish to keep:
AbiWord2
XFree86
Remember to include the -x (exclude) switch:
# pkg_cutleaves -x
This tells pkg_cutleaves to read your exclude file. For those
occasions when you don't want it to read your exclude file, don't include that
switch.
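To make the "leaf" idea concrete, here is a small shell script, added as an example and not taken from the column or from the pkg_cutleaves port. It assumes the classic pkg_install database layout, /var/db/pkg/<package>/, in which the +REQUIRED_BY file lists the packages that depend on that package; a package with a missing or empty +REQUIRED_BY is a leaf. The five-package database it builds in a temporary directory is constructed data, and the remove_pkg step shows why pkg_cutleaves offers a "new leaf packages" pass after deletions: removing apache-ant turns its own dependency into a leaf.

```shell
#!/bin/sh
# Added example (not from the column or from pkg_cutleaves): find "leaf"
# packages, i.e. installed packages that no other package lists as a
# dependency, and show how removing one can turn its dependencies into
# new leaves.
# Assumption: the classic pkg_install database layout /var/db/pkg/<pkg>/,
# where +REQUIRED_BY lists the packages that depend on <pkg>.  The package
# set built below is constructed data for a dry run in a temporary directory.

# find_leaves DBDIR: print leaf package names, sorted, one per line.
find_leaves() {
    for pkgdir in "$1"/*/; do
        [ -d "$pkgdir" ] || continue
        # A missing or empty +REQUIRED_BY means nothing depends on the package.
        if [ ! -s "$pkgdir/+REQUIRED_BY" ]; then
            basename "$pkgdir"
        fi
    done | LC_ALL=C sort
}

# count_leaves DBDIR: how many leaves, as in "73 of 250 installed ports".
count_leaves() {
    find_leaves "$1" | wc -l | tr -d ' '
}

# remove_pkg DBDIR PKG: mimic what pkg_delete does to the database: drop the
# package directory and strip PKG from every other package's +REQUIRED_BY.
remove_pkg() {
    rm -rf "$1/$2"
    for req in "$1"/*/+REQUIRED_BY; do
        [ -f "$req" ] || continue
        grep -v -x "$2" "$req" > "$req.tmp" || true   # grep exits 1 on no output
        mv "$req.tmp" "$req"
    done
}

# make_sample_db DBDIR: constructed database of five packages, two of which
# are installed only because another package needs them.
make_sample_db() {
    for p in AbiWord2-2.0.5 apache-ant-1.6.1 zip-2.3_1 libxml2-2.6.9 unzip-5.50; do
        mkdir -p "$1/$p"
        : > "$1/$p/+CONTENTS"
    done
    echo AbiWord2-2.0.5   > "$1/libxml2-2.6.9/+REQUIRED_BY"   # AbiWord2 needs libxml2
    echo apache-ant-1.6.1 > "$1/unzip-5.50/+REQUIRED_BY"      # ant needs unzip
}

db=$(mktemp -d)
make_sample_db "$db"
echo "Leaves before any deletion ($(count_leaves "$db") of 5):"
find_leaves "$db"
remove_pkg "$db" apache-ant-1.6.1
echo "Leaves after removing apache-ant-1.6.1 ($(count_leaves "$db") of 4):"
find_leaves "$db"          # unzip-5.50 now shows up: the "new leaf" pass
rm -rf "$db"
```

Point the functions at /var/db/pkg (as the superuser, and without calling remove_pkg) to list the leaves on a real pkg_install-era system; the interactive keep/delete decision that pkg_cutleaves adds on top is what turns the list into a clean-up.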
The next new port is for those of you who enjoy BOFH humor. If that strikes your funny bone, you can add BOFH-style fortunes to your system by installing
/usr/ports/misc/fortune-mod-bofh.
Once installed, try a random fortune:
% fortune /usr/local/share/games/fortune/bofh
BOFH excuse #419:
overflow error in /dev/null
If you'd like these fortunes to appear randomly with the rest of your fortunes, copy them into the system fortune directory as the superuser:
# cp /usr/local/share/games/fortune/bofh* /usr/share/games/fortune/
Once you've copied over the BOFH files, you can specify you'd like a BOFH fortune by typing:
% fortune bofh
This is many keystrokes shorter than the previous incantation.
Finally, if you're a Futurama fan, repeat the above for the
/usr/ports/misc/fortune-mod-futurama port:
# cd /usr/ports/misc/fortune-mod-futurama
# make install clean
# cp /usr/local/share/games/fortune/futurama* /usr/share/games/fortune/
# exit
% fortune futurama
Fry: I want to see the edge of the universe.
Amy: Ooh, that sounds cool.
Zoidberg: It's funny. You live in the universe but you
never do these things 'til someone comes to visit.
It's funny that this fortune made me wistful for a Douglas Adams fortune. A
quick Google search revealed that there is indeed a fortune-hitchhiker project. Download fortune-hitchhiker.tgz, then:
# tar xzvf fortune-hitchhiker.tgz
# cp fortune-hitchhiker/hitchhiker* /usr/share/games/fortune
# exit
% fortune hitchhiker
"'You know,' said Arthur, 'it's at times like this, when
I'm trapped in a Vogon airlock with a man from Betelgeuse,
and about to die from asphyxiation in deep space that I
really wish I'd listened to what my mother told me when I
was young.'
'Why, what did she tell you?'
'I don't know, I didn't listen.'"
-- Arthur coping with certain death as best as he could.
Perhaps another Hitchhiker fan will add this to the ports collection so it will show up in the new section at FreshPorts.
The next port intrigued me as it's named after one of my favorite childhood literary characters:
# cd /usr/ports/textproc/queequeg
# make install clean
This will install the qq Python script, which can run against
any text, LaTeX, or HTML file, like so:
% qq filename
The Queequeg project is still in its beta stages. Its goal is to help the non-native English writer match a singular or plural noun to the correct verb conjugation. At this point, the project developers are still working on filtering out false positives, so the resulting output may still be too frustrating for those who lack a solid command of English grammar. However, if English grammar is your forte and you have some time to donate, this project is looking for beta testers. If it matures, it will be an excellent tool for developers who aren't native English speakers to easily create manpages in natural English.
The final port I'd like to demonstrate is found in
/usr/ports/security/lockdown. I was originally skeptical since this
port is a script designed to harden or increase the security of a FreeBSD
system. I tend to shy away from such promises, as hardening a system definitely
doesn't fit into the one-size-fits-all category.
However, Daniel Blankensteiner has done an excellent job in creating a totally configurable script that allows you to apply a set of custom configurations. An administrator could easily create a separate configuration file suited to each of his systems. Not only is the configuration file easy to apply, it supplies a concrete record of changes applied to a newly installed or upgraded system.
Once you've installed the port, familiarize yourself with man lockdown -- it summarizes the various configuration options contained within the script configuration file.
Then:
# cp /usr/local/etc/lockdown.conf.sample /usr/local/etc/lockdown.conf
Note: If you're planning on making configuration files for multiple systems,
include the hostname of the system in the name of the copied over configuration
file. This way, you can store multiple configuration files in a central
location. When you actually use the lockdown utility, you can use the desired
configuration file by specifying its name with the -f switch.
Open the copied-over file in your favorite editor. You'll find that this
file is very well commented, with many sample hardening changes to get you
started. For example, here's a section on tightening up
/etc/fstab to mount your partitions securely:
####################
# Mounting options #
####################
# If the mount point exists, mount it with the specified options.
# Please remember that /tmp has to be executable to "make world"
# and if you need to jail a process in a partition, don't mount it with
# "nodev"
mount /tmp rw,noexec,nosuid,nodev,nosymfollow
mount /var/tmp rw,noexec,nosuid,nodev,nosymfollow
mount /home rw,noexec,nosuid,nodev
mount /usr/home rw,noexec,nosuid,nodev
mount /var rw,nosuid,nodev
mount /var/mail rw,noexec,nodev,nosuid
If these mount options are new to you, see the -o section of
man mount. You'll also find the FreeBSD
Security How-To very useful when determining which options are suited to
your environment.
The next section allows you to set your /etc/rc.conf options
and gives some ideas to get you started. See man rc.conf for each
possible option.
########################
# /etc/rc.conf options #
########################
# This will just add some options to /etc/rc.conf
rc_conf enable_sendmail="NONE"
rc_conf kern_securelevel_enable="YES"
rc_conf portmap_enable="NO"
rc_conf inetd_enable="NO"
rc_conf kern_securelevel="3"
rc_conf clear_tmp_enable="YES"
#rc_conf update_motd="NO"
rc_conf syslogd_flags="-ss" # Comment this if this is a
# log server (or change it)
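The mount and rc.conf sections above double as a baseline you can audit against. The following shell script is an added example, not part of the column or of the lockdown port: it reads the "mount" and "rc_conf" directives from a lockdown.conf and reports where the current /etc/fstab and /etc/rc.conf fall short, without changing anything. It assumes one directive per line in the form shown above, checks a mount point only if it appears in fstab (a simplification of lockdown's "if the mount point exists" rule), and compares rc.conf values after stripping trailing comments; the policy, fstab and rc.conf files it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the column or from lockdown): a read-only audit of
# "mount" and "rc_conf" directives against the files they are meant to shape,
# so drift from the recorded baseline is visible before anything is changed.
# Assumptions: one directive per line as shown in the column; a mount point is
# checked only if it appears in fstab; the sample files below are constructed.

trim() { sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# audit_mounts POLICY FSTAB: print "<mountpoint> missing <option>" per gap.
audit_mounts() {
    grep '^mount ' "$1" | while read -r tag mp want; do
        have=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$2")
        [ -n "$have" ] || continue              # not in fstab: nothing to check
        for opt in $(echo "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;                  # option already present
                *) echo "$mp missing $opt" ;;
            esac
        done
    done
}

# audit_rc_conf POLICY RCCONF: report variables unset or set to another value.
audit_rc_conf() {
    grep '^rc_conf ' "$1" | while read -r tag kv; do
        kv=$(printf '%s' "${kv%%#*}" | trim)    # drop a trailing comment
        key=${kv%%=*}; want=${kv#*=}
        have=$(grep "^${key}=" "$2" | tail -n 1) # last assignment wins, as in sh
        have=$(printf '%s' "${have#*=}" | sed 's/#.*//' | trim)
        if [ -z "$have" ]; then
            echo "rc.conf: $key not set (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "rc.conf: $key is $have (want $want)"
        fi
    done
}

# count_findings POLICY FSTAB RCCONF: total number of gaps found.
count_findings() {
    { audit_mounts "$1" "$2"; audit_rc_conf "$1" "$3"; } | wc -l | tr -d ' '
}

# Constructed policy excerpt, using directives from the column's sample.
make_sample_policy() {
    cat > "$1" <<'EOF'
mount /tmp rw,noexec,nosuid,nodev,nosymfollow
mount /var/tmp rw,noexec,nosuid,nodev,nosymfollow
mount /home rw,noexec,nosuid,nodev
mount /var rw,nosuid,nodev
rc_conf kern_securelevel_enable="YES"
rc_conf inetd_enable="NO"
rc_conf kern_securelevel="3"
rc_conf clear_tmp_enable="YES"
rc_conf syslogd_flags="-ss" # Comment this if this is a log server
EOF
}

# Constructed fstab: /tmp is mounted too loosely, /var/tmp has no partition.
make_sample_fstab() {
    cat > "$1" <<'EOF'
/dev/ad0s1a   /      ufs  rw                        1 1
/dev/ad0s1d   /tmp   ufs  rw,nosuid                 2 2
/dev/ad0s1e   /var   ufs  rw,nosuid,nodev           2 2
/dev/ad0s1f   /usr   ufs  rw                        2 2
/dev/ad0s1g   /home  ufs  rw,noexec,nosuid,nodev    2 2
EOF
}

# Constructed rc.conf: inetd left on, securelevel not enabled, /tmp not cleared.
make_sample_rc_conf() {
    cat > "$1" <<'EOF'
hostname="example.test"
inetd_enable="YES"
kern_securelevel="3"   # raised after install
syslogd_flags="-ss"
EOF
}

d=$(mktemp -d)
make_sample_policy "$d/lockdown.conf"
make_sample_fstab "$d/fstab"
make_sample_rc_conf "$d/rc.conf"
audit_mounts "$d/lockdown.conf" "$d/fstab"
audit_rc_conf "$d/lockdown.conf" "$d/rc.conf"
echo "findings: $(count_findings "$d/lockdown.conf" "$d/fstab" "$d/rc.conf")"
rm -rf "$d"
```

Run the two audit functions against /usr/local/etc/lockdown.conf, /etc/fstab and /etc/rc.conf to see what lockdown would change on a given host; a zero finding count after a run is also a cheap way to confirm the configuration file really was applied.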
The next section allows you to create a stealth server:
##################
# Stealth server #
##################
# If this is a log server, firewall or gateway you can put it into
# stealth mode.
# This is NOT recommended for normal server use.
# Note: For a stealthier server you should also block some icmp request
# like:
# Echo, Time and Netmask requests
#rc_conf tcp_drop_synfin="YES"
#sysctl net.inet.tcp.blackhole=2
#sysctl net.inet.udp.blackhole=1
#kern options IPSTEALTH
#kern options TCP_DROP_SYNFIN
Securing FreeBSD discussed these options and many of those that follow in greater detail.
The next section allows you to set various networking configurations:
######################
# Networking options #
######################
rc_conf icmp_drop_redirect="YES"
rc_conf icmp_log_redirect="YES"
rc_conf log_in_vain="YES"
kern options RANDOM_IP_ID
openssh AllowGroups wheel
openssh Protocol 2
set_warning "
Warning
I blah blah blah blah
and then some"
Those last options configure SSH. See Configuring SSH for more details.
Next, you have the opportunity to customize /etc/login.conf:
#######################
# Login Class options #
#######################
login_class default minpasswordlen=8
login_class default mixpasswordcase=true
login_class default uname=077
# Encryption of passwords
auth_conf crypt_default=blf
login_class default passwd_format=blf
Then, /etc/ttys:
##############
# Root Login #
##############
allow_direct_root_login NO # Set tty* in /etc/ttys to
# insecure
password_protect_singleuser_mode YES # Set console to insecure
# in /etc/ttys
There are user-specific options:
#####################
# Restrict the user #
#####################
allow_cron NO
allow_at NO
sysctl security.bsd.see_other_uids=0 # Use kern.ps_showallprocs
# for 4.X
As well as kernel options:
##################
# Kernel options #
##################
kern options SC_NO_HISTORY # Don't keep history, so
# there can't be scrolled
kern options SC_DISABLE_REBOOT # Disable ctrl+alt+del
#kern options SC_DISABLE_DDBKEY # Uncomment if using the
# kernel debugger
Finally, there is an entire section for permissions and file flags:
#################################
# Restrict access to suid files #
#################################
# If you want /somefile to have:
# Permissions 0000
# User root
# Group wheel
# Flags uappnd and schg
# Just write:
# file /somefile p: 0000 u: root g: wheel f: uappnd,schg
file /bin/rcp p: disable
file /sbin/mksnap_ffs p: noWorld
file /sbin/ping p: noWorld
<snip long list of files>
################################
# Restrict access to gid files #
################################
file /usr/bin/fstat p: noWorld
file /usr/bin/netstat p: noWorld
file /usr/bin/vmstat p: noWorld
file /usr/bin/wall p: noWorld
file /usr/bin/write p: noWorld
file /usr/bin/lpq p: noWorld
file /usr/bin/lpr p: noWorld
file /usr/bin/lprm p: noWorld
file /usr/libexec/sendmail/sendmail p: noWorld
file /usr/sbin/trpt p: noWorld
file /usr/sbin/lpc p: noWorld
########################################
# Restrict access to information files #
########################################
# if you change permissions on files also listed in /etc/newsyslog.conf,
# Lockdown will also adjust /etc/newsyslog.conf accordingly
file /sbin/sysctl p: noWorld
file /usr/bin/uname p: noWorld
file /sbin/kldstat p: noWorld
#file /usr/bin/netstat p: noWorld #Uncomment if using 4.X
file /sbin/route p: noWorld
<snip long list of files>
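Because the "file" directives are compact, it helps to see the commands each one expands to before letting a script loose on /bin and /sbin. The parser below is an added example, not the column's or lockdown's own code. It takes "p: noWorld" to mean "remove all world (other) permission bits" and "p: disable" to mean mode 0000, and passes any other p: value to chmod unchanged; those readings are assumptions, not lockdown's documented semantics. The directives in its sample configuration are copied from the excerpt above, and commented-out lines are skipped just as the excerpt's leading "#" suggests.

```shell
#!/bin/sh
# Added example (not from the column or from lockdown): parse the "file"
# directives and turn each into the chmod/chown/chflags commands it implies,
# giving a dry-run plan to review before anything touches a live system.
# Assumptions: "p: noWorld" = strip world bits (o-rwx), "p: disable" = mode
# 0000, any other p: value is handed to chmod as-is.  These readings are mine;
# the sample directives below are copied from the column's excerpt.

# mode_arg KEYWORD: translate a p: value into a chmod argument.
mode_arg() {
    case $1 in
        noWorld) echo "o-rwx" ;;
        disable) echo "0000" ;;
        *)       echo "$1" ;;
    esac
}

# directive_to_commands "file PATH p: MODE [u: USER] [g: GROUP] [f: FLAGS]":
# print the implied commands, one per line; return 1 on a malformed directive.
directive_to_commands() {
    set -- $1                                   # split the directive into words
    [ "$1" = "file" ] && [ $# -ge 4 ] || return 1
    path=$2; shift 2
    mode=""; owner=""; group=""; flags=""
    while [ $# -ge 2 ]; do
        case $1 in
            p:) mode=$2 ;;
            u:) owner=$2 ;;
            g:) group=$2 ;;
            f:) flags=$2 ;;
            *)  return 1 ;;                     # unknown key
        esac
        shift 2
    done
    [ -n "$mode" ] && echo "chmod $(mode_arg "$mode") $path"
    if [ -n "$owner" ] && [ -n "$group" ]; then echo "chown $owner:$group $path"
    elif [ -n "$owner" ]; then echo "chown $owner $path"
    elif [ -n "$group" ]; then echo "chgrp $group $path"
    fi
    [ -n "$flags" ] && echo "chflags $flags $path"   # flags go last: schg locks the file
    return 0
}

# plan_file_section CONFIG: expand every active "file" line in CONFIG into a
# command plan; commented-out directives are not matched by the grep.
plan_file_section() {
    grep '^file ' "$1" | while read -r line; do
        line=${line%%#*}                        # drop a trailing comment
        directive_to_commands "$line" || echo "# skipped malformed: $line"
    done
}

# apply_mode KEYWORD FILE: apply just the permission part to a local file.
apply_mode() {
    chmod "$(mode_arg "$1")" "$2"
}

# make_sample_config FILE: constructed excerpt using directives from the column.
make_sample_config() {
    cat > "$1" <<'EOF'
# file /somefile p: 0000 u: root g: wheel f: uappnd,schg
file /bin/rcp p: disable
file /sbin/ping p: noWorld
file /usr/bin/fstat p: noWorld
#file /usr/bin/netstat p: noWorld #Uncomment if using 4.X
file /sbin/sysctl p: noWorld
EOF
}

cfg=$(mktemp)
make_sample_config "$cfg"
echo "# dry-run plan from $cfg"
plan_file_section "$cfg"
rm -f "$cfg"
```

Piping the plan into sh would apply it, but the value of the exercise is reading it first: a chflags schg line in particular cannot be undone at securelevel 3 without a reboot, which is exactly the sort of interaction the kern_securelevel setting from the rc.conf section and this section have with each other.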
I was very pleased with the comprehensiveness of the configuration file and how easy it is to make my own changes. If you wish to suggest additional sections to the file, Daniel is open to suggestions. See his site for contact information.
Also, I'm open to suggestions for future articles you'd like to see in this series. Drop me a line if there is a port or a feature of FreeBSD that you'd like to see demonstrated.
Finally, if you live in North America, mark May 13-16 on your calendar and see if you can find a way to make it to Ottawa, Ontario, Canada. Yes, BSDCan is fast approaching and there is an amazing lineup of presenters. Here's your chance to meet with other FreeBSD users and to put faces to those names you see at the FreeBSD site and on the mailing lists. I'll be manning the registration desk and look forward to seeing you there. We'll also try to have copies of BSD Hacks available.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Copyright © 2007 O'Reilly Media, Inc.