https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294167

This is far from my area of expertise so any additional comments there on what the Handbook should include would be welcome. Obviously there will be some hardening requirements for personal laptops that are different to hardening for servers and vice versa, which makes structuring the chapter a bit tricky. In fact one of my complaints in the PR is that advice which should be drilled into all users, like taking note of FreeBSD Security Advisories, is at the very bottom of a long page - anybody who reads that far will have to get past a lot of material only relevant for more specialist use cases.

https://docs.freebsd.org/en/books/handbook/security/

1. Use ZFS. Unless you are severely memory constrained, ZFS is the sane choice. I even use ZFS for single disk installations.

2. Set a ZFS refreservation to prevent the disk from filling up completely. ZFS does NOT like full disks.

zfs create -o refreservation=<5-10 percent of total pool space> <poolname>/reserved\n

3. Enable automagick ZFS scrubbing:

sysrc -f /etc/periodic.conf daily_scrub_zfs_enable=YES
sysrc -f /etc/periodic.conf daily_scrub_zfs_default_threshold=7

4. My "standard" set of sysctl.conf settings, most of these can be set during installation. Most of them are security oriented, the last one is because the ZFS default is almost always too low.

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.vdev.min_auto_ashift=12

5. enable jumbo frames, sizing is card dependent, and changes if I am using VLANs or not. But I aim for interfaces that are directly speaking IP to have an MTU of 9000, because damn near everything supports that.

ex:

ifconfig_ix0="up mtu 9100 ... "
create_args_vlan1005="vlan 1005 vlandev ix0 mtu 9000 ... "

6. Disable various NIC offloading capabilities. I have never seen them work well under load. Your mileage may vary, and admittedly I haven't retested this since probably 13.something-RELEASE, but I was getting an order of magnitude better performance with it all switched off:

ifconfig_ix0="... -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -lro -vlanhwtag -vlanhwtso -vlanhwcsum -mextpg

7. Disable password authentication in /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

7. Install rocinante, and bastille if this is going to be a jail host. I try to keep my base systems fairly lean.

• https://docs.freebsd.org/en/books/handbook/security/
• https://github.com/wravoc/harden-freebsd (comments at https://forums.freebsd.org/threads/my-freebsd-hardening-script.89523/)
• https://www.freebsdsoftware.org/blog/hardening-freebsd-server/
• https://vez.mrsk.me/freebsd-defaults
• https://hardenedbsd.org/content/about