NIST Security Configuration Checklists Repository

FreeBSD Benchmark

Name FreeBSD Benchmark
Version Version 1.0.5
Status Final
Creation Date 2005-10-21
Revision Date 2005-10-21
Product Category Operating System
Vendor FreeBSD Project
Product FreeBSD
Product Version FreeBSD Versions 4.8 and above
Product Role Server operating system, desktop operating system
Checklist Summary This document provides recommendations for securing FreeBSD operating systems. This benchmark document covers FreeBSD version 4.8 and later for both servers and desktops. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.
Known Issues The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so they may be copied directly from this document into a root shell window with a "cut-and-paste" operation. The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin.sh shell and without noclobber set. Before performing the steps of this benchmark, it is a good idea to make backup copies of critical configuration files that may get modified by various benchmark items.
Target Audience Unix system and network administrators
Target Operational Environment Enterprise
Checklist Installation Tools Not Available.
Rollback Capability Not Available.
Testing Information Not Available.
NIAP/CMVP Status  
Regulatory Compliance   
Comments, Warnings, Disclaimer, Miscellaneous
Refer to Known Issues.
Disclaimer Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support  
Submitting Organization/Authors The Center for Internet Security (CIS)
Point of Contact Freebsd-feedback@lists.cisecurity.org
Sponsor  
Licensing

Commercial use license

EDUCAUSE Member license

US Federal, state and local government agency license


Checklist Homepage http://www.cisecurity.org/
Download Package http://www.cisecurity.org/sub_form.html
Integrity sha1 (CIS_FreeBSD_Benchmark_v1.0.5.pdf) = 7f69347de51c558182b4e404ff8cbbb0793fc72f

sha256 (CIS_FreeBSD_Benchmark_v1.0.5.pdf) = ec44630e83b8468260dc8f7458947ceba5954b7ed6bd6821313b4e7d5a556aa4
Change History

Version 1.0.4: 2004-08-11
Version 1.0.5: 2005-10-21

Dependency/Requirement  
References Free benchmark documents and security tools for various OS platforms and applications:
http://www.cisecurity.org/

Pre-compiled software packages for various OS platforms:
ftp://ftp.cisecurity.org/

Patches and related documentation:
http://www.FreeBSD.org/security/

The FreeBSD documentation project:
http://www.FreeBSD.org/docs.html/

The TrustedBSD Project:
http://www.TrustedBSD.org/

The FreeBSD security manual page:
http://www.freebsd.org/cgi/man.cgi?query=security&manpath=FreeBSD+5.2-current&format=html

Primary source for information on NTP:
http://www.ntp.org/

Information on MIT Kerberos:
http://web.mit.edu/kerberos/www/

Apache "Security Tips" document:
http://httpd.apache.org/docs-2.0/misc/security_tips.html/

Information on Sendmail and DNS:
http://www.sendmail.org/

The FreeBSD ports collection:
http://www.FreeBSD.org/ports/

OpenSSH (secure encrypted network logins):
http://www.openssh.org/

TCP Wrappers source distribution and documentation:
ftp://ftp.porcupine.org/

PortSentry (monitors unused network ports for unauthorized access):
http://www.psionic.com/products/portsentry.html/

Open Source Sendmail (email server) distributions:
ftp://ftp.sendmail.org/

LPRng (Open Source replacement printing system for Unix):
http://www.lprng.org/

Tripwire (free and commercial file system integrity checking software):
http://www.tripwire.com/products/tripwire_asr/
http://www.tripwire.org/

sudo (provides fine-grained access controls for superuser activity):
http://www.courtesan.com/sudo/

Nessus (free remote security scanner):
http://www.nessus.org/

Common UNIX Printing System (CUPS):
http://www.cups.org/
NIST Identifier 1046



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: November 17, 2006
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration