
✨ freebsd: add time-synchronization and pkg signature-verification checks #2917

Open

tas50 wants to merge 3 commits into main from freebsd-timesync-pkgsig

Conversation

tas50 (Member) commented Jun 20, 2026

What

Adds two new hardening checks to mondoo-freebsd-security, porting control patterns that landed for Linux and Nutanix in the last two weeks (time synchronization, package signature verification) but had no FreeBSD coverage (grep confirmed zero NTP/chrony and zero pkg-signature checks in the policy).

1. mondoo-freebsd-security-time-synchronization-is-enabled — impact 60

Asserts a time daemon is enabled and running:

service("ntpd").enabled && service("ntpd").running ||
service("openntpd").enabled && service("openntpd").running ||
service("chronyd").enabled && service("chronyd").running

FreeBSD ships ntpd in the base system but does not enable it by default. Clock sync underpins log/forensic correlation, Kerberos/cert validity, and audit-trail integrity. Anchored to mondoo-freebsd-security-firewall-is-enabled (impact 60).

2. mondoo-freebsd-security-pkg-signature-verification-is-enabled — impact 80

Asserts the base FreeBSD pkg repo enforces fingerprint signatures:

file("/etc/pkg/FreeBSD.conf").content.contains(/signature_type:\s*"fingerprints"/)

Downgrading signature_type to "none" disables verification, opening a supply-chain/MITM path to root-level code at install. Anchored down from aslr-is-enabled (impact 90) into the 80–89 band. The audit: step shows how to confirm the effective per-repo value via pkg -vv.

Compliance tags

Verified per-framework against the enterprise framework definitions — not copied from neighbors. Highlights:

  • Time sync → ISO 27001:2022 a-8-17 (Clock synchronization), NIST 800-53 sc-45 (System Time Synchronization), NIST 800-171 3-3-7, PCI DSS 4 10.6.1, CSA CCM log-06, BSI sys-1-5-a7. false where no control fits (DORA, HIPAA, NIS2, CSF 1/2, SOC2, VDA-ISA).
  • pkg signatures → NIST 800-53 cm-14 (Signed Components), ISO 27001:2022 a-8-19, NIST CSF1 pr-ds-6, CSF2 id-ra-09, NIST 800-171 3-4-8, NIS2 21-2-d (Supply chain). false where no control fits.

Notes

  • OS policy → cli / sh / ansible remediation (no Terraform variants, consistent with siblings).
  • Policy version bumped 1.0.4 → 1.1.0.
  • cnspec policy lint content/mondoo-freebsd-security.mql.yaml → valid policy bundle. (The remediation CLI validator does not cover FreeBSD's sysrc/pkg.)

🤖 Generated with Claude Code

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks for time synchronization and pkg signature verification; one MQL operator-precedence concern.

2 comment threads on content/mondoo-freebsd-security.mql.yaml
github-actions bot commented Jun 20, 2026

Test Results

1 file (±0), 44 suites (±0), 1m 34s (-5s)
854 tests (±0): 853 passed, 1 skipped, 0 failed
855 runs (±0): 854 passed, 1 skipped, 0 failed

Results for commit c83446d. ± Comparison against base commit 5c0d2f3.

♻️ This comment has been updated with latest results.

tas50 (Member, Author) commented Jun 20, 2026

Addressed both review points in the latest commit:

  1. Operator precedence (time-sync): rather than add parentheses (MQL's && already binds tighter than ||, and the grouped form isn't the idiom here), I rewrote it to an unambiguous list form that removes the question entirely:
    ["ntpd", "openntpd", "chronyd"].any(service(_).enabled && service(_).running)
    
  2. pkg custom repos: good catch — the check now also scans /usr/local/etc/pkg/repos/*.conf and fails if any custom repo sets signature_type: "none", so an unsigned custom repo can't slip past the base-repo check. Broadened the desc Scope note accordingly.

mondoo-code-review bot dismissed their stale review June 20, 2026 14:53: superseded by new review

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks for time synchronization and pkg signature verification, with one MQL query concern.

3 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 (Member, Author) commented Jun 20, 2026

Addressed the two latest comments:

  • /etc/pkg/FreeBSD.conf may not exist: added an .exists guard — file("/etc/pkg/FreeBSD.conf").exists && file(...).content.contains(...) — so a missing file on a minimal/custom install fails cleanly rather than erroring. (Matches the established idiom used in the Linux/macOS policies.)
  • pubkey vs none intent: documented in desc. Both fingerprints (the official repo default) and pubkey are real verification mechanisms, so the custom-repo condition intentionally rejects only signature_type: "none". Also noted that an omitted signature_type defaults to no verification, so each custom repo should declare a type explicitly.

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks; one MQL query has a logic concern worth verifying.

3 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 (Member, Author) commented Jun 20, 2026

/review

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks; one MQL query has a logic concern worth verifying.

3 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 requested a review from syrull on June 20, 2026 15:02
tas50 force-pushed the freebsd-timesync-pkgsig branch from dfb679c to 52455e9 on June 21, 2026 04:07

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks for time sync and pkg signature verification; one MQL query concern.

2 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 force-pushed the freebsd-timesync-pkgsig branch from 52455e9 to 27cd443 on June 23, 2026 00:32

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks; one MQL query has a logic issue worth addressing.

4 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 force-pushed the freebsd-timesync-pkgsig branch from 27cd443 to f4fb540 on June 26, 2026 20:45
mondoo-code-review bot dismissed their stale review June 26, 2026 20:45: superseded by new review

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks; one MQL query has a logic concern worth verifying.

3 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 force-pushed the freebsd-timesync-pkgsig branch from f4fb540 to 1fc1235 on June 26, 2026 21:16

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks for time sync and pkg signature verification; one MQL query concern.

3 comment threads on content/mondoo-freebsd-security.mql.yaml
tas50 and others added 3 commits June 29, 2026 10:22
…ecks

Two new hardening checks for the FreeBSD security policy, porting patterns
that landed for Linux/Nutanix in the last two weeks:

- time-synchronization-is-enabled: asserts a time daemon (ntpd/openntpd/
  chronyd) is enabled and running. Clock sync underpins log/forensic
  correlation, Kerberos/cert validity, and audit-trail integrity; FreeBSD
  ships ntpd in the base system but does not enable it by default.
- pkg-signature-verification-is-enabled: asserts the base FreeBSD pkg repo
  enforces fingerprint signature verification, rejecting tampered or
  MITM'd packages.

Compliance tags verified per-framework against the enterprise framework
definitions (false where no control genuinely fits). Policy version bumped
1.0.4 -> 1.1.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kg coverage

- time-sync: rewrite the daemon check as
  `["ntpd","openntpd","chronyd"].any(service(_).enabled && service(_).running)`
  to remove any &&/|| precedence ambiguity (reviewer concern) without
  relying on parenthesized grouping.
- pkg signatures: also scan custom repo configs under
  /usr/local/etc/pkg/repos/*.conf and fail if any sets signature_type "none",
  closing the gap where the base-repo-only check could miss an unsigned
  custom repo. Documented the broadened scope in desc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address review:
- Add a file(...).exists guard so a missing /etc/pkg/FreeBSD.conf fails
  cleanly instead of erroring on minimal/custom installs.
- Document intent in desc: both fingerprints and pubkey are valid
  verification mechanisms, so the custom-repo condition rejects only
  signature_type "none"; note an omitted type defaults to no verification,
  so each custom repo should declare one explicitly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tas50 force-pushed the freebsd-timesync-pkgsig branch from 1fc1235 to c83446d on June 29, 2026 17:22

mondoo-code-review bot left a comment

Well-structured FreeBSD security checks; one MQL query has a logic gap worth addressing.

@@ -3,7 +3,7 @@
policies:
- uid: mondoo-freebsd-security
name: Mondoo FreeBSD Security
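Review bot: this hunk as excerpted shows only three unchanged context lines (policies, uid, name); the version field that the 1.0.4 → 1.1.0 bump modifies is outside the visible lines, so the bump cannot be confirmed from this excerpt and a reader has to trust the comment below rather than the diff.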


🔵 suggestion — Version bump from 1.0.4 → 1.1.0 is appropriate for new checks. No issue here, just noting it's correct.

Comment on lines +5378 to +5379

To confirm the effective per-repository setting across all configured repositories, run:


🟡 warning — The MQL query for pkg signature verification is two independent statements:

file("/etc/pkg/FreeBSD.conf").exists && file("/etc/pkg/FreeBSD.conf").content.contains(/signature_type:\s*"fingerprints"/)
files.find(from: "/usr/local/etc/pkg/repos", regex: "[.]conf$", type: "file").list.all(content.contains(/signature_type:\s*"none"/) == false)

The second statement (custom repos) is not joined to the first with &&, so depending on MQL evaluation semantics, these may be evaluated as two separate assertions rather than a single conjunctive check. If MQL treats bare top-level statements as implicit AND this is fine, but if it only reports the result of the last statement, the base-repo check is silently ignored.

Please confirm that two separate top-level statements in MQL are indeed conjunctive. If not, join them with && (you may need to wrap across lines).


If the `FreeBSD` repository block sets `signature_type: "fingerprints"`, the check passes. If it sets `signature_type: "none"`, verification is disabled and the check fails.

To confirm the effective per-repository setting across all configured repositories, run:


🟡 warning — The custom-repo check rejects signature_type: "none" but the docs note that an omitted signature_type also defaults to no verification. The current regex signature_type:\s*"none" won't catch a repo file that simply omits the directive entirely. Consider adding a positive check that every custom repo file does contain a signature_type declaration, e.g.:

files.find(...).list.all(
  content.contains(/signature_type:/) &&
  content.contains(/signature_type:\s*"none"/) == false
)

This aligns the check with the docs' own recommendation: "ensure every custom repo declares a verification type explicitly."
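As an added example that is not part of this PR or the Mondoo policy bundle, the POSIX sh script below performs the pkg repository audit described in the PR body and refined in the review above, outside MQL: it classifies each pkg repo config by the signature_type it declares, treats an omitted directive as failing (the default-to-no-verification case the author and the reviewer both raise), and ignores commented-out lines. It runs offline against constructed sample configs written to a temp dir; the repository names, URLs and key paths in those samples are hypothetical, and only the base file mirrors the stock /etc/pkg/FreeBSD.conf layout. The parser is a line-oriented approximation of UCL, so on a real host pkg -vv remains the authoritative view of the effective per-repo setting.

```shell
#!/bin/sh
# Added example, not code from the PR or the Mondoo policy bundle.
# Audits pkg(8) repository configs the way the policy's regex does, plus the
# "omitted signature_type" case. Line-oriented approximation of UCL; on a
# real host `pkg -vv` remains the authoritative view.

# Print the signature_type a repo conf declares, lower-cased:
#   fingerprints | pubkey | none | missing | unknown:<value>
# Comments are stripped first so a commented-out directive does not count.
repo_sig_type() {
    t=$(sed -e 's/#.*$//' "$1" \
        | sed -n 's/.*signature_type[[:space:]]*[:=][[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' \
        | head -n 1 | tr '[:upper:]' '[:lower:]')
    case "$t" in
        fingerprints|pubkey|none) echo "$t" ;;
        "")                       echo "missing" ;;
        *)                        echo "unknown:$t" ;;
    esac
}

# Base repo: the stock /etc/pkg/FreeBSD.conf must exist and use fingerprints.
# A missing file is a failure, not an error (the .exists guard in the PR).
base_repo_ok() {
    [ -f "$1" ] && [ "$(repo_sig_type "$1")" = "fingerprints" ]
}

# Custom repos: every *.conf under DIR must declare fingerprints or pubkey.
# "none" and an absent directive both fail, since pkg defaults to no
# verification when the key is missing. Returns 0 on pass, 1 on any failure,
# printing one FAIL line per offending file.
repos_verified() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue          # no custom repos configured: pass
        st=$(repo_sig_type "$f")
        case "$st" in
            fingerprints|pubkey) ;;
            *) echo "FAIL $f: signature_type=$st"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs for an offline dry run. Repo names, URLs and key
# paths are hypothetical; the base file mirrors the stock FreeBSD.conf layout.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/base" "$d/repos"
    cat > "$d/base/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
    cat > "$d/repos/internal.conf" <<'EOF'
# hypothetical poudriere repo signed with an RSA public key
internal: {
  url: "https://pkg.example.internal/${ABI}/latest",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/pkg.pub",
  enabled: yes
}
EOF
    cat > "$d/repos/unsigned.conf" <<'EOF'
scratch: {
  url: "http://10.0.0.5/pkg",
  signature_type: "none",
  enabled: yes
}
EOF
    cat > "$d/repos/omitted.conf" <<'EOF'
# signature_type deliberately absent: pkg treats this as no verification
legacy: {
  url: "http://10.0.0.6/pkg",
  enabled: yes
}
EOF
    echo "$d"
}

# Dry run. On a real host use /etc/pkg/FreeBSD.conf and /usr/local/etc/pkg/repos.
SAMPLES=$(make_samples)
if base_repo_ok "$SAMPLES/base/FreeBSD.conf" && repos_verified "$SAMPLES/repos"; then
    echo "pkg signature verification: PASS"
else
    echo "pkg signature verification: FAIL"
fi
rm -rf "$SAMPLES"
```

On the constructed samples the run reports FAIL twice (the "none" repo and the repo with no directive) while the pubkey repo passes, which is exactly the split the reviewer asks the MQL to make. To use it on a host, call base_repo_ok /etc/pkg/FreeBSD.conf and repos_verified /usr/local/etc/pkg/repos, then cross-check any surprise with pkg -vv.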
