✨ freebsd: add time-synchronization and pkg signature-verification checks#2917
tas50 wants to merge 3 commits into
Conversation
Addressed both review points in the latest commit:
Addressed the two latest comments:
/review
dfb679c to 52455e9
52455e9 to 27cd443
27cd443 to f4fb540
f4fb540 to 1fc1235
…ecks

Two new hardening checks for the FreeBSD security policy, porting patterns that landed for Linux/Nutanix in the last two weeks:

- time-synchronization-is-enabled: asserts a time daemon (ntpd/openntpd/chronyd) is enabled and running. Clock sync underpins log/forensic correlation, Kerberos/cert validity, and audit-trail integrity; FreeBSD ships ntpd in the base system but does not enable it by default.
- pkg-signature-verification-is-enabled: asserts the base FreeBSD pkg repo enforces fingerprint signature verification, rejecting tampered or MITM'd packages.

Compliance tags verified per-framework against the enterprise framework definitions (false where no control genuinely fits). Policy version bumped 1.0.4 -> 1.1.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kg coverage

- time-sync: rewrite the daemon check as `["ntpd","openntpd","chronyd"].any(service(_).enabled && service(_).running)` to remove any &&/|| precedence ambiguity (reviewer concern) without relying on parenthesized grouping.
- pkg signatures: also scan custom repo configs under /usr/local/etc/pkg/repos/*.conf and fail if any sets signature_type "none", closing the gap where the base-repo-only check could miss an unsigned custom repo. Documented the broadened scope in desc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address review:

- Add a file(...).exists guard so a missing /etc/pkg/FreeBSD.conf fails cleanly instead of erroring on minimal/custom installs.
- Document intent in desc: both fingerprints and pubkey are valid verification mechanisms, so the custom-repo condition rejects only signature_type "none"; note an omitted type defaults to no verification, so each custom repo should declare one explicitly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1fc1235 to c83446d
@@ -3,7 +3,7 @@
policies:
- uid: mondoo-freebsd-security
name: Mondoo FreeBSD Security
🔵 suggestion — Version bump from 1.0.4 → 1.1.0 is appropriate for new checks. No issue here, just noting it's correct.
To confirm the effective per-repository setting across all configured repositories, run:
🟡 warning — The MQL query for pkg signature verification is two independent statements:
file("/etc/pkg/FreeBSD.conf").exists && file("/etc/pkg/FreeBSD.conf").content.contains(/signature_type:\s*"fingerprints"/)
files.find(from: "/usr/local/etc/pkg/repos", regex: "[.]conf$", type: "file").list.all(content.contains(/signature_type:\s*"none"/) == false)
The second statement (custom repos) is not joined to the first with &&, so depending on MQL evaluation semantics, these may be evaluated as two separate assertions rather than a single conjunctive check. If MQL treats bare top-level statements as implicit AND this is fine, but if it only reports the result of the last statement, the base-repo check is silently ignored.
Please confirm that two separate top-level statements in MQL are indeed conjunctive. If not, join them with && (you may need to wrap across lines).
If the `FreeBSD` repository block sets `signature_type: "fingerprints"`, the check passes. If it sets `signature_type: "none"`, verification is disabled and the check fails.
To confirm the effective per-repository setting across all configured repositories, run:
🟡 warning — The custom-repo check rejects signature_type: "none" but the docs note that an omitted signature_type also defaults to no verification. The current regex signature_type:\s*"none" won't catch a repo file that simply omits the directive entirely. Consider adding a positive check that every custom repo file does contain a signature_type declaration, e.g.:
files.find(...).list.all(
content.contains(/signature_type:/) &&
content.contains(/signature_type:\s*"none"/) == false
)
This aligns the check with the docs' own recommendation: "ensure every custom repo declares a verification type explicitly."
What

Adds two new hardening checks to `mondoo-freebsd-security`, porting control patterns that landed for Linux and Nutanix in the last two weeks (time synchronization, package signature verification) but had no FreeBSD coverage (`grep` confirmed zero NTP/chrony and zero pkg-signature checks in the policy).

1. `mondoo-freebsd-security-time-synchronization-is-enabled` — impact 60

Asserts a time daemon is enabled and running:

FreeBSD ships `ntpd` in the base system but does not enable it by default. Clock sync underpins log/forensic correlation, Kerberos/cert validity, and audit-trail integrity. Anchored to `mondoo-freebsd-security-firewall-is-enabled` (impact 60).

2. `mondoo-freebsd-security-pkg-signature-verification-is-enabled` — impact 80

Asserts the base FreeBSD pkg repo enforces fingerprint signatures:

Downgrading `signature_type` to `"none"` disables verification, opening a supply-chain/MITM path to root-level code at install. Anchored down from `aslr-is-enabled` (impact 90) into the 80–89 band. The `audit:` step shows how to confirm the effective per-repo value via `pkg -vv`.

Compliance tags

Verified per-framework against the enterprise framework definitions — not copied from neighbors. Highlights:

- `a-8-17` (Clock synchronization), NIST 800-53 `sc-45` (System Time Synchronization), NIST 800-171 `3-3-7`, PCI DSS 4 `10.6.1`, CSA CCM `log-06`, BSI `sys-1-5-a7`. `false` where no control fits (DORA, HIPAA, NIS2, CSF 1/2, SOC2, VDA-ISA).
- `cm-14` (Signed Components), ISO 27001:2022 `a-8-19`, NIST CSF 1 `pr-ds-6`, CSF 2 `id-ra-09`, NIST 800-171 `3-4-8`, NIS2 `21-2-d` (Supply chain). `false` where no control fits.

Notes

- `cli`/`sh`/`ansible` remediation (no Terraform variants, consistent with siblings).
- `1.0.4` → `1.1.0`.
- `cnspec policy lint content/mondoo-freebsd-security.mql.yaml` → valid policy bundle. (The remediation CLI validator does not cover FreeBSD's `sysrc`/`pkg`.)

🤖 Generated with Claude Code
cli/sh/ansibleremediation (no Terraform variants, consistent with siblings).1.0.4→1.1.0.cnspec policy lint content/mondoo-freebsd-security.mql.yaml→ valid policy bundle. (The remediation CLI validator does not cover FreeBSD'ssysrc/pkg.)🤖 Generated with Claude Code