✨ freebsd: add time-synchronization and pkg signature-verification checks #2917
@@ -3,7 +3,7 @@ | |
| policies: | ||
| - uid: mondoo-freebsd-security | ||
| name: Mondoo FreeBSD Security | ||
🔵 suggestion — Version bump from 1.0.4 → 1.1.0 is appropriate for new checks. No issue here, just noting it's correct.
| version: 1.0.4 | ||
| version: 1.1.0 | ||
| license: BUSL-1.1 | ||
| tags: | ||
| mondoo.com/category: security | ||
@@ -124,6 +124,16 @@ policies: | |
| asset.platform == "freebsd" | ||
| checks: | ||
| - uid: mondoo-freebsd-security-firewall-is-enabled | ||
| - title: System Services | ||
| filters: | | ||
| asset.platform == "freebsd" | ||
| checks: | ||
| - uid: mondoo-freebsd-security-time-synchronization-is-enabled | ||
| - title: Software Integrity | ||
| filters: | | ||
| asset.platform == "freebsd" | ||
| checks: | ||
| - uid: mondoo-freebsd-security-pkg-signature-verification-is-enabled | ||
| scoring_system: highest impact | ||
| queries: | ||
| - uid: mondoo-freebsd-security-aslr-is-enabled | ||
@@ -5231,3 +5241,216 @@ queries: | |
| name: ipfw | ||
| state: started | ||
| ``` | ||
| - uid: mondoo-freebsd-security-time-synchronization-is-enabled | ||
| title: Ensure a time synchronization daemon is enabled | ||
| impact: 60 | ||
| tags: | ||
| compliance/bsi-sys-1-5: bsi-sys-1-5-a7 | ||
| compliance/csa-cloud-controls-matrix-4: cloud-controls-matrix-4-log-06 | ||
| compliance/dora: false | ||
| compliance/hipaa: false | ||
| compliance/iso-27001-2022: iso-27001-2022-a-8-17 | ||
| compliance/nis-2: false | ||
| compliance/nist-csf-1: false | ||
| compliance/nist-csf-2: false | ||
| compliance/nist-sp-800-53-rev5: nist-sp-800-53-rev5-sc-45 | ||
| compliance/nist-sp-800-171: nist-sp-800-171--3-3-7 | ||
| compliance/pci-dss-4: pcidss-requirement-10-6-1 | ||
| compliance/soc2-2017: false | ||
| compliance/vda-isa-5: false | ||
| mql: | | ||
| ["ntpd", "openntpd", "chronyd"].any(service(_).enabled && service(_).running) | ||
| docs: | ||
| refs: | ||
| - url: https://man.freebsd.org/cgi/man.cgi?query=ntpd&sektion=8 | ||
| title: FreeBSD ntpd(8) | ||
| desc: | | ||
| This check verifies that a time synchronization daemon is enabled and running. FreeBSD ships `ntpd` in the base system, but it is not enabled by default; OpenNTPD and chrony are available as alternatives from packages. | ||
|
|
||
| **Why this matters** | ||
|
|
||
| - **Log and forensic correlation:** Accurate clocks let events from multiple hosts be lined up on a single timeline. Skewed clocks make it impossible to reconstruct the true order of events during an incident investigation. | ||
| - **Kerberos and certificate validity:** Kerberos authentication rejects tickets when clocks drift beyond a few minutes, and TLS certificate `notBefore`/`notAfter` checks depend on a correct system time. A drifting clock breaks authentication and can cause valid certificates to be rejected or expired ones to be accepted. | ||
| - **Audit-trail integrity:** Time stamps on audit and system logs are only trustworthy when the clock is synchronized to an authoritative source, which is a prerequisite for many compliance regimes. | ||
| audit: | | ||
| To verify that a time synchronization daemon is active, run the following commands: | ||
|
|
||
| ```bash | ||
| service ntpd status | ||
| sysrc -n ntpd_enable | ||
| ``` | ||
|
|
||
| If `service ntpd status` reports the service is running and `ntpd_enable` is `YES`, the check passes. If you run OpenNTPD or chrony instead, check the equivalent service and rc.conf variable (`service openntpd status` / `sysrc -n openntpd_enable`, or `service chronyd status` / `sysrc -n chronyd_enable`). If no time synchronization daemon is enabled and running, the check fails. | ||
| remediation: | ||
| - id: cli | ||
| desc: | | ||
| **Using the CLI** | ||
|
|
||
| Enable and start `ntpd` from the base system. The `ntpd_sync_on_start` option steps the clock at startup so large initial offsets are corrected immediately rather than slewed slowly: | ||
|
|
||
| ```bash | ||
| sysrc ntpd_enable="YES" | ||
| sysrc ntpd_sync_on_start="YES" | ||
| service ntpd start | ||
| ``` | ||
| - id: sh | ||
| desc: | | ||
| **Using a Shell Script** | ||
|
|
||
| ```sh | ||
| #!/bin/sh | ||
| set -e | ||
|
|
||
| echo "Enabling time synchronization daemon (ntpd)..." | ||
| sysrc ntpd_enable="YES" | ||
| sysrc ntpd_sync_on_start="YES" | ||
| service ntpd start 2>/dev/null || service ntpd onestart 2>/dev/null || true | ||
|
|
||
| echo "ntpd enabled and started." | ||
| ``` | ||
| - id: ansible | ||
| desc: | | ||
| To enable a time synchronization daemon using Ansible: | ||
|
|
||
| 1. Add the following tasks to a playbook targeting the FreeBSD host. | ||
| 2. Run the playbook. | ||
|
|
||
| ```yaml | ||
| - name: Enable ntpd in rc.conf | ||
| community.general.sysrc: | ||
| name: "{{ item.name }}" | ||
| value: "{{ item.value }}" | ||
| loop: | ||
| - { name: ntpd_enable, value: 'YES' } | ||
| - { name: ntpd_sync_on_start, value: 'YES' } | ||
|
|
||
| - name: Start the ntpd service | ||
| ansible.builtin.service: | ||
| name: ntpd | ||
| state: started | ||
| ``` | ||
| - uid: mondoo-freebsd-security-pkg-signature-verification-is-enabled | ||
| title: Ensure pkg repository signature verification is enabled | ||
| impact: 80 | ||
| tags: | ||
| compliance/bsi-sys-1-5: false | ||
| compliance/csa-cloud-controls-matrix-4: false | ||
| compliance/dora: false | ||
| compliance/hipaa: false | ||
| compliance/iso-27001-2022: iso-27001-2022-a-8-19 | ||
| compliance/nis-2: nis-2-21-2-d | ||
| compliance/nist-csf-1: nist-csf-1-pr-ds-6 | ||
| compliance/nist-csf-2: nist-csf-2-id-ra-09 | ||
| compliance/nist-sp-800-53-rev5: nist-sp-800-53-rev5-cm-14 | ||
| compliance/nist-sp-800-171: nist-sp-800-171--3-4-8 | ||
| compliance/pci-dss-4: false | ||
| compliance/soc2-2017: false | ||
| compliance/vda-isa-5: false | ||
| mql: | | ||
| file("/etc/pkg/FreeBSD.conf").exists && file("/etc/pkg/FreeBSD.conf").content.contains(/signature_type:\s*"fingerprints"/) | ||
| files.find(from: "/usr/local/etc/pkg/repos", regex: "[.]conf$", type: "file").list.all(content.contains(/signature_type:\s*"none"/) == false) | ||
| docs: | ||
| refs: | ||
| - url: https://man.freebsd.org/cgi/man.cgi?query=pkg.conf&sektion=5 | ||
| title: FreeBSD pkg.conf(5) | ||
| desc: | | ||
| This check verifies that the base FreeBSD pkg repository enforces fingerprint-based signature verification, so that tampered or man-in-the-middle-modified packages are rejected at install time. The default `/etc/pkg/FreeBSD.conf` sets `signature_type: "fingerprints"`; downgrading it to `"none"` disables verification entirely. | ||
|
|
||
| **Why this matters** | ||
|
|
||
| - **Supply-chain integrity:** Packages are downloaded from a network mirror. Without signature verification, an attacker who controls a mirror or sits on the network path can substitute a malicious package that runs with root privileges during installation. | ||
| - **Tamper detection:** Fingerprint verification checks each package against trusted signing keys, so any modification to the package contents in transit or at rest on the mirror causes the install to fail rather than silently proceed. | ||
| - **Trusted provenance:** Enforcing signatures guarantees that installed software originates from the official FreeBSD signing infrastructure rather than an unverified source. | ||
|
|
||
| **Scope** | ||
|
|
||
| This check inspects the base repository configuration in `/etc/pkg/FreeBSD.conf` **and** any custom repository definitions under `/usr/local/etc/pkg/repos/*.conf`. It fails if `/etc/pkg/FreeBSD.conf` is missing or no longer enforces `signature_type: "fingerprints"` for the official repository, or if a custom repo explicitly disables verification with `signature_type: "none"`. | ||
|
|
||
| FreeBSD's `pkg` supports two verification mechanisms — `fingerprints` (the official repository's default, validated against the keys in `/usr/share/keys/pkg`) and `pubkey` — and both provide signature enforcement. The custom-repo condition therefore rejects only `signature_type: "none"`; a custom repo using `fingerprints` or `pubkey` is accepted. Because an omitted `signature_type` defaults to no verification, ensure every custom repo declares a verification type explicitly. The audit step shows how to confirm the effective setting across all configured repositories with `pkg -vv`. | ||
| audit: | | ||
| To verify that signature verification is enabled for the base repository, inspect its configuration: | ||
|
|
||
| ```bash | ||
| cat /etc/pkg/FreeBSD.conf | ||
| ``` | ||
|
|
||
| If the `FreeBSD` repository block sets `signature_type: "fingerprints"`, the check passes. If it sets `signature_type: "none"`, verification is disabled and the check fails. | ||
|
|
||
| To confirm the effective per-repository setting across all configured repositories, run: | ||
Comment on lines +5378 to +5379:

🟡 warning — The MQL query for pkg signature verification is two independent statements: The second statement (custom repos) is not joined to the first with Please confirm that two separate top-level statements in MQL are indeed conjunctive. If not, join them with

🟡 warning — The custom-repo check rejects This aligns the check with the docs' own recommendation: "ensure every custom repo declares a verification type explicitly."
|
|
||
| ```bash | ||
| pkg -vv | grep -i signature_type | ||
| ``` | ||
|
|
||
| Every active repository should report `signature_type = "fingerprints"`. A repository reporting `"none"` accepts unsigned packages and the check fails. | ||
| remediation: | ||
| - id: cli | ||
| desc: | | ||
| **Using the CLI** | ||
|
|
||
| 1. Restore fingerprint verification for the base repository by editing `/etc/pkg/FreeBSD.conf` so the `FreeBSD` block contains: | ||
|
|
||
| ```ini | ||
| signature_type: "fingerprints", | ||
| fingerprints: "/usr/share/keys/pkg" | ||
| ``` | ||
|
|
||
| 2. Ensure the fingerprint keys are present. They ship with the base system under `/usr/share/keys/pkg`: | ||
|
|
||
| ```bash | ||
| ls /usr/share/keys/pkg/trusted | ||
| ``` | ||
|
|
||
| If the directory is missing or empty, reinstall the keys from your FreeBSD source tree or restore them from a known-good host before re-running `pkg update`. | ||
| - id: sh | ||
| desc: | | ||
| **Using a Shell Script** | ||
|
|
||
| ```sh | ||
| #!/bin/sh | ||
| set -e | ||
|
|
||
| CONF=/etc/pkg/FreeBSD.conf | ||
|
|
||
| echo "Restoring pkg signature verification..." | ||
| if grep -q 'signature_type:[[:space:]]*"none"' "$CONF" 2>/dev/null; then | ||
| sed -i '' 's/signature_type:[[:space:]]*"none"/signature_type: "fingerprints"/' "$CONF" | ||
| echo "signature_type set to fingerprints in $CONF." | ||
| fi | ||
|
|
||
| if [ ! -d /usr/share/keys/pkg/trusted ]; then | ||
| echo "WARNING: /usr/share/keys/pkg/trusted is missing; restore the fingerprint keys before running pkg update." >&2 | ||
| fi | ||
|
|
||
| echo "pkg signature verification configured." | ||
| ``` | ||
| - id: ansible | ||
| desc: | | ||
| To restore pkg signature verification using Ansible: | ||
|
|
||
| 1. Add the following tasks to a playbook targeting the FreeBSD host. | ||
| 2. Run the playbook. | ||
|
|
||
| ```yaml | ||
| - name: Enforce fingerprint signature verification for the base repository | ||
| ansible.builtin.lineinfile: | ||
| path: /etc/pkg/FreeBSD.conf | ||
| regexp: '^\s*signature_type:' | ||
| line: ' signature_type: "fingerprints",' | ||
|
|
||
| - name: Ensure the fingerprints path is configured | ||
| ansible.builtin.lineinfile: | ||
| path: /etc/pkg/FreeBSD.conf | ||
| regexp: '^\s*fingerprints:' | ||
| line: ' fingerprints: "/usr/share/keys/pkg"' | ||
|
|
||
| - name: Confirm the trusted fingerprint keys are present | ||
| ansible.builtin.stat: | ||
| path: /usr/share/keys/pkg/trusted | ||
| register: pkg_keys | ||
|
|
||
| - name: Fail when the fingerprint keys are missing | ||
| ansible.builtin.fail: | ||
| msg: "/usr/share/keys/pkg/trusted is missing; restore the fingerprint keys before running pkg update." | ||
| when: not pkg_keys.stat.exists | ||
| ``` | ||
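Review bot: the second `mql` statement, `files.find(from: "/usr/local/etc/pkg/repos", regex: "[.]conf$", type: "file").list.all(content.contains(/signature_type:\s*"none"/) == false)`, only fails a custom repository file that explicitly sets `"none"`, yet the `Scope` paragraph in the same hunk states that an omitted `signature_type` defaults to no verification; a file under `/usr/local/etc/pkg/repos` that simply leaves the key out therefore passes, and the `sh` remediation (which only rewrites an explicit `"none"`) leaves that case untouched as well. Either require each custom file to match `signature_type:\s*"(fingerprints|pubkey)"` (exempting override files that merely disable or re-point an existing repository, since those carry no signature settings of their own), or say in `desc` that omission is not detected. Two smaller points in the same hunk: the first statement's `content.contains(/signature_type:\s*"fingerprints"/)` matches anywhere in `/etc/pkg/FreeBSD.conf`, including a commented-out `#  signature_type: "fingerprints",` line, so anchoring the pattern to the start of a line (if MQL regexes honour `^` per line) or excluding `#`-prefixed lines would make it robust; and in the Ansible remediation `ansible.builtin.lineinfile` appends the line at end of file when `regexp: '^\s*signature_type:'` matches nothing, which places it outside the `FreeBSD: { ... }` block, so add an `insertafter` anchor on a line inside that block or manage the file with a template. Finally, the audit sentence "Every active repository should report `signature_type = "fingerprints"`" contradicts the `Scope` text that accepts `pubkey`; say `"fingerprints"` or `"pubkey"`.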