#!/bin/sh
##################################################################
##################################################################
#
#     The OpenBSD System Hardening Script (DRAFT)
#     net_wayfarer - March, 2020
#
#     This software is released under the Berkeley Software Distribution 0-clause Licence.
#     
##################################################################
##################################################################
#
#     Portions of this script was based on The FreeBSD System Hardening Script
#     David Childers - 15 February, 2010
#
#     Script is released under the Attribution-ShareAlike version 3.0 Licence.
#     www.creativecommons.org/licenses/by-sa/3.0/
#
#     Link: https://jonlabelle.com/snippets/view/shell/freebsd-system-hardening-script
#     Article: http://www.bsdguides.org/2005/hardening-freebsd/
#
##################################################################
#
#     Sections of the script that are marked with bold face type require additional steps to be
#     performed.  If these additional steps are not completed, then the changes initiated by this
#     script will not function properly.
#
##################################################################
##################################################################
#
#     This script can be used with either an i386 or amd64 computer.
#
##################################################################
##################################################################
#
#      /etc/installurl must exist, otherwise the system cannot be updated against any new updates.
#      A list of mirrors can be found at https://www.openbsd.org/ftp.html.
echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl
#      Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed
#      method, and must uncomment at least one of the following https:// prefixed lines.
# ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null
#
##################################################################
##################################################################
#
#      syspatch is a way to apply security patches on OpenBSD. It should be executed immediately to prevent
#      exposing installed operating system from any outstanding security flaws.
#
/usr/sbin/syspatch
#
#      Run syspatch as a crontab every few hours or so to further prevent any recently published patches from
#      being ignored.
crontab -l | { cat; echo "37\t1\t*\t*\t*\t /usr/sbin/syspatch"; } | crontab -
#
##################################################################
##################################################################
#
#     OpenSMTPD faced two security issues in 2020. This is years after OpenBSD 6.6 was released. Therefore,
#     all installed softwares should be upgraded if there's new version available.
#
pkg_add -u 
#
##################################################################
##################################################################
#
#      The file rc.conf contains descriptive information about the local host name, configuration details for
#      any potential network interfaces and which services should be started up at system initial boot time.
#
#      Since OpenBSD 5.7 uses rcctl to configure and control daemons and services, and is recommended to 
#      Use this software as opposed to manually editing /etc/rc.conf which will be overwritten. It is best
#      to call rcctl directly, instead of scripting the config files accordingly.
#
#      sndiod is not needed in server environments.
rcctl disable sndiod
rcctl stop sndiod
#      process accounting should be enabled to prevent potentially malicious software from being daemonised
#      in the background, and to go unchecked. This may also help with optimising ulimit down the track
echo "accounting=YES" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
#
#      compress core dumps which will save storage space at the expense of CPU and memory
echo "savecore_flags=-z" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
#
##################################################################
##################################################################
#
#      The /tmp directory should be cleared at startup to ensure that any malicious code that may have
#      entered into the temp file is removed. This will be set as a crontab under root account.
#      This is already a default in OpenBSD as of 6.6, no need to implement this.
#
#rm -rf /tmp/* &>/dev/null
#crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
#
##################################################################
##################################################################
#
#       Disable computer system details from being read in /etc/motd on system reboot.
#
chmod o= /etc/motd
crontab -l | { cat; echo "@reboot chmod o= /etc/motd"; } | crontab -
#
##################################################################
##################################################################
#
#      The sysctl.conf file allows you to configure various aspects of a OpenBSD machine. This includes many
#      advanced options of the TCP/IP stack and virtual memory system that can dramatically improve
#      performance.
#
#      The majority of the following sysctl adjustments are commented out, mainly due to the fact that OpenBSD
#      has these disabled by default.
#
#      ICMP Redirect messages can be used by attackers to redirect traffic and should be ignored.
#
# sysctl -w net.inet.icmp.rediraccept=0
# echo 'net.inet.icmp.rediraccept=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
#      This will discover dead connections and clear them.
#
sysctl -w net.inet.tcp.always_keepalive=1
echo 'net.inet.tcp.always_keepalive=1' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
#      The TCP/IP Stack is what controls the communication of the computer on a data network.
#
#      Disable ICMP broadcast echo activity.  This could allow the computer to be used as part of a Smurf
#      attack.
# sysctl -w net.inet.icmp.bmcastecho=0
# echo 'net.inet.icmp.bmcastecho=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
#      Disable ICMP routing redirects.  This could allow the computer to have its routing table corrupted by an
#      attacker.
#
sysctl -w net.inet.ip.redirect=0
echo 'net.inet.ip.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
sysctl -w net.inet6.ip6.redirect=0
echo 'net.inet6.ip6.redirect=0' | tee -a  /etc/sysctl.conf 2>&1 >/dev/null
#
#     Disable ICMP broadcast probes.  This could allow an attacker to reverse engineer details of your
#     network infrastructure.
#
# sysctl -w net.inet.icmp.maskrepl=0
# echo 'net.inet.icmp.maskrepl=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#
#     Disable IP source routing.  This could allow attackers to spoof IP addresses that you normally trust as
#     internal hosts.
#
# sysctl -w net.inet.ip.sourceroute=0
# echo 'net.inet.ip.sourceroute=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
#################################################################
#################################################################
#
#    PF has the ability to filter packets in ways that are handled separately to FreeBSD's ipfw along with sysctl.
#    The following must be part of your /etc/pf.conf as PF rules can vary from setup to setup. Adjust the following
#    pf rules accordingly.
##########
##########
##
##     (#indicates a typed command.)
##
##
##   Normalise incoming network packets by means of reassembling fragmented packets and removing ambiguity.
##   https://home.nuug.no/~peter/pf/en/scrub.html
##   https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile
##   https://man.openbsd.org/i386/pf.conf#TRAFFIC_NORMALISATION
##
##   # match in all scrub (no-df random-id reassemble tcp)
##
##   Enabling blackholes for UDP and TCP will drop all packets that are received on a closed port and will not
##   give a reply. The following is a two part process and must be implemented to achieve the desired effect.
##
##
##   By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html
##   # set block-policy drop
##
##    We do not send out any reset (RST) packets back, especially if the ports are closed.
##    https://www.openbsd.org/faq/pf/filter.html#defdeny
##   # block all
##
##   Under no circumstances should this PF section be deemed as complete. A seasoned system administrator
##   will know how to write a proper firewall configuration tailored to their network, as each and every 
##   network is unique in their own ways. However, the following below are some general recommended
##   reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own
##   machine. Do take time in reading up and consulting the various information that are available in both free
##   and paid (book) forms.
##
##  # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html
##  # http://daemonforums.org/showthread.php?t=8419
##
##################################################################
##################################################################
#
#     Disable users from having access to configuration files.
#
chmod o= /etc/fstab
chmod o= /etc/ftpusers
chmod o= /etc/group
chmod o= /etc/hosts
# chmod o= /etc/hosts.allow
# chmod o= /etc/hosts.equiv
# chmod o= /etc/hosts.lpd
# chmod o= /etc/inetd.conf
# chmod o= /etc/login.access
chmod o= /etc/login.conf
chmod o= /etc/newsyslog.conf
chmod o= /etc/rc.conf
chmod o= /etc/ssh/sshd_config
chmod o= /etc/sysctl.conf
chmod o= /etc/syslog.conf
chmod o= /etc/ttys
#
##################################################################
##################################################################
#
#      Enable root as the only account with the ability to schedule jobs.
#
echo "root" > /var/cron/cron.allow
chmod 600 /var/cron/cron.allow
echo "root" > /var/cron/at.allow
chmod 600 /var/cron/at.allow
chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch
#
##################################################################
##################################################################
#
#     Secure the root directory contents to prevent viewing. OpenBSD defaults this to 700
#
# chmod 700 /root
#
##################################################################
##################################################################
#
#     Disable user from having access to the system log file directory.
#
chmod o= /var/log
#
##################################################################
##################################################################
#
#     Merge all temporary file directories.
#
#     A single directory should be used for temporary files, not two.
#     The /var/tmp directory will be replaced with a link to /tmp.
#
#     The contents of the /var/tmp directory remain after a reboot.  The contents of the /tmp directory do not.
#
#     OpenBSD 6.6 already has this set by default.
#
# mv /var/tmp/* /tmp/
# rm -rf /var/tmp
# ln -s /tmp /var/tmp
#
##################################################################
##################################################################
#
#     Privacy bits.
#
#     Strip off the ability to see other people's sessions.
chmod o= /var/run/utmp
crontab -l | { cat; echo "@reboot chmod o= /var/run/utmp"; } | crontab -
#
#     Strip off the ability to being able to enumerate the list of previously logged in users and their IPs.
chmod o= /var/log/wtmp*
mv /etc/newsyslog.conf /etc/newsyslog.conf.orig ; sed 's/644/640' /etc/newsyslog.conf.orig > /etc/newsyslog.conf
#
#    Restrict users from being able to access tools normally used diagnostic purposes, as this can be abused.
chmod o= /sbin
chmod o= /usr/sbin
chmod o= /usr/local/sbin
#
#    Strip sbin paths for unprivileged users.
mkdir /etc/skel.orig/
mv /etc/skel/.profile /etc/skel.orig/.profile
sed 's/\/sbin://g ; s/\/usr\/usr/\/usr/ ; s/\/usr\/local\/u/\/u/' /etc/skel.orig/.profile > /etc/skel/.profile
mv /etc/skel/.cshrc /etc/skel.orig/.cshrc
sed 's/\ \/sbin// ; s/sbin\,// ; s/local\/sbin\,//' /etc/skel.orig/.cshrc > /etc/skel/.cshrc
mv /etc/login.conf /etc/login.conf.orig
sed 's/\/usr\sbin\ \/sbin// ; s/\ \/usr\/local\/sbin.*/\:\\/' /etc/login.conf.orig > /etc/login.conf
## At this point you may want to consider about replicating the default login and renaming it to something else
## Like trusted, and give it the paths that does not have sbin stripped out.
#
#    Restrict users from being able to access tools normally used system maintenance, as this can be abused.
mv /usr/bin/fstat /usr/sbin && ln -s /usr/sbin/fstat /usr/bin/fstat && chmod -h 550 /usr/bin/fstat 
mv /usr/bin/netstat /usr/sbin && ln -s /usr/sbin/netstat /usr/bin/netstat && chmod -h 550 /usr/bin/netstat 
mv /usr/bin/logger /usr/sbin && ln -s /usr/sbin/logger /usr/bin/logger && chmod -h 550 /usr/bin/logger
chmod o= /usr/sbin/*
#
#    Restrict users from seeing processes that does not belong to them.
#    http://openbsd-archive.7691.n7.nabble.com/Patch-to-hide-processes-from-people-td382607.html