2
0
mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/troubleshooting/hardening.rst

51 lines
3.5 KiB
ReStructuredText
Raw Normal View History

=======================================
System hardening vs performance
=======================================
OPNsense tends to choose more strict hardening options by default, so when comparing performance between upstream
standard FreeBSD it's good to know which settings differ and can have an impact on your measurements.
This document aims to describe (some of) the differences, so when you value performance over security it is more obvious
which toggles might be worthwhile to change.
Keep in mind that most of the settings will need a reboot and can be altered using system tunables in :menuselection:`System --> Settings --> Tunables`.
IPv4 random ID's [net.inet.ip.random_id]
--------------------------------------------------
control IP(v4) IDs generation behaviour.
This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by
watching the counter. At the same time, on high-speed links, it can decrease the ID reuse cycle greatly.
IPv6 flow IDs and fragment IDs are always random. (source :code:`man -S 4 inet`)
Our default is 1 (enabled).
Spectre and Meltdown
--------------------------------------------------
To mitigate some of the speculative execution vulnerabilities, there are a couple of settings available in FreeBSD.
More information about the various vulnerabilities and associated patches can be found `here <https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities>`__
Meltdown mitigation using Page Table Isolation (PTI), although also enabled in FreeBSD it's worth tom mention which setting is responsible
for enabling this feature. To disable PTI set :code:`vm.pmap.pti` to 0. Not all cpu's are vulnerable for Meltdown, in which case PTI can be disabled safely.
Spectre variant 2, the system offers IBRS-based mitigation on Intel CPUs.
The IBRS mitigation main disadvantage is the significant performance penalty.
In OPNsense IBRS is enabled (for Intel) by default by disabling (0) :code:`hw.ibrs_disable`, upstream FreeBSD standard is disabled (1).
User/group separation (security.bsd)
--------------------------------------------------
Freebsd offers a couple of toggles to tighten security for ordinary users, these likely don't impact performance
a lot, but these are the ones including descriptions that differ on our end (source :code:`sysctl -d security.bsd`).
================================================= =================================================================================
Setting Description
================================================= =================================================================================
security.bsd.hardlink_check_gid [0->1] Unprivileged processes cannot create hard links to files owned by other groups
security.bsd.hardlink_check_uid [0->1] Unprivileged processes cannot create hard links to files owned by other users
security.bsd.unprivileged_proc_debug [1->0] Unprivileged processes may use process debugging facilities
security.bsd.see_other_gids [1->0] Unprivileged processes may see subjects/objects with different real gid
security.bsd.see_other_uids [1->0] Unprivileged processes may see subjects/objects with different real uid
security.bsd.unprivileged_read_msgbuf [1->0] Unprivileged processes may read the kernel message buffer
================================================= =================================================================================