Hardening stuff
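# Integrity-baseline helpers for AIDE and Tripwire.
#
# The plaintext databases are kept GnuPG-encrypted under $pa / $pt
# (presumably a partition that is mounted read-only or only during audits --
# confirm that /boot is actually protected on this host) and are decrypted
# into the tools' working directories only for the duration of a check or
# update, then wiped again.
#
# Source this file from an interactive bash.  The commands are shell
# functions, not aliases, because inside a double-quoted alias definition
# "${pass}" and "$1" are expanded when the alias is DEFINED (to an empty
# string): the alias version never passed the passphrase to gpg, and
# tripwire-report never received its argument.  The aide aliases also ran
# gpg --symmetric on the already-encrypted file (encrypting it a second
# time) where a --decrypt was intended.

# Hostname; tripwire names its database $h.twd
h=$(hostname 2>/dev/null || uname -n)
# Prompt used to read the passphrase (kept for compatibility with shells that
# sourced the alias version; the functions below use _ask_pass instead)
cmd='read -sp "Enter password: " pass'
# Path to aide integrity tool
a="/usr/bin/aide"
# Path to aide working directory.  Assumes aide.conf has database_in =
# $adb/aide.db.gz and database_out = $adb/aide.db.new.gz -- verify.
adb="/var/lib/aide"
# Path to tripwire integrity tool
t="/usr/sbin/tripwire"
# Path to tripwire database directory
tdb="/var/lib/tripwire"
# Path to GnuPG
g="/usr/bin/gpg"
# Extra GnuPG flags.  gpg 2.1+ ignores --passphrase-fd in --batch mode unless
# "--pinentry-mode loopback" is also given, while gpg 1.x rejects that flag;
# add it here after checking `gpg --version` if prompts fail.
gextra=""
# Path to stored encrypted baselines
pt="/boot/.tools/audit/tripwire"
pa="/boot/.tools/audit/aide"

# Read the passphrase into the caller's $pass without echo.
# -r keeps backslashes literal; the newline restores the cursor after -s.
# Returns read's status (non-zero on EOF).
_ask_pass() {
  read -rsp "Enter password: " pass
  printf '\n' >&2
}

# Run gpg non-interactively with $pass supplied on stdin (fd 0), so the
# passphrase never appears on a command line or in `ps` output.
# All arguments are passed to gpg verbatim.
_gpg() {
  # shellcheck disable=SC2086  -- $gextra is deliberately word-split
  printf '%s\n' "$pass" | "$g" --yes --no-tty --batch --passphrase-fd 0 $gextra "$@"
}

# Remove plaintext database files.  rm only unlinks; shred overwrites the
# blocks first where it exists (still no guarantee on journaling file systems
# or SSDs, but strictly better than leaving the baseline recoverable).
# Unmatched globs and missing files are ignored.
_wipe() {
  if command -v shred >/dev/null 2>&1; then
    shred -fu -- "$@" 2>/dev/null
  else
    rm -f -- "$@"
  fi
}

# Aide update: decrypt the stored baseline, run aide --update (checks the
# filesystem and writes a fresh database to aide.db.new.gz), encrypt that
# over the stored copy and wipe every plaintext copy.
# aide(1) exits 1..7 when it merely found added/removed/changed files and
# 14 or higher on a real error, so only the latter aborts the re-encrypt --
# otherwise the refreshed baseline would be lost exactly when changes were
# seen.  (Confirm the threshold against the installed aide's man page.)
# Returns aide's status, or 1 if decrypt/encrypt failed.
aide-update() {
  local pass rc
  _ask_pass || return 1
  if ! _gpg --decrypt -o "$adb/aide.db.gz" "$pa/aide.db.new.gz.gpg"; then
    _wipe "$adb"/aide.db.*
    return 1
  fi
  "$a" --update
  rc=$?
  if [ "$rc" -lt 14 ]; then
    if ! _gpg --symmetric --cipher-algo aes256 -o "$pa/aide.db.new.gz.gpg" "$adb/aide.db.new.gz"; then
      printf 'aide-update: encrypting the new baseline failed; stored copy unchanged\n' >&2
      rc=1
    fi
  fi
  _wipe "$adb"/aide.db.*
  return "$rc"
}

# Aide check: decrypt the stored baseline to aide.db.gz (the database_in
# aide --check reads), run the check, wipe the plaintext.  The alias version
# ran --init first, which regenerates the baseline from the current
# filesystem and so would never report a change.
# Returns aide's status (non-zero when changes were found).
aide-check() {
  local pass rc
  _ask_pass || return 1
  _gpg --decrypt -o "$adb/aide.db.gz" "$pa/aide.db.new.gz.gpg" && "$a" --check
  rc=$?
  _wipe "$adb"/aide.db.*
  return "$rc"
}

# Initial setup: encrypt the freshly initialised tripwire database into $pt.
# The plaintext $tdb/$h.twd is wiped once the encrypted copy is written, so
# that from here on it only exists on disk during a check or update.
tripwire-save() {
  local pass
  _ask_pass || return 1
  _gpg --symmetric --cipher-algo aes256 -o "$pt/$h.twd.gpg" "$tdb/$h.twd" || return 1
  _wipe "$tdb/$h.twd"
}

# Tripwire policy update: decrypt the database, run the policy update in low
# secure mode (lets the update proceed even though the filesystem already
# differs from the database; tripwire prompts for its own site/local key
# passphrases on the terminal), re-encrypt and wipe.  The re-encrypt runs
# only if the update succeeded, so a failed run cannot clobber the stored
# baseline (the alias version re-encrypted unconditionally).
tripwire-update() {
  local pass rc
  _ask_pass || return 1
  _gpg --decrypt -o "$tdb/$h.twd" "$pt/$h.twd.gpg" \
    && "$t" -m p --secure-mode low /etc/tripwire/twpol.txt \
    && _gpg --symmetric --cipher-algo aes256 -o "$pt/$h.twd.gpg" "$tdb/$h.twd"
  rc=$?
  _wipe "$tdb"/*.twd*
  return "$rc"
}

# Tripwire check: decrypt the database, run the check, wipe the plaintext.
# Returns tripwire's status (non-zero when violations were found).
tripwire-check() {
  local pass rc
  _ask_pass || return 1
  _gpg --decrypt -o "$tdb/$h.twd" "$pt/$h.twd.gpg" && "$t" --check
  rc=$?
  _wipe "$tdb"/*.twd*
  return "$rc"
}

# Print a tripwire report.
# $1 - path to the .twr report file (required)
# Returns 2 on missing argument, else twprint's status.
tripwire-report() {
  if [ -z "$1" ]; then
    printf 'usage: tripwire-report REPORT.twr\n' >&2
    return 2
  fi
  twprint -m r --twrfile "$1"
}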
#!/bin/sh
# Default options
ipfw="/sbin/ipfw "
adp="fxp0"
# This machines IP
me=""
# Allowed DNS server(s)
dns1=""
dns2=""
# Allowed SSH host(s)
allowed1=""
allowed2=""
# Allowed SMTP host(s)
allowed3=""
# Flush current rules
$ipfw -f flush
# Bypass if previous state ok
$ipfw add 00010 check-state
# Divert all to suricata first
#$ipfw add 00020 divert 8000 ip from any to any
#### Loopback ####
$ipfw add 00021 allow all from any to any via lo0
$ipfw add 00022 deny all from any to 127.0.0.0/8
$ipfw add 00023 deny all from 127.0.0.0/8 to any
$ipfw add 00024 deny tcp from any to any frag
#### ALL OUTBOUND RULES ####
# DNS allowed rules
$ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
$ipfw add 00510 allow udp from $me to $dns1 53 out via $adp keep-state
$ipfw add 00520 allow tcp from $me to $dns2 53 out via $adp setup keep-state
$ipfw add 00530 allow udp from $me to $dns2 53 out via $adp keep-state
# Allow ping out
$ipfw add 00600 allow icmp from $me to any out via $adp keep-state
# Allow whois out
$ipfw add 00610 allow tcp from $me to any 43 out via $adp setup keep-state
# Allow sshd out
$ipfw add 00700 allow tcp from $me to any 22 out via $adp setup keep-state
# Allow http/https out
$ipfw add 00710 allow tcp from $me to any 80 out via $adp setup keep-state
$ipfw add 00720 allow tcp from $me to any 443 out via $adp setup keep-state
# Allow emails out
$ipfw add 00730 allow tcp from $me to $allowed3 25 out via $adp
# Log all other attempts out
$ipfw add 00800 deny log all from all to any out via $adp
#### ALL INBOUND RULES ####
# Deny all inbound from non-routeable address blocks
$ipfw add 00900 deny log all from 192.169.0.0/16 to any in via $adp
$ipfw add 00910 deny log all from 172.16.0.0/12 to any in via $adp
$ipfw add 00920 deny log all from 10.0.0.0/8 to any in via $adp
$ipfw add 00930 deny log all from 127.0.0.0/8 to any in via $adp
$ipfw add 00940 deny log all from 0.0.0.0/8 to any in via $adp
$ipfw add 00950 deny log all from 169.254.0.0/16 to any in via $adp
$ipfw add 00960 deny log all from 192.0.2.0/24 to any in via $adp
$ipfw add 00970 deny log all from 204.152.64.0/23 to any in via $adp
$ipfw add 00980 deny log all from 224.0.0.0/3 to any in via $adp
# Deny public pings
$ipfw add 01000 deny log icmp from any to $me in via $adp
# Deny ident(s)
$ipfw add 01100 deny log tcp from any to $me 113 in via $adp
# Drop netbios packets
$ipfw add 01200 deny log tcp from any to $me 137 in via $adp
$ipfw add 01210 deny log tcp from any to $me 138 in via $adp
$ipfw add 01220 deny log tcp from any to $me 139 in via $adp
$ipfw add 01230 deny log tcp from any to $me 81 in via $adp
# Drop late arrivals
$ipfw add 01300 deny log all from any to $me frag in via $adp
# Deny ACK packets no matching the dynamic rule table
$ipfw add 01400 deny log tcp from any to $me established in via $adp
# Allow configured host(s) to use SSH
$ipfw add 01500 allow tcp from $allowed1 to $me 22 in via $adp keep-state
$ipfw add 01510 allow tcp from $allowed2 to $me 22 in via $adp keep-state
# Allowed SMTP in
$ipfw add 01520 allow tcp from $allowed3 to $me 25 in via $adp keep-state
# Reject & log all others
$ipfw add 01600 deny log all from any to any in via $adp
$ipfw add 01700 deny log all from any to any
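# /etc/rc.conf -- FreeBSD boot-time service and network configuration for a
# hardened single-homed host.  Fill in the hostname/address placeholders.
# Network configuration
hostname=""
ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
defaultrouter="xxx.xxx.xxx.xxx"
# Enabled services
sshd_enable="YES"
powerd_enable="YES"
# -ss: syslogd opens no network socket at all, so it neither receives nor
# forwards remote log messages
syslogd_flags="-ss"
# Disabled services
# The four explicit knobs replace the deprecated sendmail_enable="NONE"
# shorthand (rc.sendmail(8)): no listening daemon, no localhost submission
# listener, no outbound client and no MSP queue runner.
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# portmap was renamed rpcbind (rpcbind_enable in rc.conf(5)); both spellings
# are kept so the port mapper stays off whichever name this release uses
portmap_enable="NO"
rpcbind_enable="NO"
inetd_enable="NO"
# Disable ipv6
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_net_interfaces="NONE"
ipv6_activate_all_interfaces="NO"
# Security level: 3 ("network secure") is the maximum, see security(7).
# It is raised late in boot, after the firewall script has run, and cannot
# be lowered without a reboot; from then on the ipfw ruleset cannot be
# changed, system immutable (schg) flags cannot be cleared, kernel modules
# cannot be loaded and the clock cannot be stepped backwards or more than a
# second forward -- plan rule changes and integrity-baseline updates on
# flagged files around a reboot.
kern_securelevel_enable="YES"
kern_securelevel=3
# Clear /tmp on boot
clear_tmp_enable="YES"
# Network hardening
# drop, and log, ICMP redirects (they let an on-link peer alter our routes)
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
# log connection attempts to ports with no listener
log_in_vain="YES"
# drop TCP packets with SYN+FIN set (used for OS fingerprinting); older
# kernels needed the TCP_DROP_SYNFIN kernel option for this to take effect
tcp_drop_synfin="YES"
# Firewall settings: firewall_script supplies the whole ruleset, so
# firewall_type is only consulted if that script sources rc.firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable.  A crash
# dump is an image of kernel memory (keys, passwords in buffers); NO trades
# post-mortem debugging for not leaving that on the dump device.
dumpdev="NO"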
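# Kernel sysctl configuration file (Linux; applied by sysctl -p at boot)
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# conf.default.* only seeds interfaces created AFTER this file is applied;
# interfaces the kernel already brought up keep their own values.  For IPv4
# the conf.all.* keys cover those; for IPv6 the all.* keys have historically
# not been propagated for most settings -- verify, and set
# net.ipv6.conf.<ifname>.* for each real interface if needed.

# Controls IP packet forwarding.  1 makes this host a router; it is on here
# because the template is for a NAT host on a host-only network -- set it to
# 0 on anything that does not forward traffic.
net.ipv4.ip_forward = 1
#net.ipv4.conf.all.forwarding = 0
#net.ipv4.conf.all.mc_forwarding = 0

# Reverse-path (source address) verification.  The original wrote the
# second key as "net.ipv4.all.default.rp_filter", which does not exist, so
# existing interfaces never got it.  Strict mode (1) drops legitimately
# asymmetric traffic on a multi-homed router; use 2 (loose) there.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Do not accept source-routed packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Disable the magic SysRq key (unauthenticated console actions such as
# killing processes or dumping memory)
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Retransmit SYN-ACKs only twice so half-open connections left by a SYN
# flood expire sooner.  (The original comment called this the syncookie
# switch; that is tcp_syncookies below.)
net.ipv4.tcp_synack_retries = 2

# ICMP redirects: this host is not a router, so never send them, and never
# accept them (they let an on-link attacker rewrite our routing table).
# secure_redirects would otherwise still accept them from the gateway.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Log packets with impossible source addresses ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore ICMP echo requests sent to a broadcast address (smurf
# amplification).  Unicast pings and timestamp requests are still answered;
# add net.ipv4.icmp_echo_ignore_all = 1 if those should be dropped too.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable TCP timestamps (RFC 1323).  Hides uptime from remote observers but
# also disables PAWS and RTT measurement on fast links; only worth it on a
# host without long-lived high-bandwidth connections.
net.ipv4.tcp_timestamps = 0

# SYN flood mitigation: send syncookies once the SYN backlog overflows
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1280

# IPv6: never accept or send redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.send_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.send_redirects = 0

# IPv6 router advertisements: do not solicit routers, ignore the prefix
# information and default-router options of any RA that still arrives, and
# do not autoconfigure addresses from them (a rogue RA on the link could
# otherwise take over our default route and addressing).
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0

# Skip Duplicate Address Detection (no DAD neighbor solicitations are sent
# when an address is configured)
net.ipv6.conf.default.dad_transmits = 0

# At most one autoconfigured global address per interface.  The original
# key was misspelt "dfault" and was never applied.
net.ipv6.conf.default.max_addresses = 1

# Exec-shield is a RHEL/CentOS-only key; other kernels log it as unknown and
# continue.  randomize_va_space=2 also randomises the heap (brk) base, which
# 1 left at a fixed offset.
kernel.exec-shield = 1
kernel.randomize_va_space = 2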
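# Disable netfilter on bridges (bridged frames bypass iptables/ip6tables/
# arptables).  These keys only exist while the br_netfilter module (older
# kernels: bridge) is loaded; otherwise sysctl reports them as missing and
# moves on.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Enable kernel exec shield (RHEL/CentOS-specific key) and full ASLR:
# randomize_va_space=2 also randomises the heap (brk) base, which 1 left at
# a fixed offset
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Disable the magic SysRq key (unauthenticated console actions)
kernel.sysrq = 0
# Disable questionable ICMP behaviour.
# NOTE: the net.inet.* OIDs below are FreeBSD sysctls, not Linux ones; a
# Linux sysctl -p reports each as an unknown key and they belong in the
# FreeBSD /etc/sysctl.conf instead.  bmcastecho: do not answer broadcast/
# multicast echo; rediraccept: ignore ICMP redirects; the ip.* keys stop
# accepting and forwarding source-routed packets and sending redirects.
net.inet.icmp.bmcastecho = 0
net.inet.icmp.rediraccept = 0
net.inet.ip.accept_sourceroute = 0
net.inet.ip.redirect = 0
net.inet.ip.sourceroute = 0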