Lockdown
Latest release: 2.0.0 (24 June 2005)
News
2.0.0 released (24 June 2005):
Finally a new release and dare I say it a more stable one. Lockdown has yet again
been rewritten, but I have a good feeling about this one. Lockdown is
now a script making use of edittools, which is a group of programs for
editing different file formats. At some point I'll create a separate
port for edittools and add support for more file formats.
Go get the new release while it's hot ;-)
Future plans (22 March 2005):
I'm aware of the bugs in lockdown and am working on a new release. Lockdown will stay
where it is, but the new release is a redesign of lockdown and should
be more stable.
1.0.1 released (09 May 2004):
Only a small bug was fixed, so nothing new in this release. If I don't find any more
bugs, this may be the last lockdown release. Lockdown is NOT dead, but
I'll rewrite it so much that a name change (to 'autosetup' I think) and
a move from security to sysutils will be in order. In this new port
lockdown will be present, but as a script using a lot of small programs
to edit the different files. "Autosetup" (if that is what I'll
call it) will be more general than lockdown and also include some
programs to help you configure other system features, making FreeBSD
more user friendly and faster/easier to configure.
1.0.0 released (16 April 2004):
Since only one bug was reported in version 0.1 (which was fixed in 0.1.1), I guess
lockdown is stable enough to become version 1.0 and is thereby ready
for production usage. Most of lockdown has been rewritten in this
release and changes to the configuration file were made. In the future
I'll try not to change the keywords too much, so that lockdown will be
compatible with older configuration files. Some new features were
added, so I recommend that you take a look at the man page and the new
default configuration file. As a last note I want to remind you that
the default configuration file is NOT meant to be so general, that it
can be used by all without editing it. There is no such thing as
default security and I have therefore made lockdown as flexible as
possible, because most users would have to make their own configuration
files. However, please write me if the default configuration file breaks
the system and also write me if it could be more restrictive. It would be
nice if we could centralize the knowledge of how strict FreeBSD can be
set up without breaking. Enjoy the new release :-)
New Lockdown mirror (01 April 2004):
Thanks to Martin Kruse, lockdown.TruNet.dk now has a mirror at lockdown.loproc.dk.
0.1.1 released (27 March 2004):
A small bug was fixed. Thank you David Powers for reporting it. Next major release will be 1.0
and it will happen sometime next month.
Description
Lockdown is a script designed to harden a FreeBSD system by editing the
system's configuration files and setting permissions, flags and
ownership on SUID, GID and "information" files. To do this, lockdown
uses edittools, a group of small programs written in C++ and released
under the BSD license. Edittools currently has support for:
- /etc/fstab
- /etc/ttys
- /etc/login.conf
- The kernel configuration file
- Simple files like /etc/rc.conf and /etc/sshd/sshd_config
On the todo list we have:
- /etc/syslog.conf
- /etc/newsyslog.conf
However, the main goal is to centralize knowledge on how much you can
harden the system without breaking it. So if you feel something should
be added to the script or changed because it breaks something or could be
even more secure, then please let me know.
Download
Lockdown is in the port collection under "security".
Source: lockdown-2.0.0.tar.gz
Source: lockdown-1.0.1.tar.gz
Source: lockdown-1.0.tar.gz
Source: lockdown-0.1.1.tar.gz
Source: lockdown-0.1.tar.gz
Contact
Write to Daniel Blankensteiner <db at TruNet dot dk>
If you want to request a feature, please check "todo" under Description.
If you want to add something to the lockdown script, please make sure it
has something to do with security and concerns something in the
FreeBSD base system.