Assess FreeBSD Security with cnspec
Rely on cnspec to ensure your FreeBSD systems follow security best practices, such as hardening kernel parameters, securing SSH configuration, enforcing file system permissions, managing user accounts and groups, auditing installed packages, and verifying that unnecessary services are disabled.
Before you begin
- cnspec installed on your workstation
- SSH access to the target FreeBSD system
Scan a FreeBSD asset
cnspec connects to FreeBSD systems remotely over SSH.
Scan a remote machine over SSH
To scan a remote FreeBSD machine using SSH with password authentication:
cnspec scan ssh user@HOST

To use an SSH key for authentication:

cnspec scan ssh user@HOST -i /path/to/identity_key

To scan using a specific port:

cnspec scan ssh user@HOST -p 2222

Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure SSH root login is disabled
✕ Fail: Ensure IP forwarding is disabled
✓ Pass: Ensure no user has an empty password

At the end of the output, cnspec shows an overall score from 0 to 100, where 100 is the best possible result (no failed checks) and 0 the worst. Each failed check includes remediation guidance to help you fix the issue.
cnspec automatically detects the platform and applies the appropriate security policy. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
Run cnspec shell ssh user@HOST to open the cnspec interactive shell connected to a remote FreeBSD system. From there you can run ad hoc checks like the examples below.
Ensure SSH root login is disabled
cnspec> sshd.config.params["PermitRootLogin"] == "no"
[ok] value: "no"

Ensure IP forwarding is disabled

cnspec> kernel.parameters["net.inet.ip.forwarding"] == 0
[ok] value: 0

Ensure no user has an empty password

cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true

Ensure the SSH service is running

cnspec> service("sshd").running
[ok] value: true

List all listening ports and their processes

cnspec> ports.listening { port protocol address process.executable }

Ensure strong SSH ciphers are configured

cnspec> sshd.config.ciphers.none( _ == "arcfour" || _ == "arcfour128" || _ == "arcfour256" )
[ok] value: true

These are just a few examples. You can create your own policies to define the checks that matter most for your FreeBSD environment.
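The following policy bundle collects the ad hoc checks above into a reusable policy that can be passed to cnspec scan with --policy-bundle. It is an added example written for this page, not a policy shipped by Mondoo: the file name, policy and check uids, author, version and impact values are illustrative, and the group filter assumes cnspec reports the target platform as "freebsd". The MQL expressions themselves are the ones shown in the examples above.

```yaml
# freebsd-baseline.mql.yaml (example bundle; not a Mondoo-provided policy)
policies:
  - uid: freebsd-baseline-example        # illustrative uid
    name: FreeBSD baseline (example)
    version: 1.0.0
    authors:
      - name: Example Author              # placeholder
        email: security@example.com       # placeholder
    groups:
      - title: Remote access
        # Assumption: cnspec identifies FreeBSD assets with platform "freebsd".
        filters: asset.platform == "freebsd"
        checks:
          - uid: sshd-permit-root-login
            title: Ensure SSH root login is disabled
            impact: 80                    # illustrative severity (0-100)
            mql: sshd.config.params["PermitRootLogin"] == "no"
          - uid: sshd-no-arcfour-ciphers
            title: Ensure strong SSH ciphers are configured
            impact: 60
            mql: |
              sshd.config.ciphers.none(
                _ == "arcfour" || _ == "arcfour128" || _ == "arcfour256"
              )
          - uid: sshd-service-running
            title: Ensure the SSH service is running
            impact: 40
            mql: service("sshd").running
      - title: Kernel and accounts
        filters: asset.platform == "freebsd"
        checks:
          - uid: ip-forwarding-disabled
            title: Ensure IP forwarding is disabled
            impact: 50
            mql: kernel.parameters["net.inet.ip.forwarding"] == 0
          - uid: no-empty-passwords
            title: Ensure no user has an empty password
            impact: 90
            mql: users.where( name != "nobody" ).all( password.empty == false )
```

Validate the bundle with cnspec bundle lint freebsd-baseline.mql.yaml before use, then run it against a host with cnspec scan ssh user@HOST --policy-bundle freebsd-baseline.mql.yaml. Splitting the checks into groups lets you attach different filters later, for example restricting the SSH group to hosts that actually expose sshd, without rewriting the checks themselves.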
Learn more
- To learn how to run ad hoc checks interactively, read Create Checks in cnspec Shell.
- For a list of all the OS resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
- To learn more about how MQL works, read Write Effective MQL.