FreeBSD 9.0 in VirtualBox 4.1.12

I've been a FreeBSD fan for years now and I must say I really like this OS. Sadly, most people feel it is way too complicated to be used and recently I was asked to provide a simple walkthrough.

The FreeBSD handbook is a great resource, but some people get easily lost reading it... I'll show in this post the steps necessary to get a Virtual Machine running trying to give just a brief explanation when needed to keep it simple.

At this time, I'm using VirtualBox 4.1.12 (no Extension Pack) and FreeBSD 9.0 (64 bit) but you can use 32 bit as well.


1. Create a Virtual Machine for a "BSD" Operating System and the "FreeBSD (64 bit)" Version, I suggest 512MB of RAM memory and a virtual hard drive with 8GB of space (as you might feel a bit tight with the default options).
2. Use the default configuration, you might want to disable audio as it won't be needed.


You should have no trouble selecting the options you need and you can select the default if you are not familiar with the dialogs, just change the following:

1. You need to type your hostname in the Set Hostname screen, I suggest "freebsd" but you might want another name for it. If you plan to use this system to host a network service like Kerberos or LDAP you might want to use a full qualified domain name here.
2. Uncheck everything in the Distribution Select screen, we'll deal with that later.
3. Select "<Guided>" in the Partitioning screen, select "<Entire Disk>" in the Partition screen, select "<Finish>" at the Partition Editor screen and select "<Commit>" when the Confirmation dialog shows up. This will create a 64kB partition for boot, a 409 MB for swap and the rest for the file system root "/" using UFS.
4. In the Network Configuration screen, select "<Yes>" for "IPv4", select "<Yes>" for "DHCP", select "<No>" for IPv6 (VirtualBox 4.1.10 has limited support for IPv6) and select "<OK>" in the resolver configuration (your DNS servers should be there already but be sure to type at least one IP address if your fields are blank).
5. Check only "ssh" in the System Configuration screen.
6. Select "<No>" in the Dumpdev Configuration screen.
7. Select "<No>" in the Manual Configuration screen.

Remeber to unmount your virtual CD when the VirtualBox logo appears or it might boot from it again.


A minimal system is running, here is what you need to know in order to get started in the FreeBSD world.

Keep your Kernel updated

You probably want to check if there are updates (especially security ones) for your Kernel, use the following command to get the updates available:
 freebsd-update fetch
If updates are found, use the following command to install them:
 freebsd-update install

Get your Ports collection and keep it updated with Portsnap

We need to install the software we are going to use and for that I recommend you to use FreeBSD Ports, you can add binary packages in a similar way to linux using pkg commands but you will likely encounter bugs that are already fixed on the source code.

There is no need to fear the source code, many people I know do not want to compile everything because they are afraid of compilation errors but the FreeBSD Ports do a pretty good job and the only disadvantage is the time needed for the compilation process.

One big plus is, you can look for vulnerabilities reported on the FreeBSD Ports and proactively take action.

Use the root account with the password set during the installation, we don't have sudo installed just yet.

Get the FreeBSD Ports collection and extract it using the following command:
 portsnap fetch extract  
When you are back at the command line you will have the collection available at /usr/ports/, the Ports are inside directories grouped by category.

You'll probably want to keep your FreeBSD Ports up to date, you can use the following command when you want to download and apply the available updates for your collection:
 portsnap fetch update  
To check if there are new versions of your Ports use the following command:
 pkg_version -v  

Audit your Ports collection with Portaudit

Portaudit checks for known security issues with your installed Ports, alerts if there are vulnerabilities reported in your installations and even prevents the installation of compromised Software. Install it with the following commands:
 cd /usr/ports/ports-mgmt/portaudit  
 make install clean  
Log out and log in again to have the binaries available in your path and use the following command to update and view the known vulnerabilities of your Ports:
 portaudit -Fda 
If your system is going to be up and running 24/7 you might want to use the following command to edit /etc/crontab:
 ee /etc/crontab  
Add the following lines to keep your vulnerabilities database updated everyday at 3:00am:
 # Portaudit  
 0    3    *    *    *    root  /usr/local/sbin/portaudit -Fda  
Any time you want to check if there are vulnerabilities reported for any of your installed Ports use the following command:
 portaudit -a  
You cannot install a Port if there is a vulnerability reported, but in case you want to force it you just have to add the -DDISABLE_VULNERABILITIES option when you call make, like the following:
 make -DDISABLE_VULNERABILITIES install clean  
Be sure to read the vulnerability report first to know how your system is compromised!.

Update your installed Ports with Portmanager

Portsnap will help you to keep the source code updated for your Ports but it will not upgrade the installed binaries. Portmanager will help you to install new versions of your Ports when Portsnap updates their source code, install it with the following commands (leave the default options when asked):
 cd /usr/ports/ports-mgmt/portmanager  
 make install clean  
Log out and log in again to have the binaries available in your path and use the following command to compile and upgrade your installed Ports:
 portmanager -u  

Install and configure sudo:

It is a good idea to use sudo as it will leave a trace of every command used by the administrators for audit purposes, you never know what can hit you and if everyone is using the root account for administration this can lead to serious consequences as the attakers can delete their own traces easily... on the other hand, someone on your staff did something wrong you'll never know who (I've seen around 20 people using the root account for administration on a single system when I've been called to find out what caused the disaster!).

This might not be bulletproof, but it certainly helps to close the gap, install it with the following commands (leave the default options when asked):
 cd /usr/ports/security/sudo  
 make install clean  
You might want to create a group for the sudoers, use the following command to add the group sudoers:
 pw groupadd sudoers  
Log out and log in again to have the binaries available in your path and use the following command to configure sudo:
Add the following line at the end of the file:
 %sudoers ALL=(ALL) ALL  
Any sudoer can gan root access, you might want to tighten up your security a bit using the following lines instead to prevent the use of visudo, the access as root using the command su and the access as root through one of the installed shells:
 # visudo, disabling user switching and visudo  
 Cmnd_Alias  NSHELLS = /bin/csh,/bin/tcsh,/bin/sh  
 Cmnd_Alias  NSU = /usr/bin/su  
 Cmnd_Alias  NVISUDO = /usr/local/sbin/visudo  
Now you just need to add your users to the group sudoers, use the following command to add user johndoe:
 pw usermod johndoe -G sudoers  
If you wish to disable root access entirely use the following command:
 pw lock root  
If you disabled root access, a sudoer can enable it using the following command:
 sudo pw unlock root  

At this point you have the base system ready to install the Ports you want, you might want to export the appliance (473MB), clone the Virtual Machine or save a Snapshot.
I hope this will help someone out there, please feel free to send any comments.

No comments:

Post a Comment