FreeBSD : Installation de Bastille

Liens :

1/ Passage en mode super-utilisateur.

[util01@station66 ~]$ sudo su
You have mail.
root@station66:/usr/home/util01 # 

2/ Installation de Bastille.

root@station66:/usr/home/util01 # pkg install bastille

3/ Activation Bastille.

root@station66:/usr/home/util01 # sysrc bastille_enable=YES
bastille_enable:  -> YES
root@station66:/usr/home/util01 # 

4/ Configuration.

Ouvrir :


Chercher :


Remplacer par :


Chercher :


Rempalcer par :


Chercher :


Remplacer par :

A vérifier avec : zpool list

5/ Création d'une interace de loopback.

root@station66:/usr/home/util01 # sysrc cloned_interfaces+=lo2
cloned_interfaces: lo1 -> lo1 lo2
root@station66:/usr/home/util01 # 
root@station66:/usr/home/util01 # sysrc ifconfig_lo2_name="bastille0"
ifconfig_lo2_name:  -> bastille0
root@station66:/usr/home/util01 # 
root@station66:/usr/home/util01 # service netif cloneup
Created clone interfaces: lo2.
root@station66:/usr/home/util01 # 
root@station66:/usr/home/util01 # cat /etc/rc.conf
ifconfig_msk0="inet netmask"
cloned_interfaces="lo1 lo2"
root@station66:/usr/home/util01 #

6/ Configuration de PF.

Créer :


Ajouter :

ext_if est le nom de l'interface réseau externe

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)

## Enable dynamic rdr (see below) bastille 0.7+
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet #disable for VNET
pass in inet proto tcp from any to any port ssh flags S/SA keep state

7/ Activation de PF.

root@station66:/usr/home/util01 # sysrc pf_enable=YES
pf_enable: NO -> YES
root@station66:/usr/home/util01 # service pf start
Enabling pf.

8/ Boostrap.

root@station66:/usr/home/util01 # bastille bootstrap 13.1-RELEASE update
Bootstrapping FreeBSD distfiles...
/usr/local/bastille/cache/13.1-RELEASE/MANIFES        1046  B 9038 kBps    00s
Bootstrap successful.
Scanning /usr/local/bastille/releases/13.1-RELEASE/usr/share/certs/trusted for certificates...
root@station66:/usr/home/util01 # 

9/ Création d'un container de test.

root@station66:/usr/home/util01 # bastille create alcatraz 13.1-RELEASE
Valid: (

Creating a thinjail...

alcatraz: created

Applying template: default/thin...
Applying template: default/base...
[alcatraz]: 0

syslogd_flags: -s -> -ss

sendmail_enable: NO -> NO

sendmail_submit_enable: YES -> NO

sendmail_outbound_enable: YES -> NO

sendmail_msp_queue_enable: YES -> NO

cron_flags:  -> -J 60

/etc/resolv.conf -> /usr/local/bastille/jails/alcatraz/root/etc/resolv.conf

Template applied: default/base

Template applied: default/thin

alcatraz: removed

alcatraz: created

root@station66:/usr/home/util01 # 

10/ Listing des jails disponibles.

root@station66:/usr/home/util01 # bastille list
 JID             IP Address      Hostname                      Path
 web_reseau01_local      web.reseau01.local            /jail/web.reseau01.local
 alcatraz   alcatraz                      /usr/local/bastille/jails/alcatraz/root
root@station66:/usr/home/util01 # 

11/ Connexion au jail 'alcatraz'.

root@station66:/usr/home/util01 # bastille console alcatraz
root@alcatraz:~ # 

12/ Actication de ssh.

root@station66:/usr/home/util01 # bastille sysrc alcatraz sshd_enable=YES
sshd_enable: NO -> YES

root@station66:/usr/home/util01 # 

13/ Démarrage de ssh :

root@station66:/usr/home/util01 # bastille service alcatraz sshd start
Generating RSA host key.
3072 SHA256:ks4DnAQpkNCqLw9Z4XY827Km4oTGahX7O0QGxkDICQI root@alcatraz (RSA)
Generating ECDSA host key.
256 SHA256:B3Js9g40tsLBtOO985UTWLzEQ+WcsqEHfivw4ifyjJ0 root@alcatraz (ECDSA)
Generating ED25519 host key.
256 SHA256:N6ESBxpkvlirTyy75SCGoD0Zxp2KCxHeKV3rsX7G5gE root@alcatraz (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.

root@station66:/usr/home/util01 # 

14/ Changer le mot de passe de 'root'.

root@alcatraz:~ # passwd 
Changing local password for root
New Password:
Retype New Password:
root@alcatraz:~ # 

15/ Création de l'utilisateur 'util01'.

root@alcatraz:~ # adduser
Username: util01
root@alcatraz:~ # 
root@station66:/usr/home/util01 # ssh util01@
Password for util01@alcatraz:
To do a fast search for a file, try

     locate filename

locate uses a database that is updated every Saturday (assuming your computer
is running FreeBSD at the time) to quickly find files based on name only.
util01@alcatraz:~ $ 

16/ Installation de l'outil pkg.

root@alcatraz:~ # pkg install pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+, please wait...
Verifying signature with trusted certificate done
[alcatraz] Installing pkg-1.18.3...
[alcatraz] Extracting pkg-1.18.3: 100%
Updating FreeBSD repository catalogue...
[alcatraz] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[alcatraz] Fetching packagesite.pkg: 100%    6 MiB 286.8kB/s    00:23    
Processing entries: 100%
FreeBSD repository update completed. 31626 packages processed.
All repositories are up to date.
Updating database digests format: 100%
pkg: No packages available to install matching 'visudo' have been found in the repositories
root@alcatraz:~ # 

17/ Installation du paquet 'sudo'.

root@alcatraz:~ # pkg install sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    gettext-runtime: 0.21
    indexinfo: 0.3.1
    sudo: 1.9.11p3

Number of packages to be installed: 3

The process will require 8 MiB more space.
2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[alcatraz] [1/3] Fetching indexinfo-0.3.1.pkg: 100%    6 KiB   5.7kB/s    00:01    
[alcatraz] [2/3] Fetching sudo-1.9.11p3.pkg: 100%    2 MiB 264.0kB/s    00:06    
[alcatraz] [3/3] Fetching gettext-runtime-0.21.pkg: 100%  166 KiB 169.9kB/s    00:01    
Checking integrity... done (0 conflicting)
[alcatraz] [1/3] Installing indexinfo-0.3.1...
[alcatraz] [1/3] Extracting indexinfo-0.3.1: 100%
[alcatraz] [2/3] Installing gettext-runtime-0.21...
[alcatraz] [2/3] Extracting gettext-runtime-0.21: 100%
[alcatraz] [3/3] Installing sudo-1.9.11p3...
[alcatraz] [3/3] Extracting sudo-1.9.11p3: 100%
root@alcatraz:~ # 

18/ Activation des droits d'administration pour l'utilisateur 'util01'.

root@alcatraz:~ # visudo

Chercher :

root ALL=(ALL) ALL

Ajouter après :

util01 ALL=(ALL) ALL

19/ Test.

root@station66:/usr/home/util01 # ssh util01@
Password for util01@alcatraz:
To search for files that match a particular name, use find(1); for example

    find / -name "*GENERIC*" -ls

will search '/', and all subdirectories, for files with 'GENERIC' in the name.
        --  Stephen Hilton <>
util01@alcatraz:~ $ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

root@alcatraz:/usr/home/util01 #