What are some specific changes you make when hardening a new NetBSD install?
Solution 1:
Please see security(8) in the NetBSD manual. You can:
- Set securelevel in rc.conf to harden a production system
- Enable security.curtain = 1 in sysctl.conf to limit users from seeing each other.
- Make relevant files immutable or append only with chflags
- Enable PaX mprotect and Address Space Layout Randomization (ASLR) extensions in sysctl.conf (security.pax.mprotect.global=1, security.pax.aslr.global=1)
- Consider Veriexec verified binaries
Please also see Elad Efrat's paper Recent Security Enhancements in NetBSD.
Please note that features that prevent changing binaries also prevent you from upgrading the system, so prepare to make upgrades in single user mode.
PaX extensions may prevent some software such as GNU make from working at all. You can leave the .global flags disabled and set PaX flags on a per-binary basis with paxctl.
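An added example (not part of the answer above or of NetBSD itself): a POSIX sh audit that checks sysctl.conf and rc.conf for the settings Solution 1 lists. The function names, the constructed sample files and the rule that securelevel must be 1 or higher are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit key=value config files for the settings listed above.

# conf_value FILE KEY: print the last value assigned to KEY, ignoring
# comments, blank lines, quotes and whitespace around '='. Fails if unset.
conf_value() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*$//' "$1" | awk -F= -v key="$2" '
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v); found = 1
            }
        }
        END { if (!found) exit 1; print v }'
}

# audit_hardening SYSCTL_CONF RC_CONF: print one line per check and
# return the number of failed checks.
audit_hardening() {
    fails=0
    for key in security.curtain security.pax.mprotect.global \
               security.pax.aslr.global; do
        val=$(conf_value "$1" "$key") || val=unset
        if [ "$val" = 1 ]; then echo "ok    $key=1"
        else echo "FAIL  $key is $val (want 1)"; fails=$((fails + 1)); fi
    done
    # Assumption of this example: securelevel 1 or higher counts as set.
    val=$(conf_value "$2" securelevel) || val=unset
    case $val in
        [1-9]*) echo "ok    securelevel=$val" ;;
        *) echo "FAIL  securelevel is $val (want >= 1)"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample files (not from a real host): the ASLR line is missing
# and securelevel is 0, so two checks fail.
demo=$(mktemp -d)
cat > "$demo/sysctl.conf" <<'EOF'
security.curtain = 1
security.pax.mprotect.global=1   # PaX mprotect
EOF
printf 'hostname=example\nsecurelevel=0\n' > "$demo/rc.conf"
audit_hardening "$demo/sysctl.conf" "$demo/rc.conf" || echo "$? check(s) failed"
rm -rf "$demo"
```

On a NetBSD host, call audit_hardening /etc/sysctl.conf /etc/rc.conf instead of the sample files. The audit reads the configuration files only, so it reports what will be applied at boot, not the running kernel's current values.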
Solution 2:
It's the same with every system:
- Install and configure a firewall. Make it as restrictive as possible.
- Make sure the system is updated regularly
- Disable password login for ssh, only allow certificates
- Set up good logging and log-analyzing procedures.
- When setting up servers: If possible, put it behind bars (chroot jails)
- Don't install X11, a web browser or any non-server software (unless it's a workstation, of course ...).
- Disconnect it from the network ;-)
Solution 3:
As SvenW said, the basic concepts pretty well apply across the board.
For a detailed read, the Center for Internet Security has a Benchmark available for FreeBSD. I imagine that it should be fairly easy to translate to your environment.