freebsd-skq/etc/defaults/bluetooth.device.conf
Conrad Meyer 648176e095 bluetooth: Default to discoverable off
Try to not expose bluetooth devices to external devices unless the user
explicitly configures it, like any other radio/network device.  Bluetooth
has a long history of security problems and it is probably best to keep it
disabled if not needed.

Users who do use the bluetooth device should enable "discoverable" in
bluetooth.device.conf(5) after this change.

Keep in mind that bluetooth addresses can be discovered by passive
monitoring or whole address-space scans[0], so a safety conscious user
should also disable "connectable" in bluetooth.device.conf(5).

[0]: https://www.sans.edu/cyber-research/security-laboratory/article/bluetooth

Reviewed by:	emax, hselasky
Security:	maybe
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12831
2017-11-01 18:58:54 +00:00


# Copyright (c) 2005 Maksim Yevmenkin <m_evmenkin@yahoo.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$

# The authentication_enable parameter controls whether the device requires
# authentication of the remote device at connection setup. At connection
# setup, only the devices with the authentication_enable parameter enabled
# will try to authenticate the other device.
#
# Possible values:
#
# NO or 0 authentication disabled (default);
# YES or 1 authentication enabled.
# authentication_enable="NO"

# The class parameter is used to indicate the capabilities of the device to
# other devices.
#
# For more details see "Assigned Numbers - Bluetooth Baseband" document
#
# Possible value:
#
# xx:xx:xx where xx is a hex number
# class="ff:01:0c"

# The connectable parameter controls whether or not the device should
# periodically scan for page attempts from other devices.
#
# Possible values:
#
# NO or 0 do not scan for page attempts;
# YES or 1 scan for page attempts (default).
# connectable="YES"

# The discoverable parameter controls whether or not the device should
# periodically scan for inquiry requests from other devices.
#
# Possible values:
#
# NO or 0 do not scan for inquiry requests (default);
# YES or 1 scan for inquiry requests.
# discoverable="NO"

# The encryption_mode parameter controls whether the device requires
# encryption of the connection to the remote device at connection setup. At
# connection setup, only the devices with both the authentication_enable
# parameter and the encryption_mode parameter enabled will try to encrypt the
# connection to the other device.
#
# Possible values:
#
# NONE or 0 encryption disabled (default);
# P2P or 1 encryption only for point-to-point packets;
# ALL or 2 encryption for both point-to-point and broadcast packets.
# encryption_mode="NONE"

# HCI node debug level. Higher values mean more verbose output.
#
# Possible values: 0 - 4
# hci_debug_level="3"

# L2CAP node debug level. Higher values mean more verbose output.
#
# Possible values: 0 - 4
# l2cap_debug_level="3"

# The local_name parameter provides the ability to modify the user friendly
# name for the device.
# local_name="My device"

# The role_switch parameter controls whether the local device should perform
# role switch. By default, if role switch is supported, the local device will
# try to perform role switch and become Master on incoming connection. Some
# devices do not support role switch and thus incoming connections from such
# devices will fail. If role switch is disabled then the accepting device
# will remain Slave.
#
# NO or 0 do not perform role switch;
# YES or 1 perform role switch (default).
# role_switch="YES"
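
The settings documented above can be checked mechanically. The sh script below is an added example, not part of the FreeBSD tree or of this commit: it reports which of the four security-relevant settings (discoverable, connectable, authentication_enable, encryption_mode) leave the device exposed. The parsing rules (plain key="value" lines, later files overriding earlier ones) and the names bt_get, bt_audit and bt_demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the FreeBSD tree. Assumes plain key="value" lines;
# lines starting with '#' are comments and later files override earlier ones.

# bt_get KEY FALLBACK FILE...: print the effective value, upper-cased.
bt_get() {
    key=$1 def=$2; shift 2
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" \
        "$@" 2>/dev/null | tail -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${val:-$def}"
}

# bt_audit FILE...: print one finding per line; exit status is the finding count.
# Fallbacks are the values the defaults file on this page sets for each key.
bt_audit() {
    n=0
    auth=$(bt_get authentication_enable NO "$@")
    enc=$(bt_get encryption_mode NONE "$@")
    case $(bt_get discoverable NO "$@") in
        YES|1) echo "discoverable: answers inquiry requests"; n=$((n + 1)) ;;
    esac
    case $(bt_get connectable YES "$@") in
        YES|1) echo "connectable: answers page attempts"; n=$((n + 1)) ;;
    esac
    case $auth in
        NO|0) echo "authentication_enable: remote device is not authenticated"; n=$((n + 1)) ;;
    esac
    # Per the file's comments, encryption is only tried when authentication is on.
    case $enc:$auth in
        NONE:*|0:*) echo "encryption_mode: encryption disabled"; n=$((n + 1)) ;;
        *:NO|*:0) echo "encryption_mode=$enc: not attempted while authentication_enable is off"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample input, used when no file arguments are given.
bt_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'discoverable="YES"' 'encryption_mode="P2P"' > "$tmp"
    bt_audit "$tmp" || echo "findings: $?"
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then bt_audit "$@"; else bt_demo; fi
```

Pass the defaults file first and any override file after it, so that the override wins.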