HardenedBSD is a security-enhanced fork of FreeBSD created in 2014. HardenedBSD implements many exploit mitigation and security technologies on top of FreeBSD, starting with an implementation of Address Space Layout Randomization (ASLR). The fork was created for ease of development.
To cite the https://hardenedbsd.org/content/about page – “HardenedBSD aims to implement innovative exploit mitigation and security solutions for the FreeBSD community. (…) HardenedBSD takes a holistic approach to security by hardening the system and implementing exploit mitigation technologies.”
Most FreeBSD enthusiasts know the mfsBSD project by Martin Matuska – http://mfsbsd.vx.sk/ – a FreeBSD system loaded completely into memory. The mfsBSD equivalent in the HardenedBSD world is SoloBSD – https://www.solobsd.org/ – which is based on HardenedBSD sources.
One may ask how the HardenedBSD project compares to OpenBSD, a system better known for its security, and it is a very important question. The OpenBSD developers try to write ‘good’ code without dirty hacks for performance or other reasons. Clean and secure code is the most important thing in the OpenBSD world. The OpenBSD project even made a security audit of all OpenBSD code, line by line. This was easier to achieve than it would be in FreeBSD or HardenedBSD because the OpenBSD code base is about ten times smaller. This also has other implications and possibilities. While FreeBSD (and HardenedBSD) offer many new features like a mature SMP subsystem even with some NUMA support, the ZFS filesystem, the GEOM storage framework, Bhyve virtualization, the VirtualBox option and many other modern features, OpenBSD remains a classic UNIX system with the UFS filesystem and very ‘theoretical’ SMP support. The vmm project tried to implement a new hypervisor in the OpenBSD world, but because of the lack of support for graphics it currently serves OpenBSD, Illumos and Linux guests only; you will not virtualize Windows or Mac OS X there. This is also the only virtualization option for OpenBSD, as there are no Jails on OpenBSD. The current Bhyve implementation even allows one to boot the latest Windows 2019 Technology Preview.
The HardenedBSD project is the FreeBSD code base with LOTS of security mechanisms and mitigations that are not available on FreeBSD. For example, the entire lib32 tree has been disabled by default on HardenedBSD to make it more secure. Also, LibreSSL is the default SSL library on HardenedBSD, same as on OpenBSD, while FreeBSD uses OpenSSL for compatibility reasons.
A comparison of LibreSSL and OpenSSL vulnerabilities:
- https://en.wikipedia.org/wiki/LibreSSL#Security
- https://wiki.freebsd.org/LibreSSL#LibreSSL_.28and_OpenSSL.29_Security_Vulnerabilities
One may see HardenedBSD as FreeBSD being pulled up to the OpenBSD level (at least that is the goal), but as FreeBSD has tons more code and features, it will be a harder and longer process to achieve that goal.
As I do not have that much competence in the security field I will just repost the comparison of the HardenedBSD project versus other BSD systems. The comparison is also available here – https://hardenedbsd.org/content/easy-feature-comparison – on the HardenedBSD website.
Install
The installation is almost identical to that of FreeBSD; an example installation of a HardenedBSD system (on ZFS with Boot Environments) is shown below.
First Login
This is how a freshly installed HardenedBSD system looks.
% ssh notme@localhost
Password for root@hardenedbsd.local:
FreeBSD 11.1-STABLE-HBSD (HARDENEDBSD) #0 [STABLE:HardenedBSD-11-STABLE-v1100054.1]: Thu Nov 30 03:11:44 UTC 2017

+------------------------------------------------------------------------------+
|                                                                              |
|                           Welcome to HardenedBSD!                            |
|                                                                              |
|                  [ HardenedBSD ASCII-art logo banner omitted ]               |
|                                                                              |
+------------------------------------------------------------------------------+
| keyword: sysctl, secadm, git, github.com/hardenedbsd         hardenedbsd.org |
+------------------------------------------------------------------------------+

Edit /etc/motd to change this login announcement.
root@hardenedbsd:~ #
ZFS Boot Environments
We can use pkg(8) as usual, and as I intentionally did not install the latest version of HardenedBSD, pkg(8) warns about possible compatibility issues. As sysutils/beadm is just a shell script I will install it anyway.
root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Newer FreeBSD version for package pkg:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB 628.8kB/s    00:10
Processing entries:   0%
Newer FreeBSD version for package p5-Statistics-Frequency:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default NR     /          426.0M 2018-04-05 20:24
Same as FreeBSD, the HardenedBSD system comes with a ‘crippled’ system layout when it comes to its usability under ZFS Boot Environments. The problem is that the /var and /usr filesystems/datasets are NOT placed under the pool/ROOT/bename path, so they are omitted when a new Boot Environment is created. This makes beadm (and the whole Boot Environments idea) quite useless, as the packages and base system userspace under /usr/local and /usr respectively, along with the installed packages information in /var/db/pkg and other ‘databases’, are not protected by it. But with two commands it is very easy to fix that ‘crippled’ setup, even on a running system without unmounting anything.
The default HardenedBSD (and FreeBSD) ‘crippled’ system layout looks as follows.
root@hardenedbsd:~ # zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
zroot               428M  15.0G    88K  /zroot
zroot/ROOT          426M  15.0G    88K  none
zroot/ROOT/default  426M  15.0G   426M  /
zroot/tmp            88K  15.0G    88K  /tmp
zroot/usr           352K  15.0G    88K  /usr
zroot/usr/home       88K  15.0G    88K  /usr/home
zroot/usr/ports      88K  15.0G    88K  /usr/ports
zroot/usr/src        88K  15.0G    88K  /usr/src
zroot/var           572K  15.0G    88K  /var
zroot/var/audit      88K  15.0G    88K  /var/audit
zroot/var/crash      88K  15.0G    88K  /var/crash
zroot/var/log       132K  15.0G   132K  /var/log
zroot/var/mail       88K  15.0G    88K  /var/mail
zroot/var/tmp        88K  15.0G    88K  /var/tmp
With these two commands we move the /usr and /var filesystems/datasets under pool/ROOT/bename, so that when new Boot Environments are created they are covered and protected by the Boot Environment.
root@hardenedbsd:~ # zfs rename -u zroot/usr zroot/ROOT/default/usr
root@hardenedbsd:~ # zfs rename -u zroot/var zroot/ROOT/default/var
New layout after the fix is shown below.
root@hardenedbsd:~ # zfs list
NAME                          USED  AVAIL  REFER  MOUNTPOINT
zroot                         428M  15.0G    88K  /zroot
zroot/ROOT                    427M  15.0G    88K  none
zroot/ROOT/default            426M  15.0G   426M  /
zroot/ROOT/default/usr        352K  15.0G    88K  /usr
zroot/ROOT/default/usr/home    88K  15.0G    88K  /usr/home
zroot/ROOT/default/usr/ports   88K  15.0G    88K  /usr/ports
zroot/ROOT/default/usr/src     88K  15.0G    88K  /usr/src
zroot/ROOT/default/var        572K  15.0G    88K  /var
zroot/ROOT/default/var/audit   88K  15.0G    88K  /var/audit
zroot/ROOT/default/var/crash   88K  15.0G    88K  /var/crash
zroot/ROOT/default/var/log    132K  15.0G   132K  /var/log
zroot/ROOT/default/var/mail    88K  15.0G    88K  /var/mail
zroot/ROOT/default/var/tmp     88K  15.0G    88K  /var/tmp
zroot/tmp                      88K  15.0G    88K  /tmp
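As an added example (not part of the original post), a small POSIX shell script that performs the check behind the two zfs rename commands above: given the output of `zfs list -H -o name,mountpoint`, it finds the dataset mounted at `/` (the active Boot Environment), reports datasets mounted at /usr or /var that do not sit under it, and prints the rename commands that would bring them under pool/ROOT/bename. The function names and the tab-separated sample input are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the post: detect /usr and /var datasets that
# live outside the active Boot Environment dataset (pool/ROOT/<bename>) and
# print the `zfs rename -u` commands that move them under it. Input is the
# text of `zfs list -H -o name,mountpoint` (tab separated), so the logic can
# be exercised offline against captured output.

# Print the name of the dataset mounted at "/", i.e. the active BE.
be_root_dataset() {
    printf '%s\n' "$1" | awk -F'\t' '$2 == "/" { print $1; exit }'
}

# Print datasets mounted at /usr or /var whose name is not a child of the
# BE root. These are exactly the ones beadm create would leave out.
be_stray_datasets() {
    list=$1
    root=$(be_root_dataset "$list")
    [ -n "$root" ] || { echo "no dataset mounted at /" >&2; return 1; }
    printf '%s\n' "$list" | awk -F'\t' -v root="$root" '
        ($2 == "/usr" || $2 == "/var") && index($1, root "/") != 1 { print $1 }'
}

# Emit the fix. -u keeps the filesystems mounted, as in the post, so it is
# safe on a running system; child datasets (zroot/usr/home ...) move along
# with their parent, so only the top-level dataset needs renaming.
be_fix_commands() {
    list=$1
    root=$(be_root_dataset "$list")
    be_stray_datasets "$list" | while IFS= read -r ds; do
        printf 'zfs rename -u %s %s/%s\n' "$ds" "$root" "${ds##*/}"
    done
}

# Constructed sample: the default ("crippled") layout from the post, in the
# form `zfs list -H -o name,mountpoint` prints it.
SAMPLE_DEFAULT=$(printf 'zroot\t/zroot\nzroot/ROOT\tnone\nzroot/ROOT/default\t/\nzroot/tmp\t/tmp\nzroot/usr\t/usr\nzroot/usr/home\t/usr/home\nzroot/var\t/var\nzroot/var/log\t/var/log\n')

# On a live HardenedBSD host use: be_fix_commands "$(zfs list -H -o name,mountpoint)"
be_fix_commands "$SAMPLE_DEFAULT"
```

Review the printed commands before running them; on the sample above they are the same two renames shown in the post.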
Base System Update
While FreeBSD uses freebsd-update for base system updates, the HardenedBSD project uses its own hbsd-update tool, which does not rely on delta patches.
root@hardenedbsd:~ # freebsd-update
freebsd-update: Command not found.
The hbsd-update tool has a nice feature: it can perform the update in a new, separate Boot Environment to which you can reboot, leaving the running system untouched. That way you can go back to the non-upgraded system anytime if anything goes wrong during the update procedure or after the update itself.
As I installed the older 1100054.1 version, we will now update to the latest 1100055 version.
root@hardenedbsd:~ # hbsd-update -I -V -b updated
[*] Latest build: hbsd-v1100055-069a9206df22a498095e5e20f5ee28b9fd859080
/tmp/tmp.wP3U86Ci/update.tar                  100% of  299 MB  434 kBps 11m46s
[*] Verified hash: 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7 = 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7
[*] Checking validity of the public key
[*] Checking the validity of base.txz
[*] Checking the validity of etcupdate.tbz
[*] Checking the validity of skip.txt
[*] Checking the validity of kernel-HARDENEDBSD.txz
[*] Checking the validity of ObsoleteFiles.txt
[*] Checking the validity of ObsoleteDirs.txt
[*] Checking the validity of script.sh
[*] Checking the validity of secadm.integriforce.rules

******************
* IMPORTANT NOTE *
******************

This update includes the PTI patch. Third-party kernel modules
(such as x11/nvidia-driver and hardenedbsd/secadm-kmod) will need
to be recompiled/reinstalled.

If you wish to postpone installing this update, please hit
Control-C within the next ten (10) seconds.

Created successfully
Mounted successfully on '/tmp/tmp.tFMmByeO'
[*] Applying base
[*] Updating /etc
[*] Manual merges need to be done.
Resolving conflict in '/etc/motd':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: mf
Resolving conflict in '/etc/periodic/daily/200.backup-passwd':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/pf.os':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.initdiskless':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/devd/usb.conf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.firewall':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.root.dist':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.debug.dist':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.usr.dist':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.tests.dist':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.include.dist':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ntpd':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/fsck':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipsec':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/pf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/sendmail':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipfw':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/services':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/regdomain.xml':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/sysctl.conf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/rc.subr':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/mail/mailer.conf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/ssh/sshd_config':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/master.passwd':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: df
--- /tmp/tmp.tFMmByeO/etc/master.passwd	2018-04-05 20:25:29.869447000 +0200
+++ /tmp/tmp.tFMmByeO/var/db/etcupdate/conflicts/etc/master.passwd	2018-04-06 09:36:06.231096000 +0200
@@ -1,6 +1,10 @@
 # $FreeBSD$
 #
+ (stock) toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: mf
Resolving conflict in '/etc/devd.conf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
Resolving conflict in '/etc/defaults/rc.conf':
Select: (p) postpone, (df) diff-full, (e) edit, (h) help for more options: tf
[*] Updating the password database
[*] Applying kernel HARDENEDBSD
[*] Removing obsolete files
Remove /tmp/tmp.tFMmByeO/boot/pcibios.4th (Y/n)? y
[+] Removing /tmp/tmp.tFMmByeO/boot/pcibios.4th
Remove /tmp/tmp.tFMmByeO/usr/lib/librt_p.a (Y/n)? y
[+] Removing /tmp/tmp.tFMmByeO/usr/lib/librt_p.a
[*] Applying Integriforce rules
Unmounted successfully
Activated successfully
The update procedure is now finished; the new Boot Environment is present and already set to be activated upon reboot.
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default N      /           95.4M 2018-04-05 20:24
updated R      -          887.4M 2018-04-06 09:35
Before rebooting into the updated system we may want to modify some files. Let's mount that Boot Environment for that purpose.
root@hardenedbsd:~ # beadm mount updated
Mounted successfully on '/tmp/BE-updated.8sbzisOh'
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint                Space Created
default N      /                         95.5M 2018-04-05 20:24
updated R      /tmp/BE-updated.8sbzisOh 887.4M 2018-04-06 09:35
root@hardenedbsd:~ # cd /tmp/BE-updated.8sbzisOh
// MAKE NEEDED CHANGES BEFORE REBOOT
root@hardenedbsd:/tmp/BE-updated.8sbzisOh # cd
root@hardenedbsd:~ # beadm umount updated
Unmounted successfully
root@hardenedbsd:~ # shutdown -r now
After the reboot we can see that our HardenedBSD system is indeed upgraded to the newer version.
root@hardenedbsd:~ # sysctl hardening.version
hardening.version: 1100055
Now pkg(8) does not warn about possible incompatibilities, because the earlier warnings were caused by the older HardenedBSD version we were running.
root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB 224.6kB/s    00:28
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default -      -           95.6M 2018-04-05 20:24
updated NR     /          928.1M 2018-04-06 09:35
As we can see, we can still get back to the older Boot Environment with our 1100054.1 HardenedBSD system if needed.
Here are datasets for both systems.
root@hardenedbsd:~ # zfs list
NAME                          USED  AVAIL  REFER  MOUNTPOINT
zroot                         930M  14.5G    88K  /zroot
zroot/ROOT                    928M  14.5G    88K  none
zroot/ROOT/default            364K  14.5G   426M  /
zroot/ROOT/default/usr           0  14.5G    88K  /usr
zroot/ROOT/default/usr/home      0  14.5G    88K  /usr/home
zroot/ROOT/default/usr/ports     0  14.5G    88K  /usr/ports
zroot/ROOT/default/usr/src       0  14.5G    88K  /usr/src
zroot/ROOT/default/var        132K  14.5G    88K  /var
zroot/ROOT/default/var/audit     0  14.5G    88K  /var/audit
zroot/ROOT/default/var/crash     0  14.5G    88K  /var/crash
zroot/ROOT/default/var/log     76K  14.5G   132K  /var/log
zroot/ROOT/default/var/mail      0  14.5G    88K  /var/mail
zroot/ROOT/default/var/tmp     56K  14.5G    88K  /var/tmp
zroot/ROOT/updated            927M  14.5G   497M  /
zroot/ROOT/updated/usr        300M  14.5G   300M  /usr
zroot/ROOT/updated/usr/home    88K  14.5G    88K  /usr/home
zroot/ROOT/updated/usr/ports   88K  14.5G    88K  /usr/ports
zroot/ROOT/updated/usr/src    144K  14.5G    88K  /usr/src
zroot/ROOT/updated/var       36.0M  14.5G  35.2M  /var
zroot/ROOT/updated/var/audit  144K  14.5G    88K  /var/audit
zroot/ROOT/updated/var/crash  144K  14.5G    88K  /var/crash
zroot/ROOT/updated/var/log    216K  14.5G   132K  /var/log
zroot/ROOT/updated/var/mail   144K  14.5G    88K  /var/mail
zroot/ROOT/updated/var/tmp    144K  14.5G    88K  /var/tmp
zroot/tmp                      88K  14.5G    88K  /tmp
We will now destroy the older 1100054.1 HardenedBSD system, as it is no longer needed.
root@hardenedbsd:~ # beadm destroy default
Are you sure you want to destroy 'default'?
This action cannot be undone (y/[n]): y
Boot environment 'default' was created from existing snapshot
Destroy 'updated@2018-04-06-09:35:01' snapshot? (y/[n]): y
Destroyed successfully
Let's check that we are running the latest version.
root@hardenedbsd:~ # hbsd-update -I -V -b new
[*] This system is already on the latest version.
HardenedBSD Ports
To get a general idea: if software is in FreeBSD Ports, then it is in HardenedBSD Ports. Both FreeBSD and HardenedBSD provide packages built from their ports trees, but not all packages available on FreeBSD are available on HardenedBSD, because some fail to build against LibreSSL (FreeBSD still has OpenSSL in base) and others fail to build because of the HardenedBSD security mechanisms and mitigations that are enabled. There is also one counter-example to that rule: there is an audio/lame package in HardenedBSD while there is none on FreeBSD.
The good thing about the HardenedBSD community is their response speed. For example, I had a problem with the sysutils/bareos-client port that failed to build – bareos-client fails to build – https://groups.google.com/a/hardenedbsd.org/forum/#!topic/users/xop4rVGVRC4 – and within hours they modified the port to allow me to build it against GnuTLS – Bug 227318 – sysutils/bareos-server: Add GNUTLS option – https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227318 – which worked like a charm. It was so fast and accurate that even the overpriced enterprise support from Oracle or Dell EMC does not work that fast and that well.
Same as with the freebsd-update tool, the HardenedBSD project does not use the portsnap tool.
root@hardenedbsd:~ # portsnap fetch extract
portsnap: Command not found.
The git tool is used instead. You first need to add it from the pkg(8) repository like any other package, as shown below.
root@hardenedbsd:~ # pkg install git-lite
Now you may want to use git to fetch the HardenedBSD Ports tree. One thing that I find inconvenient is that you must KNOW the GitHub URL to type, same as with OpenBSD for packages. I like the FreeBSD approach more here, as I do not have to remember that.
root@hardenedbsd:~ # git clone --depth=1 https://github.com/HardenedBSD/hardenedbsd-ports.git /usr/ports
Cloning into '/usr/ports'...
remote: Counting objects: 170097, done.
remote: Compressing objects: 100% (155861/155861), done.
remote: Total 170097 (delta 11341), reused 115842 (delta 9658), pack-reused 0
Receiving objects: 100% (170097/170097), 64.51 MiB | 335.00 KiB/s, done.
Resolving deltas: 100% (11341/11341), done.
Checking out files: 100% (135035/135035), done.
Let's verify the contents.
root@hardenedbsd:~ # find /usr/ports | head -20
.
./www
./www/ocaml-net
./www/ocaml-net/files
./www/ocaml-net/files/patch-Makefile.rules
./www/ocaml-net/distinfo
./www/ocaml-net/Makefile
./www/ocaml-net/pkg-descr
./www/pear-Services_TinyURL
./www/pear-Services_TinyURL/distinfo
./www/pear-Services_TinyURL/Makefile
./www/pear-Services_TinyURL/pkg-descr
./www/grafana5
./www/grafana5/files
./www/grafana5/files/grafana.in
./www/grafana5/files/grafana.conf.in
./www/grafana5/pkg-plist
./www/grafana5/pkg-descr
./www/grafana5/Makefile
./www/grafana5/distinfo
Subsequent updates are done using the git pull command.
root@hardenedbsd:/usr/ports # git pull
Already up to date.
The HardenedBSD system I configured here has 1 GB RAM, but with the default ZFS ARC size that is not enough for git to run.
root@hardenedbsd:~ # grep git /var/log/messages
Apr  6 14:47:42 hardenedbsd kernel: [18059] pid 32538 (git), uid 0, was killed: out of swap space
To leave more RAM for processes and take some away from the ZFS cache (ARC), put these lines into the /boot/loader.conf file and reboot the system for the changes to take effect. The amount of RAM known not to have issues with git memory usage is 2 GB.
root@hardenedbsd:~ # cat >> /boot/loader.conf << __EOF
# ZFS
vfs.zfs.arc_min="1M"
vfs.zfs.arc_max="32M"
__EOF
root@hardenedbsd:~ # shutdown -r now
HardenedBSD Base System Sources
The HardenedBSD base system sources are also fetched with the git tool. Below is an example command that fetches the sources.
root@hardenedbsd:~ # git clone --depth=1 --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ /usr/src
Cloning into '/usr/src'...
remote: Counting objects: 2314758, done.
remote: Compressing objects: 100% (4207/4207), done.
remote: Total 2314758 (delta 53355), reused 51865 (delta 51526), pack-reused 2258987
Receiving objects: 100% (2314758/2314758), 1.26 GiB | 75.00 KiB/s, done.
Resolving deltas: 100% (1769344/1769344), done.
root@hardenedbsd:~ #
Security Administration (secadm)
The HardenedBSD secadm tool allows users to toggle exploit mitigations on a per-application and per-jail basis. Users will typically use secadm to disable the PAGEEXEC and/or MPROTECT restrictions, or to use Integriforce, an implementation of verified execution that enforces hash-based signatures for binaries and their dependent shared objects.
First, let's add the secadm tool from the pkg(8) repository.
root@hardenedbsd:~ # pkg search secadm
secadm-0.5.1                   HardenedBSD Security Administration
secadm-kmod-0.5.1              HardenedBSD Security Administration
root@hardenedbsd:~ # pkg install secadm secadm-kmod
Updating HardenedBSD repository catalogue...
HardenedBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	secadm: 0.5.1 [HardenedBSD]
	secadm-kmod: 0.5.1 [HardenedBSD]
	libucl: 0.8.0 [HardenedBSD]

Number of packages to be installed: 3

166 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching secadm-0.5.1.txz: 100%   53 KiB  54.6kB/s    00:01
[2/3] Fetching secadm-kmod-0.5.1.txz: 100%   12 KiB  12.7kB/s    00:01
[3/3] Fetching libucl-0.8.0.txz: 100%  100 KiB 102.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/3] Installing libucl-0.8.0...
[1/3] Extracting libucl-0.8.0: 100%
[2/3] Installing secadm-0.5.1...
[2/3] Extracting secadm-0.5.1: 100%
[3/3] Installing secadm-kmod-0.5.1...
[3/3] Extracting secadm-kmod-0.5.1: 100%
Message from secadm-0.5.1:

======================================================================
When you running on custom kernel config, please consult with the
kernel's source tree, especially with UPDATING-HardenedBSD file.
If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:
        options PAX_CONTROL_ACL
        options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
        options PAX_CONTROL_EXTATTR
        hbsdcontrol
        secadm

https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1
======================================================================
Message from secadm-kmod-0.5.1:

======================================================================
When you running on custom kernel config, please consult with the
kernel's source tree, especially with UPDATING-HardenedBSD file.
If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:
        options PAX_CONTROL_ACL
        options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
        options PAX_CONTROL_EXTATTR
        hbsdcontrol
        secadm

https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1
======================================================================
Now let's create a simple Integriforce rule for the /bin/dd command.
root@hardenedbsd:~ # cat >> /usr/local/etc/secadm.rules << __EOF
secadm {
	integriforce {
		path: "/bin/dd",
		hash: "72be7c66d4b0a7b776bfac314310edc7423fc251666d548ccde8bf3f9b5b37af",
		type: "sha256",
		mode: "hard",
	}
}
__EOF
Let's enable secadm in the /etc/rc.conf file.
root@hardenedbsd:~ # sysrc secadm_enable=YES
… and finally let's start the security administration mechanism.
root@hardenedbsd:~ # /usr/local/etc/rc.d/secadm start
Starting secadm.
Now let's verify that it really works. Let's try to modify the /bin/dd command.
root@hardenedbsd:~ # echo 1 >> /bin/dd
/bin/dd: Operation not permitted.
root@hardenedbsd:~ # tail -1 /var/log/messages
Apr  6 12:44:28 hardenedbsd kernel: [10664] [SECADM] Prevented modification of (/bin/dd): protected by a SECADM rule.
But the /bin/dd command itself works as usual.
root@hardenedbsd:~ # /bin/dd FILE bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.039543 secs (26517139 bytes/sec)
root@hardenedbsd:~ # ls -lh FILE
-rw-r--r--  1 root  wheel   1.0M Apr  6 12:06 FILE
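As an added example (not code from the post or from the secadm project), a POSIX shell helper that produces Integriforce rules in the same layout as the /bin/dd rule above for any number of binaries, computing each SHA-256 with whatever tool the host provides (sha256(1) on HardenedBSD, sha256sum or openssl elsewhere). The function names are hypothetical; the mode value "hard" is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the post: generate secadm Integriforce rules for a
# list of binaries, in the UCL layout the post writes to
# /usr/local/etc/secadm.rules, with the sha256 of each file filled in.

# Print the SHA-256 hex digest of a file with whichever tool is present:
# sha256(1) on FreeBSD/HardenedBSD, sha256sum on Linux, openssl as fallback.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    fi
}

# Emit one integriforce { ... } entry for a path. The mode defaults to "hard",
# the value used in the post (secadm then refuses to run a mismatching file).
integriforce_rule() {
    path=$1
    mode=${2:-hard}
    hash=$(file_sha256 "$path") || return 1
    printf '\tintegriforce {\n\t\tpath: "%s",\n\t\thash: "%s",\n\t\ttype: "sha256",\n\t\tmode: "%s",\n\t}\n' \
        "$path" "$hash" "$mode"
}

# Wrap one rule per argument in a secadm { ... } block. Paths that are not
# regular files are skipped with a message, so a typo does not silently yield
# a rule that protects nothing.
secadm_rules_for() {
    printf 'secadm {\n'
    for p in "$@"; do
        [ -f "$p" ] || { echo "skipping $p: not a regular file" >&2; continue; }
        integriforce_rule "$p" hard
    done
    printf '}\n'
}

# On a HardenedBSD host: secadm_rules_for /bin/dd /bin/sh >> /usr/local/etc/secadm.rules
# followed by a secadm restart so the new hashes are loaded.
secadm_rules_for /bin/dd
```

Regenerate and reload the rules after every base system update (hbsd-update replaces the protected binaries, so their hashes change), otherwise a "hard" rule blocks the updated program.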
Resources
The HardenedBSD Handbook is mainly a copy of the FreeBSD Handbook, with Chapter 14. HardenedBSD being the part specific to HardenedBSD. This is fine, because HardenedBSD is generally a modified FreeBSD system, so most things work the same way.
https://hardenedbsd.org/~shawn/hbsd_handbook/book.html#hardenedbsd-secadm
The HardenedBSD Forum is available on Google Groups.
https://groups.google.com/a/hardenedbsd.org/forum/#!forum/users
A list of HardenedBSD applications that need custom secadm rules is available here.
https://github.com/HardenedBSD/hardenedBSD/wiki/Non-Compliant-Applications
There is also a whole GitHub repository with secadm rules.
https://github.com/HardenedBSD/secadm-rules
The Twitter accounts for HardenedBSD and SoloBSD:
https://twitter.com/HardenedBSD
https://twitter.com/SoloBSD
OPNsense Connection
One last thing to notice is the OPNsense connection, broadly described here.
https://wiki.opnsense.org/relations/hardenedBSD.html
https://hardenedbsd.org/article/shawn-webb/2015-06-10/first-official-opnsense-images-hardenedbsd
UPDATE 1 – HardenedBSD Switching Back to OpenSSL
To cite the HardenedBSD project site:
Over a year ago, HardenedBSD switched to LibreSSL as the default cryptographic library in base for 12-CURRENT. 11-STABLE followed suit later on. Bernard Spil has done an excellent job at keeping our users up-to-date with the latest security patches from LibreSSL.
After recently updating 12-CURRENT to LibreSSL 2.7.2 from 2.6.4, it has become increasingly clear to us that performing major upgrades requires a team larger than a single person. Upgrading to 2.7.2 caused a lot of fallout in our ports tree. As of 28 Apr 2018, several ports we consider high priority are still broken. As it stands right now, it would take Bernard a significant amount of his spare personal time to fix these issues.
Until we have a multi-person team dedicated to maintaining LibreSSL in base along with the patches required in ports, HardenedBSD will use OpenSSL going forward as the default cryptographic library in base. LibreSSL will co-exist with OpenSSL in the source tree, as it does now. However, MK_LIBRESSL will default to “no” instead of the current “yes”. Bernard will continue maintaining LibreSSL in base along with addressing the various problematic ports entries.
To provide our users with ample time to plan and perform updates, we will wait a period of two months prior to making the switch. The switch will occur on 01 Jul 2018 and will be performed simultaneously in 12-CURRENT and 11-STABLE. HardenedBSD will archive a copy of the LibreSSL-centric package repositories and binary updates for base for a period of six months after the switch (expiring the package repos on 01 Jan 2019). This essentially gives our users eight full months for an upgrade path.
As part of the switch back to OpenSSL, the default NTP daemon in base will switch back from OpenNTPd to ISC NTP. Users who have local_openntpd_enable="YES" set in rc.conf will need to switch back to ntpd_enable="YES".
Users who build base from source will want to fully clean their object directories. Any and all packages that link with libcrypto or libssl will need to be rebuilt or reinstalled.
With the community’s help, we look forward to the day when we can make the switch back to LibreSSL. We at HardenedBSD believe that providing our users options to rid themselves of software monocultures can better increase security and manage risk.
UPDATE 2
The Introduction to HardenedBSD World article was included in the BSD Now 245 – ZFS User Conf 2018 episode.
Thanks for mentioning!
UPDATE 3
Chapter 14. HardenedBSD of the HardenedBSD Handbook has been migrated to a wiki page available here – https://github.com/HardenedBSD/hardenedBSD/wiki – enjoy.
Good job vermaden
One thing more. There are only FreeBSD ISOs available when you buy a dedicated server, for example from OVH, Kimsufi, SoYouStart etc. There is a very easy way to convert FreeBSD into HardenedBSD:
https://xmj.github.io/articles/hardenedbsd/convert_freebsd_to_hardenedbsd.html
Thanks bryn1u.
How to proceed in order to have the latest version of the package repositories in HardenedBSD? With which command do you check to see if the system has any vulnerabilities?
Greetings!
> How to proceed in order to have the latest version of repositories for packages of the moment in HardenedBSD?
# pkg update -f
> With which command do you check to see if the system has any vulnerabilities?
# pkg audit -F