
Valuable News – 2018/08/25

UNIX

OpenBSD adds kcov(4) kernel code coverage tracing driver.
So far 8 distinct panics have been found and fixed.
https://marc.info/?l=openbsd-cvs&m=153467896308034&w=2

GCC 8.2 now packaged and available in Illumos/OpenIndiana.
https://bsd.network/@sehnsucht/100581557620270760
https://pkg.openindiana.org/hipster/info/0/developer%2Fgcc-8%408.2.0%2C5.11-2018.0.0.0%3A20180815T204704Z

FreeBSD arc4random is now based on ChaCha20 implementation from OpenBSD.
https://twitter.com/lattera/status/1031280553301925888
https://svnweb.freebsd.org/base?view=revision&revision=338059

Valve forked WINE into Proton as compatibility tool for Steam Play.
https://github.com/ValveSoftware/Proton/
https://steamcommunity.com/games/221410/announcements/detail/1696055855739350561

AMD Threadripper 2990WX 32-core/64-thread on DragonFly BSD.
http://apollo.backplane.com/DFlyMisc/threadripper.txt
http://lists.dragonflybsd.org/pipermail/users/2018-August/357858.html

Using 10GE Adapters with PowerVM SEA – Virtual Ethernet Considerations.
http://ibmsystemsmag.com/aix/administrator/virtualization/using-10gbit-ethernet-adapters/

Native ZFS Encryption on FreeBSD CFT on the road to 12.0-RELEASE.
https://lists.freebsd.org/pipermail/freebsd-current/2018-August/070832.html

Backup FreeNAS and TrueNAS to Backblaze B2 Cloud.
https://www.backblaze.com/blog/how-to-setup-freenas-cloud-storage/

Colin Percival's heroic (I am not joking here) fight for removing unneeded sleeps during boot on FreeBSD.
https://twitter.com/cperciva/status/1031928231635677184
https://reviews.freebsd.org/D16723

Writing SYSTEMD service files.
https://twitter.com/mulander/status/1031908074733428736
https://obsd.pl/mfm/iptables/

Illumos/Tribblix packages of openjdk9 and openjdk10 available.
https://twitter.com/ptribble/status/1031650238266789893
https://twitter.com/ptribble/status/1031900360271491074
http://pkgs.tribblix.org/openjdk/

Difference between OpenBSD xenodm and regular xdm.
https://undeadly.org/cgi?action=article&sid=20160911231712

X.Org Security Advisory – 2018/08/21.
http://seclists.org/oss-sec/2018/q3/146

FreeBSD removes legacy DRM and DRM2 from its tree.
https://twitter.com/f0andrey/status/1032234624544583680
https://svnweb.freebsd.org/base?view=revision&revision=338172

OmniOS CE (Community Edition) r151026p/r151024ap/r151022bn with CVE-2018-15473 addressed.
https://omniosce.org/article/releases-026p-024ap-022bn.html

Running Mastodon on FreeBSD.
https://ftfl.ca/blog/2017-05-23-mastodon-freebsd.html

Upgrading Mastodon on FreeBSD.
https://ftfl.ca/blog/2017-05-27-mastodon-freebsd-upgrade.html

KDE Plasma 5.x on Pinebook Laptop.
https://twitter.com/SoftpediaLinux/status/1032262240437723137

FreeBSD – Raspberry Pi 3B+ – UART.
https://blackdot.be/2018/08/freebsd-uart-and-raspberry-pi-3-b/

FreeBSD – Raspberry Pi 3B+ – Remote Access Console.
https://blackdot.be/2018/08/remote-access-console-using-raspberry-pi-3b-and-freebsd/

FreeBSD 12.x has LUA loader enabled by default.
https://twitter.com/bsdimp/status/1031638933690441728

In Other BSDs for 2018/08/18.
https://www.dragonflydigest.com/2018/08/18/21609.html

Shared library load order randomization in HardenedBSD for use with Firefox/Chromium/Iridium.
https://twitter.com/lattera/status/1030823681843507202

Researchers Blame ‘Monolithic’ Linux Code Base for Critical Vulnerabilities.
https://threatpost.com/researchers-blame-monolithic-linux-code-base-for-critical-vulnerabilities/136785/

2018/08/23 is the End of Life for NetBSD 6.x tree.
https://www.netbsd.org/changes/#netbsd6eol

Carlos Neira's ZCAGE is now able to create BHYVE Branded Zones on Illumos.
https://bsd.network/@sehnsucht/100599247272911030
https://www.npmjs.com/package/zcage
https://asciinema.org/a/QLnjO8J2NVVPQrs3jh0EKEGta

FreeNAS 11.1-U6 Available.
https://twitter.com/FreeBSD_News/status/1032666675194167297
https://www.ixsystems.com/blog/library/freenas-11-1-u6/

FreeBSD vs. DragonFly BSD vs. Linux on AMD Threadripper 2990WX.
https://www.phoronix.com/scan.php?page=article&item=bsd-threadripper-2990wx

Disable SMT/Hyperthreading in all Intel BIOSes – Theo de Raadt.
https://marc.info/?l=openbsd-tech&m=153504937925732&w=2

OpenSSH 7.8 Released.
https://www.openssh.com/releasenotes.html#7.8

TRIM Consolidation on UFS/FFS Filesystems on FreeBSD.
https://lists.freebsd.org/pipermail/freebsd-current/2018-August/070797.html

FreeBSD vt(4) will now cache most recently drawn text to not redraw it.
https://reviews.freebsd.org/D16723

What is New in Solaris 11.4?
https://www.oracle.com/a/ocom/docs/dc/sev100738019-ww-us-on-ce1-ie1a-ev.html

OpenBSD Foundation gets first 2018 Iridium ($100K+) donation.
https://undeadly.org/cgi?action=article;sid=20180824145543

How to Run a More Secure Browser.
https://www.dragonflybsd.org/docs/docs/handbook/RunSecureBrowser/

Hardware

IBM POWER9 E950 and E980 Servers Launched.
https://www.servethehome.com/ibm-power9-e950-and-e980-servers-launched/

Intel Microcode EULA Prohibits Benchmarking!
https://twitter.com/RaptorEng/status/1031919319909892096
https://pastebin.com/raw/J8MXpPdh

GIGABYTE Cavium ThunderX2 1U and 2U Systems.
https://www.anandtech.com/show/13234/gigabyte-starts-sales-of-cavium-thunderx2-to-general-customers

Fujitsu Presents Post-K arm64 A64FX™ CPU Specifications with 48 Computing Cores and 4 Assistant Cores.
http://www.fujitsu.com/global/about/resources/news/press-releases/2018/0822-02.html

A4000TX ATX Motherboard.
http://www.amibay.com/showthread.php?101477-A4000TX-ATX-Amiga-motherboard

IBM POWER9 Scale Up CPUs with Huge IO and Effective 32 Channel DDR4.
https://www.servethehome.com/ibm-power9-hc30/

Life

Why We Sleep by Matthew Walker review – how more sleep can save your life.
https://www.theguardian.com/books/2017/sep/21/why-we-sleep-by-matthew-walker-review
https://youtube.be/pwaWilO_Pig

Bullshit jobs and the yoke of managerial feudalism.
https://www.economist.com/open-future/2018/06/29/bullshit-jobs-and-the-yoke-of-managerial-feudalism

Why Garbagemen Should Earn More Than Bankers.
https://evonomics.com/why-garbage-men-should-earn-more-than-bankers/

Solitude.
https://www.pa-mar.net/Lifestyle/Solitude.html

Akrasia Effect – Why We Don't Follow Through on What We Set Out to Do and What to Do About It.
https://jamesclear.com/akrasia

Other

Move/migrate Oracle and MySQL databases to PostgreSQL.
http://www.ora2pg.com/start.html
https://github.com/darold/ora2pg/releases

LIDL Killed SAP Migration After Spending 500 Million Dollars.
https://it.toolbox.com/blogs/clintonjones/lidl-cans-sap-project-after-spending-half-a-billion-073118

All BlackHat 2018 Attendee Registration Data Hacked and Available via Unauthenticated API.
https://ninja.style/post/bcard/
https://twitter.com/binitamshah/status/1032084847345459204

GOG Launches FCKDRM to Promote DRM-Free Art and Media.
https://torrentfreak.com/gog-launches-fckdrm-to-promote-drm-free-art-and-media-180822/

EOF

Introduction to HardenedBSD World

HardenedBSD is a security-enhanced fork of FreeBSD created in 2014. It implements many exploit mitigation and security technologies on top of FreeBSD, starting with the implementation of Address Space Layout Randomization (ASLR). The fork was created for ease of development.

To cite the https://hardenedbsd.org/content/about page – “HardenedBSD aims to implement innovative exploit mitigation and security solutions for the FreeBSD community. (…) HardenedBSD takes a holistic approach to security by hardening the system and implementing exploit mitigation technologies.”

Most FreeBSD enthusiasts know the mfsBSD project by Martin Matuska – http://mfsbsd.vx.sk/ – a FreeBSD system loaded completely into memory. The mfsBSD equivalent in the HardenedBSD world is SoloBSD – https://www.solobsd.org/ – which is based on HardenedBSD sources.

SoloBSD.Boot.Menu

One may ask how the HardenedBSD project compares to OpenBSD, the system better known for its security, and it is a very important question. The OpenBSD developers try to write ‘good’ code without dirty hacks for performance or other reasons. Clean and secure code is the most important thing in the OpenBSD world. The OpenBSD project even made a security audit of all OpenBSD code, line by line. This was easier to achieve than it would be in FreeBSD or HardenedBSD because the OpenBSD code base is about ten times smaller. This also has other implications and possibilities. While FreeBSD (and HardenedBSD) offer many new features like a mature SMP subsystem even with some NUMA support, the ZFS filesystem, the GEOM storage framework, Bhyve virtualization, the VirtualBox option and many other modern features, OpenBSD remains a classic UNIX system with the UFS filesystem and very ‘theoretical’ SMP support. The vmm project tried to implement a new hypervisor in the OpenBSD world, but because of the lack of graphics support it currently runs only OpenBSD, Illumos and Linux guests; you will not virtualize Windows or Mac OS X there. This is also the only virtualization option for OpenBSD, as there are no Jails on OpenBSD. The current Bhyve implementation even allows one to boot the latest Windows 2019 Technology Preview.

The HardenedBSD project is the FreeBSD system code base with LOTS of security mechanisms and mitigations that are not available on the FreeBSD system. For example, the entire lib32 tree has been disabled by default on HardenedBSD to make it more secure. Also, LibreSSL is the default SSL library on HardenedBSD, the same as on OpenBSD, while FreeBSD uses OpenSSL for compatibility reasons.

Comparison between LibreSSL and OpenSSL vulnerabilities.

One may see HardenedBSD as FreeBSD being successfully pulled up to the OpenBSD level (at least that is the goal), but as FreeBSD has tons more code and features it will be a harder and longer process to achieve that goal.

As I do not have that much competence in the security field, I will just repost the comparison of the HardenedBSD project versus other BSD systems. The comparison is also available here – https://hardenedbsd.org/content/easy-feature-comparison – on the HardenedBSD website.

HardenedBSD.Easy.Feature.Comparison

Install

The installation is almost identical to the FreeBSD system, an example installation of HardenedBSD system (on ZFS with Boot Environments) is shown below.

HardenedBSD installation screenshots (HardenedBSD-install-00 to HardenedBSD-install-26 and HardenedBSD-install-31)

First Login

This is how a freshly installed HardenedBSD system looks.

% ssh notme@localhost
Password for root@hardenedbsd.local:
FreeBSD 11.1-STABLE-HBSD (HARDENEDBSD) #0 [STABLE:HardenedBSD-11-STABLE-v1100054.1]: Thu Nov 30 03:11:44 UTC 2017

+------------------------------------------------------------------------------+
|                                                                              |
|                             Welcome to HardenedBSD!                          |
|                                                                              |
|       _    _               _                     _ ____   _____ _____        |
|      | |  | |             | |                   | |  _ \ / ____|  __ \       |
|      | |__| | __ _ _ __ __| | ___ _ __   ___  __| | |_) | (___ | |  | |      |
|      |  __  |/ _` | '__/ _` |/ _ \ '_ \ / _ \/ _` |  _ < \___ \| |  | |      |
|      | |  | | (_| | | | (_| |  __/ | | |  __/ (_| | |_) |____) | |__| |      |
|      |_|  |_|\__,_|_|  \__,_|\___|_| |_|\___|\__,_|____/|_____/|_____/       |
|                                                                              |
+------------------------------------------------------------------------------+
|     keyword: sysctl, secadm, git, github.com/hardenedbsd hardenedbsd.org     |
+------------------------------------------------------------------------------+
                Edit /etc/motd to change this login announcement.               

root@hardenedbsd:~ # 

ZFS Boot Environments

We can use pkg(8) as usual. As I intentionally did not install the latest version of HardenedBSD, pkg(8) warns about possible compatibility issues. As sysutils/beadm is just a shell script, I will install it anyway.

root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Newer FreeBSD version for package pkg:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB 628.8kB/s    00:10    
Processing entries:   0%
Newer FreeBSD version for package p5-Statistics-Frequency:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default NR     /          426.0M 2018-04-05 20:24

Same as FreeBSD, the HardenedBSD system comes with a ‘crippled’ system layout when it comes to its usability with ZFS Boot Environments. The problem is that the /var and /usr filesystems/datasets are NOT placed under the pool/ROOT/bename path, so they are omitted when a new Boot Environment is created. This makes beadm (and the whole Boot Environments idea) quite useless, as packages and the base system userspace under /usr/local and /usr respectively, along with the installed packages information in /var/db/pkg and other ‘databases’, are not protected by it. But with two commands it is very easy to fix that ‘crippled’ setup, even on a running system, without unmounting anything.

The default HardenedBSD (and FreeBSD) ‘crippled’ system layout looks as follows.

root@hardenedbsd:~ # zfs list
NAME                 USED  AVAIL  REFER  MOUNTPOINT
zroot                428M  15.0G    88K  /zroot
zroot/ROOT           426M  15.0G    88K  none
zroot/ROOT/default   426M  15.0G   426M  /
zroot/tmp             88K  15.0G    88K  /tmp
zroot/usr            352K  15.0G    88K  /usr
zroot/usr/home        88K  15.0G    88K  /usr/home
zroot/usr/ports       88K  15.0G    88K  /usr/ports
zroot/usr/src         88K  15.0G    88K  /usr/src
zroot/var            572K  15.0G    88K  /var
zroot/var/audit       88K  15.0G    88K  /var/audit
zroot/var/crash       88K  15.0G    88K  /var/crash
zroot/var/log        132K  15.0G   132K  /var/log
zroot/var/mail        88K  15.0G    88K  /var/mail
zroot/var/tmp         88K  15.0G    88K  /var/tmp

With these two commands we move the /usr and /var filesystems/datasets under pool/ROOT/bename, so when new Boot Environments are created they will be covered and protected by the Boot Environment.

root@hardenedbsd:~ # zfs rename -u zroot/usr zroot/ROOT/default/usr
root@hardenedbsd:~ # zfs rename -u zroot/var zroot/ROOT/default/var

New layout after the fix is shown below.

root@hardenedbsd:~ # zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
zroot                          428M  15.0G    88K  /zroot
zroot/ROOT                     427M  15.0G    88K  none
zroot/ROOT/default             426M  15.0G   426M  /
zroot/ROOT/default/usr         352K  15.0G    88K  /usr
zroot/ROOT/default/usr/home     88K  15.0G    88K  /usr/home
zroot/ROOT/default/usr/ports    88K  15.0G    88K  /usr/ports
zroot/ROOT/default/usr/src      88K  15.0G    88K  /usr/src
zroot/ROOT/default/var         572K  15.0G    88K  /var
zroot/ROOT/default/var/audit    88K  15.0G    88K  /var/audit
zroot/ROOT/default/var/crash    88K  15.0G    88K  /var/crash
zroot/ROOT/default/var/log     132K  15.0G   132K  /var/log
zroot/ROOT/default/var/mail     88K  15.0G    88K  /var/mail
zroot/ROOT/default/var/tmp      88K  15.0G    88K  /var/tmp
zroot/tmp                       88K  15.0G    88K  /tmp

Base System Update

While FreeBSD uses freebsd-update for base system updates, the HardenedBSD project uses its own hbsd-update tool, which does not rely on delta patches.

root@hardenedbsd:~ # freebsd-update
freebsd-update: Command not found.

The hbsd-update tool has a nice feature: it can apply the update in a new, separate Boot Environment into which you can reboot while leaving the running system untouched. That way you can go back to the non-upgraded system at any time if anything goes wrong during the update procedure or after the update itself.

As I installed the older 1100054.1 version, we will now update to the latest 1100055 version.

root@hardenedbsd:~ # hbsd-update -I -V -b updated
[*] Latest build: hbsd-v1100055-069a9206df22a498095e5e20f5ee28b9fd859080
/tmp/tmp.wP3U86Ci/update.tar                  100% of  299 MB  434 kBps 11m46s
[*] Verified hash: 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7 = 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7
[*] Checking validity of the public key
[*] Checking the validity of base.txz
[*] Checking the validity of etcupdate.tbz
[*] Checking the validity of skip.txt
[*] Checking the validity of kernel-HARDENEDBSD.txz
[*] Checking the validity of ObsoleteFiles.txt
[*] Checking the validity of ObsoleteDirs.txt
[*] Checking the validity of script.sh
[*] Checking the validity of secadm.integriforce.rules
******************
* IMPORTANT NOTE *
******************

This update includes the PTI patch. Third-party kernel modules (such
as x11/nvidia-driver and hardenedbsd/secadm-kmod) will need to be
recompiled/reinstalled.

If you wish to postpone installing this update, please hit Control-C
within the next ten (10) seconds.
Created successfully
Mounted successfully on '/tmp/tmp.tFMmByeO'
[*] Applying base
[*] Updating /etc
[*] Manual merges need to be done.
Resolving conflict in '/etc/motd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: mf
Resolving conflict in '/etc/periodic/daily/200.backup-passwd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/pf.os':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.initdiskless':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/devd/usb.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.firewall':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.root.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.debug.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.usr.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.tests.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.include.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ntpd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/fsck':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipsec':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/pf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/sendmail':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipfw':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/services':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/regdomain.xml':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/sysctl.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.subr':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mail/mailer.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/ssh/sshd_config':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/master.passwd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: df
--- /tmp/tmp.tFMmByeO/etc/master.passwd 2018-04-05 20:25:29.869447000 +0200
+++ /tmp/tmp.tFMmByeO/var/db/etcupdate/conflicts/etc/master.passwd      2018-04-06 09:36:06.231096000 +0200
@@ -1,6 +1,10 @@
 # $FreeBSD$
 #
+ (stock)
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
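Review bot: the single added line `+ (stock)` reads like an etcupdate conflict-marker line rather than a master.passwd entry (no colon-separated fields), and the header `@@ -1,6 +1,10 @@` announces ten new-side lines while only four are shown, so this diff-full output is incomplete as displayed and should not be read as the full set of changes to the file. The `mf` (mine-full) choice that follows is the right resolution for /etc/master.passwd: the help text above defines `tf` as "accept new version of entire file (lose local changes)", which for this file would drop every locally added account.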
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: mf
Resolving conflict in '/etc/devd.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/defaults/rc.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
[*] Updating the password database
[*] Applying kernel HARDENEDBSD
[*] Removing obsolete files
Remove /tmp/tmp.tFMmByeO/boot/pcibios.4th (Y/n)? y
    [+] Removing /tmp/tmp.tFMmByeO/boot/pcibios.4th
Remove /tmp/tmp.tFMmByeO/usr/lib/librt_p.a (Y/n)? y
    [+] Removing /tmp/tmp.tFMmByeO/usr/lib/librt_p.a
[*] Applying Integriforce rules
Unmounted successfully
Activated successfully

The update procedure is now finished; the new Boot Environment is present and already set to be activated upon reboot.

root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default N      /           95.4M 2018-04-05 20:24
updated R      -          887.4M 2018-04-06 09:35

Before rebooting into the updated system we may want to modify some files. Let's mount that Boot Environment for that purpose.

root@hardenedbsd:~ # beadm mount updated
Mounted successfully on '/tmp/BE-updated.8sbzisOh'

root@hardenedbsd:~ # beadm list
BE      Active Mountpoint                Space Created
default N      /                         95.5M 2018-04-05 20:24
updated R      /tmp/BE-updated.8sbzisOh 887.4M 2018-04-06 09:35

root@hardenedbsd:~ # cd /tmp/BE-updated.8sbzisOh

// MAKE NEEDED CHANGES BEFORE REBOOT

root@hardenedbsd:/tmp/BE-updated.8sbzisOh # cd

root@hardenedbsd:~ # beadm umount updated
Unmounted successfully

root@hardenedbsd:~ # shutdown -r now
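A pre-reboot guard for the procedure above, written for this post as an added example (it is not part of the original article or of beadm). It parses beadm list -H output (tab-separated: name, active flags, mountpoint, space, created) and only reports "ok" when the environment you expect is flagged R (active on reboot) while a different environment is flagged N (active now), so the fallback described above really exists. The sample listing is constructed to mirror the beadm list output shown earlier.

```sh
#!/bin/sh
# Added example: confirm that the updated boot environment is the one set to
# boot next, and that the current one stays behind as a fallback, before
# issuing 'shutdown -r now'.

# Constructed sample of 'beadm list -H' output (not captured from a host).
sample_beadm_list() {
    printf 'default\tN\t/\t95.4M\t2018-04-05 20:24\n'
    printf 'updated\tR\t-\t887.4M\t2018-04-06 09:35\n'
}

# Print the name of the environment whose flags contain $1 (N or R).
# An environment flagged 'NR' matches both queries.
be_with_flag() {
    awk -F '\t' -v flag="$1" 'index($2, flag) { print $1; exit }'
}

# Return 0 when $1 is set to boot next and a different environment is
# currently running; otherwise explain on stderr and return 1.
reboot_is_safe() {
    want=$1
    input=$(cat)
    next=$(printf '%s\n' "$input" | be_with_flag R)
    now=$(printf '%s\n' "$input" | be_with_flag N)
    if [ "$next" != "$want" ]; then
        echo "refusing: '$want' is not active on reboot (next: '${next:-none}')" >&2
        return 1
    fi
    if [ "$now" = "$want" ]; then
        echo "nothing to do: '$want' is already the running environment" >&2
        return 1
    fi
    echo "ok: '$now' stays as fallback, '$want' boots next"
}

# Stand-alone run against the sample. On a real host:
#   beadm list -H | reboot_is_safe updated && shutdown -r now
sample_beadm_list | reboot_is_safe updated
```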

After the reboot we can see that our HardenedBSD system is indeed upgraded to the newer version.

root@hardenedbsd:~ # sysctl hardening.version
hardening.version: 1100055

pkg(8) no longer warns about possible incompatibilities; the earlier warning appeared only because we were running an older HardenedBSD version.

root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB 224.6kB/s    00:28    
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default -      -           95.6M 2018-04-05 20:24
updated NR     /          928.1M 2018-04-06 09:35

As we can see, we can still get back to the older Boot Environment with our 1100054.1 HardenedBSD system if needed.

Here are datasets for both systems.

root@hardenedbsd:~ # zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
zroot                          930M  14.5G    88K  /zroot
zroot/ROOT                     928M  14.5G    88K  none
zroot/ROOT/default             364K  14.5G   426M  /
zroot/ROOT/default/usr            0  14.5G    88K  /usr
zroot/ROOT/default/usr/home       0  14.5G    88K  /usr/home
zroot/ROOT/default/usr/ports      0  14.5G    88K  /usr/ports
zroot/ROOT/default/usr/src        0  14.5G    88K  /usr/src
zroot/ROOT/default/var         132K  14.5G    88K  /var
zroot/ROOT/default/var/audit      0  14.5G    88K  /var/audit
zroot/ROOT/default/var/crash      0  14.5G    88K  /var/crash
zroot/ROOT/default/var/log      76K  14.5G   132K  /var/log
zroot/ROOT/default/var/mail       0  14.5G    88K  /var/mail
zroot/ROOT/default/var/tmp      56K  14.5G    88K  /var/tmp
zroot/ROOT/updated             927M  14.5G   497M  /
zroot/ROOT/updated/usr         300M  14.5G   300M  /usr
zroot/ROOT/updated/usr/home     88K  14.5G    88K  /usr/home
zroot/ROOT/updated/usr/ports    88K  14.5G    88K  /usr/ports
zroot/ROOT/updated/usr/src     144K  14.5G    88K  /usr/src
zroot/ROOT/updated/var        36.0M  14.5G  35.2M  /var
zroot/ROOT/updated/var/audit   144K  14.5G    88K  /var/audit
zroot/ROOT/updated/var/crash   144K  14.5G    88K  /var/crash
zroot/ROOT/updated/var/log     216K  14.5G   132K  /var/log
zroot/ROOT/updated/var/mail    144K  14.5G    88K  /var/mail
zroot/ROOT/updated/var/tmp     144K  14.5G    88K  /var/tmp
zroot/tmp                       88K  14.5G    88K  /tmp

We will now destroy the older 1100054.1 HardenedBSD system as it is no longer needed.

root@hardenedbsd:~ # beadm destroy default
Are you sure you want to destroy 'default'?
This action cannot be undone (y/[n]): y
Boot environment 'default' was created from existing snapshot
Destroy 'updated@2018-04-06-09:35:01' snapshot? (y/[n]): y
Destroyed successfully

Let's check if we are running the latest version.

root@hardenedbsd:~ # hbsd-update -I -V -b new
[*] This system is already on the latest version.

HardenedBSD Ports

To get a general idea: if software is in FreeBSD Ports, then it is in HardenedBSD Ports. Both FreeBSD and HardenedBSD provide packages built from their ports trees, but not all packages available on FreeBSD are available on HardenedBSD, because some fail to build against LibreSSL (FreeBSD still has OpenSSL in base) and others fail to build because of the HardenedBSD security mechanisms and mitigations enabled. There is also one counter-example to that rule: there is an audio/lame package in HardenedBSD while there is none on FreeBSD.

The good thing about the HardenedBSD community is their response speed. For example, I had a problem with the sysutils/bareos-client port that failed to build – bareos-client fails to build – https://groups.google.com/a/hardenedbsd.org/forum/#!topic/users/xop4rVGVRC4 – and within hours they modified the port to allow me to build it against GnuTLS – Bug 227318 – sysutils/bareos-server: Add GNUTLS option – https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227318 – which worked like a charm. It was that fast and accurate; even the overpriced enterprise support from Oracle or Dell EMC does not work that fast and that well.

Same as with freebsd-update tool the HardenedBSD project does not use the portsnap tool.

root@hardenedbsd:~ # portsnap fetch extract
portsnap: Command not found.

The git tool is used instead. You first need to add it from the pkg(8) repository like any other package, as shown below.

root@hardenedbsd:~ # pkg install git-lite

Now you may want to use git to fetch the HardenedBSD Ports tree. One thing that I find inconvenient is that you must KNOW the GitHub URL to type, the same as with OpenBSD for packages. I like the FreeBSD approach more here, as I do not have to remember that.

root@hardenedbsd:~ # git clone --depth=1 https://github.com/HardenedBSD/hardenedbsd-ports.git /usr/ports
Cloning into '/usr/ports'...
remote: Counting objects: 170097, done.
remote: Compressing objects: 100% (155861/155861), done.
remote: Total 170097 (delta 11341), reused 115842 (delta 9658), pack-reused 0
Receiving objects: 100% (170097/170097), 64.51 MiB | 335.00 KiB/s, done.
Resolving deltas: 100% (11341/11341), done.
Checking out files: 100% (135035/135035), done.

Let's verify the contents.

root@hardenedbsd:~ # find /usr/ports | head -20
.
./www
./www/ocaml-net
./www/ocaml-net/files
./www/ocaml-net/files/patch-Makefile.rules
./www/ocaml-net/distinfo
./www/ocaml-net/Makefile
./www/ocaml-net/pkg-descr
./www/pear-Services_TinyURL
./www/pear-Services_TinyURL/distinfo
./www/pear-Services_TinyURL/Makefile
./www/pear-Services_TinyURL/pkg-descr
./www/grafana5
./www/grafana5/files
./www/grafana5/files/grafana.in
./www/grafana5/files/grafana.conf.in
./www/grafana5/pkg-plist
./www/grafana5/pkg-descr
./www/grafana5/Makefile
./www/grafana5/distinfo

Subsequent updates are done using the git pull command.

root@hardenedbsd:/usr/ports # git pull
Already up to date.

The HardenedBSD system I use here has 1 GB RAM, which with the default ZFS ARC size is not enough for git to run.

root@hardenedbsd:~ # grep git /var/log/messages 
Apr  6 14:47:42 hardenedbsd kernel: [18059] pid 32538 (git), uid 0, was killed: out of swap space

To leave more RAM for 'processes' and take some away from the ZFS cache (ARC), put these lines into the /boot/loader.conf file and reboot the system for the changes to take effect. A system with 2 GB RAM is known to have no issues with git memory usage.

root@hardenedbsd:~ # cat >> /boot/loader.conf << __EOF
# ZFS
vfs.zfs.arc_min="1M"
vfs.zfs.arc_max="32M"
__EOF

root@hardenedbsd:~ # shutdown -r now

HardenedBSD Base System Sources

The HardenedBSD base system sources are also fetched with git tool. Below is an example command that fetches the sources.

root@hardenedbsd:~ # git clone --depth=1 --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ /usr/src
Cloning into '/usr/src'...
remote: Counting objects: 2314758, done.
remote: Compressing objects: 100% (4207/4207), done.
remote: Total 2314758 (delta 53355), reused 51865 (delta 51526), pack-reused 2258987
Receiving objects: 100% (2314758/2314758), 1.26 GiB | 75.00 KiB/s, done.
Resolving deltas: 100% (1769344/1769344), done.
root@hardenedbsd:~ #

Security Administration (secadm)

The HardenedBSD secadm tool allows users to toggle exploit mitigations on a per-application and per-jail basis. Users will typically use secadm to disable PAGEEXEC and/or MPROTECT restrictions, or to use Integriforce, an implementation of verified execution that enforces hash-based checks for binaries and their dependent shared objects.

First, let's install the secadm tool from the pkg(8) repository.

root@hardenedbsd:~ # pkg search secadm
secadm-0.5.1                   HardenedBSD Security Administration
secadm-kmod-0.5.1              HardenedBSD Security Administration

root@hardenedbsd:~ # pkg install secadm secadm-kmod
Updating HardenedBSD repository catalogue...
HardenedBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        secadm: 0.5.1 [HardenedBSD]
        secadm-kmod: 0.5.1 [HardenedBSD]
        libucl: 0.8.0 [HardenedBSD]

Number of packages to be installed: 3

166 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching secadm-0.5.1.txz: 100%   53 KiB  54.6kB/s    00:01    
[2/3] Fetching secadm-kmod-0.5.1.txz: 100%   12 KiB  12.7kB/s    00:01    
[3/3] Fetching libucl-0.8.0.txz: 100%  100 KiB 102.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing libucl-0.8.0...
[1/3] Extracting libucl-0.8.0: 100%
[2/3] Installing secadm-0.5.1...
[2/3] Extracting secadm-0.5.1: 100%
[3/3] Installing secadm-kmod-0.5.1...
[3/3] Extracting secadm-kmod-0.5.1: 100%
Message from secadm-0.5.1:

======================================================================

When you running on custom kernel config, please consult with the 
kernel's source tree, especially with UPDATING-HardenedBSD file.

If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:

 options PAX_CONTROL_ACL
 options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
 options PAX_CONTROL_EXTATTR

 hbsdcontrol secadm

 https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1

======================================================================
Message from secadm-kmod-0.5.1:

======================================================================

When you running on custom kernel config, please consult with the 
kernel's source tree, especially with UPDATING-HardenedBSD file.

If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:

 options PAX_CONTROL_ACL
 options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
 options PAX_CONTROL_EXTATTR

 hbsdcontrol secadm

 https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1

======================================================================

Now let's create a simple Integriforce rule for the /bin/dd command.

root@hardenedbsd:~ # cat >> /usr/local/etc/secadm.rules << __EOF
secadm {
  integriforce {
    path: "/bin/dd",
    hash: "72be7c66d4b0a7b776bfac314310edc7423fc251666d548ccde8bf3f9b5b37af",
    type: "sha256",
    mode: "hard",
  }
}
__EOF

Let's enable secadm in the /etc/rc.conf file.

root@hardenedbsd:~ # sysrc secadm_enable=YES

… and finally let's start the security administration mechanism.

root@hardenedbsd:~ # /usr/local/etc/rc.d/secadm start
Starting secadm.

Now let's verify that it really works. Let's try to modify the /bin/dd command.

root@hardenedbsd:~ # echo 1 >> /bin/dd
/bin/dd: Operation not permitted.

root@hardenedbsd:~ # tail -1 /var/log/messages 
Apr 6 12:44:28 hardenedbsd kernel: [10664] [SECADM] Prevented modification of (/bin/dd): protected by a SECADM rule.

But the /bin/dd command works as usual.

root@hardenedbsd:~ # /bin/dd < /dev/zero > FILE bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.039543 secs (26517139 bytes/sec)

root@hardenedbsd:~ # ls -lh FILE
-rw-r--r--  1 root  wheel   1.0M Apr  6 12:06 FILE
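The rule above was written by hand with a precomputed hash. The script below is an added example, not part of secadm or HardenedBSD, that generates Integriforce rules in the same UCL layout for any list of binaries and later re-hashes the files listed in a rules file to detect drift (a binary that changed after the rule was written, which in "hard" mode would refuse to run). The sha256 helper picks whichever hashing utility the running system has; the demo at the bottom works on a constructed file, not on a real binary.

```shell
#!/bin/sh
# Added example, not code from secadm or HardenedBSD: build Integriforce rules
# for a list of binaries and later check that each binary still matches the
# hash recorded in the rules file (same UCL layout as the /bin/dd rule above).
# The verify step pairs each path: line with the hash: line that follows it,
# so paths containing whitespace are not supported.

# Portable SHA-256 of one file: sha256sum (Linux), shasum (macOS) or the
# BSD sha256(1) utility, whichever exists where the script runs.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    sha256 -q "$1"
  fi
}

# Print one integriforce { } block for $1; $2 is the mode (default "hard",
# the enforcing mode the rule on this page uses).
integriforce_rule() {
  _path=$1
  _mode=${2:-hard}
  _hash=$(file_sha256 "$_path") || return 1
  printf '  integriforce {\n'
  printf '    path: "%s",\n' "$_path"
  printf '    hash: "%s",\n' "$_hash"
  printf '    type: "sha256",\n'
  printf '    mode: "%s",\n' "$_mode"
  printf '  }\n'
}

# Print a complete secadm.rules document covering every path given.
integriforce_rules_file() {
  printf 'secadm {\n'
  for _p in "$@"; do
    integriforce_rule "$_p" hard || return 1
  done
  printf '}\n'
}

# Re-hash every path listed in a rules file and print OK/MISMATCH per entry.
# Returns 1 if any binary no longer matches its recorded hash.
integriforce_verify() {
  _report=$(awk -F'"' '/path:/ { p = $2 } /hash:/ { print p, $2 }' "$1" |
    while read -r _p _h; do
      _now=$(file_sha256 "$_p" 2>/dev/null)
      if [ "$_now" = "$_h" ]; then
        printf 'OK %s\n' "$_p"
      else
        printf 'MISMATCH %s expected=%s actual=%s\n' "$_p" "$_h" "${_now:-unreadable}"
      fi
    done)
  printf '%s\n' "$_report"
  case $_report in
    *MISMATCH*) return 1 ;;
  esac
  return 0
}

# Stand-alone demo on a constructed file (no real binaries are touched):
# generate rules, verify, then tamper with the file and verify again.
_demo=$(mktemp -d)
printf 'constructed sample binary\n' > "$_demo/sample"
integriforce_rules_file "$_demo/sample" > "$_demo/secadm.rules"
cat "$_demo/secadm.rules"
integriforce_verify "$_demo/secadm.rules"
printf 'tampered\n' >> "$_demo/sample"
integriforce_verify "$_demo/secadm.rules" || echo "drift detected, as expected"
rm -rf "$_demo"
```

Running integriforce_verify /usr/local/etc/secadm.rules after a package upgrade tells you which rules need regenerating before the next reboot, since a "hard" rule with a stale hash will refuse to run the upgraded binary.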

Resources

The HardenedBSD Handbook is mostly a copy of the FreeBSD Handbook, with an added Chapter 14 (HardenedBSD) covering the HardenedBSD-specific parts. This is good because HardenedBSD is generally a modified FreeBSD system, so most things work the same way.
https://hardenedbsd.org/~shawn/hbsd_handbook/book.html#hardenedbsd-secadm

The HardenedBSD Forum is available on Google Groups.
https://groups.google.com/a/hardenedbsd.org/forum/#!forum/users

List of HardenedBSD applications that need custom secadm rules is available here.
https://github.com/HardenedBSD/hardenedBSD/wiki/Non-Compliant-Applications

There is also a whole GitHub repository with secadm rules.
https://github.com/HardenedBSD/secadm-rules

The Twitter accounts for both HardenedBSD and SoloBSD.
https://twitter.com/HardenedBSD
https://twitter.com/SoloBSD

OPNsense Connection

One last thing to notice is the OPNsense connection broadly described here.
https://wiki.opnsense.org/relations/hardenedBSD.html
https://hardenedbsd.org/article/shawn-webb/2015-06-10/first-official-opnsense-images-hardenedbsd

UPDATE 1 – HardenedBSD Switching Back to OpenSSL

To cite the HardenedBSD project site:

Over a year ago, HardenedBSD switched to LibreSSL as the default cryptographic library in base for 12-CURRENT. 11-STABLE followed suit later on. Bernard Spil has done an excellent job at keeping our users up-to-date with the latest security patches from LibreSSL.

After recently updating 12-CURRENT to LibreSSL 2.7.2 from 2.6.4, it has become increasingly clear to us that performing major upgrades requires a team larger than a single person. Upgrading to 2.7.2 caused a lot of fallout in our ports tree. As of 28 Apr 2018, several ports we consider high priority are still broken. As it stands right now, it would take Bernard a significant amount of his spare personal time to fix these issues.

Until we have a multi-person team dedicated to maintaining LibreSSL in base along with the patches required in ports, HardenedBSD will use OpenSSL going forward as the default cryptographic library in base. LibreSSL will co-exist with OpenSSL in the source tree, as it does now. However, MK_LIBRESSL will default to “no” instead of the current “yes”. Bernard will continue maintaining LibreSSL in base along with addressing the various problematic ports entries.

To provide our users with ample time to plan and perform updates, we will wait a period of two months prior to making the switch. The switch will occur on 01 Jul 2018 and will be performed simultaneously in 12-CURRENT and 11-STABLE. HardenedBSD will archive a copy of the LibreSSL-centric package repositories and binary updates for base for a period of six months after the switch (expiring the package repos on 01 Jan 2019). This essentially gives our users eight full months for an upgrade path.

As part of the switch back to OpenSSL, the default NTP daemon in base will switch back from OpenNTPd to ISC NTP. Users who have local_openntpd_enable=”YES” set in rc.conf will need to switch back to ntpd_enable=”YES”.

Users who build base from source will want to fully clean their object directories. Any and all packages that link with libcrypto or libssl will need to be rebuilt or reinstalled.

With the community’s help, we look forward to the day when we can make the switch back to LibreSSL. We at HardenedBSD believe that providing our users options to rid themselves of software monocultures can better increase security and manage risk.

UPDATE 2

The Introduction to HardenedBSD World article was included in the BSD Now 245 – ZFS User Conf 2018 episode.

Thanks for mentioning!

UPDATE 3

The Chapter 14. HardenedBSD of the HardenedBSD Handbook has been migrated/ported to wiki page available here – https://github.com/HardenedBSD/hardenedBSD/wiki – enjoy.

EOF

FreeBSD Desktop – Part 1 – Simplified Boot

This is the first post in the FreeBSD Desktop series.

You may want to check other articles in the FreeBSD Desktop series on the FreeBSD Desktop – Global Page where you will find links to all episodes of the series along with table of contents for each episode’s contents.

The default FreeBSD boot process is quite verbose, with a lot of debugging information along with kernel messages. We may divide that boot process into several 'screens' or stages. The first thing You see is the 'BIOS' screen of the computer manufacturer. The second is the FreeBSD BTX Loader. The third is the FreeBSD Boot Menu, with ZFS Boot Environments if You use ZFS for the root filesystem and other options such as Single User Mode. The fourth is the system boot along with kernel messages in non-native resolution. In the middle of that stage the screen switches to native resolution and continues to display kernel messages and services, leading to the text prompt with login: at the end. Then comes an optional fifth screen, which may be a graphical (x11) login manager like slim or gdm.

This verbose information is usually useful for servers but not that much for laptops and/or desktop/workstation systems. The UNIX philosophy is to not 'say' anything to stdout if everything is OK, so stdout/stderr should only be used when something is wrong … like on AMIGA: if anything is wrong then I want to see a big red sign like [GURU MEDITATION], but if everything is ok, shut the … silence is golden 🙂

guru-meditation

I really like the Sun Solaris 10 approach here: it boots with minimal information like its version and hostname into the login: prompt in fewer than 10 lines. The image below is from the first Sun Solaris 10 boot, so it includes additional OpenSSH server key generation information.

sun-solaris-10-boot-first

Unfortunately – despite what Oracle says – Oracle Solaris is dying. I gathered most of the information here – Oracle just killed Solaris/SPARC/ZFS teams – https://forums.freebsd.org/threads/62320/ – on the FreeBSD Forums. The recent Oracle Solaris 11.4 release process along with the public beta will not change that. Oracle Solaris will be kept in maintenance mode for the rest of its life, which is currently set by Oracle to 2034. A pity, because even BSD bits have recently found their way into Solaris, for example the OpenBSD PF firewall; there are some differences – Comparing PF in Oracle Solaris to IP Filter and to OpenBSD Packet Filter – https://docs.oracle.com/cd/E37838_01/html/E60993/pfovw-comparall.html – but there are differences between OpenBSD PF and FreeBSD PF too.

Back to FreeBSD – according to the project website – https://freebsd.org/ – “FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms”, so why not tune the boot process to be more appealing on laptops/desktops? Below are the stages of the default FreeBSD boot process up to the login: prompt.

[screenshots: stage0-BIOS, stage1-BTX-Loader, stage2-Boot-Menu, stage3-NOMOD-Non-Native-Boot, stage4a-NOMOD-Native-Boot-A, stage4b-NOMOD-Native-Boot-B]

Not very lean by my standards. But with one parameter in /boot/loader.conf and 5 slightly silenced startup scripts it is a whole lot better. Here are the modifications needed.

First add the boot_mute=YES option to the /boot/loader.conf file.

While there, You may as well add the autoboot_delay=2 parameter to the /boot/loader.conf file to speed up the boot process by 8 seconds. The default delay is 10 seconds.

% grep boot_mute /boot/loader.conf
boot_mute=YES
%

Next we will need to modify these startup scripts.

  • /etc/rc.d/ldconfig
  • /etc/rc.d/netif
  • /etc/rc.d/nfsclient
  • /etc/rc.d/random
  • /etc/rc.d/routing

Here is the summary of the changes. In most cases it's just adding 1> /dev/null or 1> /dev/null 2> /dev/null so that unneeded information is not displayed during the boot process.

% grep -n -E '(1|2)> /dev/null' /etc/rc.d/* | grep -E 'routing|netif|ldconfig'
/etc/rc.d/ldconfig:40: check_startmsgs && echo 'ELF ldconfig path:' ${_LDC} 1> /dev/null
/etc/rc.d/ldconfig:60: echo '32-bit compatibility ldconfig path:' ${_LDC} 1> /dev/null
/etc/rc.d/netif:260: /sbin/ifconfig ${ifn} 1> /dev/null 2> /dev/null
/etc/rc.d/routing:70: eval static_${_a} delete $_if 1> /dev/null 2> /dev/null
/etc/rc.d/routing:97: static_$2 add $3 1> /dev/null 2> /dev/null
/etc/rc.d/routing:104: static_$2 add $3 add $3 1> /dev/null 2> /dev/null

The only exception is /etc/rc.d/random, which requires a little more love.

% grep -n -A 8 'random_start()' /etc/rc.d/random
45:random_start()
46-{
47-
48-   # if [ ${harvest_mask} -gt 0 ]; then
49-   #       echo -n 'Setting up harvesting: '
50-   #       ${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
51-   #       ${SYSCTL_N} kern.random.harvest.mask_symbolic
52-   # fi
53-

Here are diff(1) patches if that is easier for you.

% diff -rq ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d /etc/rc.d | column -t
Files  ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d/ldconfig   and  /etc/rc.d/ldconfig   differ
Files  ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d/netif      and  /etc/rc.d/netif      differ
Files  ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d/nfsclient  and  /etc/rc.d/nfsclient  differ
Files  ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d/random     and  /etc/rc.d/random     differ
Files  ~/CLEAN-FreeBSD-11.1-RELEASE/etc/rc.d/routing    and  /etc/rc.d/routing    differ
% diff -u ./rc.d/ldconfig /etc/rc.d/ldconfig
--- ./rc.d/ldconfig     2017-07-21 04:11:06.000000000 +0200
+++ /etc/rc.d/ldconfig  2017-12-18 09:12:18.190074000 +0100
@@ -37,7 +37,7 @@
                                _LDC="${_LDC} ${i}"
                        fi
                done
-               check_startmsgs && echo 'ELF ldconfig path:' ${_LDC}
+               check_startmsgs && echo 'ELF ldconfig path:' ${_LDC} 1> /dev/null
                ${ldconfig} -elf ${_ins} ${_LDC}
 
                case `sysctl -n hw.machine_arch` in
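Review bot: the echo on the + line is already gated by check_startmsgs, so rc_startmsgs=NO in /etc/rc.conf (the setting UPDATE 3 of this post arrives at) silences it without editing a base-system script; a patched /etc/rc.d/ldconfig will be flagged as modified by freebsd-update and mergemaster on every upgrade, and the redirected echo still runs as a no-op. If the patch is kept, > /dev/null is the conventional spelling of 1> /dev/null.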
@@ -57,7 +57,7 @@
                                fi
                        done
                        check_startmsgs &&
-                           echo '32-bit compatibility ldconfig path:' ${_LDC}
+                           echo '32-bit compatibility ldconfig path:' ${_LDC} 1> /dev/null
                        ${ldconfig} -32 -m ${_ins} ${_LDC}
                        ;;
                esac
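Review bot: same point as the first hunk: the echo is guarded by check_startmsgs && on the line above it, so rc_startmsgs=NO already covers it and the redirect only duplicates that mechanism in a file that base-system upgrades will want to replace. Behaviour is otherwise unchanged, since nothing tests the exit status of the && chain.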

% diff -u ./rc.d/netif /etc/rc.d/netif
--- ./rc.d/netif        2017-07-21 04:11:06.000000000 +0200
+++ /etc/rc.d/netif     2017-11-30 17:32:11.394251000 +0100
@@ -257,7 +257,7 @@
                esac
                if check_startmsgs; then
                        for ifn in ${_ok}; do
-                               /sbin/ifconfig ${ifn}
+                               /sbin/ifconfig ${ifn} 1> /dev/null 2> /dev/null
                        done
                fi
        fi
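Review bot: 2> /dev/null on the /sbin/ifconfig ${ifn} line discards errors, not just the per-interface summary, so an ifconfig failure for an interface in ${_ok} now vanishes silently at boot. Redirect stdout only (1> /dev/null), or better drop the change altogether: the whole for loop sits inside if check_startmsgs, so rc_startmsgs=NO skips it without touching the file.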
% diff -u ./rc.d/nfsclient /etc/rc.d/nfsclient
--- ./rc.d/nfsclient    2017-07-21 04:11:06.000000000 +0200
+++ /etc/rc.d/nfsclient 2017-12-18 09:15:38.200376000 +0100
@@ -44,7 +44,7 @@
        # successfully notified about a previous client shutdown.
        # If there is no /var/db/mounttab, we do nothing.
        if [ -f /var/db/mounttab ]; then
-               rpc.umntall -k
+               rpc.umntall -k 2> /dev/null
        fi
 }
 load_rc_config $name
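Review bot: rpc.umntall -k 2> /dev/null hides the only indication that a stale /var/db/mounttab could not be cleared, and since the if [ -f /var/db/mounttab ] test will be true again on the next boot the failure repeats with no trace in the log. On a desktop that never mounts NFS the cleaner fix is to leave nfs_client_enable unset so this script does not run at all, rather than muting its error output.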
% diff -u ./rc.d/random /etc/rc.d/random
--- ./rc.d/random       2017-07-21 04:11:06.000000000 +0200
+++ /etc/rc.d/random    2018-01-09 13:32:18.439347000 +0100
@@ -45,13 +45,13 @@
 random_start()
 {
 
-       if [ ${harvest_mask} -gt 0 ]; then
-               echo -n 'Setting up harvesting: '
-               ${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
-               ${SYSCTL_N} kern.random.harvest.mask_symbolic
-       fi
+       # if [ ${harvest_mask} -gt 0 ]; then
+       #       echo -n 'Setting up harvesting: '
+       #       ${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
+       #       ${SYSCTL_N} kern.random.harvest.mask_symbolic
+       # fi
 
-       echo -n 'Feeding entropy: '
+       echo -n 'Feeding entropy:'
 
        if [ ! -w /dev/random ] ; then
                warn "/dev/random is not writeable"

% diff -u ./rc.d/routing /etc/rc.d/routing
--- ./rc.d/routing      2017-07-21 04:11:06.000000000 +0200
+++ /etc/rc.d/routing   2017-12-18 09:22:16.604428000 +0100
@@ -67,7 +67,7 @@
        ""|[Aa][Ll][Ll]|[Aa][Nn][Yy])
                for _a in inet inet6 atm; do
                        afexists $_a || continue
-                       eval static_${_a} delete $_if
+                       eval static_${_a} delete $_if 1> /dev/null 2> /dev/null
                        # When $_if is specified, do not flush routes.
                        if ! [ -n "$_if" ]; then
                                eval routing_stop_${_a}
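Review bot: the redirect on the eval static_${_a} delete $_if line also swallows stderr, so a route that fails to delete (a typo in a static_routes entry, for example) no longer shows up anywhere; keep stderr and redirect stdout only. With eval the redirections apply to the whole evaluated command, which is what is wanted here.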
@@ -94,14 +94,14 @@
        _ret=0
        case $1 in
        static)
-               static_$2 add $3
+               static_$2 add $3 1> /dev/null 2> /dev/null
                _ret=$?
                ;;
        options)
                options_$2
                ;;
        doall)
-               static_$2 add $3
+               static_$2 add $3 add $3 1> /dev/null 2> /dev/null
                _ret=$?
                options_$2
                ;;
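Review bot: the doall) branch has a pasted argument: static_$2 add $3 add $3 1> /dev/null 2> /dev/null passes add $3 twice, whereas the original line and the static) branch above pass it once, so the static_* function now receives two extra arguments. The intended line is static_$2 add $3 1> /dev/null 2> /dev/null. As in the first hunk, keeping stderr is preferable so that a non-zero _ret=$? still has a visible cause.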

Now let's see how FreeBSD boots after the modifications.

[screenshots: stage0-BIOS, stage1-BTX-Loader, stage2-Boot-Menu, stage3-MOD-Non-Native-Boot, stage4a-MOD-Native-Boot-A, stage4b-MOD-Native-Boot-B]

It's definitely not perfect, but a lot better to my taste.

Now let's log in to the desktop 🙂

I prefer not to use a login manager, so I have an alias named x for the xinit command. This way, after I log in, I type x, press [ENTER] and the x11 desktop is started.

% which x
x: aliased to xinit ~/.xinitrc -- -dpi 75 -nolisten tcp 1> /dev/null 2> /dev/null

[screenshots: stage4c-MOD-Native-Boot-C, stage5-X11]

UPDATE 1 – FreeBSD 12.x

I recently tried the FreeBSD 12.0-RC* versions and there is one 'talkative' script that could also be 'silenced' a little.

It's the /etc/rc.d/devmatch script.

Here is the needed patch to make it nice and clean again.

% diff -u /home/vermaden/rc-devmatch devmatch 
--- /home/vermaden/rc-devmatch        2018-11-27 17:49:53.573514000 +0100
+++ devmatch    2018-11-27 17:50:11.955342000 +0100
@@ -65,7 +65,7 @@
                case "#${x}#" in
                *"#${m}#"*) continue ;;
                esac
-               echo "Autoloading module: ${m}"
+               # echo "Autoloading module: ${m}"
                kldload -n ${m}
        done
        devctl thaw
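Review bot: rather than commenting the message out, gate it the way the other rc scripts in this post do, check_startmsgs && echo "Autoloading module: ${m}", so that it follows rc_startmsgs and the list of autoloaded modules is still printed when debugging a boot with messages enabled. Leaving kldload -n ${m} with its error output intact is right.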

UPDATE 2 – The drm-kmod Silencing

Recently, to get support for newer GPUs, the drm-kmod meta port/package is needed. The thing is that if you add /boot/modules/i915kms.ko (for Intel GPUs) to the kld_list parameter, it will display the following error message from the kernel even with boot_mute=YES in the /boot/loader.conf file.

Loading kernel modules:
Dec 16 11:08:03 t420s kernel: Failed to add WC MTRR for [0xe0000000-0xefffffff]: -28; performance may suffer

The syslogd is guilty here with its default configuration in the /etc/syslog.conf file. To make it silent (not print pointless messages to the console) make this change in the /etc/syslog.conf file.

% diff -u /root/syslog.conf /etc/syslog.conf
--- /root/syslog.conf   2018-12-18 11:49:48.204878000 +0100
+++ /etc/syslog.conf    2018-12-18 11:49:55.681504000 +0100
@@ -5,7 +5,7 @@
 #      separators. If you are sharing this file between systems, you
 #      may want to use only tabs as field separators here.
 #      Consult the syslog.conf(5) manpage.
-*.err;kern.warning;auth.notice;mail.crit                       /dev/console
+# *.err;kern.warning;auth.notice;mail.crit                       /dev/console
 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
 security.*                                                     /var/log/security
 auth.info;authpriv.info                                        /var/log/auth.log
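Review bot: commenting out the /dev/console selector silences far more than the MTRR warning: *.err, kern.warning, auth.notice and mail.crit no longer reach the console at all, auth.notice being the one that shows failed logins and su attempts. Those messages are still written to /var/log/messages by the unchanged *.notice;...;kern.debug line below, so nothing is lost from the log files, but a narrower change that keeps auth.notice on the console would be safer. The syslog.conf(5) comment right above about tab separators applies when editing this line.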

Now it will not print these pointless messages.

This applies both to 11.2-RELEASE and 12.0-RELEASE versions.

UPDATE 3 – Silence the Services Starting Messages

Thanks to vmisev's suggestion we can silence the FreeBSD boot process even more.

Just add rc_startmsgs=NO to your /etc/rc.conf file and reboot to see effects.

Here is the boot process already silenced by my earlier settings.

rc_startmsgs_YES.jpg

After adding rc_startmsgs=NO to the /etc/rc.conf file the boot messages are cut in half.

rc_startmsgs_NO.jpg

Now it's very close to what Solaris/Illumos provides 🙂

EOF

FreeBSD Network Management with network.sh Script

When You use only one connection on FreeBSD, the best practice is to just put its whole configuration into the /etc/rc.conf file; for example, a typical redundant server connection would look like the one below.

cloned_interfaces="lagg0"
ifconfig_igb0="-lro -tso -vlanhwtag mtu 9000 up"
ifconfig_igb1="-lro -tso -vlanhwtag mtu 9000 up"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
ifconfig_lagg0_alias0="inet 10.254.17.2/24"

If You must use more than one connection and You often switch between them, sometimes several times a day, then using FreeBSD's main config file is not the most convenient way for such operations.

This is the case for laptops, where You often switch between WWAN (usually a 3G connection), WLAN (a typical WiFi connection) and even a LAN cable.

You can of course use the graphical NetworkMgr from the GhostBSD project, described as “Python GTK3 network manager for FreeBSD, GhostBSD, TrueOS and DragonFlyBSD. NetworkMgr support both netif and OpenRC network” citing the project site – https://github.com/GhostBSD/networkmgr – it is also available in FreeBSD Ports and as a package – net-mgmt/networkmgr.

GhostBSD-networkmgr

What I miss in NetworkMgr is WWAN connection management, DNS management, optional random MAC generation and unmounting network shares on disconnect from the network. With my solution – network.sh – you still need to edit the /etc/wpa_supplicant.conf and /etc/ppp/ppp.conf files by hand, so it's also not a perfect solution for typical desktop usage, but you do not edit these files every day.

As I use WWAN, WLAN and LAN connections on my laptop depending on the location, I wrote a script to automate this connection management in a deterministic and convenient way, at least for me.

It can also set DNS to some safe/no-logging providers or even a random safe DNS, and generate a legitimate-looking MAC address for both LAN and WLAN if needed, even with a real OUI as the first three octets if You also have the additional network.sh.oui.txt file with them inside.

Here is the network.sh script help message.

% network.sh help
USAGE:
 network.sh TYPE [OPTIONS]

TYPES:
 lan
 wlan
 wwan
 dns

OPTIONS:
 start
 start SSID|PROFILE
 stop
 example

EXAMPLES:
 network.sh lan start
 network.sh lan restart
 network.sh wlan start
 network.sh wlan start HOME-NETWORK-SSID
 network.sh wwan example
 network.sh dns onic
 network.sh dns udns
 network.sh dns random
 network.sh doas
 network.sh sudo

If You run network.sh with the appropriate arguments to start a network connection, it displays on the screen the commands it runs to achieve that. It also makes use of sudo(8) or doas(1), assuming that You are in the network group. To add yourself to the network group, type the command below.

# pw groupmod network -m yourself

The network.sh doas command prints what rights it needs to work without root privileges; the same goes for the network.sh sudo command. An example is below.

% network.sh doas
 # pw groupmod network -m YOURUSERNAME
 # cat /usr/local/etc/doas.conf
 permit nopass :network as root cmd /bin/cat args /etc/ppp/ppp.conf
 permit nopass :network as root cmd /etc/rc.d/netif args onerestart
 permit nopass :network as root cmd dhclient
 permit nopass :network as root cmd ifconfig
 permit nopass :network as root cmd killall args -9 dhclient
 permit nopass :network as root cmd killall args -9 ppp
 permit nopass :network as root cmd killall args -9 wpa_supplicant
 permit nopass :network as root cmd ppp
 permit nopass :network as root cmd tee args -a /etc/resolv.conf
 permit nopass :network as root cmd tee args /etc/resolv.conf
 permit nopass :network as root cmd umount
 permit nopass :network as root cmd wpa_supplicant

The network.sh script does not edit the /usr/local/etc/doas.conf or /usr/local/etc/sudoers files; You have to put these lines there yourself. An example doas setup for the network.sh script is below.

# pkg install -y doas

# cat >> /usr/local/etc/doas.conf << __EOF
permit nopass :network as root cmd /bin/cat args /etc/ppp/ppp.conf
permit nopass :network as root cmd /etc/rc.d/netif args onerestart
permit nopass :network as root cmd dhclient
permit nopass :network as root cmd ifconfig
permit nopass :network as root cmd killall args -9 dhclient
permit nopass :network as root cmd killall args -9 ppp
permit nopass :network as root cmd killall args -9 wpa_supplicant
permit nopass :network as root cmd ppp
permit nopass :network as root cmd tee args -a /etc/resolv.conf
permit nopass :network as root cmd tee args /etc/resolv.conf
permit nopass :network as root cmd umount
permit nopass :network as root cmd wpa_supplicant
__EOF
# 

# pw groupmod network -m yourself
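The doas rules above are deliberately narrow: each one names a command and, where it matters, the exact arguments, so the network group cannot use them to run anything else as root. The script below is an added example, not part of network.sh, that audits a doas.conf against that list: it reports required rules that are missing (compared as whole lines, so whitespace must match) and flags any :network rule that has no cmd restriction and would therefore let the group run arbitrary commands as root. The sample configuration it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from network.sh: audit a doas.conf against the
# rules network.sh asks for. Reports rules that are missing and :network
# rules that grant more than the script needs (no "cmd" restriction).

# The twelve rules printed by "network.sh doas", copied from the page.
NETWORK_SH_RULES='permit nopass :network as root cmd /bin/cat args /etc/ppp/ppp.conf
permit nopass :network as root cmd /etc/rc.d/netif args onerestart
permit nopass :network as root cmd dhclient
permit nopass :network as root cmd ifconfig
permit nopass :network as root cmd killall args -9 dhclient
permit nopass :network as root cmd killall args -9 ppp
permit nopass :network as root cmd killall args -9 wpa_supplicant
permit nopass :network as root cmd ppp
permit nopass :network as root cmd tee args -a /etc/resolv.conf
permit nopass :network as root cmd tee args /etc/resolv.conf
permit nopass :network as root cmd umount
permit nopass :network as root cmd wpa_supplicant'

# Print each required rule that does not appear as a whole line in file $1.
doas_missing_rules() {
  printf '%s\n' "$NETWORK_SH_RULES" | while read -r _rule; do
    grep -qxF -- "$_rule" "$1" || printf '%s\n' "$_rule"
  done
  return 0
}

# Print :network permit rules in file $1 that carry no "cmd" restriction.
doas_broad_rules() {
  grep -E '^[[:space:]]*permit.*:network' "$1" |
    grep -v -E '[[:space:]]cmd([[:space:]]|$)'
  return 0
}

# Print both findings; return 0 only when nothing is missing or too broad.
doas_audit() {
  _missing=$(doas_missing_rules "$1")
  _broad=$(doas_broad_rules "$1")
  if [ -n "$_missing" ]; then printf 'MISSING:\n%s\n' "$_missing"; fi
  if [ -n "$_broad" ]; then printf 'TOO BROAD:\n%s\n' "$_broad"; fi
  [ -z "$_missing" ] && [ -z "$_broad" ]
}

# Stand-alone demo on a constructed doas.conf: two rules present, ten
# missing, plus one catch-all :network rule that should be flagged.
_conf=$(mktemp)
cat > "$_conf" << '__EOF'
permit nopass :network as root cmd /bin/cat args /etc/ppp/ppp.conf
permit nopass :network as root cmd dhclient
permit nopass :network as root
permit persist :wheel
__EOF
doas_audit "$_conf" || echo "doas.conf needs fixing before network.sh will work safely"
rm -f "$_conf"
```

Run doas_audit /usr/local/etc/doas.conf after editing the file; doas -C /usr/local/etc/doas.conf remains the check for syntax errors, this only compares the policy against what network.sh expects.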

Upon disconnect the network.sh script also forcefully unmounts all network shares.

The idea is that it runs only one connection type at a time. When You type network.sh lan start and then network.sh wlan start, it resets the entire FreeBSD network stack to defaults (the settings in the /etc/rc.conf file) and then connects to WiFi in a 'clean network environment', so to speak. As I use 3 different methods of connecting to various networks I do not have any network settings in the /etc/rc.conf file, but You may prefer, for example, to have DHCP for the local LAN enabled if that is more convenient for You.

The settings are at the beginning of the network.sh script; You should modify them to your needs and the hardware that You own.

# SETTINGS
LAN_IF=em0
LAN_RANDOM_MAC=0
WLAN_IF=wlan0
WLAN_PH=iwn0
WLAN_RANDOM_MAC=1
WWAN_IF=tun0
WWAN_PROFILE=WWAN
NAME=$( basename ${0} )
NETFS="nfs,smbfs,fusefs.sshfs"
TIMEOUT=16
DELAY=0.5
SUDO=0
DOAS=1

You can specify other NETFS filesystems that You want to forcefully unmount during network stop, or set a different physical WLAN adapter (WLAN_PH option), like ath0 for Atheros chips. Similarly for the LAN interface, which defaults to an Intel network card using the em0 driver (LAN_IF option).

Random MAC address generation is disabled for LAN with LAN_RANDOM_MAC=0 and enabled for WiFi networks with WLAN_RANDOM_MAC=1, as in the settings above.

You should also decide if You want to use sudo (SUDO option) or doas (DOAS option).
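The WLAN_RANDOM_MAC option and the optional OUI file are the part of this a reader is most likely to want to reproduce. The script below is an added example, not code from network.sh, of how such an address can be generated: with an OUI list it keeps a real vendor prefix and randomises the lower three octets; without one it sets the locally-administered bit and clears the multicast bit in the first octet, which is the form that can never collide with a vendor-assigned address. The OUI file layout assumed here (one XX:XX:XX per line, # comments allowed) is an assumption, as the page does not show network.sh.oui.txt; the list in the demo is constructed, not real vendor data. On FreeBSD the result is applied with ifconfig <interface> ether <mac>.

```shell
#!/bin/sh
# Added example, not code from network.sh: random MAC address generation,
# either with a real OUI prefix from a list file or locally administered.
# Assumed OUI file layout: one XX:XX:XX per line, lines starting with # are
# comments (the page does not show the format of network.sh.oui.txt).

# N random bytes from /dev/urandom as space-separated decimal numbers.
rand_bytes() {
  od -An -N"$1" -tu1 /dev/urandom
}

# A random line from the OUI file, ignoring comments and blank lines,
# normalised to lower case. Fails if the file has no usable entries.
random_oui() {
  _n=$(grep -v -e '^#' -e '^$' "$1" | wc -l | tr -d ' ')
  [ "$_n" -gt 0 ] || return 1
  _r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  grep -v -e '^#' -e '^$' "$1" | sed -n "$(( _r % _n + 1 ))p" | tr 'A-Z' 'a-z'
}

# random_mac [OUI_FILE]: vendor-style address when a file is given,
# otherwise a locally administered one.
random_mac() {
  _oui=
  if [ -n "$1" ]; then
    _oui=$(random_oui "$1") || return 1
  fi
  set -- $(rand_bytes 6)
  if [ -n "$_oui" ]; then
    printf '%s:%02x:%02x:%02x\n' "$_oui" "$4" "$5" "$6"
  else
    # First octet: set bit 1 (locally administered), clear bit 0 (multicast).
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
      "$(( ($1 | 2) & ~1 ))" "$2" "$3" "$4" "$5" "$6"
  fi
}

# Sanity checks a caller can run before handing the address to ifconfig.
valid_mac() {
  _h='[0-9a-f][0-9a-f]'
  case $1 in
    $_h:$_h:$_h:$_h:$_h:$_h) return 0 ;;
  esac
  return 1
}

# First three octets of a MAC address.
mac_oui() {
  printf '%s\n' "$1" | cut -d: -f1-3
}

# True when the address is locally administered and unicast: the second hex
# digit of the first octet must be one of 2, 6, a, e (bit 1 set, bit 0 clear).
mac_is_local() {
  case $1 in
    ?[26ae]:*) return 0 ;;
  esac
  return 1
}

# Stand-alone demo with a constructed OUI list (not real vendor data).
_oui_list=$(mktemp)
printf '# constructed OUI list\n00:11:22\nAA:BB:CC\n' > "$_oui_list"
echo "locally administered: $(random_mac)"
echo "vendor-style prefix:  $(random_mac "$_oui_list")"
rm -f "$_oui_list"
```

A locally administered address is the safer default for privacy on untrusted WiFi; a vendor-style prefix only matters on networks whose access control reacts to OUIs, and either way the address should be set before wpa_supplicant associates, which is the order network.sh's wlan start follows.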

Here are the network.sh script and the optional network.sh.oui.txt OUI data.

After downloading please rename them accordingly (WordPress limitation).

% mv network-sh.key         network.sh 
% mv network-sh-oui-txt.key network.sh.oui.txt

Here is an example of stopping all network connections.

% network.sh stop
doas killall -9 wpa_supplicant
doas killall -9 ppp
doas killall -9 dhclient
doas ifconfig wlan0 destroy
doas ifconfig em0 down
echo | doas tee /etc/resolv.conf
doas /etc/rc.d/netif onerestart
%

Here is an example of a WWAN network connection start.

% network.sh wwan start
doas killall -9 wpa_supplicant
doas killall -9 ppp
doas killall -9 dhclient
doas ifconfig wlan0 destroy
doas ifconfig em0 down
echo | doas tee /etc/resolv.conf
doas /etc/rc.d/netif onerestart
doas ppp -ddial WWAN
%

Here is an example of a DNS change.

% network.sh dns onic
echo | doas tee /etc/resolv.conf
echo 'nameserver 87.98.175.85' | doas tee -a /etc/resolv.conf
echo 'nameserver 193.183.98.66' | doas tee -a /etc/resolv.conf

If You have any problems with the network.sh script then let me know, I will try to fix them ASAP.

If You are more into OpenBSD than FreeBSD, then Vincent Delft wrote nmctl (Network Manager Control), a tool for OpenBSD – available here – http://vincentdelft.be/post/post_20171023.

There is also another OpenBSD project by Aaron Poffenberger for network management – netctl – a cli network-location manager for OpenBSD – available here – https://github.com/akpoff/netctl.

UPDATE 1 – Connect to Open/Unsecured WiFi Network

Recently, when I was attending the Salt workshop during the NLUUG Autumn Conference 2018 in Utrecht, the Netherlands, I wanted to connect to an open unsecured WiFi network called 'Utrecht Hotel'. My phone of course attached to it instantly, but FreeBSD on the other hand was not able to connect to it. As it turns out, if you want wpa_supplicant(8) to connect to an open unsecured network a separate /etc/wpa_supplicant.conf option is needed (one option for all open unsecured networks – no need to create such a rule for each open/unsecured network).

It's these lines in the /etc/wpa_supplicant.conf file:

% grep -C 2 key_mgmt=NONE /etc/wpa_supplicant.conf

network={
        key_mgmt=NONE
        priority=0
}

I also modified network.sh to contain that information in the examples section, and also made a little fix to always reset the SSID set/forced during earlier usage.

# ifconfig wlan0 ssid -

Now the network.sh should be even more pleasant to use.

UPDATE 2 – Openbox Integration

In one of the FreeBSD Desktop series articles I described how to set up the Openbox window manager – FreeBSD Desktop – Part 12 – Configuration – Openbox – available here.

Below is an example of integration of that network.sh script with Openbox window manager.

network.sh.openbox.menu.jpg

… and here is the code used in the ~/.config/openbox/menu.xml file.

network.sh.openbox.menu.code

EOF