Tag Archives: security

FreeBSD Desktop – Part 2.1 – Install FreeBSD 12

This article is an update/rewrite of the already published FreeBSD Desktop – Part 2 – Install. With the upcoming introduction of the FreeBSD 12.0-RELEASE version new possibilities arise when it comes to installation. I already talked about/showed that method in my ZFS Boot Environments Reloaded presentation at NLUUG, but to make it a more available and obvious part of my FreeBSD Desktop series I write about it again in a dedicated article entry.

You may want to check the other articles in the FreeBSD Desktop series on the FreeBSD Desktop – Global Page, where you will find links to all episodes of the series along with a table of contents for each episode.

Now (in FreeBSD 12.x) it is possible to install FreeBSD on a GELI encrypted root on a ZFS pool without any additional partitions or filesystems. A separate UFS or ZFS boot pool for the /boot filesystem is no longer needed. And what is even more appealing, such a setup is supported both on UEFI and BIOS (also referred to as Legacy or CSM) systems. Such a setup is also compatible with both the new bectl(8) utility and the old proven beadm(8) tool. It is also nice that to get such a setup you only need to choose the Auto ZFS option in bsdinstall(8), so you will not have to do it by hand. I advise using GPT (BIOS+UEFI) as it supports both system types, so when you are running a BIOS system now and later move the disk to another system that boots with UEFI, it will also just work out of the box.

FreeBSD 12.0 is currently at the RC1 stage so we will use that one for the examples of such a setup below. The 12.0-RELEASE is expected to appear before Christmas if no significant problems or bugs are found on the road to the RC2 and RC3 editions.

For the record, here is the FreeBSD 12.0-RC1 Availability information page and the aggregated FreeBSD 12.0-RELEASE Release Notes for the upcoming new major FreeBSD version, but the latter are not yet complete/ready.

I will only show one install process that will work for both UEFI and BIOS systems – the crucial option here is GPT (BIOS+UEFI) (which is also the default one). The other option that you need to select is Yes for the Encryption part; also select the SWAP size. You may as well not use swap and enter ‘0‘ here, which means that a SWAP partition will not be created. You may as well create a ZFS ZVOL for SWAP on the ZFS pool later, or just create a file like /SWAP and enable it as SWAP. No matter which SWAP option you choose, if your system swaps then you are too low on memory and neither of these methods is better or worse then.

freebsd-install-01.png

freebsd-install-02.png

freebsd-install-03.png

One last thing about the default FreeBSD (no matter if 11.x or 12.x) ZFS dataset/filesystem layout. I showed it in my ZFS Boot Environments/ZFS Boot Environments Reloaded presentations but without any written commentary, as I talked about it live.

By default both the /var and /usr filesystems are part of the Boot Environment. They are protected and snapshotted during the beadm create newbe process (or by bectl(8) also). It appears that /var and /usr are separate datasets when you type the zfs list command, as shown on the slide below.

zroot-layout-01.png

… but when you check the canmount parameter for all ZFS datasets, it becomes obvious that /usr and /var are ‘empty’ datasets (not mounted).

zroot-layout-02.png

… and also confirmation from the df(1) tool.

zroot-layout-03.png

I asked the FreeBSD Developers what the reason for such a construct is, and it is for mountpoint inheritance purposes. For example, when zroot/usr has its mountpoint set to /usr, then when you create the zroot/usr/local dataset it will automatically get /usr/local as its mountpoint parameter by inheritance. At first sight it may be misleading (I also got caught) but it makes sense when you think about it.

The only filesystems that are NOT included for the Boot Environment protection are these:

  • /usr/home
  • /usr/ports
  • /usr/src
  • /var/audit
  • /var/crash
  • /var/log
  • /var/mail
  • /var/tmp

While in most cases it is not needed to protect these in the Boot Environment, if you want to also protect them, type these two commands to move all the /usr/* and /var/* datasets/filesystems into the Boot Environment pool/ROOT/dataset. It will work on a running system without the need for a reboot, just make sure you use the -u flag.

# zfs rename -u zroot/usr zroot/ROOT/default/usr
# zfs rename -u zroot/var zroot/ROOT/default/var

Now grab that FreeBSD ISO and install it in the best possible up-to-date way 🙂

You will probably want to get the amd64 version, which is suitable for both 64-bit AMD and Intel systems.

EOF


Valuable News – 2018/10/27

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff mostly, but not always, related to the UNIX or BSD systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here so someone else can

Today the amount of information that we get through various information streams is a massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information in ‘bulk’, as I already do that grep(1).

UNIX

FreeBSD 12.0-BETA1 Available.
https://lists.freebsd.org/pipermail/freebsd-stable/2018-October/089821.html

ZFS Replication Tool zrepl 0.1.0-rc2 Available.
https://github.com/zrepl/zrepl/releases/tag/0.1.0-rc2

In Other BSDs for 2018/10/20.
https://www.dragonflydigest.com/2018/10/20/21945.html

OpenBSD – How to fix a broken ACPI.
https://www.echinopsys.de/en/blog/fix-broken-acpi-on-openbsd.html

DNS over TLS in FreeBSD 12.
https://blog.des.no/2018/10/dns-over-tls-in-freebsd-12/

FreeBSD switches default PHP version from 7.1 to 7.2.
https://svnweb.freebsd.org/ports?view=revision&revision=482746

No more joy in FreeBSD.
https://twitter.com/pbiernacki/status/1054325671705669633
https://lists.freebsd.org/pipermail/svn-src-head/2018-October/119022.html

OpenBSD 6.4 with nested virtualization at gridscale.
https://hazardous.org/archive/blog/2018/10/21/openbsd64-nested-vt-gridscale

DragonFly BSD Performance – SMP Scaling (2018).
What FreeBSD was always supposed to be.
https://www.dragonflybsd.org/performance/

OpenBSD switched default linker on amd64 from GNU to LLVM lld.
https://twitter.com/openbsd/status/1054465364657168384
https://marc.info/?l=openbsd-ports&m=154023755628845&w=2

How to install FreeBSD 11 on Google Cloud Compute.
https://www.cyberciti.biz/faq/howto-deploying-freebsd11-unix-on-google-cloud/

VirtualBox 6.0 Beta 1 Released.
VirtualBox 6.0 will be a new minor release. Yes fuck logic.
https://forums.virtualbox.org/viewtopic.php?f=1&t=89946

FreeBSD commit to introduce /etc/src.conf knob to build userland with retpoline.
https://twitter.com/FreeBSDHelp/status/1053841202896764928
https://svnweb.freebsd.org/base?view=revision&revision=339511

OpenIndiana Hipster 2018.10 Available.
https://www.openindiana.org/2018/10/24/openindiana-hipster-2018-10-is-here/
https://wiki.openindiana.org/oi/2018.10+Release+notes
http://dlc.openindiana.org/

FreeBSD runs RISC-V in multiuser on lowRISC Nexys 4 DDR.
https://twitter.com/ed_maste/status/1054795743725268993

XigmaNAS 11.2.0.4.6154 Available.
https://sourceforge.net/projects/xigmanas/files/XigmaNAS-11.2.0.4/11.2.0.4.6154/

Barman 2.5 with Support for PostgreSQL 11.
https://www.postgresql.org/about/news/1897/

POWER9 Desktop.
https://twitter.com/hughhalf/status/1054642786727800833

Installing Arcan on FreeBSD.
https://github.com/wolfspider/ArcanFreeBSDGuide

What I learned from porting my projects to FreeBSD.
https://github.com/shlomif/what-i-learned-from-porting-to-freebsd#what-i-learned-from-porting-my-projects-to-freebsd

GhostBSD 18.10 RC1/RC2 Available.
https://ghostbsd.org/18.10_RC1_release_announcement
https://ghostbsd.org/18.10_RC2_release_announcement

FreeBSD is not a Linux distribution.
https://www.youtube.com/watch?v=ps67ECyh0sM

OpenBSD 0-day Xorg/Xenocara LPE via CVE-2018-14665.
https://twitter.com/hackerfantastic/status/1055568290112831490

Microsoft services run by UNIX systems.
Hotmail on FreeBSD.
MSN using Apache on Solaris.
bCentral ad servers running on FreeBSD.
https://twitter.com/unix_byte/status/1053848882793181188

OpenBSD Foundation reached its 2018 fundraising goal.
https://www.openbsdfoundation.org/contributors.html

Hardware

AMD EPYC 3251 Benchmarks and Review the Challenger We Need.
https://www.servethehome.com/amd-epyc-3251-benchmarks-and-review/

ASRock DeskMini A300 STX Motherboard.
https://smallformfactor.net/forum/threads/possibility-of-amd-on-stx-form-factor.6798/page-6#post-119036

Supermicro CEO Letter Addressing Recent Article.
https://www.supermicro.com/en/news/CEO-letter

Intel kills off the 10nm process.
https://semiaccurate.com/2018/10/22/intel-kills-off-the-10nm-process/

Need modest ARM Cortex-A CPU? Just apply online with $125,000.
https://www.theregister.co.uk/2018/10/22/arm_cortex_a5_designstart/

Porting Coreboot to the 51NB ThinkPad X210 Mod.
https://mjg59.dreamwidth.org/50924.html

Thinkpad X62.
https://geoff.greer.fm/2017/07/16/thinkpad-x62/

How IBM ThinkPad Became Design Icon.
https://www.fastcompany.com/90145427/how-ibms-thinkpad-became-a-design-icon
https://news.ycombinator.com/item?id=18273305

HP Spectre 13.3 x360 – Quad-Core i7 with 22.5 Hour Battery Life.
https://www.anandtech.com/show/13509/hp-launches-ultra-thin-hp-spectre-13-x360

Life

Not exercising worse for your health than smoking, diabetes and heart disease, study reveals.
https://edition.cnn.com/2018/10/19/health/study-not-exercising-worse-than-smoking/index.html

Other

Warhol and the Amiga.
https://www.warhol.org/exhibition/warhol-and-the-amiga/

Soviet Tesla – Electric Lada from 30 Years Ago That Was Mass Produced.
http://englishrussia.com/2018/09/04/soviet-tesla-electric-lada-from-30-years-ago-that-was-mass-produced/

NASA finds perfectly rectangular iceberg in Antarctica as if it was deliberately cut.
https://www.physics-astronomy.org/2018/10/nasa-finds-perfectly-rectangular.html

Apple and Samsung fined for deliberately slowing down phones.
https://www.theguardian.com/technology/2018/oct/24/apple-samsung-fined-for-slowing-down-phones

EOF

Valuable News – 2018/10/07

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting stuff mostly, but not always, related to the UNIX or BSD systems. Whenever I stumble upon something worth mentioning on the Internet I just put it here so someone else can

Today the amount of information that we get through various information streams is a massive overload. Thus one needs to focus only on what is important without the need to grep(1) the Internet every day. Hence the idea of providing such information in ‘bulk’, as I already do that grep(1).

UNIX

Using Dummynet for Traffic Shaping on FreeBSD.
https://www.hyperois.com/members/knowledgebase.php?action=displayarticle&id=1

HardenedBSD 1100056.6 Released.
https://hardenedbsd.org/article/op/2018-09-30/stable-release-hardenedbsd-stable-11-stable-v11000566

Cache Invalidation Bug in Linux Memory Management.
https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

IBM is responsible for making \ the path separator instead of / in MS-DOS.
https://twitter.com/fahickman/status/1045809677827596288
https://github.com/Microsoft/MS-DOS/blob/master/v2.0/source/README.txt

State of Memory Safety in Linux.
https://blog.araj.me/state-of-memory-safety-in-linux/

Haiku R1/Beta1 Released.
http://www.osnews.com/story/30758/Haiku_R1_beta_1_released
https://www.haiku-os.org/get-haiku/release-notes/

FreshRSS – free self-hostable aggregator.
https://freshrss.org/

Miniflux is a minimalist and opinionated feed reader.
https://miniflux.app/

Using very old ZFS filesystem can give you kernel panic on Linux.
https://utcc.utoronto.ca/~cks/space/blog/linux/ZFSOldFilesystemPanic

OpenBSD vmd(8) now works out of the box on AMD Ryzen.
https://twitter.com/LeoUnglaub/status/1046058268555186176

The origin of the name POSIX.
https://stallman.org/articles/posix.html

PostgreSQL Per-Table Autovacuum Tuning.
https://www.keithf4.com/per-table-autovacuum-tuning/

Sequence Caching: Oracle vs. PostgreSQL.
https://seiler.us/2018-10-02-sequence-caching-oracle-vs-postgresql/

Polish BSD User Group.
https://oshogbo.vexillium.org/blog/55/

OpenSSH 2.3-7.4 Mass Username Enumeration (CVE-2018-15473).
https://github.com/trimstray/massh-enum

The POWER9 Desktop is Now Official!
https://twitter.com/PCzanik/status/1047782986660364290

If you were the Linus Torvalds of FreeBSD what would be the first thing you would change?
https://twitter.com/freebsdbytes/status/1047563491828277253

BSD Now 266 – File Type History.
https://www.jupiterbroadcasting.com/127441/file-type-history-bsd-now-266/

OpenBSD on the Desktop: some thoughts.
https://blog.gsora.xyz/openbsd-on-the-desktop-some-thoughts/

Installing Gophernicus in OpenBSD.
http://gopher.solobsd.org/gophernicus.html?utm_source=discoverbsd

FreeBSD finally updates GNOME port to 3.28 version.
https://twitter.com/wezm/status/1047990697838563329
https://svnweb.freebsd.org/ports?view=revision&revision=480951
https://help.gnome.org/misc/release-notes/3.28/

FreeBSD – FCP-0101 – Deprecating Most 10/100 Ethernet Drivers.
https://lists.freebsd.org/pipermail/freebsd-stable/2018-October/089717.html

In Other BSDs for 2018/10/06.
https://www.dragonflydigest.com/2018/10/06/21880.html

DTrace is coming to Windows. Already available on FreeBSD/macOS/Illumos. The only holdout is Linux.
https://twitter.com/TheGlasspelican/status/1048405923318943744
https://youtu.be/tG8R5SQGPck?t=732

Announcing pkgsrc-2018Q3 Release.
https://mail-index.netbsd.org/tech-pkg/2018/10/05/msg020326.html?utm_source=discoverbsd

Migrating OmniOS VM from KVM to bhyve.
https://omniosce.org/info/bhyve_migrate

FreeBSD diskinfo -wS (synchronous writes) bandwidth limits on Optane devices.
https://twitter.com/nickprincipe/status/1048251974532124673

First SmartOS snapshot with bhyve support as alternative hypervisor to QEMU/KVM.
https://bsd.network/@sehnsucht/100843128594097501
http://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20180315T080815Z
https://github.com/joyent/smartos-live/commit/48cb3c49e1a9c4cf204a59bed8312b0096f6209e

FreeBSD amd64: make memset less slow with mov.
https://svnweb.freebsd.org/base?view=revision&revision=339205

Hardware

AMD 12-core (2970WX) and 24-core (2920X) Threadripper 2 CPUs on 29th October.
https://www.anandtech.com/show/13443/amd-announces-availability-of-12-and-24core-threadripper-2-cpus-coming-late-october

RISC-V Inches Toward The Center.
https://semiengineering.com/risc-v-inches-toward-the-center/

Lenovo ThinkPad X1 Extreme / 6-core / 64 GB RAM / GTX 1050 Ti / under 4 pounds.
https://arstechnica.com/gadgets/2018/08/lenovos-thinkpad-x1-extreme-hex-core-gtx-1050-ti-64gb-ram-under-4-pounds/

ARM Partners with Xilinx to Bring Cortex-M Processors to FPGAs.
https://blog.hackster.io/arm-partners-with-xilinx-to-bring-cortex-m-processors-to-fpga-be60b4c77b1a

iDRACula Vulnerability Impacts Millions of Legacy Dell EMC Servers.
https://www.servethehome.com/idracula-vulnerability-impacts-millions-of-legacy-dell-emc-servers/

Wi-Fi Alliance Introduces Wi-Fi 6 (802.11ax) Technology.
Wi-Fi 5 to identify devices that support 802.11ac technology.
Wi-Fi 4 to identify devices that support 802.11n technology.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-6

MicroZed Chronicles: XDF & Versal.
https://blog.hackster.io/microzed-chronicles-xdf-versal-b5a04cd0f973

Intel Customized SoC for HP: Amber Lake-Y with On-Package LTE Modem.
https://www.anandtech.com/show/13434/intel-custom-amber-lake-y-with-lte-modem

High resolution photos of the motherboard that looks almost the same in Bloomberg.
https://twitter.com/1kevin335200/status/1047960097937346566

Life

Insufficient Sleep Associated with Risky Teen Behavior.
https://neurosciencenews.com/sleep-teen-behavior-9938/

Annoying habits of highly effective people.
https://www.economist.com/business/2018/09/29/the-annoying-habits-of-highly-effective-people

Your IQ Matters Less Than You Think.
http://nautil.us/issue/65/in-plain-sight/your-iq-matters-less-than-you-think

Other

World’s Oldest Torrent Still Alive After 15 Years.
https://torrentfreak.com/worlds-oldest-torrent-still-alive-after-15-years-180929/

After Seeing These 15 Maps You’ll Never Look At The World The Same.
http://www.physics-astronomy.org/2018/05/after-seeing-these-15-maps-youll-never.html

EOF

Valuable News – 2018/09/02

UNIX

In Other BSDs for 2018/08/25.
https://www.dragonflydigest.com/2018/08/25/21658.html

FreeBSD 12.0-ALPHA3 Available.
http://ftp.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/12.0/

FreeBSD bsdinstall/zfsboot enables new UEFI+GELI support.
https://svnweb.freebsd.org/base?view=revision&revision=338282
https://svnweb.freebsd.org/base?view=revision&revision=336252
https://reviews.freebsd.org/D12315

Setup unbound-adblock on OpenBSD.
https://www.geoghegan.ca/unbound-adblock.html

New XigmaNAS Release 11.2.0.4.5925 based on FreeBSD 11.2-RELEASE-p2.
https://sourceforge.net/projects/xigmanas/files/XigmaNAS-11.2.0.4/11.2.0.4.5925/

Mac-like FreeBSD Laptop.
http://trafyx.com/?p=2551

Baldur’s Gate in 1080p on OpenBSD via GemRB.
https://bsd.network/@thfr/100620499116867070

My Backup Solution Leveraging OpenZFS/rsync/WOL/crontab.
https://farhan.codes/2018/05/20/my-backup-solution-leveraging-openzfs-rsync-wol-and-crontab/

Why I’m mostly not interested in exploring new fonts (on Unix).
https://utcc.utoronto.ca/~cks/space/blog/unix/MyFontDisinterest

Why ed(1) is not a good editor today.
https://utcc.utoronto.ca/~cks/space/blog/unix/EdNoLongerGoodEditor

Mozilla will disable legacy Firefox 52 ESR add-ons on 2018/09/05.
https://blog.mozilla.org/addons/2018/08/21/timeline-for-disabling-legacy-firefox-add-ons/

Linux Maintains Bugs – Real Reason ifconfig(8) on Linux is Deprecated in ip(8).
https://farhan.codes/2018/06/25/linux-maintains-bugs-the-real-reason-ifconfig-on-linux-is-deprecated/
https://lkml.org/lkml/2012/12/23/75

Remove Yarrow PRNG algorithm option in accordance with due notice given in random(4) on FreeBSD.
https://twitter.com/lattera/status/1033734043207172096
https://svnweb.freebsd.org/base?view=revision&revision=338324
https://svnweb.freebsd.org/base?view=revision&revision=273872

Insight into Future of TrueOS BSD and Project Trident.
https://itsfoss.com/project-trident-interview/

Look Beyond the BSD Teacup – OmniOS Installation.
https://eerielinux.wordpress.com/2018/08/25/a-look-beyond-the-bsd-teacup-omnios-installation/

HardenedBSD 1100056.4 Released.
https://hardenedbsd.org/article/op/2018-08-27/stable-release-hardenedbsd-stable-11-stable-v11000564

BSD vs Linux. (old but worth resurrecting)
https://www.over-yonder.net/~fullermd/rants/bsd4linux/01

Send packet of death to any Linux 4.x kernel and it will make CPU spin in infinite loop.
https://twitter.com/perrymetzger/status/1034196371316719617
http://www.openwall.com/lists/oss-security/2018/08/27/1

Raspberry Pi as Stratum-1 NTP Server.
https://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Linux 4.18 on Intel Core 2 Duo makes CPU stall and complete system freeze.
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.18-Old-CPU-Issue

Oracle Solaris 11.4 Released for General Availability.
https://blogs.oracle.com/solaris/oracle-solaris-114-released-for-general-availability

FreeBSD: UEFI Bootloader stuck on BootCurrent/BootOrder/BootInfo on Asus Motherboards (and fix).
https://www.neelc.org/freebsd-uefi-on-asus-motherboards/

FreeBSD on 11″ MacBook Air 5.1 (mid-2012).
https://www.geeklan.co.uk/?p=2214
https://www.geeklan.co.uk/files/macbookair/freebsd-dmesg.txt

OpenBSD on 11″ MacBook Air 5.1 (mid-2012).
https://www.geeklan.co.uk/?p=1283

The Design and Implementation of the NetBSD (and FreeBSD) rc.d system.
https://www.usenix.org/legacy/events/usenix01/freenix01/full_papers/mewburn/mewburn_html/index.html

OpenBSD Gaming Resource – What Games Are Available and Where to Get Them.
https://mrsatterly.com/openbsd_games.html

In 2005/05 the FreeBSD team described TLBleed in an SA and suggested disabling Intel SMT.
https://bsd.network/@sehnsucht/100637654685544116
https://www.freebsd.org/security/advisories/FreeBSD-SA-05:09.htt.asc

BSD Now 260 – Hacking Tour of Europe.
https://www.jupiterbroadcasting.com/126821/hacking-tour-of-europe-bsd-now-260/

BSD Now 261 – FreeBSDcon Flashback.
https://www.jupiterbroadcasting.com/126916/freebsdcon-flashback-bsd-now-261/

OpenBSD on the Microsoft Surface Go.
https://jcs.org/2018/08/31/surface_go

2FA with SSH on OpenBSD.
https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html

How does the process title work?
https://oshogbo.vexillium.org/blog/51/

In Other BSDs for 2018/09/01.
https://www.dragonflydigest.com/2018/09/01/21713.html

New FreeBSD 12.0-ALPHA4 Snapshots Available.
https://lists.freebsd.org/pipermail/freebsd-snapshots/2018-September/000445.html

CNCF Survey: Use of Cloud Native Technologies in Production Has Grown Over 200%.
https://twitter.com/nitisht_/status/1035008388713701377
https://www.cncf.io/blog/2018/08/29/cncf-survey-use-of-cloud-native-technologies-in-production-has-grown-over-200-percent/

The bsd.network Mastodon Instance runs on OpenBSD 6.4-beta.
https://twitter.com/phessler/status/1035664766906368001

OpenBSD Workstation.
http://eradman.com/posts/openbsd-workstation.html

Badness Enumerated by Robots.
https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html

CoreDNS 1.2.2 Released.
https://github.com/coredns/coredns/releases/tag/v1.2.2

Hardware

SMT is tagged on AMD CPUs, thus not vulnerable like Intel CPUs.
https://www.extremetech.com/wp-content/uploads/2018/08/AMD-SMT-Zen-1.jpg

Hyper Converged NAS with Silverstone CS01-HS and Silverstone SST-ST30SF PSU.
https://www.silverstonetek.com/product.php?pid=458

GlobalFoundries Stops All 7nm Development – Opts To Focus on Specialized Processes.
https://www.anandtech.com/show/13277/globalfoundries-stops-all-7nm-development

AMD 7nm CPUs/GPUs To Be Fabbed by TSMC as GlobalFoundries Stops 7nm Development.
https://www.anandtech.com/show/13279/amd-to-fab-7nm-cpus-gpus-at-tsmc

Is Intel Hyper-Threading a Fundamental Security Risk?
https://www.extremetech.com/computing/276138-is-hyper-threading-a-fundamental-security-risk

Why the Future of Data Storage is (Still) Magnetic Tape.
https://spectrum.ieee.org/computing/hardware/why-the-future-of-data-storage-is-still-magnetic-tape

UNITEX USB 3.0 connected LTO7 tape drive.
http://www.cxp.com.au/articles/unitex-launches-usb3-0-connected-lto7-tape-drive

UNITEX USB 3.0 connected LTO8 tape drives.
http://www.cxp.com.au/articles/unitex-launches-high-speed-usb3-0-and-lto8-usb-connected-tape-drives

Spectre and Meltdown in Hardware: Intel Clarifies Whiskey Lake and Amber Lake.
https://www.anandtech.com/show/13301/spectre-and-meltdown-in-hardware-intel-clarifies-whiskey-lake-and-amber-lake

Performance Cost of Spectre/Meltdown/Foreshadow Mitigations on Linux 4.19.
https://www.phoronix.com/scan.php?page=article&item=linux-419-mitigations

Life

Eating in 10-hour window can override disease-causing genetic defects, nurture health.
https://www.salk.edu/news-release/eating-in-10-hour-window-can-override-disease-causing-genetic-defects-nurture-health/

My life with 12 programmers in 2 rooms and one 21st century dream.
https://www.salon.com/2016/09/17/hacker-house-blues-my-life-with-12-programmers-2-rooms-and-one-21st-century-dream/

Tech Workers Say Poor Leadership Is Number One Cause for Burnout.
http://blog.teamblind.com/index.php/2018/08/20/tech-workers-say-poor-leadership-is-number-one-cause-for-burnout/

Procrastination: It’s pretty much all in the mind.
https://www.bbc.com/news/health-45295392

Other

After 24 years Doom II’s final secret has been found!
https://www.rockpapershotgun.com/2018/08/31/after-24-years-doom-iis-final-secret-has-been-found/

3M Knew About the Dangers of PFOA and PFOS Decades Ago – Internal Documents Show.
https://theintercept.com/2018/07/31/3m-pfas-minnesota-pfoa-pfos/

EOF

Introduction to HardenedBSD World

HardenedBSD is a security enhanced fork of FreeBSD which happened in 2014. HardenedBSD implements many exploit mitigation and security technologies on top of FreeBSD, which all started with the implementation of Address Space Layout Randomization (ASLR). The fork has been created for ease of development.

To cite the https://hardenedbsd.org/content/about page – “HardenedBSD aims to implement innovative exploit mitigation and security solutions for the FreeBSD community. (…) HardenedBSD takes a holistic approach to security by hardening the system and implementing exploit mitigation technologies.”

Most FreeBSD enthusiasts know the mfsBSD project by Martin Matuska – http://mfsbsd.vx.sk/ – a FreeBSD system loaded completely into memory. The mfsBSD equivalent in the HardenedBSD world is SoloBSD – https://www.solobsd.org/ – which is based on HardenedBSD sources.

SoloBSD.Boot.Menu

One may ask how the HardenedBSD project compares to the OpenBSD system, better known for its security, and it is a very important question. The OpenBSD developers try to write ‘good’ code without dirty hacks for performance or other reasons. Clean and secure code is the most important thing in the OpenBSD world. The OpenBSD project even made a security audit of all OpenBSD code, line by line. This was easier to achieve than in FreeBSD or HardenedBSD because the OpenBSD code base is about ten times smaller. This also has other implications and possibilities. While FreeBSD (and HardenedBSD) offer many new features like a mature SMP subsystem even with some NUMA support, the ZFS filesystem, the GEOM storage framework, Bhyve virtualization, the VirtualBox option and many other modern features, OpenBSD remains a classic UNIX system with the UFS filesystem and with very ‘theoretical’ SMP support. The vmm project tried to implement a new hypervisor in the OpenBSD world, but because of the lack of graphics support it is currently for OpenBSD, Illumos and Linux guests only; you will not virtualize Windows or Mac OS X there. This is also the only virtualization option for OpenBSD as there are no Jails on OpenBSD. The current Bhyve implementation allows one even to boot the latest Windows 2019 Technology Preview.

The HardenedBSD project is the FreeBSD system code base with LOTS of security mechanisms and mitigations that are not available on the FreeBSD system. For example the entire lib32 tree has been disabled by default on HardenedBSD to make it more secure. Also LibreSSL is the default SSL library on HardenedBSD, the same as on OpenBSD, while FreeBSD uses OpenSSL for compatibility reasons.

Comparison between LibreSSL and OpenSSL vulnerabilities.

One may see HardenedBSD as FreeBSD being successfully pulled up to the OpenBSD level (at least that is the goal), but as FreeBSD has tons more code and features it will be a harder and longer process to achieve that goal.

As I do not have that much competence in the security field I will just repost the comparison of the HardenedBSD project versus other BSD systems. The comparison is also available here – https://hardenedbsd.org/content/easy-feature-comparison – on the HardenedBSD website.

HardenedBSD.Easy.Feature.Comparison

Install

The installation is almost identical to the FreeBSD system; an example installation of a HardenedBSD system (on ZFS with Boot Environments) is shown below.

HardenedBSD-install-00 to HardenedBSD-install-26, HardenedBSD-install-31 (installer screenshots)

First Login

This is how a freshly installed HardenedBSD system looks.

% ssh notme@localhost
Password for root@hardenedbsd.local:
FreeBSD 11.1-STABLE-HBSD (HARDENEDBSD) #0 [STABLE:HardenedBSD-11-STABLE-v1100054.1]: Thu Nov 30 03:11:44 UTC 2017

+------------------------------------------------------------------------------+
|                                                                              |
|                             Welcome to HardenedBSD!                          |
|                                                                              |
|       _    _               _                     _ ____   _____ _____        |
|      | |  | |             | |                   | |  _ \ / ____|  __ \       |
|      | |__| | __ _ _ __ __| | ___ _ __   ___  __| | |_) | (___ | |  | |      |
|      |  __  |/ _` | '__/ _` |/ _ \ '_ \ / _ \/ _` |  _ < \___ \| |  | |      |
|      | |  | | (_| | | | (_| |  __/ | | |  __/ (_| | |_) |____) | |__| |      |
|      |_|  |_|\__,_|_|  \__,_|\___|_| |_|\___|\__,_|____/|_____/|_____/       |
|                                                                              |
+------------------------------------------------------------------------------+
|     keyword: sysctl, secadm, git, github.com/hardenedbsd hardenedbsd.org     |
+------------------------------------------------------------------------------+
                Edit /etc/motd to change this login announcement.               

root@hardenedbsd:~ # 

ZFS Boot Environments

We can use pkg(8) as usual and, as I intentionally did not install the latest version of HardenedBSD, pkg(8) warns about possible compatibility issues. As sysutils/beadm is just a shell script I will install it anyway.

root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Newer FreeBSD version for package pkg:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB 628.8kB/s    00:10    
Processing entries:   0%
Newer FreeBSD version for package p5-Statistics-Frequency:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1101512
- running kernel: 1101506
Allow missmatch now?[Y/n]: y
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default NR     /          426.0M 2018-04-05 20:24

Same as FreeBSD, the HardenedBSD system comes with a ‘crippled’ system layout when it comes to its usability under ZFS Boot Environments. The problem is in the /var and /usr filesystems/datasets NOT being placed under the pool/ROOT/bename path, so they will be omitted when a new Boot Environment is created. This makes beadm (and the whole Boot Environments idea) quite useless, as packages and base system userspace under /usr/local and /usr respectively, along with the /var/db/pkg installed packages information and other ‘databases’, are not protected by it. But with two commands it is very easy to fix that ‘crippled’ setup, even on a running system without unmounting anything.

The default HardenedBSD (and FreeBSD) ‘crippled’ system layout looks as follows.

root@hardenedbsd:~ # zfs list
NAME                 USED  AVAIL  REFER  MOUNTPOINT
zroot                428M  15.0G    88K  /zroot
zroot/ROOT           426M  15.0G    88K  none
zroot/ROOT/default   426M  15.0G   426M  /
zroot/tmp             88K  15.0G    88K  /tmp
zroot/usr            352K  15.0G    88K  /usr
zroot/usr/home        88K  15.0G    88K  /usr/home
zroot/usr/ports       88K  15.0G    88K  /usr/ports
zroot/usr/src         88K  15.0G    88K  /usr/src
zroot/var            572K  15.0G    88K  /var
zroot/var/audit       88K  15.0G    88K  /var/audit
zroot/var/crash       88K  15.0G    88K  /var/crash
zroot/var/log        132K  15.0G   132K  /var/log
zroot/var/mail        88K  15.0G    88K  /var/mail
zroot/var/tmp         88K  15.0G    88K  /var/tmp

With these two commands we move the /usr and /var filesystems/datasets under the pool/ROOT/bename path, so when new Boot Environments are created they will be covered and protected by the Boot Environment.

root@hardenedbsd:~ # zfs rename -u zroot/usr zroot/ROOT/default/usr
root@hardenedbsd:~ # zfs rename -u zroot/var zroot/ROOT/default/var

New layout after the fix is shown below.

root@hardenedbsd:~ # zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
zroot                          428M  15.0G    88K  /zroot
zroot/ROOT                     427M  15.0G    88K  none
zroot/ROOT/default             426M  15.0G   426M  /
zroot/ROOT/default/usr         352K  15.0G    88K  /usr
zroot/ROOT/default/usr/home     88K  15.0G    88K  /usr/home
zroot/ROOT/default/usr/ports    88K  15.0G    88K  /usr/ports
zroot/ROOT/default/usr/src      88K  15.0G    88K  /usr/src
zroot/ROOT/default/var         572K  15.0G    88K  /var
zroot/ROOT/default/var/audit    88K  15.0G    88K  /var/audit
zroot/ROOT/default/var/crash    88K  15.0G    88K  /var/crash
zroot/ROOT/default/var/log     132K  15.0G   132K  /var/log
zroot/ROOT/default/var/mail     88K  15.0G    88K  /var/mail
zroot/ROOT/default/var/tmp      88K  15.0G    88K  /var/tmp
zroot/tmp                       88K  15.0G    88K  /tmp
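The two renames above are easy to check for in any layout. As an added example, not part of the original article, the script below reads a name/mountpoint listing (here constructed from the article's two zfs list outputs), finds the dataset mounted on / and prints the zfs rename -u commands for the /usr and /var datasets that sit outside it; the helper names and the PROTECTED_PATHS list are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original article: check a ZFS layout for
# Boot Environment coverage and print the `zfs rename -u` commands that move
# uncovered datasets under the active BE, as the article does for /usr and /var.
# Input is two whitespace-separated columns, dataset name and mountpoint, i.e.
# what `zfs list -H -o name,mountpoint` prints. Both samples are constructed
# from the listings in the article.

CRIPPLED_LAYOUT='zroot /zroot
zroot/ROOT none
zroot/ROOT/default /
zroot/tmp /tmp
zroot/usr /usr
zroot/usr/home /usr/home
zroot/var /var
zroot/var/log /var/log'

FIXED_LAYOUT='zroot /zroot
zroot/ROOT none
zroot/ROOT/default /
zroot/ROOT/default/usr /usr
zroot/ROOT/default/var /var
zroot/tmp /tmp'

# Mountpoints the article wants covered by a BE: base userspace and packages
# (/usr, /usr/local) and the pkg database (/var/db/pkg) live under these.
PROTECTED_PATHS="/usr /var"

# be_root LAYOUT -> dataset mounted on /, i.e. the active Boot Environment
be_root() {
    printf '%s\n' "$1" | awk '$2 == "/" { print $1; exit }'
}

# dataset_for LAYOUT PATH -> dataset mounted exactly on PATH, empty if none
dataset_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# be_fix_commands LAYOUT -> one `zfs rename -u` line per protected path that is a
# dataset outside the active BE; prints nothing when the layout is already safe.
# -u renames without remounting, so the commands are safe on a running system;
# child datasets (zroot/usr/home, ...) follow their parent automatically.
be_fix_commands() {
    _layout=$1
    _root=$(be_root "$_layout")
    if [ -z "$_root" ]; then
        echo "no dataset mounted on /" >&2
        return 1
    fi
    for _path in $PROTECTED_PATHS; do
        _ds=$(dataset_for "$_layout" "$_path")
        # No dataset: PATH is a plain directory in the root dataset, already covered.
        [ -n "$_ds" ] || continue
        case "$_ds" in
            "$_root"/*) ;;   # already a child of the BE root
            *) printf 'zfs rename -u %s %s%s\n' "$_ds" "$_root" "$_path" ;;
        esac
    done
}

# be_layout_safe LAYOUT -> exit 0 when nothing needs renaming
be_layout_safe() {
    _out=$(be_fix_commands "$1") || return 1
    [ -z "$_out" ]
}

# Stand-alone use: print the fix for the constructed 'crippled' layout.
be_fix_commands "$CRIPPLED_LAYOUT"
```

On a live system feed it `zfs list -H -o name,mountpoint` instead of the constructed samples.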

Base System Update

While FreeBSD uses freebsd-update for base system updates, the HardenedBSD project uses its own hbsd-update tool, which does not rely on delta patches.

root@hardenedbsd:~ # freebsd-update
freebsd-update: Command not found.

The hbsd-update tool has a nice feature: it can perform the update in a new, separate Boot Environment into which you can reboot while leaving the running system untouched. That way you can go back to the non-upgraded system anytime if anything goes wrong during the update procedure or after the update itself.

As I installed the older 1100054.1 version, we will now update to the latest 1100055 version.

root@hardenedbsd:~ # hbsd-update -I -V -b updated
[*] Latest build: hbsd-v1100055-069a9206df22a498095e5e20f5ee28b9fd859080
/tmp/tmp.wP3U86Ci/update.tar                  100% of  299 MB  434 kBps 11m46s
[*] Verified hash: 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7 = 39e2c6a4c8a8387bf4091584bd029aad615378e49206ad1f863bd3602a77cdb7
[*] Checking validity of the public key
[*] Checking the validity of base.txz
[*] Checking the validity of etcupdate.tbz
[*] Checking the validity of skip.txt
[*] Checking the validity of kernel-HARDENEDBSD.txz
[*] Checking the validity of ObsoleteFiles.txt
[*] Checking the validity of ObsoleteDirs.txt
[*] Checking the validity of script.sh
[*] Checking the validity of secadm.integriforce.rules
******************
* IMPORTANT NOTE *
******************

This update includes the PTI patch. Third-party kernel modules (such
as x11/nvidia-driver and hardenedbsd/secadm-kmod) will need to be
recompiled/reinstalled.

If you wish to postpone installing this update, please hit Control-C
within the next ten (10) seconds.
Created successfully
Mounted successfully on '/tmp/tmp.tFMmByeO'
[*] Applying base
[*] Updating /etc
[*] Manual merges need to be done.
Resolving conflict in '/etc/motd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: mf
Resolving conflict in '/etc/periodic/daily/200.backup-passwd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/pf.os':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.initdiskless':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/devd/usb.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.firewall':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.root.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.debug.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.usr.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.tests.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mtree/BSD.include.dist':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ntpd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/fsck':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipsec':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/pf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/sendmail':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.d/ipfw':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/services':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/regdomain.xml':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/sysctl.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/rc.subr':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/mail/mailer.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/ssh/sshd_config':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/master.passwd':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: h
  (p)  postpone    - ignore this conflict for now
  (df) diff-full   - show all changes made to merged file
  (e)  edit        - change merged file in an editor
  (r)  resolved    - accept merged version of file
  (mf) mine-full   - accept local version of entire file (ignore new changes)
  (tf) theirs-full - accept new version of entire file (lose local changes)
  (h)  help        - show this list
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: df
--- /tmp/tmp.tFMmByeO/etc/master.passwd 2018-04-05 20:25:29.869447000 +0200
+++ /tmp/tmp.tFMmByeO/var/db/etcupdate/conflicts/etc/master.passwd      2018-04-06 09:36:06.231096000 +0200
@@ -1,6 +1,10 @@
 # $FreeBSD$
 #
+ (stock)
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: mf
Resolving conflict in '/etc/devd.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
Resolving conflict in '/etc/defaults/rc.conf':
Select: (p) postpone, (df) diff-full, (e) edit,
        (h) help for more options: tf
[*] Updating the password database
[*] Applying kernel HARDENEDBSD
[*] Removing obsolete files
Remove /tmp/tmp.tFMmByeO/boot/pcibios.4th (Y/n)? y
    [+] Removing /tmp/tmp.tFMmByeO/boot/pcibios.4th
Remove /tmp/tmp.tFMmByeO/usr/lib/librt_p.a (Y/n)? y
    [+] Removing /tmp/tmp.tFMmByeO/usr/lib/librt_p.a
[*] Applying Integriforce rules
Unmounted successfully
Activated successfully

The update procedure is now finished; the new Boot Environment is present and already activated for the next reboot.

root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default N      /           95.4M 2018-04-05 20:24
updated R      -          887.4M 2018-04-06 09:35

Before rebooting into the updated system we may want to modify some files. Let's mount that Boot Environment for that purpose.

root@hardenedbsd:~ # beadm mount updated
Mounted successfully on '/tmp/BE-updated.8sbzisOh'

root@hardenedbsd:~ # beadm list
BE      Active Mountpoint                Space Created
default N      /                         95.5M 2018-04-05 20:24
updated R      /tmp/BE-updated.8sbzisOh 887.4M 2018-04-06 09:35

root@hardenedbsd:~ # cd /tmp/BE-updated.8sbzisOh

// MAKE NEEDED CHANGES BEFORE REBOOT

root@hardenedbsd:/tmp/BE-updated.8sbzisOh # cd

root@hardenedbsd:~ # beadm umount updated
Unmounted successfully

root@hardenedbsd:~ # shutdown -r now

After the reboot we can see that our HardenedBSD system is indeed upgraded to the newer version.

root@hardenedbsd:~ # sysctl hardening.version
hardening.version: 1100055

This time pkg(8) does not warn about possible incompatibilities; the earlier warnings appeared because we were running the older HardenedBSD version.

root@hardenedbsd:~ # pkg install beadm
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64, please wait...
Verifying signature with trusted certificate pkg.hardenedbsd.org.2014-09-04... done
Installing pkg-1.10.5...
Extracting pkg-1.10.5: 100%
Updating HardenedBSD repository catalogue...
pkg: Repository HardenedBSD load error: access repo file(/var/db/pkg/repo-HardenedBSD.sqlite) failed: No such file or directory
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB 224.6kB/s    00:28    
Processing entries: 100%
HardenedBSD repository update completed. 30459 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        beadm: 1.2.7_4 [HardenedBSD]

Number of packages to be installed: 1

9 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching beadm-1.2.7_4.txz: 100%    9 KiB   9.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing beadm-1.2.7_4...
[1/1] Extracting beadm-1.2.7_4: 100%
root@hardenedbsd:~ # beadm list
BE      Active Mountpoint  Space Created
default -      -           95.6M 2018-04-05 20:24
updated NR     /          928.1M 2018-04-06 09:35

As we can see, we can still get back to the older Boot Environment with our 1100054.1 HardenedBSD system if needed.

Here are datasets for both systems.

root@hardenedbsd:~ # zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
zroot                          930M  14.5G    88K  /zroot
zroot/ROOT                     928M  14.5G    88K  none
zroot/ROOT/default             364K  14.5G   426M  /
zroot/ROOT/default/usr            0  14.5G    88K  /usr
zroot/ROOT/default/usr/home       0  14.5G    88K  /usr/home
zroot/ROOT/default/usr/ports      0  14.5G    88K  /usr/ports
zroot/ROOT/default/usr/src        0  14.5G    88K  /usr/src
zroot/ROOT/default/var         132K  14.5G    88K  /var
zroot/ROOT/default/var/audit      0  14.5G    88K  /var/audit
zroot/ROOT/default/var/crash      0  14.5G    88K  /var/crash
zroot/ROOT/default/var/log      76K  14.5G   132K  /var/log
zroot/ROOT/default/var/mail       0  14.5G    88K  /var/mail
zroot/ROOT/default/var/tmp      56K  14.5G    88K  /var/tmp
zroot/ROOT/updated             927M  14.5G   497M  /
zroot/ROOT/updated/usr         300M  14.5G   300M  /usr
zroot/ROOT/updated/usr/home     88K  14.5G    88K  /usr/home
zroot/ROOT/updated/usr/ports    88K  14.5G    88K  /usr/ports
zroot/ROOT/updated/usr/src     144K  14.5G    88K  /usr/src
zroot/ROOT/updated/var        36.0M  14.5G  35.2M  /var
zroot/ROOT/updated/var/audit   144K  14.5G    88K  /var/audit
zroot/ROOT/updated/var/crash   144K  14.5G    88K  /var/crash
zroot/ROOT/updated/var/log     216K  14.5G   132K  /var/log
zroot/ROOT/updated/var/mail    144K  14.5G    88K  /var/mail
zroot/ROOT/updated/var/tmp     144K  14.5G    88K  /var/tmp
zroot/tmp                       88K  14.5G    88K  /tmp

We will now destroy the older 1100054.1 HardenedBSD system as it is no longer needed.

root@hardenedbsd:~ # beadm destroy default
Are you sure you want to destroy 'default'?
This action cannot be undone (y/[n]): y
Boot environment 'default' was created from existing snapshot
Destroy 'updated@2018-04-06-09:35:01' snapshot? (y/[n]): y
Destroyed successfully

Let's check if we are running the latest version.

root@hardenedbsd:~ # hbsd-update -I -V -b new
[*] This system is already on the latest version.

HardenedBSD Ports

As a general idea: if software is in FreeBSD Ports, then it is also in HardenedBSD Ports. Both FreeBSD and HardenedBSD provide packages built from their ports trees, but not all packages available on FreeBSD are available on HardenedBSD, because some fail to build against LibreSSL (FreeBSD still has OpenSSL in base) and others fail to build because of the HardenedBSD security mechanisms and mitigations that are enabled. There is also one counterexample to that rule: there is an audio/lame package in HardenedBSD while there is none on FreeBSD.

The good thing about the HardenedBSD community is their response speed. For example, I had a problem with the sysutils/bareos-client port that failed to build (bareos-client fails to build: https://groups.google.com/a/hardenedbsd.org/forum/#!topic/users/xop4rVGVRC4) and within hours they modified the port to let me build it against GnuTLS (Bug 227318 – sysutils/bareos-server: Add GNUTLS option: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227318), which worked like a charm. It was so fast and accurate that even overpriced enterprise support from Oracle or Dell EMC does not work that fast and that well.

As with the freebsd-update tool, the HardenedBSD project does not use the portsnap tool.

root@hardenedbsd:~ # portsnap fetch extract
portsnap: Command not found.

The git tool is used instead. You first need to add it from the pkg(8) repository like any other package, as shown below.

root@hardenedbsd:~ # pkg install git-lite

Now you may want to use git to fetch the HardenedBSD Ports tree. One thing I find inconvenient is that you must KNOW the GitHub URL to type, same as with OpenBSD for packages. I like the FreeBSD approach more here, as I do not have to remember that.

root@hardenedbsd:~ # git clone --depth=1 https://github.com/HardenedBSD/hardenedbsd-ports.git /usr/ports
Cloning into '/usr/ports'...
remote: Counting objects: 170097, done.
remote: Compressing objects: 100% (155861/155861), done.
remote: Total 170097 (delta 11341), reused 115842 (delta 9658), pack-reused 0
Receiving objects: 100% (170097/170097), 64.51 MiB | 335.00 KiB/s, done.
Resolving deltas: 100% (11341/11341), done.
Checking out files: 100% (135035/135035), done.

Let's verify the contents.

root@hardenedbsd:~ # cd /usr/ports
root@hardenedbsd:/usr/ports # find . | head -20
.
./www
./www/ocaml-net
./www/ocaml-net/files
./www/ocaml-net/files/patch-Makefile.rules
./www/ocaml-net/distinfo
./www/ocaml-net/Makefile
./www/ocaml-net/pkg-descr
./www/pear-Services_TinyURL
./www/pear-Services_TinyURL/distinfo
./www/pear-Services_TinyURL/Makefile
./www/pear-Services_TinyURL/pkg-descr
./www/grafana5
./www/grafana5/files
./www/grafana5/files/grafana.in
./www/grafana5/files/grafana.conf.in
./www/grafana5/pkg-plist
./www/grafana5/pkg-descr
./www/grafana5/Makefile
./www/grafana5/distinfo

Subsequent updates are done with the git pull command.

root@hardenedbsd:/usr/ports # git pull
Already up to date.

The HardenedBSD system I use here has 1 GB of RAM, which with the default ZFS ARC size is not enough for git to run.

root@hardenedbsd:~ # grep git /var/log/messages 
Apr  6 14:47:42 hardenedbsd kernel: [18059] pid 32538 (git), uid 0, was killed: out of swap space

To leave more RAM for ‘processes’ and take some away from the ZFS cache (ARC), put these lines into the /boot/loader.conf file and reboot the system for the changes to take effect. A RAM size known not to have issues with git memory usage is 2 GB.

root@hardenedbsd:~ # cat >> /boot/loader.conf << __EOF
# ZFS (loader.conf uses name="value" syntax)
vfs.zfs.arc_min="1M"
vfs.zfs.arc_max="32M"
__EOF

root@hardenedbsd:~ # shutdown -r now

HardenedBSD Base System Sources

The HardenedBSD base system sources are also fetched with the git tool. Below is an example command that fetches the sources.

root@hardenedbsd:~ # git clone --depth=1 --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ /usr/src
Cloning into '/usr/src'...
remote: Counting objects: 2314758, done.
remote: Compressing objects: 100% (4207/4207), done.
remote: Total 2314758 (delta 53355), reused 51865 (delta 51526), pack-reused 2258987
Receiving objects: 100% (2314758/2314758), 1.26 GiB | 75.00 KiB/s, done.
Resolving deltas: 100% (1769344/1769344), done.
root@hardenedbsd:~ #

Security Administration (secadm)

The HardenedBSD secadm tool allows users to toggle exploit mitigations on a per-application and per-jail basis. Users will typically use secadm to disable the PAGEEXEC and/or MPROTECT restrictions, or to use Integriforce, an implementation of verified execution that enforces hash-based signatures for binaries and their dependent shared objects.

First, let's add the secadm tool from the pkg(8) repository.

root@hardenedbsd:~ # pkg search secadm
secadm-0.5.1                   HardenedBSD Security Administration
secadm-kmod-0.5.1              HardenedBSD Security Administration

root@hardenedbsd:~ # pkg install secadm secadm-kmod
Updating HardenedBSD repository catalogue...
HardenedBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        secadm: 0.5.1 [HardenedBSD]
        secadm-kmod: 0.5.1 [HardenedBSD]
        libucl: 0.8.0 [HardenedBSD]

Number of packages to be installed: 3

166 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching secadm-0.5.1.txz: 100%   53 KiB  54.6kB/s    00:01    
[2/3] Fetching secadm-kmod-0.5.1.txz: 100%   12 KiB  12.7kB/s    00:01    
[3/3] Fetching libucl-0.8.0.txz: 100%  100 KiB 102.6kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing libucl-0.8.0...
[1/3] Extracting libucl-0.8.0: 100%
[2/3] Installing secadm-0.5.1...
[2/3] Extracting secadm-0.5.1: 100%
[3/3] Installing secadm-kmod-0.5.1...
[3/3] Extracting secadm-kmod-0.5.1: 100%
Message from secadm-0.5.1:

======================================================================

When you running on custom kernel config, please consult with the 
kernel's source tree, especially with UPDATING-HardenedBSD file.

If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:

 options PAX_CONTROL_ACL
 options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
 options PAX_CONTROL_EXTATTR

 hbsdcontrol secadm

 https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1

======================================================================
Message from secadm-kmod-0.5.1:

======================================================================

When you running on custom kernel config, please consult with the 
kernel's source tree, especially with UPDATING-HardenedBSD file.

If you have any other question, you can inform on FreeNode's IRC
#hardenedbsd channel.

Keywords:

 options PAX_CONTROL_ACL
 options PAX_CONTROL_ACL_OVERRIDE_SUPPORT
 options PAX_CONTROL_EXTATTR

 hbsdcontrol secadm

 https://github.com/HardenedBSD/hardenedBSD/blob/hardened/current/master/UPDATING-HardenedBSD#L1

======================================================================

Now let's create a simple Integriforce rule for the /bin/dd command.

root@hardenedbsd:~ # cat >> /usr/local/etc/secadm.rules << __EOF
secadm {
  integriforce {
    path: "/bin/dd",
    hash: "72be7c66d4b0a7b776bfac314310edc7423fc251666d548ccde8bf3f9b5b37af",
    type: "sha256",
    mode: "hard",
  }
}
__EOF

Let's enable secadm in the /etc/rc.conf file.

root@hardenedbsd:~ # sysrc secadm_enable=YES

… and finally let's start the security administration mechanism.

root@hardenedbsd:~ # /usr/local/etc/rc.d/secadm start
Starting secadm.

Now let's verify that it really works. Let's try to modify the /bin/dd command.

root@hardenedbsd:~ # echo 1 >> /bin/dd
/bin/dd: Operation not permitted.

root@hardenedbsd:~ # tail -1 /var/log/messages 
Apr 6 12:44:28 hardenedbsd kernel: [10664] [SECADM] Prevented modification of (/bin/dd): protected by a SECADM rule.

But the /bin/dd command works as usual.

root@hardenedbsd:~ # /bin/dd  FILE bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.039543 secs (26517139 bytes/sec)

root@hardenedbsd:~ # ls -lh FILE
-rw-r--r--  1 root  wheel   1.0M Apr  6 12:06 FILE
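The rule above pins /bin/dd to one hash, so a binary replaced by a base update no longer matches it; when the update lands in a new Boot Environment that is mounted with beadm mount, the rules can be audited against that mount point before the reboot. As an added example, not code from the article or the secadm project, the script below writes an integriforce entry in the same layout as the article's secadm.rules and audits an existing rules file against the files under an optional root prefix; the helper names and the ROOT argument are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: generate an Integriforce
# entry for a binary and audit a rules file against the files it protects.
# The rule layout follows the article's secadm.rules; helper names and the
# optional ROOT prefix (e.g. a Boot Environment mounted by `beadm mount`) are
# this example's own. Paths are assumed not to contain whitespace.

# file_sha256 FILE -> hex digest; sha256(1) on FreeBSD, sha256sum(1) elsewhere
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# integriforce_rule PATH [MODE] -> prints one secadm integriforce block for PATH,
# hashing the file as it is right now. MODE defaults to "hard" as in the article.
integriforce_rule() {
    _hash=$(file_sha256 "$1") || return 1
    printf 'secadm {\n  integriforce {\n    path: "%s",\n    hash: "%s",\n    type: "sha256",\n    mode: "%s",\n  }\n}\n' \
        "$1" "$_hash" "${2:-hard}"
}

# integriforce_audit RULES [ROOT] -> for every path/hash pair in RULES compare the
# recorded hash with the file found under ROOT (default: the running system).
# Prints "OK|CHANGED|MISSING <path>" per rule and returns 1 if any rule is not OK,
# i.e. the rule would need regenerating before the updated system boots with it.
integriforce_audit() {
    _rules=$1; _root=${2:-}
    # Pull "path hash" pairs out of the one-key-per-line layout written above.
    _report=$(awk '
        /^[[:space:]]*path:/ { gsub(/[",]/, "", $2); p = $2 }
        /^[[:space:]]*hash:/ { gsub(/[",]/, "", $2); print p, $2 }
    ' "$_rules" |
    while read -r _path _hash; do
        _file="$_root$_path"
        if [ ! -f "$_file" ]; then
            echo "MISSING $_path"
        elif [ "$(file_sha256 "$_file")" = "$_hash" ]; then
            echo "OK $_path"
        else
            echo "CHANGED $_path"
        fi
    done)
    if [ -z "$_report" ]; then
        echo "no integriforce rules found in $_rules" >&2
        return 1
    fi
    printf '%s\n' "$_report"
    # Success only when no line is something other than OK.
    ! printf '%s\n' "$_report" | grep -qv '^OK '
}
```

Run the audit with the beadm mount point as ROOT (for the article's session: integriforce_audit /usr/local/etc/secadm.rules /tmp/BE-updated.8sbzisOh) to see which entries the updated Boot Environment will not satisfy.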

Resources

The HardenedBSD Handbook is mostly a copy of the FreeBSD Handbook with an additional Chapter 14. HardenedBSD, which covers the HardenedBSD-specific topics. This is good because HardenedBSD is generally a modified FreeBSD system, so most things work the same way.
https://hardenedbsd.org/~shawn/hbsd_handbook/book.html#hardenedbsd-secadm

The HardenedBSD Forum is available on Google Groups.
https://groups.google.com/a/hardenedbsd.org/forum/#!forum/users

A list of HardenedBSD applications that need custom secadm rules is available here.
https://github.com/HardenedBSD/hardenedBSD/wiki/Non-Compliant-Applications

There is also a whole GitHub repository with secadm rules.
https://github.com/HardenedBSD/secadm-rules

The Twitter accounts for both HardenedBSD and SoloBSD.
https://twitter.com/HardenedBSD
https://twitter.com/SoloBSD

OPNsense Connection

One last thing to notice is the OPNsense connection, described in detail here.
https://wiki.opnsense.org/relations/hardenedBSD.html
https://hardenedbsd.org/article/shawn-webb/2015-06-10/first-official-opnsense-images-hardenedbsd

UPDATE 1 – HardenedBSD Switching Back to OpenSSL

To cite the HardenedBSD project site:

Over a year ago, HardenedBSD switched to LibreSSL as the default cryptographic library in base for 12-CURRENT. 11-STABLE followed suit later on. Bernard Spil has done an excellent job at keeping our users up-to-date with the latest security patches from LibreSSL.

After recently updating 12-CURRENT to LibreSSL 2.7.2 from 2.6.4, it has become increasingly clear to us that performing major upgrades requires a team larger than a single person. Upgrading to 2.7.2 caused a lot of fallout in our ports tree. As of 28 Apr 2018, several ports we consider high priority are still broken. As it stands right now, it would take Bernard a significant amount of his spare personal time to fix these issues.

Until we have a multi-person team dedicated to maintaining LibreSSL in base along with the patches required in ports, HardenedBSD will use OpenSSL going forward as the default cryptographic library in base. LibreSSL will co-exist with OpenSSL in the source tree, as it does now. However, MK_LIBRESSL will default to “no” instead of the current “yes”. Bernard will continue maintaining LibreSSL in base along with addressing the various problematic ports entries.

To provide our users with ample time to plan and perform updates, we will wait a period of two months prior to making the switch. The switch will occur on 01 Jul 2018 and will be performed simultaneously in 12-CURRENT and 11-STABLE. HardenedBSD will archive a copy of the LibreSSL-centric package repositories and binary updates for base for a period of six months after the switch (expiring the package repos on 01 Jan 2019). This essentially gives our users eight full months for an upgrade path.

As part of the switch back to OpenSSL, the default NTP daemon in base will switch back from OpenNTPd to ISC NTP. Users who have local_openntpd_enable=”YES” set in rc.conf will need to switch back to ntpd_enable=”YES”.

Users who build base from source will want to fully clean their object directories. Any and all packages that link with libcrypto or libssl will need to be rebuilt or reinstalled.

With the community’s help, we look forward to the day when we can make the switch back to LibreSSL. We at HardenedBSD believe that providing our users options to rid themselves of software monocultures can better increase security and manage risk.

UPDATE 2

The Introduction to HardenedBSD World article was included in the BSD Now 245 – ZFS User Conf 2018 episode.

Thanks for mentioning!

UPDATE 3

Chapter 14. HardenedBSD of the HardenedBSD Handbook has been migrated/ported to a wiki page available here – https://github.com/HardenedBSD/hardenedBSD/wiki – enjoy.

EOF