|
|
Welcome to HardenedBSD's wiki! We're actively working on this as a place for initial documentation.
|
|
|
# About HardenedBSD
|
|
|
|
|
|
[Applications with issues on HardenedBSD](https://github.com/HardenedBSD/hardenedBSD/wiki/Non-Compliant-Applications) - Using secadm to work around those issues.
|
|
|
07 Oct 2018: Please note that this document is under active and heavy
|
|
|
construction. Not all sections are complete.
|
|
|
|
|
|
[ideas](https://github.com/HardenedBSD/hardenedBSD/wiki/idea---todo)
|
|
|
[paxctl](https://github.com/HardenedBSD/hardenedBSD/wiki/paxctl-memo)
|
|
|
HardenedBSD is a fork of FreeBSD, founded in 2014, that implements
|
|
|
exploit mitigations and security hardening technologies. The primary
|
|
|
goal of HardenedBSD is to perform a clean-room re-implementation of
|
|
|
the grsecurity patchset for Linux to HardenedBSD.
|
|
|
|
|
|
[paxlog](https://github.com/HardenedBSD/hardenedBSD/wiki/paxlog)
|
|
|
Some of HardenedBSD's features can be toggled on a per-application and
|
|
|
per-jail basis using secadm or hbsdcontrol. Documentation for both
|
|
|
tools will be covered later.
|
|
|
|
|
|
[segvguard](https://github.com/HardenedBSD/hardenedBSD/wiki/segvguard2-ideas---brainstorm)
|
|
|
## History
|
|
|
|
|
|
[settings](https://github.com/HardenedBSD/hardenedBSD/wiki/settings)
|
|
|
Work on HardenedBSD began in 2013 when Oliver Pinter and Shawn Webb
|
|
|
started working on an implementation of Address Space Layout
|
|
|
Randomization (ASLR), based on PaX's publicly-available documentation,
|
|
|
for FreeBSD. At that time, HardenedBSD was meant to be a staging area
|
|
|
for experimental development on the ASLR patch. Over time, as the
|
|
|
process of upstreaming ASLR to FreeBSD became more difficult,
|
|
|
HardenedBSD naturally became a fork.
|
|
|
|
|
|
HardenedBSD completed its ASLR implementation in 2015 with the
|
|
|
strongest form of ASLR in any of the BSDs. Since then, HardenedBSD has
|
|
|
moved on to implementing other exploit mitigations and hardening
|
|
|
technologies. OPNsense, an open source firewall based on FreeBSD,
|
|
|
incorporated HardenedBSD's ASLR implementation in 2016.
|
|
|
|
|
|
HardenedBSD exists today as a fork of FreeBSD that closely follow's
|
|
|
FreeBSD's source code. HardenedBSD syncs with FreeBSD every six hours.
|
|
|
Some of the branches, but not all, are listed below:
|
|
|
|
|
|
1. HEAD -> hardened/current/master
|
|
|
1. stable/11 -> hardened/stable/11
|
|
|
1. releng/11.2 -> hardened/releng/11.2
|
|
|
|
|
|
## Features
|
|
|
|
|
|
HardenedBSD has successfully implemented the following features:
|
|
|
|
|
|
1. PaX-inspired ASLR
|
|
|
1. PaX-inspired NOEXEC
|
|
|
1. PaX-inspired SEGVGUARD
|
|
|
1. Base compiled as Position Independent Executables (PIEs)
|
|
|
1. Base compiled with full RELRO (RELRO + BIND_NOW)
|
|
|
1. Hardening of certain sensitive sysctl nodes
|
|
|
1. Network stack hardening
|
|
|
1. Executable file integrity enforcement
|
|
|
1. Boot process hardening
|
|
|
1. procs/linprocfs hardening
|
|
|
1. LibreSSL as an optional crypto library in base
|
|
|
1. Trusted Path Execution (TPE)
|
|
|
1. Randomized PIDs
|
|
|
1. SafeStack in base
|
|
|
1. SafeStack available in ports
|
|
|
1. Non-Cross-DSO CFI in base
|
|
|
1. Non-Cross-DSO CFI available in ports
|
|
|
|
|
|
## Generic Kernel Options
|
|
|
|
|
|
All of HardenedBSD's features that rely on kernel code require the
|
|
|
following kernel option:
|
|
|
|
|
|
```
|
|
|
options PAX
|
|
|
```
|
|
|
|
|
|
Additionally, the following kernel option is not required, but exposes
|
|
|
extra sysctl nodes:
|
|
|
|
|
|
```
|
|
|
options PAX_SYSCTLS
|
|
|
```
|
|
|
|
|
|
Generic system hardening can be enabled with the following kernel
|
|
|
option:
|
|
|
|
|
|
```
|
|
|
options PAX_HARDENING
|
|
|
```
|
|
|
|
|
|
## Generic System Hardening
|
|
|
|
|
|
HardenedBSD implements generic system hardening with the
|
|
|
`PAX_HARDENING` kernel option. Many of these hardening features deal
|
|
|
with restricting what non-root users are permitted to do. When the
|
|
|
kernel is compiled with the `PAX_HARDENING` kernel option, certain
|
|
|
`sysctl(8)` nodes are modified from their defaults.
|
|
|
|
|
|
`procfs(5)` and `linprocfs(5)` are modified to prevent arbitrary
|
|
|
writes to a process's registers. This behavior is controlled by the
|
|
|
`hardening.procfs_harden` `sysctl(8)` node.
|
|
|
|
|
|
`kld(4)` related system calls are restricted to non-jailed, root-only
|
|
|
users. Attempting to list kernel modules using `modfind(2)`,
|
|
|
`kldfind(2)`, and other KLD-related system calls will result in
|
|
|
permission denied if used by a non-root or jailed user.
|
|
|
|
|
|
### Modified sysctl Nodes
|
|
|
|
|
|
These are the nodes that are modified from their original defaults
|
|
|
when `PAX_HARDENING` is enabled in the kernel:
|
|
|
|
|
|
| Node | Description | Type | Original Value | Hardened Value |
|
|
|
|:-------------------------------------:|:------------------------------------------------------------------------------:|:-------:|:--------------:|:---------------------------------------:|
|
|
|
| kern.msgbuf_show_timestamp | Show timestamp in msgbuf | Integer | 0 | 1 |
|
|
|
| kern.randompid | Random PID Modulus | Integer | 0, read+write | Randomly set at boot and made read-only |
|
|
|
| net.inet.ip.random_id | Assign random IP ID values | Integer | 0 | 1 |
|
|
|
| net.inet6.ip6.use_deprecated | Allow the use of addresses whose preferred lifetimes have expired | Integer | 1 | 0 |
|
|
|
| net.inet6.ip6.use_tempaddr | Use IPv6 temporary addresses with SLAAC | Integer | 0 | 1 |
|
|
|
| net.inet6.ip6.prefer_tempaddr | Prefer IPv6 temporary address generated last | Integer | 0 | 1 |
|
|
|
| security.bsd.see_other_gids | Unprivileged processes may see subjects/objects with different real gid | Integer | 1 | 0 |
|
|
|
| security.bsd.see_other_uids | Unprivileged processes may see subjects/objects with different real uid | Integer | 1 | 0 |
|
|
|
| security.bsd.hardlink_check_gid | Unprivileged processes cannot create hard links to files owned by other groups | Integer | 0 | 1 |
|
|
|
| security.bsd.hardlink_check_uid | Unprivileged processes cannot create hard links to files owned by other users | Integer | 0 | 1 |
|
|
|
| security.bsd.stack_guard_page | Insert stack guard page ahead of the growable segments | Integer | 0 | 1 |
|
|
|
| security.bsd.unprivileged_proc_debug | Unprivileged processes may use process debugging and tracing facilities | Integer | 1 | 0 |
|
|
|
| security.bsd.unprivileged_read_msgbuf | Unprivileged processes may read the kernel message buffer | Integer | 1 | 0 |
|
|
|
|
|
|
[stable to current](https://github.com/HardenedBSD/hardenedBSD/wiki/Stable-To-Current)
|
|
|
|
|
|
[installation](https://github.com/HardenedBSD/hardenedBSD/wiki/installation) |
|
|
\ No newline at end of file |