HardenedBSD June 2022 Status Report


Shawn Webb

Jun 28, 2022, 4:19:26 PM
to HardenedBSD Users
Hey all,

June saw some cool security enhancements to HardenedBSD. So let's kick off our
usual list:

In src, 14-CURRENT:

1. The HardenedBSD amd64 kernel configs have been unified to be based off of
HARDENEDBSD-CORE.
2. OpenSSH's ssh-sk-helper program violates the cfi-icall scheme. Until I get
time to dive in (or if someone beats me to it), I've disabled the cfi-icall
scheme for that program. Users can now use the integrated FIDO2/U2F key
support in OpenSSH.
3. Our Trusted Path Execution feature from secadm now exists in base. There are
some differences, which I will document in our wiki soon. TPE violations are
logged. One major thing left to do is integrate with mmap(fd, PROT_EXEC).
This would also prevent a PaX NOEXEC bypass by virtue of creating a file with
an executable payload, mapping it in memory, and executing it.
4. The RTLD has been significantly hardened. This has the potential to cause
issues, especially when building ports/packages. A new sysctl node
(hardening.harden_rtld) has been added and is defaulted to 1 (enabled).

I plan to MFC all of the above to 13-STABLE soon. If you build your own packages
or ports, please take special note of item four above. Here are a few more details
on how we've hardened the RTLD (when hardening.harden_rtld is set to 1):

1. LD_PRELOAD is fully prohibited.
2. Set dangerous_ld_env, which isn't used much in the RTLD, but could be used
more in the future.
3. Sensitive LD_* environment variables are scrubbed.
4. Using the RTLD to execute applications is prohibited.
5. Tracing of loaded objects is prohibited. This change in particular breaks
ldd(1), which is used by a lot of ports during the build process. This is
what can cause the most headaches.

In ports:

1. SafeStack and CFI are disabled if PKGNAMESUFFIX ends with -static.
2. PaX PAGEEXEC is disabled for sysutils/syslog-ng
3. New port added: sysutils/pc-sysinstall
4. SMB support was added to multimedia/ffmpeg
5. PaX MPROTECT is disabled for emulators/wine
6. PaX MPROTECT is disabled for emulators/wine-proton
7. PaX MPROTECT is disabled for net-im/nheko
8. PaX MPROTECT is disabled for net-im/quaternion
9. PaX MPROTECT is disabled for www/node16

Other projects:

1. Work is now officially underway to provide the HardenedBSD community with a
HardenedBSD 13-STABLE based fork of OPNsense. We're really close to providing
a proof-of-concept build--likely before the end of July 2022. We will provide
periodic (monthly? bi-weekly?) updates. If you'd like to follow along, the
repos are at [0].
2. The old 12-STABLE package building server will be used to perform periodic
automated builds of Loic's LiveCD project, making it an official HardenedBSD
project. This server will also build the HardenedBSD+OPNsense builds. Time
frame for completing this will likely be in August 2022.

[0]: https://git.hardenedbsd.org/hbsdfw

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
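For port and package builders hit by item four, here is an added helper script (not part of the status report or of HardenedBSD itself) that reads the hardening.harden_rtld sysctl named above, reports whether ldd(1) still works, and can run one build command with the knob temporarily lowered and restored afterwards. The sysctl name comes from the post; the function names and the parse-from-string design are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not HardenedBSD project code. Assumes only the sysctl node
# named in the status report; everything else here is this script's own.

SYSCTL_NODE="hardening.harden_rtld"

# Extract the value of hardening.harden_rtld from sysctl(8) output passed
# as $1, so the parser can be exercised offline. Prints 0 or 1, or
# "unknown" when the node is absent (e.g. on stock FreeBSD).
harden_rtld_value() {
    printf '%s\n' "$1" | awk -v node="$SYSCTL_NODE" '
        $1 == node ":" { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Read the live value; tolerate systems that lack the node entirely.
current_harden_rtld() {
    harden_rtld_value "$(sysctl "$SYSCTL_NODE" 2>/dev/null)"
}

# Return 0 if ldd(1) can trace the given binary (default /bin/sh), else 1.
# With harden_rtld=1 the post says tracing is prohibited, so expect failure.
ldd_traces() {
    ldd "${1:-/bin/sh}" >/dev/null 2>&1
}

# Run a build command with RTLD hardening temporarily set to 0, restoring
# the previous value even if the command fails or is interrupted.
# Only touches the knob when it is actually 1; needs root to change it.
with_rtld_hardening_relaxed() {
    prev=$(current_harden_rtld)
    if [ "$prev" = "1" ]; then
        sysctl "$SYSCTL_NODE=0" >/dev/null || return 1
        trap 'sysctl "$SYSCTL_NODE=1" >/dev/null' EXIT INT TERM
    fi
    "$@"
    rc=$?
    if [ "$prev" = "1" ]; then
        sysctl "$SYSCTL_NODE=1" >/dev/null
        trap - EXIT INT TERM
    fi
    return $rc
}
```

Typical use on a builder is `with_rtld_hardening_relaxed make -C /usr/ports/category/port package`, after first checking `ldd_traces` to confirm the knob is what is breaking the build.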

Shawn Webb

Jun 29, 2022, 9:29:55 PM
to HardenedBSD Users
On Tue, Jun 28, 2022 at 04:19:23PM -0400, Shawn Webb wrote:
> Other projects:
>
> 1. Work is now officially underway to provide the HardenedBSD community with a
> HardenedBSD 13-STABLE based fork of OPNsense. We're really close to providing
> a proof-of-concept build--likely before the end of July 2022. We will provide
> periodic (monthly? bi-weekly?) updates. If you'd like to follow along, the
> repos are at [0].
> 2. The old 12-STABLE package building server will be used to perform periodic
> automated builds of Loic's LiveCD project, making it an official HardenedBSD
> project. This server will also build the HardenedBSD+OPNsense builds. Time
> frame for completing this will likely be in August 2022.
>
> [0]: https://git.hardenedbsd.org/hbsdfw

For anyone feeling adventurous, I've uploaded a very early build. I
can't guarantee that in-place updates will work, so to update to the
next build, the following procedures would likely need to be followed:

1. Backup config
2. Reinstall with new build
3. Restore config

For anyone who does indeed want to test this out, please let me know
how it goes. Everything from just a simple "works for me" to "hey,
this needs work" is appreciated.

https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_13.1-20220629-185410.iso.xz

SHA256 (hbsdfw_installer_vga_13.1-20220629-185410.iso.xz) =
f6f3f4c678844d653fc67dba3d67a762db3a7870b88477ffa333064afd23e4af

Shawn Webb

Jun 30, 2022, 9:18:43 AM
to HardenedBSD Users
I should've mentioned the login info:

Username: root
Password: dynfi

Dustin Marquess

Jun 30, 2022, 7:57:30 PM
to Shawn Webb, HardenedBSD Users
On Wed, Jun 29, 2022 at 8:29 PM Shawn Webb <shawn...@hardenedbsd.org> wrote:
>
> For anyone feeling adventurous, I've uploaded a very early build. I
> can't guarantee that in-place updates will work, so to update to the
> next build, the following procedures would likely need to be followed:
>
> 1. Backup config
> 2. Reinstall with new build
> 3. Restore config
>
> For anyone who does indeed want to test this out, please let me know
> how it goes. Everything from just a simple "works for me" to "hey,
> this needs work" is appreciated.

Awesome, I'll try and give it a go in a VM here shortly.

Personally I'd love an arm64 version to try on a MACCHIATObin some day...

-Dustin

Eva Winterschön

Jul 7, 2022, 6:39:14 PM
to HardenedBSD Users, Shawn Webb
Re: HBSD-FW
  • Initial crash/bug report attached with GUI info + some debug info from SOL output, dmidecode, etc
  • Functionality seems fine other than some PHP errors after a default install.
  • Next steps are setting up VLANs, testing WLAN (separate mPCIe chipsets on PCIe carriers for 2.4 GHz and 5 GHz), WWAN LTE modem
  • Load generator tests will follow once networking customizations are completed and additional NICs installed (will be testing Intel X710 10G and Mellanox CX-4 100G)
Crash-Report-2022-0707.FreeBSD-13.1-STABLE-HBSD-blackhawk-n190977-56e66d9ce6a.txt