HardenedBSD 12
Spooked by the recent string of vulnerabilities in critical components like systemd, Mayank Sharma is looking beyond Linux to protect his cat GIFs.
The HardenedBSD project is the combination of the repositories of two developers individually working to strengthen the security of FreeBSD. They decided to collaborate in order to add various exploit mitigations and well-known security-hardening mechanisms to the standard FreeBSD release. One of the first few notable protections included a working implementation of the grsecurity patch for Linux, and the Address Space Layout Randomisation feature popularly known as ASLR. Thanks to ASLR, an attacker will not be able to take advantage of even a known vulnerability in the target installation. Although there have been attempts to implement ASLR in earlier BSDs, HardenedBSD claims its efforts are the strongest of the lot. In fact, OPNsense – a software firewall appliance based on FreeBSD – switched to HardenedBSD’s ASLR implementation in 2016.
Some of the defence mechanisms employed by the OS include a reinforced network stack, a hardened boot process and hardening of certain sensitive sysctl nodes. It also enforces the integrity of executables, and in this latest v12 release HardenedBSD has applied the ‘retpoline’ patch (to mitigate the Spectre attack) to the base and ports collection.
The release also takes advantage of all security features in the base FreeBSD 12 release. The most notable security enhancement in FreeBSD 12 is the ability to restrict bhyve virtual machines inside jailed instances that are completely isolated from the main filesystem. The project maintains a comparative list of security features between HardenedBSD, FreeBSD, OpenBSD and NetBSD on its website, and you can get details about its security enhancements in the project’s wiki.
HardenedBSD is available for 64-bit machines only, as an ISO as well as an IMG file for bootable USB disks. You can use the images to boot into a Live environment, which isn’t unlike the typical Live Linux graphical environment. The HardenedBSD live environment drops you to a shell from where you can experiment with the OS without disturbing your hard disk. Working on the BSD CLI isn’t the same as working on the Linux CLI, so make sure you keep the BSD handbook in close proximity.
For anchoring the OS on your computer you’ll have to navigate through a text-based installer. It does feature a partition editor that offers both automatic and manual partitioning modes, but it’s best if first-time users experiment with it inside the comforts of a virtual machine. In line with its purpose, one of the most interesting options during installation is the ability to enable about a dozen system-hardening options. All options have a single-line explanation and, apart from a couple, are disabled by default. While they are all rather straightforward and will make sense if you’ve ever tried to enhance the security of your installation, you can just press ahead without making any changes in this section.
Since HardenedBSD is based on FreeBSD, it also uses its pkg binary package management system, which isn’t unlike the apt-get or dnf package management systems. You can use it to transform the base installation into a full-fledged desktop or any kind of server. As with any DIY installation, setting up HardenedBSD is an involved process that takes a lot longer, but the resulting system will be a lot faster than a pre-packaged installation.