August HardenedBSD Status Report

We at HardenedBSD have decided to do a periodic (likely quarterly) status report in order to keep the community informed of what's going on in HardenedBSD. So here goes the first status report:

The Call for Donations is going well. We have raised nearly $1,000 USD of our goal of $7,000 USD. The Internet Systems Consortium, the people behind BIND and ISC DHCP, have offered to match donations up to $1,000 USD. We've decided to run the donation drive until November 30th. We appreciate all the help and support from the community and are excited to see where this round of donations takes us. We plan to start investigating 501(c)(3) non-profit status in January.

We added Brian Salcedo as an official developer, tasked with rewriting secadm nearly from scratch. He has been hard at work revamping how the rules are stored in the kernel. As part of the rewrite, he'll include ugidfw(8) functionality. The basic rewrite is 100% complete and pending a thorough code review. We're hoping to have a beta released soon.

We have started maintaining a repository of secadm rules for applications that are known to misbehave under our exploit mitigations (typically rules that relax a mitigation, such as ASLR or mprotect restrictions, for a single binary rather than system-wide). If you have a secadm rule for an application and would like to see it included, please send us either a Pull Request on GitHub or email us a patch. Feel free to also drop in on IRC and let us know. Oliver has created a small script to help with rule validation.

Shawn has been working with the OPNsense team to deliver quality builds based on HardenedBSD. Experimental builds have been posted here, the latest being hbsd-exp-05. Work is in progress to provide a binary upgrade path and an official download location.

Shawn has also been working with Baptiste Daroussin from the FreeBSD project to test his RELRO patch. RELRO (read-only relocations) has the dynamic linker mark the GOT and other relocated data read-only once relocation is finished, so that a memory-corruption bug can no longer overwrite those pointers; full RELRO additionally requires immediate binding (-z now) so the entire GOT is resolved before the protection is applied. The RELRO patch is in the hardened/current/unstable branch and is undergoing extensive testing, including a full package build with a number of packages compiled with RELRO. We hope to have the RELRO patch merged into the hardened/current/master branch within the next week or two.

Shawn is also preparing to give a number of presentations. He'll be speaking at vBSDcon, DerbyCon, and BSidesDC. The BSidesDC talk will be a recorded, four-hour presentation diving deep into HardenedBSD's internals.
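A package build "with RELRO" is only as good as what actually lands in the binaries, so a practitioner will want to verify the result rather than trust the build flags. The following checker is an added example for this report, not code from HardenedBSD, FreeBSD or the RELRO patch: it classifies an ELF64 image as having no, partial (PT_GNU_RELRO present) or full (PT_GNU_RELRO plus DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW) RELRO. It assumes the image uses the host's byte order and only handles ELF64; the `build_image` helper produces a constructed, minimal ELF image purely so the classifier can be exercised offline, and is not a real binary.

```c
/* relro_check.c: classify an ELF64 image as no / partial / full RELRO.
 * Added example, not HardenedBSD or FreeBSD code. Assumes the image shares
 * the host's byte order; ELF32 and malformed images are reported as -1. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Partial RELRO: a PT_GNU_RELRO segment (GOT made read-only after relocation).
 * Full RELRO: PT_GNU_RELRO plus immediate binding (DT_BIND_NOW, DF_BIND_NOW
 * or DF_1_NOW), so the whole GOT is resolved and protected before main(). */
int relro_level(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;                      /* program header table out of bounds */

    int have_relro = 0, bind_now = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            have_relro = 1;
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return -1;                  /* dynamic section out of bounds */
        for (size_t j = 0; j < ph.p_filesz / sizeof(Elf64_Dyn); j++) {
            Elf64_Dyn d;
            memcpy(&d, buf + ph.p_offset + j * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                bind_now = 1;
        }
    }
    if (!have_relro) return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed test input (not a real binary): a minimal ELF64 image with a
 * PT_DYNAMIC header, a two-entry dynamic section, and optionally a
 * PT_GNU_RELRO header and DF_BIND_NOW. Returns the image size, 0 if cap is too small. */
size_t build_image(unsigned char *out, size_t cap, int with_relro, int bind_now)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2]; Elf64_Dyn dyn[2];
    unsigned nph = with_relro ? 2 : 1;
    size_t phoff = sizeof eh, dynoff = phoff + nph * sizeof(Elf64_Phdr);
    if (cap < dynoff + sizeof dyn) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = phoff;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = nph;
    ph[0].p_type = PT_DYNAMIC; ph[0].p_offset = dynoff; ph[0].p_filesz = sizeof dyn;
    if (with_relro) ph[1].p_type = PT_GNU_RELRO;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + phoff, ph, nph * sizeof(Elf64_Phdr));
    memcpy(out + dynoff, dyn, sizeof dyn);
    return dynoff + sizeof dyn;
}

/* Convenience: build a synthetic image and classify it in one call. */
int synthetic_level(int with_relro, int bind_now)
{
    unsigned char img[256];
    size_t n = build_image(img, sizeof img, with_relro, bind_now);
    return n ? relro_level(img, n) : -1;
}

/* Stand-alone use: relro_check <elf-file> */
int main(int argc, char **argv)
{
    static const char *names[] = { "no RELRO", "partial RELRO", "full RELRO" };
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); free(buf); return 2; }
    fclose(f);
    int lvl = relro_level(buf, (size_t)sz);
    free(buf);
    if (lvl < 0) { fprintf(stderr, "%s: not a supported ELF64 image\n", argv[1]); return 2; }
    printf("%s: %s\n", argv[1], names[lvl]);
    return 0;
}
```

Run it over the binaries and shared objects of a package built from the RELRO branch: anything reporting "no RELRO" did not pick up the linker flags, and "partial RELRO" means the GOT is only protected after lazy binding, which is the usual sign that `-z now` was not passed alongside `-z relro`.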

Oliver has been working hard on bringing FORTIFY_SOURCE to FreeBSD for his Google Summer of Code project, and has made a lot of progress. He's currently splitting the work out into smaller patches for easier review by the FreeBSD development team. The FORTIFY_SOURCE work builds fine with both clang and gcc. He also backported our ASLR code to 10-STABLE.

Oliver has also been keeping tabs on HardenedBSD's infrastructure, ensuring everything runs smoothly. We had a failing disk earlier this week on our Jenkins machine and got it replaced within a few hours. The primary CPU fan header on the motherboard of the package building server has stopped working. Luckily there's a second header for an additional CPU fan, so as a stopgap the CPU fan was moved to the second header. The motherboard should be under warranty, and we'll be working on replacing it through the normal warranty process soon.

A user reported having issues with golang on HardenedBSD. After some digging, we found that golang versions prior to 1.5 require the COMPAT_FREEBSD32 option (32-bit binary compatibility) in your kernel config, and we have removed that option from the HARDENEDBSD kernel config. Golang version 1.5, which is already in the ports tree, no longer needs it. We will be following up with a new package build soon.