LibreSSL Package Repo

We are pleased to announce the availability of the LibreSSL package repo for 11-CURRENT/amd64. This repo is based off of the LibreSSL-in-base branch (hardened/current/master-libressl) that Bernard Spil has been working on. Going forward, along with providing binary updates for that branch via hbsd-update(8), we will also provide binary packages. We will also provide binary packages soon for the LibreSSL 10-STABLE branch (hardened/10-stable/master-libressl). Having both the feature branches along with package repos will allow us to investigate making LibreSSL the standard in HardenedBSD.

We would like to thank Bernard Spil for his continuous hard work. We're glad to have him on the team. Thanks to him, HardenedBSD is the first downstream FreeBSD project to have both LibreSSL in base along with a package repo that matches.

hbsd-update now installing Integriforce ruleset

We are excited to announce the ability to easily utilize Integriforce with base. From now on, hbsd-update(8) will install a full Integriforce ruleset as /etc/secadm.d/base.integriforce.rules for base. If you include this file in your normal secadm.rules(5) ruleset, you will get full integrity enforcement on all executable files in base. If you include the applications from ports/packages in your secadm.rules(5) file, you can turn on whitelisting mode, in which case, all executable files that aren't protected by Integriforce will be denied execution. If you only utilize applications from base, you can turn on whitelisting mode and get the same results.

Using the Integriforce ruleset is entirely optional, but highly recommended.

An example secadm.rules file might look something like this:

secadm {
    pax {
        path: "/usr/local/lib/firefox/firefox",
        pageexec: false,
        mprotect: false
    }

    .include "/etc/secadm.d/base.integriforce.rules"
}

New stable release: HardenedBSD-stable 10-STABLE v46.2

HardenedBSD-10-STABLE-v46.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

This is a security update, but by default none of the currently released FreeBSD SAs affect HardenedBSD, since we fixed the libarchive issue in v46.1 and the COMPAT layers are disabled by default.

https://security.freebsd.org/advisories/FreeBSD-SA-16:22.libarchive.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:21.43bsd.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:20.linux.asc

New stable release: HardenedBSD-stable 10-STABLE v46.1

HardenedBSD-10-STABLE-v46.1
----------------------------------------
https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
https://github.com/HardenedBSD/hardenedBSD-stable/commits/HardenedBSD-10...

This release fixes CVE-1541 and CVE-2015-2304 in libarchive, a lot of Coverity warnings / programing errors and an overflow in amd64's sysarch system call (00696f0, eac2aab, bd784f7).

New stable version: HardenedBSD-stable 11-CURRENT v46.2

HardenedBSD-11-CURRENT-v46.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

UPDATE TO THIS RELEASE IS STRONGLY ADVISED!

This release fixes two locally exploitable security issue, namely the followings:
https://security.freebsd.org/advisories/FreeBSD-SA-16:19.sendmsg.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc

New stable version: HardenedBSD-stable 10-STABLE v46

UPDATE TO THIS RELEASE IS STRONGLY ADVISED!

This release fixes two locally exploitable security issue, namely the followings:
https://security.freebsd.org/advisories/FreeBSD-SA-16:19.sendmsg.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc

Other news in this release:

Backported a lot of smaller coverity issues from FreeBSD.
Introduced fully enabled PIE, RELRO and BIND_NOW in the base system.

If you encounter build failures due the PIEified base system, you could empty the /usr/obj directory
and retry the build. For more details please consult the ${SRCTOP}/UPDATING-HardenedBSD
file.

https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

LibreSSL in HardenedBSD Base

A few months ago, we added Bernard Spil to the HardenedBSD team with a goal to bring in and maintain LibreSSL in base. Given the effort involved in maintaining such a complex piece of software, we at HardenedBSD have made the decision to keep it as a feature branch in the playground repo for now. Those who wish to check out Bernard's awesome, hard work can check out the repo here. We will soon start auto-syncing that feature branch on our normal six-hour cycle and we will produce periodic binary updates. As of today, the first binary update has been published. You can use this hbsd-update.conf file to tell hbsd-update to switch to the LibreSSL branch. If you wish to compile your own version of HardenedBSD with LibreSSL base, you will need to add WITH_LIBRESSL=yes to src.conf.

We would like to thank Bernard for volunteering. He has been a tremendous help. Here is a teaser screenshot.

Pages

Subscribe to HardenedBSD RSS