New stable release: HardenedBSD-stable 10-STABLE v42.2

Secadm 0.3.0 Released

We at HardenedBSD have been hard at work on secadm. Brian Salcedo rewrote core parts of secadm, making it much more efficient. As part of the rewrite, the rule syntax has changed. Please refer to the new secadm.conf(5) manpage for details on the new syntax.

Here's what has changed between secadm 0.2 and secadm 0.3.0:

  • Rewritten backend
  • Integriforce dedup - more on this below
  • Integriforce in whitelist mode - more on this below
  • manpages! secadm(8) and secadm.rules(5)
  • Allow modification and deletion of files that have rules pertaining to them if the rule is disabled
  • Various bugfixes

Integriforce in whitelist mode is a form of verified application whitelisting. When Integriforce is set in whitelisting mode, all desired applications along with their shared objects must have an Integriforce rule. The rtld should also have an Integriforce rule. If an application attempts to start and there is no Integriforce rule for that application or the shared objects it depends on, execution is denied. Whitelisting is only enforced when explicitly enabled and there is at least one Integriforce rule loaded.

As we at HardenedBSD found out with the new rewrite, in the beta releases of secadm 0.3, it was not possible to have Integriforce rules loaded for two files that were hardlinks to each other, like /bin/[ and /bin/test. secadm 0.3 now supports that, but will disregard the second (or following) rules. Both files are still protected as they really point to the same underlying file. As a result, if a hash mismatch occurs, the filename printed out refers to the first rule that matches the hardlinked file.

Download secadm 0.3.0 here. GPG signature is here

New stable versions: HardenedBSD-stable 10-STABLE v40.3 and v40.4 and 11-CURRENT v40.2

HardenedBSD-10-STABLE-v40.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
---------------------------------------
[hardenedbsd] HBSD: fix MAP32_BIT mode mmap when allowed

HardenedBSD-10-STABLE-v40.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
---------------------------------------
[hardenedbsd] HBSD: add WITHOUT_HBSD_UPDATE src.conf knob to disable hbsd-build's installation
[hardenedbsd] HBSD: fix build on i386
[hardenedbsd] Revert "HBSD: Default jemalloc's lg_chunk to 16 from 21."
[freebsd] FreeBSD 10.3-BETA2
[freebsd] EFI fixes
[freebsd] Adjust initialization of random(9) so it is usable earlier.
[hardenedbsd] lot of new hardenedbsd related man page
[freebsd] OpenSSH 7.1p2
[hardenedbsd] HBSD: Update updater root certificate

HardenedBSD-11-CURRENT-v40.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
------------------------------------------
[hardenedbsd] HBSD: add WITHOUT_HBSD_UPDATE src.conf knob to disable hbsd-build's installation
[hardenedbsd] HBSD: fix build on i386
[hardenedbsd] Revert "HBSD: Default jemalloc's lg_chunk to 16 from 21."
[freebsd] EFI fixes
[freebsd] Adjust initialization of random(9) so it is usable earlier.
[hardenedbsd] lot of new hardenedbsd related man page
[freebsd] OpenSSH 7.1p2
[hardenedbsd] HBSD: Update updater root certificate
[freebsd] Update em(4) to 7.6.1; update igb(4) to 2.5.3. (skylake support)
[freebsd] hyperv support cleanup / rewrite
[freebsd] ZFS + UEFI support

Pages

Subscribe to HardenedBSD RSS