HardenedBSD installers

14-CURRENT
git git clone --single-branch --branch hardened/current/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-current
installers https://ci-01.nyi.hardenedbsd.org/pub/hardenedbsd/current/
13-STABLE
git git clone --single-branch --branch hardened/13-stable/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-13-stable
installers https://ci-01.nyi.hardenedbsd.org/pub/hardenedbsd/13-stable/
PORTS
git git clone --single-branch --branch hardenedbsd/main https://git.hardenedbsd.org/hardenedbsd/ports.git /usr/ports/
tar.gz fetch -o hardenedbsd-ports.tar.gz 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'
zip fetch -o hardenedbsd-ports.zip 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'

Upcoming HardenedBSD Infrastructure Changes

On Sunday, 27 Nov 2022, we will be temporarily taking down the HardenedBSD development and build infrastructure. We are working to find a new home for it and will be working those details out over the next few months.

We provide a read-only mirror of src and ports at GitHub:

src: https://github.com/HardenedBSD/hardenedBSD
ports: https://github.com/HardenedBSD/ports

Here are the short-term physical infrastructure changes:

1. GitLab will (hopefully) be brought back up within one week.
2. The Tor Onion Service endpoints will be brought back up at around the same time.
3. The nightly build server will be taken offline for an extended period of time until we find a new home for it.
4. The binary update server will be taken offline and brought back up at around the same time as the nightly build server.
5. The package building servers will be taken offline for an even more extended period of time. We encourage our community to learn how to use Poudriere to build their own packages.

Here are the short-term infrastructure policy changes:

1. Once the nightly build server is back online, we will no longer produce nightly builds. We will likely build twice per month on a bi-weekly schedule.
2. We will do the same for the binary update server. We will do our best to pair the hbsd-update builds with the bi-weekly builds to keep our users more in-sync with what is installed versus the latest update artifact.

If you know of a hosting provider within a two to four hour drive of Baltimore, Maryland, USA that would host our infrastructure for free with at least one public IPv4 address, please reach out. As a reminder, all donations--whether that's funding, equipment, services, or otherwise--are eligible for tax deductions in the US.

In full, our infrastructure takes around 24U, but we can get around with 16U. The physical infrastructure changes outlined above would be around 5U worth of equipment.

We appreciate the continued help and support from the community. HardenedBSD's continued success is enabled by the many generous ways in which the community contributes to the project.

Please reach out to me (shawn.webb@hardenedbsd.org and/or foundation@hardenedbsd.org) if you have any questions, comments, or concerns.

HardenedBSD October 2022 Status Report

It has been an exciting month for HardenedBSD. First up is an important announcement. I am officially looking for new job opportunities. This is important for the HardenedBSD project since the development and build infrastructure is housed at my (now former) employer's office.

I'm grateful for the two-and-a-half years in which BlackhawkNest has provided the project with free hosting. They have agreed to continue hosting the development/build infrastructure for free until the end of November. BlackhawkNest has been incredibly supportive of the project in many ways and I wish them well in their future endeavors.

HardenedBSD's development and build infrastructure will need to find a new home. Looking at the long term, I would eventually like HardenedBSD to stand independent of my employment. However, we currently lack the funding and will need to continue to rely on my employer until we gain enough sustained funding.

It is my hope that HardenedBSD's development and build infrastructure is transitioned in a timely manner to its new home, where ever that may be, before the end of November 2022. If you would like to help out in the effort to make HardenedBSD's infrastructure stand independent, please donate. We appreciate the community's contributions to the project, regardless of the form those contributions come in (code, advocacy, funding, etc.)

Please note that OS binary updates, package repos, and installer images are hosted elsewhere and will not be interrupted. GitLab and the build systems will be the only systems impacted.

Now, let's get into progress in the project itself!

In src:

  1. Shawn added a new sysctl tunable (hardening.pax.kmod_laod_disable) that, when set, disables loading all kernel modules from that point forward. The kld rc script has been updated such that users can specify hbsd_late_kld_prohibit in rc.conf, which will set the sysctl node after loading modules specified in kld_list. This work was sponsored by BlackhawkNest, Inc.
  2. Significant progress has been made on Cross-DSO CFI support. An installable version of HardenedBSD 14-CURRENT with Cross-DSO CFI enable can now build itself (meaning, `make buildworld buildkernel` works in a fully Cross-DSO CFI'd system.)
    • There's still more work to be done here. On a normal install of HardenedBSD 14-CURRENT, the following command fails when building the compiler toolchain:
      make buildworld WITHOUT_SYSTEM_COMPILER=yes WITHOUT_SYSTEM_LINKER=yes
    • The `ctfmerge` application segfaults when building the kernel. ctfmerge is needed for DTrace support. I plan to disable ctfmerge (thus disabling DTrace) in the Cross-DSO CFI feature branch and circle back around to fixing whatever bugs lie in ctfmerge. I'd rather keep the momentum around Cross-DSO CFI support going.

In ports:

  1. Shawn forked FreeBSD's Poudriere project to support the needs of building packages in HardenedBSD. By default, Poudriere creates a 1GB tmpfs mount for data. HardenedBSD has (slightly) outgrown that, so the size has increased to 2GB to account for future growth.
  2. Shawn disabled CFI for x11-servers/xorg-server
  3. Loic fixed x11-wm/enlightenment
  4. Loic fixed mail/bogofilter
  5. Loic fixed sysutils/pefs-kmod
  6. Loic fixed net-mgmt/netdisco-mibs
  7. Loic fixed x11-toolkits/gtkd
  8. Loic fixed x11-wm/piewm
  9. Loic removed lib32 in emulators/libc6-shim
  10. Shawn bumped the version for hardenedbsd/liblattutil

HardenedBSD September 2022 Status Report

I apologize for the delay in getting the September 2022 status report out. But alas, it has arrived!

My time was spent mostly on infrastructure. We're slowly aging out some incredibly old servers in our infrastructure, occasionally not by choice. The Dell R410 server that ran our auto-sync cron jobs decided to die. So I rebuilt the auto-sync jail on another Dell R410 server of the same age, but the PERC controller decided to die. So now, the auto-sync jail is hosted on another server--but this time on a performant, stable system.

In src and ports land, I spent most of my time just resolving the occasional merge conflict.

In src:

  1. Shawn ensured that the HardenedBSD copyright is always applied
  2. Loic did some house cleaning with a few files in src
  3. Loic removed leftover cruft from our LibreSSL-in-base experiment
  4. MrUnix0 changed the HardenedBSD pkg repo configuration in 14-CURRENT to use HTTPS rather than HTTP. We're still exploring whether this change can be safely MFC'd to 13-STABLE, but we're being very conservative here.
  5. FreeBSD updated `less(1)` to v608, which introduced a number of CFI violations. Shawn fixed two that were readily apparent.
  6. Loic set `-fstack-protector-strong` for the kernel.
  7. Loic fixed a few compiler warnings/errors when using a modified kernel config.

In ports:

  1. Shawn enabled PulseAudio support for net/freerdp. Having audio over RDP seems pretty useful.
  2. Loic enabled the sort plugin for editors/pluma.
  3. Loic added games/scratch
  4. Loic fixed the uname output in sysutils/mate-system-monitor
  5. Loic disabled Java support by default for editors/libreoffice
  6. Loic Fixed textproc/docbook2mdoc
  7. Shawn fixed the llvm compiler toolchain component tests, fixing CFI applicability detection
  8. Loic forced lld for graphics/cimg, science/cdo, and math/octave
  9. Loic disabled PaX MPROTECT for emulators/qemu70
  10. Loic fixed java/openjdk11
  11. MrUnix disabled PaX MPROTECT and PaX PAGEEXEC for games/assaultcube
  12. MrUnix disabled PaX MPROTECT and PaX PAGEEXEC for x11/lumina-core
  13. MrUnix disabled PaX MPROTECT and PaX PAGEEXEC for games/xonotic

I did a new build of hbsdfw in late September, but I didn't get around to deploying it at home as a good first test. I'm following some of the work the OPNsense folks are doing and it seems best to hold off on a new build until some things settle down in their core repo. I plan to kick off a new build once I'm confident the dust has settled.

Upcoming plans:

Many of those in the HardenedBSD community know that I've worked (incredibly slowly) off-and-on throughout the years on Cross-DSO CFI support in HardenedBSD. In October, I plan to resume that work starting mid-October. Here's where we stand on Cross-DSO CFI today:

I can compile (nearly) the entire dynamic world with Cross-DSO CFI. However, there is an interesting recursion issue at early application startup with some applications. The Cross-DSO CFI runtime intercepts calls to dlopen and dlclose. In certain cases, libc itself may call dlopen and/or dlclose. Some applications, even some in base (like `id(1)`) call libc functions that call into dlopen/dlclose. This presents problems with llvm's Cross-DSO CFI runtime.

libc is an incredibly attractive target given its large surface area. It's incredibly complex. At this time, I feel applying Cross-DSO CFI to libc itself may be too large of an undertaking, preventing tangible progress. Thus, my initial goal will be to apply CFI to as many shared libraries in base as I can, but likely not libc at this time. As Rome was not built in a single day, neither
will a Cross-DSO CFI HardenedBSD be. It is my hope that we will indeed apply CFI in the future to libc (in whole or in part), but that day is not today.

Building ports/packages will be another huge aspect of this. Back in 2018, the last time I made tangible progress on Cross-DSO CFI, the memory footprint ballooned when building packages due to CFI'd libraries in base. Eventually, the experimental package build failed due to memory pressure.

My main objective: end 2023 (yes: 2023) with Cross-DSO CFI enabled in HardenedBSD by default. Whether libc is a part of that is unknown, but we can hope.

To fit that main objective, I plan to take a back seat to most other development aspects of the project, with the exception of hbsdfw. I will definitely be involved in all other aspects of the project (the infrastructure, the Foundation, etc.) The only thing that is changing: I am formally delegating the implementation of new security and hardening techniques to the wider HardenedBSD community so that I can focus on Cross-DSO CFI.

I appreciate all the help the community has given the project to date. I'm especially grateful for the continued contributions, the advocacy, the support. This little project would not exist in its current state without the recurring love and support you, the community, provide. As I focus my attention on a more difficult and involved goal (that of Cross-DSO CFI), I'm hopeful for a renewed sense of excitement and support from the community.

HardenedBSD August 2022 Status Report

It's that time of the month for the HardenedBSD status report! My own status is pretty darn simple: Little time, no hacks. I hope to be back in the swing of things by the beginning of November. Life is keeping me busy. So I'm ever more grateful for the continued contributions by the HardenedBSD community.

However, Loic and MrUnix fixed a number of issues in both the source and ports repos.

In src:

  1. Loic fixed an issue MrUnix reported about a missing PaX ASLR macro when building a kernel with COMPAT_FREEBSD32 enabled.
  2. Loic updated bsdinstall with a few changes, updating which sysctl nodes to set.
  3. I pulled in a change from OpenBSD that randomizes how often the chacha20-based arc4random(3) reseeds itself.
  4. HardenedBSD user "apache2" enabled multi-console booting by default, enabling use of the serial console by default.

In ports:

  1. Loic disabled PIE for java/eclipse
  2. I disabled SafeStack for x11-servers/xorg-server
  3. Loic added a new port: hardenedbsd/kernel-nodebug
  4. Loic disabled PIE for sysutils/grub2-efi
  5. Loic disabled PIE for net-im/profanity
  6. Loic disabled PIE for astr/xephem
  7. Loic disabled PIE for lang/zig-devel
  8. Loic fixed sysutils/pefs-kmod
  9. Loic fixed textproc/sxml
  10. Loic disabled PIE for sysutils/fluent-bit
  11. Loic disabled PIE for mat/4ti2
  12. Loic disabled PIE for mat/mprime
  13. Loic disabled DTRACE for lang/erlang-runtime25
  14. Loic disabled the PDF option in comms/fl_moxgen
  15. Loic fixed mail/bogofilter
  16. Loic fixed lang/gcc13-devel
  17. Shawn disable variable auto-init for security/tor
  18. MrUNIX disabled the JIT for net-im/signal-desktop
  19. MrUNIX disabled MPROTECT and PAGEEXEC for games/veloren
  20. MrUNIX fixed the build of lang/mono5.10, lang/mono5.20, and lang/mono6.8

For hbsdfw:

hbsdfw, aka the HardenedBSD Firewall, has a new build for this month. As usual, the process for updating is:

  1. Backup your config
  2. Reinstall with the new build
  3. Restore your config

The default username and password have been changed:

Username: root
Password: hbsdfw

You can find the new build at [0].

[0]: https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_13.1-20220824...

SHA256 (hbsdfw_installer_vga_13.1-20220824-140520.iso.xz) = 0656808643dfaf2ba640c561686da5f861969dadd3ebb9185abfa7c640a6af44

HardenedBSD July 2022 Status Report

This month was a crazy month for me (Shawn Webb). My wife and I adopted a new puppy, so life has been a bit on the exciting side. I'm hoping to get back into the swing of things in the next month or two.

With that said, let's get right into it.

In src:

  1. TPE and RTLD hardening were merged into 13-STABLE. I had posted a HEADS UP email on the users@ mailing list[0]. If you build your own ports/packages, please take note. RTLD hardening can cause issues when building ports/packages.

In ports:

  1. Loic fixed misc/rump
  2. Loic fixed sysutils/bareos18-server
  3. Loic disabled PaX MPROTECT and PAGEEXEC for lang/python39
  4. Loic fixed math/libpgmath
  5. Loic fixed building openjdk8 and openjdk11 for 14-CURRENT
  6. Loic fixed graphics/scrot
  7. Loic fixed devel/objecthash
  8. Loic fixed lang/perl5.36
  9. Loic fixed GCC 12 and 13-devel
  10. Loic fixed net/waypipe
  11. Loic fixed devel/vxlog
  12. Loic fixed www/vdr-plugin-live
  13. Loic fixed comms/telldus-core
  14. Loic fixed graphics/enblend
  15. Shawn enabled MTP support by default for multimedia/vlc
  16. Loic disabled PIE for net/ndpi
  17. Ibrahim Kaikaa (Mr.UNIX) disabled PaX SEGVGUARD for memcheck-amd64-freebsd in devel/valgrind-devel and devel/valgrind
  18. Ibrahim Kaikaa disabled PaX MPROTECT for net-im/signal-desktop
  19. Ibrahim Kaikaa fixed lang/gcc11

For hbsdfw (the HardenedBSD 13-STABLE fork of OPNsense):

Today (30 Jul 2022), I published a new build[1]. It migrates us to PHP 8.0 and Python 3.9. It appears that the PHP 8.0 Radius extension (php80-pecl-radius) has issues, so I removed the package from the build. So if you're testing hbsdfw out and rely on Radius authentication, you'll want to skip this build.

I haven't had the time to fully bring up the infrastructure needed for in-place updates for hbsdfw, so the normal process of backing up the running config, reinstalling with the new build, and restoring the config is needed for this build and at least the following next few builds.

Please test the build out and let me know how it goes for you. Any message, whether it's "works fine for me" or "hey, we got a problem" helps me determine follow-up tasks for this fork.

The default username is "root" and the password is "dynfi". (The reason for the password being "dynfi" is because we use a forked version of the dynfi build scripts, which pull in the default dynfi opnsense config.)

SHA256 (hbsdfw_installer_vga_13.1-20220729-224841.iso.xz) =
99876a3ba436a274564f4ce51f83b71f901559d8e49926a18c438b483e3d288c

[0]: https://groups.google.com/a/hardenedbsd.org/g/users/c/u6HcO415_OE/m/8g2N...
[1]: https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_13.1-20220729...

HardenedBSD June 2022 Status Report

June saw some cool security enhancements to HardenedBSD. So let's kick off our usual list:

In src, 14-CURRENT:

  1. The HardenedBSD amd64 kernel configs have been unified to be based off of HARDENEDBSD-CORE.
  2. OpenSSH's ssh-sk-helper program violates the cfi-icall scheme. Until I get time to dive in (or if someone beats me to it), I've disabled the cfi-icall scheme for that program. Users can now use the integrated FIDO2/U2F key support in OpenSSH.
  3. Our Trusted Path Execution feature from secadm now exists in base. There are some differences, which I will document in our wiki soon. TPE violations are logged. One major thing left to do is integrate with mmap(fd, PROT_EXEC). This would also prevent a PaX NOEXEC bypass by virtue of creating a file with an executable payload, mapping it in memory, and executing it.
  4. The RTLD has been significantly hardened. This has the potential to cause issues, especially when building ports/packages. A new sysctl node (hardening.harden_rtld) has been added and is defaulted to 1 (enabled).

I plan to MFC all of the above to 13-STABLE soon. If you build your own packages or ports, please take special note of item four above. Here's a few more details on how we've hardened the RTLD (when hardening.harden_rtld is set to 1):

  1. LD_PRELOAD is fully prohibited.
  2. Set dangerous_ld_env, which isn't used much in the RTLD, but could be used more in the future.
  3. Sensitive LD_* environment variables are scrubbed.
  4. Using the RTLD to execute applications is prohibited.
  5. Tracing of loaded objects is prohibited. This change in particular breaks ldd(1), which is used by a lot of ports during the build process. This is what can cause the most headaches.

In ports:

  1. SafeStack and CFI are disabled if PKGNAMESUFFIX ends with -static.
  2. PaX PAGEEXEC is disabled for sysutils/syslog-ng
  3. New port added: sysutils/pc-sysinstall
  4. SMB support was added to multimedia/ffmpeg
  5. PaX MPROTECT is disabled for emulators/wine
  6. PaX MPROTECT is disabled for emulators/wine-proton
  7. PaX MPROTECT is disabled for net-im/nheko
  8. PaX MPROTECT is disabled for net-im/quaternion
  9. PaX MPROTECT is disabled for www/node16

Other projects:

  1. Work is now officially underway to provide the HardenedBSD community with a HardenedBSD 13-STABLE based fork of OPNsense. We're really close to providing a proof-of-concept build--likely before the end of July 2022. We will provide periodic (montly? bi-weekly?) updates. If you'd like to follow along, the repos are here.
  2. The old 12-STABLE package building server will be used to perform periodic automated builds of Loic's LiveCD project, making it an official HardenedBSD project. This server will also build the HardenedBSD+OPNsense builds. Time frame for completing this will likely be in August 2022.

HardenedBSD May 2022 Status Report

In May 2022, HardenedBSD saw a few changes.

In src:

  1. chroot(2) is now prohibited when a directory file descriptor is opened.
  2. The HARDENEDBSD-NODEBUG kernel configuration was updated to remove a few more debugging-related options.
  3. Loic merged a lot of updates to 13-STABLE, especially regarding hbsd-update.

In ports:

  1. LTO is now disabled for the firefox port.
  2. The virtualbox ports were fixed by Loic.
  3. net/opennx port is fixed.
  4. Loic fixed devel/mingw32-gcc
  5. Loic fixed devel/bmake

Other projects:

Recent changes in FreeBSD caused breakages with secadm. Shawn fixed secadm by complying to those ABI/API-breaking changes made by FreeBSD.

HardenedBSD April 2022 Status Report

In src:

  1. Shawn introduced the notion of an "insecure/untrustworthy" kernel module. Certain kernel modules, like this linux syscall translation layer commonly called the "linuxulator", may create interesting attack vectrors. Some modules are old and likely contain vulnerabilities (old: smbfs, vulnerable: fusefs.) By default, HardenedBSD prevents loading these kernel modules post-boot (eg, via rc.conf(5)'s `kld_list`). The list of kernel modules currently tagged as "insecure" is below at the end of this status report.
  2. Loic hardened the default sshd_config. Please reference commit b7961aade549f05f62d65b0906db495b9423c940 for more information. The changes that might carry the most impact are:
    • MaxSessions 5
    • AllowTcpForwarding no
    • AllowAgentForwarding no

In ports:

  1. Shawn fixed the harfbuzz bug that plagued devel/doxygen (via pango). Though the errant code was indeed in pango, the harfbuzz project did not do a thorough job at ensuring the sanity of arguments passed in to one of its provided APIs (a NULL dereference bug in harfbuzz, manifest by errant code in pango.)
  2. Loic fixed a compiler error in the wine ports.
  3. Loic fixed the virtualbox-ose-* ports.

Other projects or items of note:

  1. The HardenedBSD Foundation's Ben Welch has been working on a new static site for us, migrating us away from Drupal. There's a few things to wrap up, but I suspect on the inside of three months, the HardenedBSD website will look quite a bit different from what it looks like today.
  2. I (Shawn) am quite far behind on the administrative side of the HardenedBSD project. I need to do the financials and other administrative things. I apologize for the delays on the various administrative tasks.

Kernel modules currently marked as insecure:

  1. smbfs
  2. accf_http
  3. accf_dns
  4. linux_common
  5. linux/linux64
  6. lindebugfs (NOTE: this impacts drm-*-kmod KMS drivers)
  7. fusefs

As of this writing, HardenedBSD 14-CURRENT (both amd64 and arm64) users can overwrite these insecure markings by using hbsdcontrol:


# hbsdcontrol pax disable insecure_kmod /path/to/kernel/module

This is especially useful for drm-*-kmod users. I plan to MFC the hbsdcontrol integration commit mid-to-late next week (so somewhere between 05 May and 08 May 2022) after more thorough testing on my HardenedBSD laptops.

Please note that April 2022 concludes official support for the 12-STABLE branch. Effective 01 May 2022, support for the 12-STABLE branch must come from the wider HardenedBSD community. On 31 Dec 2022, the package repo and all build artifacts pertaining to 12-STABLE will be fully removed.

HardenedBSD March 2022 Status Report

We made some cool progress in March. Though I, Shawn, am writing this report, I'll refer to myself in the third person for the rest of the report. :-)

In src:

  1. Shawn reverted a potential LPE race condition in ZFS introduced by OpenZFS. Only 14-CURRENT was affected.
  2. Shawn merged in zlib's CVE-2018-25032 fix.
  3. Shawn enabled -ftrivial-auto-var-init=zero in base clang by default. This now means we don't need to pass in any compiler flags to support this feature. All ports that rely on the system compiler will now automatically benefit.
  4. FreeBSD introduced a change that enables dumpon to use the underlying non-encrypted swap device when encrypted swap is used. Shawn reverted this change since users who choose to encrypt their swap encrypt it for a reason--HardenedBSD should proactively protect users by respecting their encryption preferences.
  5. Loic found and fixed an issue with the linuxulator in HardenedBSD, with the default stack permissions.
  6. Coming up soon: sponsored work by BlackhawkNest, Inc that provides support in base for (more) easily building HardenedBSD 13-STABLE based versions of OPNsense. This is in the hopes to provide the wider community with the ability to produce their own builds. Some of this work has landed in a special feature branch.

In ports:

  1. In tandem with src change #3, Shawn modified the ports tree to rely on the system compiler's application of -ftrivial-auto-var-init=zero. There's no need to apply that feature via CFLAGS injection.
  2. Loic removed `stackautoinit:off` USE_HARDENING flag from a very large number of ports. This was a huge lift and his work on this is very much appreciated. He and Shawn worked a lot on this.
  3. Ibrahim Kaikaa (Mr.UNIX) has helped fix a number of ports. We still have a number of outstanding merge requests that I need to verify.

Infrastructure:

  1. The HardenedBSD GitLab server had a drive failure. I had already planned to rebuild the pool from a bunch of older 1TB spinning rust drives to a bunch of 2TB SSDs. The drive failure accellerated the pool rebuild, which completed successfully.
  2. After a large number of months of downtime, our arm64 package building server has come back online! We're now building 14-CURRENT/arm64 packages.
  3. After src change #3 landed, all of the build infrastructure servers were updated.

Cool projects:

  1. Loic released an unofficial livecd of HardenedBSD that boots into XFCE[0]. I've started the discussion with him to convert that from from an "unofficial" project to an "official" one. :-)

Special notes:

  1. As a reminder, support for HardenedBSD 12-STABLE will be delegated to the community. As such, binary updates and package builds will cease. The hardened/12-stable/master branch will no longer be auto-synced.
  2. Please remember to let us know if you have any thoughts to share on whether HardenedBSD should support the linuxulator by 15 Apr 2022.
  3. Please remember to let us know if you have any thoughts to share on the proposed changes to the default sshd configuration[1].

[0]: https://groups.google.com/a/hardenedbsd.org/g/users/c/QUTUJfm30Dg/m/0VNK...
[1]: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/60

Pages

Subscribe to HardenedBSD RSS