Introduction
It is my pleasure to formally announce the first release of our Security Administration project, known as secadm. Version 0.1 is now available and can be downloaded here along with its GPG signature here.
History
When Shawn Webb started work on enhancing Oliver Pinter's ASLR patch for FreeBSD, nothing existed to toggle ASLR per-binary. Of course, we want ASLR applied to all binaries, but naturally cases exist where ASLR cannot be applied (maybe some buggy, third-party, proprietary application that misbehaves under ASLR). Shawn extended the mac_bsdextended(4) MAC module along with its companion ugidfw(8) application. This extension was more of a temporary workaround than a production-ready solution. Eventually, the extension was removed and will not be upstreamed to FreeBSD.
A new solution had to be put in place. HardenedBSD was born some months earlier in order to further organize the work of upstreaming ASLR and other exploit mitigation features. Development of the security administration tool, originally known as secfw, followed shortly. The project's original name, secfw, was chosen to reflect its inspiration from ugidfw. However, the name was found to be confusing and the project was renamed to secadm.
Requirements
secadm currently only requires libucl from ports. Fun trivia: libucl was introduced into FreeBSD's ports tree to support secadm's development. (Thank you koobs!)
The secadm project will not work on FreeBSD. It currently relies on a few HardenedBSD-centric features. It requires HardenedBSD version 9 or above (as of the time of this writing, we're at version 16).
secadm does not exist as a port in HardenedBSD's ports tree. Thus, you will need to pull in the dependencies yourself. Once secadm matures, it will reside in the HardenedBSD ports tree and pull in the dependencies automatically.
Installing, Configuring, and Running
We've provided a handy README file that contains a lot of in-depth information about how to use secadm.
Now, please excuse us while we get our groove on implementing NetBSD-like Veriexec capabilities into secadm.