HardenedBSD March 2023 Status Report

I missed February's status report, so March's will contain both months. Let's start off with a bit of personal news, though. My wife, our two dogs, and I are officially moving to Colorado! Our move-out date is June 10th.

Additionally, my wife and I have set up a GoFundMe. Please note that donations to the GoFundMe are NOT eligible for tax deductions, but donations directly to The HardenedBSD Foundation are.

I plan to purchase a number of pieces of equipment to help with the move to make sure that the equipment arrives intact. HardenedBSD could still definitely use your continued support, for which I and the rest of the community are grateful.

This move obviously will impact the project. I've spent most of March getting the project and the HardenedBSD Foundation administratively ready for the move. There are only three things left to do before the Foundation has officially moved its headquarters from Maryland to Colorado. We will leave a skeleton organization in Maryland in case we want to do Maryland-specific things, for example a future Maryland-specific fundraiser or service opportunity.

I plan to keep the infrastructure online as long as I can. I suspect the infrastructure will be taken offline on or around 9 June 2023, when we start loading the truck. However, there's a chance that the infrastructure will be taken down up to a week in advance. Since we don't know where we're going to land, I cannot provide an ETA as to when the infrastructure will be back online.

We plan to rent for one year at most. We want to explore Colorado a bit to find out where we want to plant our roots, so there will be another infrastructure-disrupting move within a year of June. Hopefully that move will be to the home in which we retire in two-ish decades. I'm going to make full self-hosting capability a priority in our "forever" home. So, now, let's get on to the src and ports updates since the end of January 2023.

In src:

  1. tarfs is marked as insecure.
  2. tarfs has been opted into -ftrivial-var-auto-init=zero.
  3. geli has been opted into -ftrivial-var-auto-init=zero.
  4. FreeBSD merged llvm 15 into base, so some fixups were needed on our side.
  5. pf has been opted into -ftrivial-var-auto-init=zero.
  6. pfsync has been opted into -ftrivial-var-auto-init=zero.
  7. pflog has been opted into -ftrivial-var-auto-init=zero.
  8. Default net.inet6.icmp6.nodeinfo to 0. This prevents host information disclosures via ICMP6.
  9. Added some safety nets in the new netlink code.
  10. Disabled netlink multiple times in multiple ways, chasing FreeBSD's continued attempts at enabling netlink by default.
  11. cfi-icall has been disabled for various NFS-related applications.
  12. The TTY pushback vulnerability has been mitigated by hardening the TIOCSTI ioctl. TIOCSTI lets any process holding a descriptor for a terminal push a byte into that terminal's input queue as if it had been typed, which is what allows an unprivileged child to feed commands to the shell that spawned it. Attempts to use the TIOCSTI ioctl now fail with EPERM. A new per-jail sysctl tunable (`hardening.harden_tty`) has been added, defaulting to 1.
  13. The default packet TTL is randomized at boot-time, with a minimum of 32 hops. This feature is controlled by the new `HBSD_RESIST_FINGERPRINTING` kernel option, which is enabled by default. This feature can help with resisting fingerprinting attacks and preventing information leaks.
  14. 0x1eef fixed a few typos in libhbsdcontrol.3.
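As an added illustration of what item 12 blocks (this is my example, not HardenedBSD code), the probe below attempts the TIOCSTI injection itself against the controlling terminal and reports the kernel's answer. On a HardenedBSD kernel with `hardening.harden_tty=1` the expected result is `EPERM`; on a descriptor that is not a terminal it is `ENOTTY`; on Linux 6.2 or later with legacy TIOCSTI disabled it is `EIO`; on an unhardened system the byte is silently injected into your own shell's input queue, which is exactly the pushback primitive. The function names are mine.

```python
"""Probe whether the TIOCSTI ioctl is usable on this system.

Added example; not HardenedBSD project code. TIOCSTI pushes one byte into a
terminal's input queue as if it had been typed, so a process that still holds
a descriptor for a terminal can feed commands to whatever shell is reading it.
"""
import errno
import fcntl
import os
import termios


def try_tiocsti(fd: int, byte: bytes = b"\n") -> str:
    """Attempt to inject one byte via TIOCSTI on fd.

    Returns "injected" on success, otherwise the errno name the kernel
    answered with: "EPERM" on HardenedBSD with hardening.harden_tty=1,
    "ENOTTY" when fd is not a terminal, "EIO" on Linux >= 6.2 with legacy
    TIOCSTI disabled.
    """
    if len(byte) != 1:
        raise ValueError("TIOCSTI takes exactly one byte per call")
    try:
        fcntl.ioctl(fd, termios.TIOCSTI, byte)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return "injected"


def probe_controlling_tty() -> str:
    """Run the probe against the controlling terminal, if there is one."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError as exc:
        return "no controlling tty: " + errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        # A newline is the least harmful byte: at worst it lands in the
        # caller's own input queue and the shell prints a fresh prompt.
        return try_tiocsti(fd, b"\n")
    finally:
        os.close(fd)


def probe_non_tty() -> str:
    """Sanity check: a pipe is not a terminal, so the call must fail with ENOTTY."""
    r, w = os.pipe()
    try:
        return try_tiocsti(r)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("pipe     :", probe_non_tty())
    print("/dev/tty :", probe_controlling_tty())
```

Run it from an interactive shell to see the result for your own terminal; when run without a controlling terminal (cron, CI) it only reports that no terminal was available.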

SPECIAL NOTE ON ITEM 13: This has the potential for network disruption. I probably need to adjust the minimum hops as 32 might be too limiting. Please reach out to me directly if you are unable to get to resources that you used to get to. The sysctl node being set is `net.inet.ip.ttl`, and that can be adjusted anytime post-boot.
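To show what the randomized TTL defends against, and why the 32-hop floor matters, here is an added example (mine, not HardenedBSD kernel code) of the passive fingerprinting heuristic that item 13 defeats: an observer rounds the TTL it sees up to the nearest conventional initial value (64, 128 or 255) to guess the sender's OS family and distance. `choose_initial_ttl` models the boot-time selection as a uniform pick from [32, 255], which is an assumption based on the description above rather than the kernel's actual code, and `observed_after_path` shows the trade-off the note warns about: a path longer than the chosen initial TTL drops the packet.

```python
"""Initial-TTL fingerprinting and the effect of randomizing the default TTL.

Added example; not HardenedBSD kernel code. Each router decrements the IPv4
TTL by one, so an observer who sees TTL=57 assumes the sender started at 64
and sits 7 hops away. Stacks ship with a few well-known defaults, which makes
the rounded-up initial value a cheap OS hint.
"""
import random
from typing import List, Optional, Tuple

# Conventional initial TTLs that passive fingerprinters round up to.
# Illustrative buckets only; real tools combine many more fields.
KNOWN_INITIAL_TTLS = {
    64: "unix",     # BSD, Linux, macOS defaults
    128: "windows",
    255: "netdev",  # many routers and switches, Solaris
}


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest conventional starting value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for initial in sorted(KNOWN_INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 is always a bucket")


def guess_os(observed_ttl: int) -> Tuple[str, int]:
    """Return (OS guess, estimated hop count) from one observed TTL."""
    initial = infer_initial_ttl(observed_ttl)
    return KNOWN_INITIAL_TTLS[initial], initial - observed_ttl


def choose_initial_ttl(rng: random.Random, minimum: int = 32) -> int:
    """Model of the boot-time choice: uniform over [minimum, 255].

    Assumed behaviour based on the report's description (randomized, floor of
    32 hops); the kernel's real selection logic is not reproduced here.
    """
    if not 1 <= minimum <= 255:
        raise ValueError("minimum must be in 1..255")
    return rng.randint(minimum, 255)


def observed_after_path(initial_ttl: int, hops: int) -> Optional[int]:
    """TTL seen by a host `hops` routers away, or None if it expired en route."""
    remaining = initial_ttl - hops
    return remaining if remaining > 0 else None


def fingerprint_across_boots(seed: int, boots: int, hops: int) -> List[Tuple[int, Optional[Tuple[str, int]]]]:
    """Simulate `boots` reboots of a randomized host seen from `hops` away.

    Each entry is (initial TTL chosen at boot, observer's (os, hops) guess),
    with None when the packet never arrives.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(boots):
        ttl = choose_initial_ttl(rng)
        seen = observed_after_path(ttl, hops)
        out.append((ttl, guess_os(seen) if seen is not None else None))
    return out


if __name__ == "__main__":
    # Stock stack: the observer recovers both the OS bucket and the distance.
    print("stock 64, 12 hops  ->", guess_os(observed_after_path(64, 12)))
    # Randomized stack: both the bucket and the hop estimate become unreliable.
    for ttl, guess in fingerprint_across_boots(seed=7, boots=5, hops=12):
        print(f"boot TTL {ttl:3d}, 12 hops -> {guess}")
    # The floor matters: an initial TTL of 32 survives 31 routers, not more.
    print("TTL 32 over 40 hops ->", observed_after_path(32, 40))
```

On a HardenedBSD host the value actually in use is read with `sysctl net.inet.ip.ttl`, and if a remote resource stops answering after a reboot, `sysctl net.inet.ip.ttl=64` restores the conventional default without rebuilding the kernel.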

In ports:

  1. DTRACE is disabled for www/node18.
  2. CFI is disabled for security/sudo.
  3. java/openjdk11 was fixed.
  4. MrUNIX disabled PaX MPROTECT for bin/kdeconnect-app.
  5. MrUNIX disabled PaX MPROTECT for multimedia/mpv.
  6. MrUNIX disabled PaX MPROTECT for www/librewolf.
  7. MrUNIX disabled PaX MPROTECT and PaX PAGEEXEC for www/otter-browser.
  8. MrUNIX disabled PaX MPROTECT for www/tor-browser.
  9. MrUNIX enabled CFI and SafeStack for x11-wm/i3-gaps.

HardenedBSD Firewall (hbsdfw)

hbsdfw is a fork of OPNsense based on HardenedBSD 13-STABLE.

A new build of hbsdfw is out. We still don't provide official in-place update support, so your update process should be as follows:

1. Backup your existing config
2. Reinstall with the new image
3. Restore the config

The default username and password are:

Username: root
Password: hbsdfw

Change the root password as soon as you first log in; every installation from this image starts with the same credentials.

HardenedBSD Infrastructure

We now regularly build 13-STABLE and 14-CURRENT, on the first and fourteenth day of each month. The 13-STABLE and 14-CURRENT package build jobs are still kicked off manually, but usually follow on the same day or the day after the installation media build.

We're looking for more mirrors for the installation media. We're grateful for those who currently run public mirrors.