This month was a crazy month for me (Shawn Webb). My wife and I adopted a new puppy, so life has been a bit on the exciting side. I'm hoping to get back into the swing of things in the next month or two.
With that said, let's get right into it.
In src:
- TPE and RTLD hardening were merged into 13-STABLE. I had posted a HEADS UP email on the users@ mailing list[0]. If you build your own ports/packages, please take note. RTLD hardening can cause issues when building ports/packages.
In ports:
- Loic fixed misc/rump
- Loic fixed sysutils/bareos18-server
- Loic disabled PaX MPROTECT and PAGEEXEC for lang/python39
- Loic fixed math/libpgmath
- Loic fixed building openjdk8 and openjdk11 for 14-CURRENT
- Loic fixed graphics/scrot
- Loic fixed devel/objecthash
- Loic fixed lang/perl5.36
- Loic fixed GCC 12 and 13-devel
- Loic fixed net/waypipe
- Loic fixed devel/vxlog
- Loic fixed www/vdr-plugin-live
- Loic fixed comms/telldus-core
- Loic fixed graphics/enblend
- Shawn enabled MTP support by default for multimedia/vlc
- Loic disabled PIE for net/ndpi
- Ibrahim Kaikaa (Mr.UNIX) disabled PaX SEGVGUARD for memcheck-amd64-freebsd in devel/valgrind-devel and devel/valgrind
- Ibrahim Kaikaa disabled PaX MPROTECT for net-im/signal-desktop
- Ibrahim Kaikaa fixed lang/gcc11
For hbsdfw (the HardenedBSD 13-STABLE fork of OPNsense):
Today (30 Jul 2022), I published a new build[1]. It migrates us to PHP 8.0 and Python 3.9. It appears that the PHP 8.0 Radius extension (php80-pecl-radius) has issues, so I removed the package from the build. So if you're testing hbsdfw out and rely on Radius authentication, you'll want to skip this build.
I haven't had the time to fully bring up the infrastructure needed for in-place updates for hbsdfw, so the normal process of backing up the running config, reinstalling with the new build, and restoring the config is needed for this build and at least the next few builds.
Please test the build out and let me know how it goes for you. Any message, whether it's "works fine for me" or "hey, we got a problem" helps me determine follow-up tasks for this fork.
The default username is "root" and the password is "dynfi". (The password is "dynfi" because we use a forked version of the dynfi build scripts, which pull in the default dynfi opnsense config.)
SHA256 (hbsdfw_installer_vga_13.1-20220729-224841.iso.xz) = 99876a3ba436a274564f4ce51f83b71f901559d8e49926a18c438b483e3d288c
[0]: https://groups.google.com/a/hardenedbsd.org/g/users/c/u6HcO415_OE/m/8g2N...
[1]: https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_13.1-20220729...