We are pleased to announce the availability of the LibreSSL package repo for 11-CURRENT/amd64. This repo is based off of the LibreSSL-in-base branch (hardened/current/master-libressl) that Bernard Spil has been working on. Going forward, along with providing binary updates for that branch via hbsd-update(8), we will also provide binary packages. We will also provide binary packages soon for the LibreSSL 10-STABLE branch (hardened/10-stable/master-libressl). Having both the feature branches along with package repos will allow us to investigate making LibreSSL the standard in HardenedBSD.

We would like to thank Bernard Spil for his continuous hard work. We're glad to have him on the team. Thanks to him, HardenedBSD is the first downstream FreeBSD project to have both LibreSSL in base along with a package repo that matches.

We are excited to announce the ability to easily utilize Integriforce with base. From now on, hbsd-update(8) will install a full Integriforce ruleset as /etc/secadm.d/base.integriforce.rules for base. If you include this file in your normal secadm.rules(5) ruleset, you will get full integrity enforcement on all executable files in base. If you include the applications from ports/packages in your secadm.rules(5) file, you can turn on whitelisting mode, in which case, all executable files that aren't protected by Integriforce will be denied execution. If you only utilize applications from base, you can turn on whitelisting mode and get the same results.

Using the Integriforce ruleset is entirely optional, but highly recommended.

An example secadm.rules file might look something like this:

secadm {
    pax {
        path: "/usr/local/lib/firefox/firefox",
        pageexec: false,
        mprotect: false
    }

    .include "/etc/secadm.d/base.integriforce.rules"
}

HardenedBSD-10-STABLE-v46.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

This is a security update, but by default none of the currently released FreeBSD SAs affect HardenedBSD, since we fixed the libarchive issue in v46.1 and the COMPAT layers are disabled by default.

https://security.freebsd.org/advisories/FreeBSD-SA-16:22.libarchive.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:21.43bsd.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:20.linux.asc

HardenedBSD-11-CURRENT-v46.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

UPDATE TO THIS RELEASE IS STRONGLY ADVISED!

This release fixes two locally exploitable security issue, namely the followings:
https://security.freebsd.org/advisories/FreeBSD-SA-16:19.sendmsg.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc

HardenedBSD-10-STABLE-v44.6 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...