Hardening FreeBSD, does anyone have any documentation that may help?

Robert Watson rwatson at FreeBSD.org
Tue Nov 21 11:59:47 UTC 2006 

On Mon, 20 Nov 2006, Jeremie Le Hen wrote:

> On Thu, Nov 09, 2006 at 11:54:10PM +1100, Vini Engel wrote:
>
>> This may not seem to be the best place to ask for this but as this is 
>> supposed to be a list for high level discussions I am assuming that some 
>> people have must know how to harden FreeBSD and/or may have articles and 
>> other docs that can be shared.
>>
>> We have a set of simple policies that are used to harden FreeBSD machines 
>> but I would like make it better and also would like to see how people do it 
>> out there so that I can pick the ideas that we find interesting/useful for 
>> us here and improve our hardening skills.
>>
>> Our machines range from dns servers to mail servers and a few 
>> router/firewalls. Some of them don't have to have anything special but some 
>> others have to comply with the policy of the highly protected networks that 
>> they live in, hence the reason why I want to improve my hardening skills.
>>
>> Any info will be greatly appreciated!
>
> I have a patch to integrate ProPolice into FreeBSD RELENG_6. Though this is 
> obviously not officially supported by FreeBSD, some people (including me) 
> use it on production servers.  It might be worth using it, depending on 
> which security measures you are looking for.
>
> See http://tataz.chchile.org/~tataz/FreeBSD/SSP/

FYI, Silby gave a nice mini-talk/discussion at EuroBSDCon on the topic of gcc4 
security features.  It seems like there's a lot of support for having these 
things in FreeBSD, but a strong reluctance to have large outstanding patchsets 
against the compiler and build chain, hence the continued "strategy" of 
waiting for them to arrive in gcc4.  Most questions boiled down to:

- What are the ABI impacts?  Assuming that protection features arrive and
   depart, and that reasonable application backward compatibility is required
   for programs and libraries.  Of particular interest was the case where we
   turn on a protection feature in X.Y and discover that this was a bad idea,
   so turn it off in X.Y+1.

- What are the performance characteristics in a variety of real-world
   workloads?

One of the universal comments was that we really think it's great that a patch 
is being maintained against current FreeBSD releases/branches with this 
functionality.

Robert N M Watson
Computer Laboratory
University of Cambridge

More information about the freebsd-hackers mailing list